
Vulnerability summary

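Bug ID: wooyun-2015-0143862

Title: Vulnerability on the official website of the takee holographic phone (钛客科技) can leak more than 1 million users

Vendor: 钛客科技

Author: AuGe

Submitted: 2015-09-28 13:32

Fix time: 2015-11-12 13:34

Public disclosure time: 2015-11-12 13:34

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Unable to contact the vendor, or the vendor actively ignored the report

Source: http://www.wooyun.org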



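Vulnerability details

Disclosure status:

2015-09-28: Actively contacting the vendor and waiting for the vendor to claim the report; details are not public
2015-11-12: The vendor has ignored the vulnerability; details are disclosed to the public

Brief description:

As the title says.

Detailed description:

#SQL injection vulnerability
Injection URL: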

http://www.takee.com.cn/product/index/?id=45

The id parameter is user-controllable.
Database: new_mall
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| ks_user | 1066711 |---- user information
Columns of the user table:

Database: new_mall
Table: ks_user
[28 columns]
+--------------+-------------------+
| Column | Type |
+--------------+-------------------+
| from | varchar(20) |
| activetime | int(10) unsigned |
| address_id | int(11) |
| answer | varchar(200) |
| bind_phone | varchar(11) |
| city_id | int(10) unsigned |
| con_log_time | int(10) |
| country | varchar(10) |
| dian | int(11) |
| email | varchar(200) |
| face | varchar(120) |
| gender | enum('m','f','s') |
| id | int(10) unsigned |
| is_email | int(11) |
| is_safe | int(11) |
| logintotal | int(10) |
| nickname | varchar(32) |
| notice | varchar(200) |
| password | varchar(32) |
| question | varchar(200) |
| role_id | int(10) unsigned |
| sessionid | varchar(32) |
| socketid | int(10) unsigned |
| state | tinyint(1) |
| title_id | int(10) unsigned |
| ul_id | int(11) |
| user_money | decimal(10,2) |
| username | varchar(32) |
+--------------+-------------------+


I did not dig any further. Addresses, phone numbers, email addresses, account names, and passwords are all exposed.


Proof of vulnerability:

Database: new_mall
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| ks_user | 1066711 |
| ks_user_extension | 1066692 |
| ks_reserve_log | 1002210 |
| ks_test | 145176 |
| ks_order_goods | 9108 |
| ks_order_notify | 7074 |
| ks_order_action | 5843 |
| ks_pay_log | 5422 |
| ks_order | 5389 |
| ks_user_address | 4220 |
| ks_discount_card | 4200 |
| ks_region | 3418 |
| ks_region_copy | 3403 |
| ks_order_copy | 3240 |
| ks_presell_log | 2555 |
| ks_reserve_log_bak | 1000 |
| ks_session | 630 |
| ks_zhaomo | 320 |
| ks_attribute | 210 |
| ks_txt_change_order | 133 |
| ks_change_order | 102 |
| ks_change_order_one | 72 |
| ks_vote_gallery | 42 |
| ks_news | 37 |
| ks_goods_gallery | 29 |
| ks_city | 19 |
| ks_qiyeshop | 15 |
| ks_category | 14 |
| ks_vote | 14 |
| ks_goods | 11 |
| ks_singlepage | 5 |
| ks_good_peijian | 4 |
| ks_goods_pat | 4 |
| ks_payment | 4 |
| ks_discount | 3 |
| ks_role | 3 |
| ks_goods_pic | 2 |
| ks_note | 2 |
| ks_app_user | 1 |
| ks_config | 1 |
| ks_kill | 1 |
| ks_presell | 1 |
| ks_reserve | 1 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| INNODB_BUFFER_PAGE | 3008 |
| COLUMNS | 1384 |
| SESSION_VARIABLES | 331 |
| GLOBAL_VARIABLES | 319 |
| GLOBAL_STATUS | 312 |
| SESSION_STATUS | 312 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 197 |
| COLLATIONS | 197 |
| STATISTICS | 172 |
| INNODB_BUFFER_PAGE_LRU | 142 |
| PARTITIONS | 132 |
| TABLES | 132 |
| KEY_COLUMN_USAGE | 103 |
| TABLE_CONSTRAINTS | 78 |
| USER_PRIVILEGES | 56 |
| CHARACTER_SETS | 39 |
| SCHEMA_PRIVILEGES | 32 |
| PLUGINS | 23 |
| ENGINES | 9 |
| INNODB_CMP | 5 |
| INNODB_CMP_RESET | 5 |
| INNODB_CMPMEM | 5 |
| INNODB_CMPMEM_RESET | 5 |
| SCHEMATA | 5 |
| INNODB_BUFFER_POOL_STATS | 1 |
| PROCESSLIST | 1 |
+---------------------------------------+---------+
Database: performance_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| setup_consumers | 8 |
| performance_timers | 5 |
| setup_timers | 1 |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| help_relation | 1047 |
| help_topic | 511 |
| help_keyword | 467 |
| help_category | 40 |
| `user` | 2 |
| db | 2 |
| proxies_priv | 1 |
+---------------------------------------+---------+

Suggested fix:

Filter the input. It is a big brand, after all.
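
An added example (not part of the original report, and not the vendor's code) of what fixing the numeric id parameter looks like in practice: bind the value as a query parameter and validate it against an allow-list, rather than filtering keywords. The site's real stack and query are unknown; SQLite stands in for MySQL, and the ks_goods columns and rows are constructed.

```python
import sqlite3

def make_db():
    # Constructed sample data: the table name ks_goods appears in the report,
    # but the columns and rows are assumptions made for this illustration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ks_goods (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO ks_goods VALUES (?, ?)",
                   [(44, "case"), (45, "phone"), (46, "charger")])
    return db

def get_product_unsafe(db, raw_id):
    # Vulnerable pattern: the request value becomes part of the SQL text,
    # so anything after the number is parsed as SQL.
    sql = "SELECT id, name FROM ks_goods WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def get_product_bound(db, raw_id):
    # Core fix: the value is bound as a parameter and is only ever data.
    sql = "SELECT id, name FROM ks_goods WHERE id = ?"
    return db.execute(sql, (raw_id,)).fetchall()

def parse_id(raw_id):
    # Defense in depth: allow-list validation (ASCII digits, bounded length)
    # so malformed input is rejected before it reaches the database layer.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 10):
        raise ValueError("id must be a positive integer")
    return int(raw_id)

def get_product_safe(db, raw_id):
    # Validation plus parameter binding together.
    return get_product_bound(db, parse_id(raw_id))

if __name__ == "__main__":
    db = make_db()
    for value in ("45", "45 OR 1=1"):  # constructed inputs
        print(repr(value), "unsafe ->", get_product_unsafe(db, value))
        print(repr(value), "bound  ->", get_product_bound(db, value))
```

Rejected values raised by parse_id are worth logging, since a non-numeric id on a product page is a useful detection signal.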

Copyright notice: please credit the source when reposting: AuGe@乌云


Vulnerability response

Vendor response:

Unable to contact the vendor, or the vendor actively declined

Vulnerability Rank: 15 (WooYun assessment)