当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2012-011450

漏洞标题:URL Redirection Bug & Possible SQL注射BUG in 佳品网

相关厂商:佳品网

漏洞作者: Gunther

提交时间:2012-08-28 15:29

修复时间:2012-09-02 15:29

公开时间:2012-09-02 15:29

漏洞类型:SQL注射漏洞

危害等级:低

自评Rank:5

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2012-08-28: 细节已通知厂商并且等待厂商处理中
2012-09-02: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

There are URL Redirection Bugs & Possible SQL注射BUG in 佳品网

详细说明:

Possible SQL注射BUG is found here:
http://www.jiapin.com/listgoods/index/cat_id/+union+select+1,2,+--
http://www.jiapin.com/listgoods/index/cat_id/+sleep(1)%23

Accessing that url and you will see the following error:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'union select 1,2, --;#sqlEye::http://www.jiapin.com/listgoods/index/cat_id/+unio' at line 1
#0 /www/goods/library/Zend/Db/Statement.php(320): Zend_Db_Statement_Pdo->_execute(Array)
#1 /www/goods/library/Zend/Db/Adapter/Abstract.php(481): Zend_Db_Statement->execute(Array)
#2 /www/goods/library/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query('select cat_id,c...', Array)
#3 /www/goods/library/Zend/Db/Adapter/Abstract.php(738): Zend_Db_Adapter_Pdo_Abstract->query('select cat_id,c...', Array)
#4 /www/goods/application/default/models/SeoModel.php(37): Zend_Db_Adapter_Abstract->fetchAll('select cat_id,c...')
#5 /www/goods/application/default/models/SeoModel.php(62): SeoModel->seo_search_lists(' union select 1...')
#6 /www/goods/application/default/controllers/ListgoodsController.php(30): SeoModel->seo_TDK(' union select 1...', NULL, NULL, Array)
#7 /www/goods/library/Zend/Controller/Action.php(513): ListgoodsController->indexAction()
#8 /www/goods/library/Zend/Controller/Dispatcher/Standard.php(295): Zend_Controller_Action->dispatch('indexAction')
#9 /www/goods/library/Zend/Controller/Front.php(954): Zend_Controller_Dispatcher_Standard->dispatch(Object(Zend_Controller_Request_Http), Object(Zend_Controller_Response_Http))
#10 /www/goods/html/bootstrap.php(102): Zend_Controller_Front->dispatch()
#11 /www/goods/html/bootstrap.php(31): Application->dispatch()
#12 /www/goods/html/index.php(75): Application->__construct(Array)
#13 {main}


Severity: URL Redirection bug
Confidence: Confident
Host: http://user.jiapin.com/
Path: /pageview/pos?app=from_tag&url=http://www.jiapin.com/list/14565.html
Issue detail:
This is considered quite serious if it's in a consumer type of website as attackers can make use of this to redirect victims to another website.
Ok, the flaw is that the original url will look like the following
http://user.jiapin.com/pageview/pos?app=from_tag&url=http://www.jiapin.com/list/14565.html
However, an attacker can change the final url to the following
user.jiapin.com/pageview/pos?app=from_tag&url=http://ebay.de
If attackers have exploit kit, they can redirect victims to their website, fire up an iframe showing the original content from jiapin.com
After they had exploited or trojanised the victim, just do another redirect to the original website.
This way, victims will not notice much. :D In my test case, i redirect user(s) to ebay.de :D
The other URL Redirection bug could be found here:
http://user.jiapin.com/cps/cpslogin/together/c5ac81fe5e0d6246dcb4c769ead4c3ea?url_t=http://news.jiapin.com/html/zx/jiapinguandi/2012/0822/6690.html
Similarly, if you replace
http://news.jiapin.com/html/zx/jiapinguandi/2012/0822/6690.html
with http://ebay.de and the final url look like this:
http://user.jiapin.com/cps/cpslogin/together/c5ac81fe5e0d6246dcb4c769ead4c3ea?url_t=http://ebay.de
Victims will be redirected to eBay.de instead

漏洞证明:

Or the image below

修复方案:

版权声明:转载请注明来源 Gunther@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2012-09-02 15:29

厂商回复:

最新状态:

暂无