pickone公司資料庫注入漏洞 - HITCON ZeroDay

Vulnerability Detail Report

Vulnerability Overview

  • ZDID: ZD-2017-00365
  • Vendor: pickone
  • Title: pickone公司資料庫注入漏洞
  • Introduction: 搜尋字串未檢查直接串接sql語法導致sql資料語法外洩

處理狀態

目前狀態

公開
Last Update : 2017/05/11
  • 新提交
  • 已審核
  • 已通報
  • 已修補
  • 已複測
  • 公開

處理歷程

  • 2017/04/19 12:11:09 : 新提交 (由 鄉民 更新此狀態)
  • 2017/04/19 22:31:12 : 審核完成 (由 HITCON ZeroDay 平台自動更新)
  • 2017/04/24 02:00:37 : 通報未回應 (由 HITCON ZeroDay 服務團隊 更新此狀態)
  • 2017/04/25 13:10:27 : 修補中 (由 HITCON ZeroDay 服務團隊 更新此狀態)
  • 2017/04/25 19:35:19 : 已修補 (由 HITCON ZeroDay 平台自動更新)
  • 2017/05/08 02:11:36 : 確認已修補 (由 HITCON ZeroDay 平台自動更新)
  • 2017/05/11 03:00:16 : 公開 (由 HITCON ZeroDay 平台自動更新)

詳細資料

  • ZDID:ZD-2017-00365
  • 通報者:鄉民
  • 風險:高
  • 類型:資料庫注入攻擊 (SQL Injection)

參考資料

攻擊者可利用該漏洞取得後端資料庫權限及完整資料(包含大量使用者個資或敏感性資料),同時也有機會對資料進行破壞或修改。

漏洞說明: OWASP - SQL Injection
https://www.owasp.org/index.php/SQL_Injection

漏洞說明: OWASP - Top 10 - 2017 A1 - Injection
https://www.owasp.org/index.php/Top_10-2017_A1-Injection

漏洞說明: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
https://cwe.mitre.org/data/definitions/89.html

防護方式: OWASP - SQL Injection Prevention Cheat Sheet
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
(本欄位資訊由系統根據漏洞類別自動產生,做為漏洞參考資料。)

相關網址

https://www.pickoneplace.com/search/program?uses=3&county=%E5%8F%B0%E5%8C%97%E5%B8%82%27&max_people=1.20%27&keywords=

敘述

搜尋直接帶在URL參數中,所以嘗試在參數中加入' 來測試回傳結果,結果直接吐sql資料表的query字串如下:
A Database Error Occurred

Error Number: 1064

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND county = '台北市\'' AND program.onoff = 1 AND space.onoff =' at line 8

SELECT program., space.county, space.district, space.title as spaceTitle, IF( total_price > 0 AND min_time > 0, total_price / min_time, IF( whole_price > 0 AND whole_time > 0, whole_price / whole_time, IF( min_pay > 0 AND min_people >0 AND min_time > 0, (per_people min_people) / min_time, IF( min_pay > 0 AND min_time > 0, per_people / min_time, IF( min_pay > 0 AND min_people > 0, per_people 0, IF( min_pay > 0, per_people 0, IF( per_people > 0 AND min_pay = 0 AND min_people > 0, per_people min_people, IF( per_people > 0 AND min_pay = 0, per_people, whole_price 0 ) ) ) ) )))) as hrPrice FROM (program) JOIN space ON program.space_no=space.no JOIN program_time ON program_time.program_no=program.no JOIN program_uses ON program.no=program_uses.program_no WHERE uses = '3' AND max_people >= 1 AND max_people <= 20' AND county = '台北市\'' AND program.onoff = 1 AND space.onoff = 1 GROUP BY program.no, program.prefer ORDER BY current_order desc, prefer desc

Filename: /var/www/html/space/models/search_model.php

Line Number: 249

擷圖

留言討論

;