当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2012-011383

漏洞标题:天语手机支付漏洞+SQL注入

相关厂商:天语手机

漏洞作者: zhk

提交时间:2012-08-26 22:09

修复时间:2012-10-10 22:10

公开时间:2012-10-10 22:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2012-08-26: 细节已通知厂商并且等待厂商处理中
2012-08-29: 厂商已经确认,细节仅向厂商公开
2012-09-08: 细节向核心白帽子及相关领域专家公开
2012-09-18: 细节向普通白帽子公开
2012-09-28: 细节向实习白帽子公开
2012-10-10: 细节向公众公开

简要描述:

天语手机支付漏洞+SQL注入
我相信在乌云,不止我知道
支付漏洞现在一般是利用不成了,看数据库里早在11年就有人下0.01元的订单了
主要是还有个付款金额会显示0.01,不过加上SQL注入可以把它改掉。

详细说明:

注入点:http://www.k-touch.cn/product/detail?prod_id=39
这里只列一个,其它的自己排查




这里付款的我不想再付,就用之前的截图了


漏洞证明:

Database: kt_system                                                                                                                                  
[7 tables]
+---------------------------------------+
| kt_admin |
| kt_category |
| kt_cms |
| kt_feedback |
| kt_mem_login |
| kt_region |
| kt_setting |
+---------------------------------------+
Database: ivy_tianyu
[30 tables]
+---------------------------------------+
| ivy_active_info |
| ivy_ad_info |
| ivy_admin_info |
| ivy_card_info |
| ivy_card_log |
| ivy_cart |
| ivy_cat_info |
| ivy_city |
| ivy_county |
| ivy_download_info |
| ivy_faq_info |
| ivy_image_info |
| ivy_news_info |
| ivy_order_info |
| ivy_order_info_0814 |
| ivy_order_log |
| ivy_order_product |
| ivy_order_product_0817 |
| ivy_order_refund |
| ivy_package_info |
| ivy_product_info |
| ivy_province |
| ivy_service |
| ivy_shop_info |
| ivy_shop_info_0812 |
| ivy_spec_info |
| ivy_user_address |
| ivy_user_order |
| ivy_user_order_0814 |
| ivy_works |
+---------------------------------------+
Database: nagios
[1 table]
+---------------------------------------+
| test |
+---------------------------------------+
Database: kt_order
[9 tables]
+---------------------------------------+
| kt_address |
| kt_at_product |
| kt_at_store |
| kt_cart |
| kt_lsxx_copy |
| kt_order |
| kt_order_detail |
| kt_refunddetail |
| kt_refundinfo |
+---------------------------------------+
Database: kt_store
[17 tables]
+---------------------------------------+
| kt_attrib |
| kt_category |
| kt_interests |
| kt_interests_detail |
| kt_lsxx |
| kt_product |
| kt_product_attrib |
| kt_product_comment |
| kt_product_content |
| kt_product_details |
| kt_product_photo |
| kt_product_tag |
| kt_store |
| kt_store_comment |
| kt_store_image |
| kt_store_log |
| kt_store_logistics |
+---------------------------------------+
Database: kt_user
[15 tables]
+---------------------------------------+
| kt_cart |
| kt_comment |
| kt_mobile |
| kt_mobile_imei |
| kt_msg |
| kt_msg_content |
| kt_user_basic |
| kt_user_basic_test |
| kt_user_count |
| kt_user_forget |
| kt_user_getpwd |
| kt_user_log |
| kt_user_online |
| kt_user_profile |
| kt_user_redpackage |
+---------------------------------------+
Database: mysql
[25 tables]
+---------------------------------------+
| columns_priv |
| db |
| event |
| func |
| general_log |
| ghost |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| servers |
| slow_log |
| tables_priv |
| tempMix4 |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
| user |
+---------------------------------------+
Database: test
[1 table]
+---------------------------------------+
| test |
+---------------------------------------+
Database: kt_cms
[4 tables]
+---------------------------------------+
| kt_ads |
| kt_cms |
| kt_cms_module |
| kt_cms_module_detail |
+---------------------------------------+
Database: ivy_bbs
[250 tables]
+---------------------------------------+
| pre_common_addon |
| pre_common_admincp_cmenu |
| pre_common_admincp_group |
| pre_common_admincp_member |
| pre_common_admincp_perm |
| pre_common_admincp_session |
| pre_common_admingroup |
| pre_common_adminnote |
| pre_common_advertisement |
| pre_common_advertisement_custom |
| pre_common_banned |
| pre_common_block |
| pre_common_block_favorite |
| pre_common_block_item |
| pre_common_block_item_data |
| pre_common_block_permission |
| pre_common_block_pic |
| pre_common_block_style |
| pre_common_block_xml |
| pre_common_cache |
| pre_common_card |
| pre_common_card_log |
| pre_common_card_type |
| pre_common_credit_log |
| pre_common_credit_rule |
| pre_common_credit_rule_log |
| pre_common_credit_rule_log_field |
| pre_common_cron |
| pre_common_district |
| pre_common_diy_data |
| pre_common_domain |
| pre_common_failedlogin |
| pre_common_friendlink |
| pre_common_grouppm |
| pre_common_invite |
| pre_common_magic |
| pre_common_magiclog |
| pre_common_mailcron |
| pre_common_mailqueue |
| pre_common_member |
| pre_common_member_action_log |
| pre_common_member_connect |
| pre_common_member_count |
| pre_common_member_field_forum |
| pre_common_member_field_home |
| pre_common_member_grouppm |
| pre_common_member_log |
| pre_common_member_magic |
| pre_common_member_profile |
| pre_common_member_profile_setting |
| pre_common_member_security |
| pre_common_member_stat_field |
| pre_common_member_stat_fieldcache |
| pre_common_member_stat_search |
| pre_common_member_stat_searchcache |
| pre_common_member_status |
| pre_common_member_validate |
| pre_common_member_verify |
| pre_common_member_verify_info |
| pre_common_moderate |
| pre_common_myapp |
| pre_common_myinvite |
| pre_common_mytask |
| pre_common_nav |
| pre_common_onlinetime |
| pre_common_plugin |
| pre_common_pluginvar |
| pre_common_process |
| pre_common_regip |
| pre_common_relatedlink |
| pre_common_report |
| pre_common_searchindex |
| pre_common_secquestion |
| pre_common_session |
| pre_common_setting |
| pre_common_smiley |
| pre_common_sphinxcounter |
| pre_common_stat |
| pre_common_statuser |
| pre_common_style |
| pre_common_stylevar |
| pre_common_syscache |
| pre_common_tag |
| pre_common_tagitem |
| pre_common_task |
| pre_common_taskvar |
| pre_common_template |
| pre_common_template_block |
| pre_common_template_permission |
| pre_common_uin_black |
| pre_common_usergroup |
| pre_common_usergroup_field |
| pre_common_word |
| pre_common_word_type |
| pre_connect_feedlog |
| pre_connect_memberbindlog |
| pre_connect_tlog |
| pre_dsu_paulsign |
| pre_dsu_paulsignset |
| pre_forum_access |
| pre_forum_activity |
| pre_forum_activityapply |
| pre_forum_announcement |
| pre_forum_attachment |
| pre_forum_attachment_0 |
| pre_forum_attachment_1 |
| pre_forum_attachment_2 |
| pre_forum_attachment_3 |
| pre_forum_attachment_4 |
| pre_forum_attachment_5 |
| pre_forum_attachment_6 |
| pre_forum_attachment_7 |
| pre_forum_attachment_8 |
| pre_forum_attachment_9 |
| pre_forum_attachment_unused |
| pre_forum_attachtype |
| pre_forum_bbcode |
| pre_forum_creditslog |
| pre_forum_debate |
| pre_forum_debatepost |
| pre_forum_faq |
| pre_forum_forum |
| pre_forum_forum_threadtable |
| pre_forum_forumfield |
| pre_forum_forumrecommend |
| pre_forum_groupcreditslog |
| pre_forum_groupfield |
| pre_forum_groupinvite |
| pre_forum_grouplevel |
| pre_forum_groupranking |
| pre_forum_groupuser |
| pre_forum_imagetype |
| pre_forum_medal |
| pre_forum_medallog |
| pre_forum_memberrecommend |
| pre_forum_moderator |
| pre_forum_modwork |
| pre_forum_onlinelist |
| pre_forum_order |
| pre_forum_poll |
| pre_forum_polloption |
| pre_forum_pollvoter |
| pre_forum_post |
| pre_forum_post_tableid |
| pre_forum_postcomment |
| pre_forum_postlog |
| pre_forum_postposition |
| pre_forum_poststick |
| pre_forum_promotion |
| pre_forum_ratelog |
| pre_forum_relatedthread |
| pre_forum_replycredit |
| pre_forum_rsscache |
| pre_forum_spacecache |
| pre_forum_statlog |
| pre_forum_thread |
| pre_forum_threadclass |
| pre_forum_threadimage |
| pre_forum_threadlog |
| pre_forum_threadmod |
| pre_forum_threadpartake |
| pre_forum_threadrush |
| pre_forum_threadtype |
| pre_forum_trade |
| pre_forum_tradecomment |
| pre_forum_tradelog |
| pre_forum_typeoption |
| pre_forum_typeoptionvar |
| pre_forum_typevar |
| pre_forum_warning |
| pre_home_album |
| pre_home_album_category |
| pre_home_appcreditlog |
| pre_home_blacklist |
| pre_home_blog |
| pre_home_blog_category |
| pre_home_blogfield |
| pre_home_class |
| pre_home_click |
| pre_home_clickuser |
| pre_home_comment |
| pre_home_docomment |
| pre_home_doing |
| pre_home_favorite |
| pre_home_feed |
| pre_home_feed_app |
| pre_home_friend |
| pre_home_friend_request |
| pre_home_friendlog |
| pre_home_notification |
| pre_home_pic |
| pre_home_picfield |
| pre_home_poke |
| pre_home_pokearchive |
| pre_home_share |
| pre_home_show |
| pre_home_specialuser |
| pre_home_userapp |
| pre_home_userappfield |
| pre_home_visitor |
| pre_portal_article_content |
| pre_portal_article_count |
| pre_portal_article_related |
| pre_portal_article_title |
| pre_portal_article_trash |
| pre_portal_attachment |
| pre_portal_category |
| pre_portal_category_permission |
| pre_portal_comment |
| pre_portal_rsscache |
| pre_portal_topic |
| pre_portal_topic_pic |
| pre_ucenter_admins |
| pre_ucenter_applications |
| pre_ucenter_badwords |
| pre_ucenter_domains |
| pre_ucenter_failedlogins |
| pre_ucenter_feeds |
| pre_ucenter_friends |
| pre_ucenter_mailqueue |
| pre_ucenter_memberfields |
| pre_ucenter_members |
| pre_ucenter_mergemembers |
| pre_ucenter_newpm |
| pre_ucenter_notelist |
| pre_ucenter_pm_indexes |
| pre_ucenter_pm_lists |
| pre_ucenter_pm_members |
| pre_ucenter_pm_messages_0 |
| pre_ucenter_pm_messages_1 |
| pre_ucenter_pm_messages_2 |
| pre_ucenter_pm_messages_3 |
| pre_ucenter_pm_messages_4 |
| pre_ucenter_pm_messages_5 |
| pre_ucenter_pm_messages_6 |
| pre_ucenter_pm_messages_7 |
| pre_ucenter_pm_messages_8 |
| pre_ucenter_pm_messages_9 |
| pre_ucenter_protectedmembers |
| pre_ucenter_settings |
| pre_ucenter_sqlcache |
| pre_ucenter_tags |
| pre_ucenter_vars |
| pre_xwb_bind_info |
| pre_xwb_bind_thread |
| pre_xwb_session |
| temp2 |
| temp3 |
| test2 |
| udf_temp |
+---------------------------------------+
Database: tianyu
[316 tables]
+---------------------------------------+
| ivy_ad_info |
| ivy_admin_info |
| ivy_download_info |
| ivy_image_info |
| ivy_news_info |
| pre_common_addon |
| pre_common_admincp_cmenu |
| pre_common_admincp_group |
| pre_common_admincp_member |
| pre_common_admincp_perm |
| pre_common_admincp_session |
| pre_common_admingroup |
| pre_common_adminnote |
| pre_common_advertisement |
| pre_common_advertisement_custom |
| pre_common_banned |
| pre_common_block |
| pre_common_block_favorite |
| pre_common_block_item |
| pre_common_block_item_data |
| pre_common_block_permission |
| pre_common_block_pic |
| pre_common_block_style |
| pre_common_block_xml |
| pre_common_cache |
| pre_common_card |
| pre_common_card_log |
| pre_common_card_type |
| pre_common_credit_log |
| pre_common_credit_rule |
| pre_common_credit_rule_log |
| pre_common_credit_rule_log_field |
| pre_common_cron |
| pre_common_district |
| pre_common_diy_data |
| pre_common_domain |
| pre_common_failedlogin |
| pre_common_friendlink |
| pre_common_grouppm |
| pre_common_invite |
| pre_common_magic |
| pre_common_magiclog |
| pre_common_mailcron |
| pre_common_mailqueue |
| pre_common_member |
| pre_common_member_action_log |
| pre_common_member_connect |
| pre_common_member_count |
| pre_common_member_field_forum |
| pre_common_member_field_home |
| pre_common_member_grouppm |
| pre_common_member_log |
| pre_common_member_magic |
| pre_common_member_profile |
| pre_common_member_profile_setting |
| pre_common_member_security |
| pre_common_member_stat_field |
| pre_common_member_stat_fieldcache |
| pre_common_member_stat_search |
| pre_common_member_stat_searchcache |
| pre_common_member_status |
| pre_common_member_validate |
| pre_common_member_verify |
| pre_common_member_verify_info |
| pre_common_moderate |
| pre_common_myapp |
| pre_common_myinvite |
| pre_common_mytask |
| pre_common_nav |
| pre_common_onlinetime |
| pre_common_plugin |
| pre_common_pluginvar |
| pre_common_process |
| pre_common_regip |
| pre_common_relatedlink |
| pre_common_report |
| pre_common_searchindex |
| pre_common_secquestion |
| pre_common_session |
| pre_common_setting |
| pre_common_smiley |
| pre_common_sphinxcounter |
| pre_common_stat |
| pre_common_statuser |
| pre_common_style |
| pre_common_stylevar |
| pre_common_syscache |
| pre_common_tag |
| pre_common_tagitem |
| pre_common_task |
| pre_common_taskvar |
| pre_common_template |
| pre_common_template_block |
| pre_common_template_permission |
| pre_common_uin_black |
| pre_common_usergroup |
| pre_common_usergroup_field |
| pre_common_word |
| pre_common_word_type |
| pre_connect_feedlog |
| pre_connect_memberbindlog |
| pre_connect_tlog |
| pre_dsu_paulsign |
| pre_dsu_paulsignset |
| pre_forum_access |
| pre_forum_activity |
| pre_forum_activityapply |
| pre_forum_announcement |
| pre_forum_attachment |
| pre_forum_attachment_0 |
| pre_forum_attachment_1 |
| pre_forum_attachment_2 |
| pre_forum_attachment_3 |
| pre_forum_attachment_4 |
| pre_forum_attachment_5 |
| pre_forum_attachment_6 |
| pre_forum_attachment_7 |
| pre_forum_attachment_8 |
| pre_forum_attachment_9 |
| pre_forum_attachment_unused |
| pre_forum_attachtype |
| pre_forum_bbcode |
| pre_forum_creditslog |
| pre_forum_debate |
| pre_forum_debatepost |
| pre_forum_faq |
| pre_forum_forum |
| pre_forum_forum_threadtable |
| pre_forum_forumfield |
| pre_forum_forumrecommend |
| pre_forum_groupcreditslog |
| pre_forum_groupfield |
| pre_forum_groupinvite |
| pre_forum_grouplevel |
| pre_forum_groupranking |
| pre_forum_groupuser |
| pre_forum_imagetype |
| pre_forum_medal |
| pre_forum_medallog |
| pre_forum_memberrecommend |
| pre_forum_moderator |
| pre_forum_modwork |
| pre_forum_onlinelist |
| pre_forum_order |
| pre_forum_poll |
| pre_forum_polloption |
| pre_forum_pollvoter |
| pre_forum_post |
| pre_forum_post_tableid |
| pre_forum_postcomment |
| pre_forum_postlog |
| pre_forum_postposition |
| pre_forum_poststick |
| pre_forum_promotion |
| pre_forum_ratelog |
| pre_forum_relatedthread |
| pre_forum_replycredit |
| pre_forum_rsscache |
| pre_forum_spacecache |
| pre_forum_statlog |
| pre_forum_thread |
| pre_forum_threadclass |
| pre_forum_threadimage |
| pre_forum_threadlog |
| pre_forum_threadmod |
| pre_forum_threadpartake |
| pre_forum_threadrush |
| pre_forum_threadtype |
| pre_forum_trade |
| pre_forum_tradecomment |
| pre_forum_tradelog |
| pre_forum_typeoption |
| pre_forum_typeoptionvar |
| pre_forum_typevar |
| pre_forum_warning |
| pre_home_album |
| pre_home_album_category |
| pre_home_appcreditlog |
| pre_home_blacklist |
| pre_home_blog |
| pre_home_blog_category |
| pre_home_blogfield |
| pre_home_class |
| pre_home_click |
| pre_home_clickuser |
| pre_home_comment |
| pre_home_docomment |
| pre_home_doing |
| pre_home_favorite |
| pre_home_feed |
| pre_home_feed_app |
| pre_home_friend |
| pre_home_friend_request |
| pre_home_friendlog |
| pre_home_notification |
| pre_home_pic |
| pre_home_picfield |
| pre_home_poke |
| pre_home_pokearchive |
| pre_home_share |
| pre_home_show |
| pre_home_specialuser |
| pre_home_userapp |
| pre_home_userappfield |
| pre_home_visitor |
| pre_portal_article_content |
| pre_portal_article_count |
| pre_portal_article_related |
| pre_portal_article_title |
| pre_portal_article_trash |
| pre_portal_attachment |
| pre_portal_category |
| pre_portal_category_permission |
| pre_portal_comment |
| pre_portal_rsscache |
| pre_portal_topic |
| pre_portal_topic_pic |
| pre_ucenter_admins |
| pre_ucenter_applications |
| pre_ucenter_badwords |
| pre_ucenter_domains |
| pre_ucenter_failedlogins |
| pre_ucenter_feeds |
| pre_ucenter_friends |
| pre_ucenter_mailqueue |
| pre_ucenter_memberfields |
| pre_ucenter_members |
| pre_ucenter_mergemembers |
| pre_ucenter_newpm |
| pre_ucenter_notelist |
| pre_ucenter_pm_indexes |
| pre_ucenter_pm_lists |
| pre_ucenter_pm_members |
| pre_ucenter_pm_messages_0 |
| pre_ucenter_pm_messages_1 |
| pre_ucenter_pm_messages_2 |
| pre_ucenter_pm_messages_3 |
| pre_ucenter_pm_messages_4 |
| pre_ucenter_pm_messages_5 |
| pre_ucenter_pm_messages_6 |
| pre_ucenter_pm_messages_7 |
| pre_ucenter_pm_messages_8 |
| pre_ucenter_pm_messages_9 |
| pre_ucenter_protectedmembers |
| pre_ucenter_settings |
| pre_ucenter_sqlcache |
| pre_ucenter_tags |
| pre_ucenter_vars |
| pre_xwb_bind_info |
| pre_xwb_bind_thread |
| pre_xwb_session |
| temp2 |
| temp3 |
| test2 |
| ty_access |
| ty_adlink |
| ty_admin |
| ty_application |
| ty_article |
| ty_asort |
| ty_card_info |
| ty_card_log |
| ty_charge |
| ty_city |
| ty_comment |
| ty_county |
| ty_deli_pay |
| ty_delive |
| ty_departments |
| ty_depletion |
| ty_dictionary |
| ty_down_info |
| ty_elec_coupon |
| ty_formodels |
| ty_help |
| ty_inventory |
| ty_job |
| ty_logistics |
| ty_mobile_info |
| ty_node |
| ty_notice |
| ty_order |
| ty_order_detail |
| ty_order_info |
| ty_order_log |
| ty_orderinfo_log |
| ty_ordetail |
| ty_product |
| ty_products_income |
| ty_promotion |
| ty_property |
| ty_propertyval |
| ty_province |
| ty_recommend |
| ty_refund |
| ty_resetpwd |
| ty_role |
| ty_role_user |
| ty_shop |
| ty_shouce_info |
| ty_sort |
| ty_spec |
| ty_syslog |
| ty_tech_cat |
| ty_type |
| ty_typeval |
| ty_uploadimg |
| ty_user |
| ty_user_info |
| ty_user_login |
| ty_user_points |
| ty_user_pointslog |
| ty_video_info |
| ty_xchg_order |
| ty_xchg_order_detail |
| udf_temp |
+---------------------------------------+
Database: information_schema
[54 tables]
+---------------------------------------+
| CHARACTER_SETS |
| CLIENT_STATISTICS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_TEMPORARY_TABLES |
| GLOBAL_VARIABLES |
| INDEX_STATISTICS |
| INNODB_BUFFER_POOL_PAGES |
| INNODB_BUFFER_POOL_PAGES_BLOB |
| INNODB_BUFFER_POOL_PAGES_INDEX |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_RESET |
| INNODB_INDEX_STATS |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_RSEG |
| INNODB_SYS_INDEXES |
| INNODB_SYS_STATS |
| INNODB_SYS_TABLES |
| INNODB_TABLE_STATS |
| INNODB_TRX |
| KEY_COLUMN_USAGE |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| QUERY_RESPONSE_TIME |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TABLE_STATISTICS |
| TEMPORARY_TABLES |
| THREAD_STATISTICS |
| TRIGGERS |
| USER_PRIVILEGES |
| USER_STATISTICS |
| VIEWS |
| XTRADB_ADMIN_COMMAND |
| XTRADB_ENHANCEMENTS |
+---------------------------------------+

修复方案:

改吧

版权声明:转载请注明来源 zhk@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2012-08-29 23:54

厂商回复:

CNVD确认漏洞情况(未直接复现支付漏洞,复现SQL注入情况),已由CNVD直接联系网站管理方进行处置。
按丙个漏洞累计计分,其中,SQL注入按完全影响机密性进行评分,支付漏洞按部分影响完整性、可用性进行评分,rank=7.79*1.0*1.0+6.42*1.0*1.2=15.494

最新状态:

暂无