当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-018923

漏洞标题:爱丽网某站SQL注射

相关厂商:aili.com

漏洞作者: 小胖子

提交时间:2013-02-20 09:58

修复时间:2013-04-06 09:59

公开时间:2013-04-06 09:59

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-02-20: 细节已通知厂商并且等待厂商处理中
2013-02-20: 厂商已经确认,细节仅向厂商公开
2013-03-02: 细节向核心白帽子及相关领域专家公开
2013-03-12: 细节向普通白帽子公开
2013-03-22: 细节向实习白帽子公开
2013-04-06: 细节向公众公开

简要描述:

我们都是神枪手,每一个礼物消灭一个漏洞!

详细说明:

怕重复,还专门问了剑心才发的,欢迎新厂商,希望你们重视信息安全!
问题一:配置文件错误导致SQL数据库账户密码泄漏,可惜是内网。
http://plus.aili.com/1/1/gif.php

SQLerr.jpg


问题2:SQL注射,数据好多啊,读数据读了半天啊!
注入点:http://plus.aili.com/pk.php?a=list&id=28

biao.jpg


biao2.jpg


SQL3.jpg


不一一列举了,详细信息如下。

Database: newcms
[168 tables]
+---------------------------+
| 7120_eastdata_sp          |
| 7120_eastdata_ty          |
| 7120_eastmedicine_sort    |
| 7120_illnessbase          |
| 7120_illtype              |
| 7120_part                 |
| 7120_westdata_sp          |
| 7120_westdata_ty          |
| 7120_westmedicine_sort    |
| Jewelry_arc_image         |
| Jewelry_archives          |
| Jewelry_category          |
| Jewelry_vote_config       |
| admin                     |
| admin_arc_upid            |
| admin_count               |
| admin_panel               |
| admin_role                |
| admin_role_cat            |
| admin_role_priv           |
| aili_adsell_brand         |
| aili_adsell_type          |
| aili_member               |
| aili_member_field         |
| aili_member_visit         |
| aili_store                |
| ailimap                   |
| album_contents            |
| albums                    |
| app_arc_topic             |
| app_archives              |
| app_channel               |
| app_feedback              |
| app_images                |
| app_topic                 |
| app_version               |
| arc_channel               |
| arc_column                |
| arc_flag                  |
| arc_flag_img              |
| arc_index                 |
| arc_recom                 |
| arc_topic                 |
| archive_count             |
| archive_total             |
| archives                  |
| archives_gq               |
| archives_jk               |
| articles                  |
| articles_img              |
| articles_play_bak         |
| authors                   |
| block                     |
| block_art                 |
| category_priv             |
| channel_count             |
| channel_total             |
| channels                  |
| collection_content        |
| collection_history        |
| collection_node           |
| collection_program        |
| column_count              |
| column_order_relation     |
| column_total              |
| columns                   |
| comment_bq                |
| comment_total             |
| comments                  |
| comments_topic            |
| crontab                   |
| domainip                  |
| enterprise                |
| enterprise_case           |
| enterprise_evaluate       |
| enterprise_evaluate_score |
| enterprise_info           |
| enterprise_level          |
| enterprise_type           |
| exam_form                 |
| exam_form_element         |
| exam_student              |
| exam_student_title        |
| exam_title                |
| favorites                 |
| flag                      |
| friend_link               |
| friend_link_class         |
| haina_test                |
| help                      |
| help_type                 |
| history_log               |
| homepage                  |
| hot_tags                  |
| hot_tags_class            |
| images                    |
| imgs                      |
| index_count               |
| keylist                   |
| keywords                  |
| log_albums                |
| log_arccreate             |
| log_articles              |
| log_channels              |
| log_columns               |
| log_create                |
| log_images                |
| log_login                 |
| log_sys                   |
| log_templet_category      |
| log_templets              |
| log_topics                |
| log_votes                 |
| mango_field               |
| mango_member              |
| mango_vote_config         |
| menu                      |
| message                   |
| msnad                     |
| navigation                |
| new_vote_main             |
| new_vote_option           |
| new_vote_problem          |
| pctag                     |
| pk_cdata                  |
| pk_cdata_log              |
| pk_comment                |
| pk_comment_log            |
| pk_tdata                  |
| pk_tdata_log              |
| pk_themes                 |
| rtss                      |
| source                    |
| suggest                   |
| sys_config                |
| sys_config_group          |
| tags                      |
| tags_arc                  |
| tags_category             |
| tags_log                  |
| tags_relation             |
| tags_upid                 |
| tagscate_channel          |
| task                      |
| task_log                  |
| templet_canedit           |
| templet_category          |
| templets                  |
| topic_block               |
| topic_block_style         |
| topic_count               |
| topic_diy_data            |
| topic_diy_tpl             |
| topic_hallowmas_ip        |
| topic_hallowmas_user      |
| topic_history             |
| topic_lab_user            |
| topic_pic                 |
| topic_total               |
| topics                    |
| tpl_history               |
| tpl_type                  |
| vote                      |
| vote_comments             |
| vote_count                |
| vote_option               |
| webnav                    |
| webnav_class              |
+---------------------------+

漏洞证明:

见详细说明。

修复方案:

过滤啊亲,一个礼物消灭一个漏洞?求礼物,求20rank!

版权声明:转载请注明来源 小胖子@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2013-02-20 10:22

厂商回复:

感谢小胖子朋友。信息安全对我们来说很重要。

最新状态:

暂无