当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2014-066289
漏洞标题:
兰蔻官方互动平台SQL注射漏洞
相关厂商:
兰蔻官方
漏洞作者:
炊烟
提交时间:
2014-06-27 17:00
修复时间:
2014-08-11 17:02
公开时间:
2014-08-11 17:02
漏洞类型:
SQL注射漏洞
危害等级:
自评Rank:
20
漏洞状态:
未联系到厂商或者厂商积极忽略
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2014-06-27: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-08-11: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT.

详细说明:

http://www.rosebeauty.com.cn/member/register
登录框POST注入


还有爆路径
/home/imag/release_rosebeauty_com_cn/site/library/Zend/Application/Bootstrap/Bootstrap.php

漏洞证明:


Database: lancome_rb2
[129 tables]
+------------------------------+
| 1yuecomment                  |
| 1yuethread                   |
| 2yuecomment                  |
| 2yuethread                   |
| 3yuecomment                  |
| 3yuethread                   |
| 4yuecomment                  |
| 4yuethread                   |
| 5yuecomment                  |
| 5yuethread                   |
| ad                           |
| ad_category                  |
| ad_type                      |
| admin_group                  |
| admin_ip_whitelist           |
| admin_menu                   |
| admin_setting                |
| admin_users                  |
| admin_users_action           |
| back_users                   |
| badge                        |
| badge_award                  |
| badge_award_user             |
| badge_category               |
| cache_table_efchic_thread    |
| cache_table_index_hot_thread |
| cache_table_thread_comment   |
| cache_table_topic            |
| cache_table_try_hot_thread   |
| cce_award                    |
| cce_prize                    |
| cce_thread_skin_cate         |
| cce_user                     |
| channel                      |
| cic_log                      |
| comment                      |
| efchic_thread_vote           |
| email_import                 |
| enjoy                        |
| event                        |
| event_award                  |
| event_category               |
| event_prize                  |
| event_prize_users            |
| event_users                  |
| event_users_feeds            |
| feeds                        |
| gameResult                   |
| keywordlist                  |
| landing                      |
| login_url                    |
| lp_big_show                  |
| lp_comment                   |
| lp_limit_gifts               |
| lp_magazine                  |
| lp_media                     |
| lp_prize_user                |
| lp_product                   |
| lp_product_hot_five_cache    |
| lp_product_hot_four_cache    |
| lp_qa                        |
| lp_specialist                |
| lp_tags                      |
| lp_test                      |
| lp_up                        |
| lp_user                      |
| lp_video                     |
| lp_want_list                 |
| luckydraw_award              |
| luckydraw_prize              |
| luckydraw_thread             |
| magazine                     |
| notice                       |
| notice_content               |
| notice_sendlist              |
| reg_repeat_users             |
| searchfeeds                  |
| temp_tables_for_bbs_count    |
| test0                        |
| thread                       |
| thread_at                    |
| thread_comment               |
| thread_ga_cache              |
| thread_ga_cache_old          |
| thread_ga_cachebak           |
| thread_index_recommend       |
| thread_magazine              |
| thread_recommend_list        |
| thread_reply                 |
| thread_share                 |
| thread_tmp_20140507          |
| thread_topic                 |
| thread_upload                |
| thread_upload_temp           |
| thread_user_recommend        |
| tmpuser120                   |
| topic                        |
| trial_vote                   |
| user_email                   |
| user_enjoy                   |
| user_guide                   |
| user_info                    |
| user_lucky                   |
| users                        |
| users_action                 |
| users_active                 |
| users_active_mobile          |
| users_badge                  |
| users_badge_prize            |
| users_buddy                  |
| users_daren                  |
| users_daren_modify           |
| users_email_back             |
| users_follow                 |
| users_follow_magazine        |
| users_from_test              |
| users_getpassword_code       |
| users_mogujie                |
| users_skinfile               |
| users_thread                 |
| users_tmp                    |
| users_wechat                 |
| users_wechat_tmp             |
| users_weibo                  |
| vote_history                 |
| vote_option                  |
| vote_user                    |
| weibo_fetch_content          |
| weibo_fetch_keywords         |
+------------------------------+


Table: users
[54 columns]
+----------------------+--------------+
| Column               | Type         |
+----------------------+--------------+
| from                 | varchar(20)  |
| time                 | timestamp    |
| actived              | int(1)       |
| actived_mobile       | int(1)       |
| address              | varchar(200) |
| apply_count          | int(6)       |
| apply_success_count  | int(6)       |
| award_count          | int(6)       |
| badgereset           | tinyint(1)   |
| badges_count         | int(8)       |
| birthdayday          | varchar(2)   |
| birthdaymonth        | varchar(2)   |
| birthdayyear         | varchar(4)   |
| city                 | varchar(30)  |
| comefrom             | varchar(50)  |
| cus_id               | int(10)      |
| daren                | int(1)       |
| daren_channel        | int(6)       |
| daren_time           | datetime     |
| email                | varchar(100) |
| fid                  | int(8)       |
| followers_count      | int(8)       |
| friends_count        | int(8)       |
| from_url             | varchar(255) |
| gender               | varchar(1)   |
| head                 | varchar(200) |
| idcard               | varchar(20)  |
| ip                   | varchar(15)  |
| is_admin             | int(1)       |
| is_update_birthday   | int(1)       |
| last_at_count        | int(8)       |
| last_comment_count   | int(8)       |
| last_followers_count | int(8)       |
| last_login_ip        | varchar(15)  |
| last_login_time      | datetime     |
| last_repost_count    | int(8)       |
| login_count          | int(6)       |
| luckytime            | tinyint(1)   |
| mobile               | varchar(11)  |
| nickname             | varchar(40)  |
| nickname_match       | varchar(200) |
| notice_count         | int(8)       |
| password             | varchar(50)  |
| province             | varchar(30)  |
| realname             | varchar(30)  |
| score                | int(10)      |
| sign                 | varchar(100) |
| status               | int(1)       |
| thread_count         | int(6)       |
| topic_count          | int(6)       |
| user_id              | int(8)       |
| verified_reason      | varchar(50)  |
| verified_reason_old  | varchar(50)  |
| zip                  | varchar(6)   |
+----------------------+--------------+

修复方案:

过滤.

版权声明:转载请注明来源 炊烟@乌云

>

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝