当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0160683

漏洞标题:香港海港锦鲤集团主站SQL注入(导致泄露用户alipay,paypal,5000多账号密码邮箱等信息)(香港地區)

相关厂商:香港海港锦鲤集团

漏洞作者: 路人甲

提交时间:2015-12-14 13:24

修复时间:2016-01-28 17:10

公开时间:2016-01-28 17:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-14: 细节已通知厂商并且等待厂商处理中
2015-12-18: 厂商已经确认,细节仅向厂商公开
2015-12-28: 细节向核心白帽子及相关领域专家公开
2016-01-07: 细节向普通白帽子公开
2016-01-17: 细节向实习白帽子公开
2016-01-28: 细节向公众公开

简要描述:

如题,未对SQL注入做任何防护,也有一部分可能已被黑阔脱裤

详细说明:

看一下,挺大的站呀

site.png


可是某个存在注入的页面和payload貌似被百度抓取下来了,直接可以访问证明:

init.png


因此可Union查询回显数据

漏洞证明:

sqlmap抽掉了,所以手注搞起
数据库:

dbs.png


koi_db的表名:

db1_table.png


即:

koi_db:
[+] activation
[+] address_name
[+] address_province
[+] adv
[+] alipay
[+] anwser
[+] banner
[+] banner_old
[+] banner_tmp
[+] banner_tmp_old
[+] bid
[+] bid_action
[+] bid_image
[+] bid_temp
[+] bid_title
[+] bid_title_old
[+] calendar
[+] category
[+] diary
[+] edm_campaign
[+] game
[+] game_content
[+] game_score
[+] game_score_content
[+] gift
[+] gift_action
[+] internal_photo
[+] internal_photo_content
[+] knowledge
[+] location
[+] mem_temp
[+] member
[+] news
[+] paypal_bid
[+] paypal_cart_info
[+] paypal_payment_info
[+] point_history
[+] product
[+] product_image
[+] question
[+] salesorder
[+] salesorder_items
[+] sc_main
[+] sc_users
[+] sms_verify
[+] staff
[+] table_forum
[+] table_log
[+] user_login
[+] votevideo
[+] votevideo_title
[+] votevideo_type
[+] votevideoact
[+] votevideoact_bak_20131129
[+] votevideoact_bak_20141229


类似可以得到其他数据库的表名:

koishop:
[+] wp_commentmeta
[+] wp_comments
[+] wp_formbuilder_fields
[+] wp_formbuilder_forms
[+] wp_formbuilder_pages
[+] wp_formbuilder_responses
[+] wp_formbuilder_results
[+] wp_formbuilder_tags
[+] wp_icl_content_status
[+] wp_icl_core_status
[+] wp_icl_currencies
[+] wp_icl_flags
[+] wp_icl_languages
[+] wp_icl_languages_translations
[+] wp_icl_locale_map
[+] wp_icl_message_status
[+] wp_icl_node
[+] wp_icl_reminders
[+] wp_icl_string_positions
[+] wp_icl_string_status
[+] wp_icl_string_translations
[+] wp_icl_strings
[+] wp_icl_translate
[+] wp_icl_translate_job
[+] wp_icl_translation_status
[+] wp_icl_translations
[+] wp_links
[+] wp_options
[+] wp_postmeta
[+] wp_posts
[+] wp_pronamic_ideal_configurations
[+] wp_pronamic_ideal_payments
[+] wp_term_relationships
[+] wp_term_taxonomy
[+] wp_terms
[+] wp_usermeta
[+] wp_users
[+] wp_vs_current_online_users
[+] wp_vs_overall_counter
[+] wp_woocommerce_attribute_taxonomies
[+] wp_woocommerce_downloadable_product_permissions
[+] wp_woocommerce_shipping_table_rates
[+] wp_woocommerce_shipping_zone_locations
[+] wp_woocommerce_shipping_zone_shipping_methods
[+] wp_woocommerce_shipping_zones
[+] wp_woocommerce_termmeta
pennydb:
[+] accounts
[+] addresses
[+] affiliate_codes
[+] affiliates
[+] answers
[+] auction_emails
[+] auctions
[+] autobids
[+] bidbutlers
[+] bids
[+] categories
[+] countries
[+] coupon_types
[+] coupons
[+] credits
[+] currencies
[+] departments
[+] genders
[+] image_defaults
[+] images
[+] integrals
[+] languages
[+] limits
[+] managers
[+] members
[+] messages
[+] news
[+] newsletters
[+] orders
[+] package_points
[+] packages
[+] pages
[+] points
[+] products
[+] questions
[+] referrals
[+] reminders
[+] rewards
[+] setting_increments
[+] settings
[+] smartbids
[+] sources
[+] statuses
[+] translations
[+] users
[+] watchlists


推断可能是三个站点的数据都在这里了,下面再看一下列信息:

koi_db:
[-] alipay
[+] trade_no
[+] paydate
[+] out_trade_no
[+] price
[+] subject
[+] body
[+] buyer_email
[+] receive_name
[+] receive_address
[+] receive_zip
[+] receive_phone
[+] receive_mobile
[+] trade_status
[+] trade_flag
[-] paypal_payment_info
[+] firstname
[+] lastname
[+] buyer_email
[+] street
[+] city
[+] state
[+] zipcode
[+] memo
[+] itemname
[+] itemnumber
[+] os0
[+] on0
[+] os1
[+] on1
[+] quantity
[+] paymentdate
[+] paymenttype
[+] txnid
[+] mc_gross
[+] mc_fee
[+] paymentstatus
[+] pendingreason
[+] txntype
[+] tax
[+] mc_currency
[+] mc_shipping
[+] reasoncode
[+] custom
[+] country
[+] datecreation
koishop:
[-] wp_users
[+] ID
[+] user_login
[+] user_pass
[+] user_nicename
[+] user_email
[+] user_url
[+] user_registered
[+] user_activation_key
[+] user_status
[+] display_name
pennydb:
[-] users
[+] id
[+] username
[+] password
[+] first_name
[+] last_name
[+] mobile
[+] date_of_birth
[+] gender_id
[+] email
[+] active
[+] key
[+] newsletter
[+] admin
[+] autobidder
[+] source_id
[+] source_extra
[+] tax_number
[+] phone_number
[+] bid_balance
[+] ip
[+] created
[+] modified
[+] sms_verified
[+] mem_active
[+] total_point
[+] mem_block
[+] mem_del
[+] total_cash_coupon
[+] mem_address
[+] USER
[+] CURRENT_CONNECTIONS
[+] TOTAL_CONNECTIONS


以上可以看出有alipay,paypal,用户账号密码邮箱和手机号等信息,下面给出截图验证一下:

pennydb.userdemo.png


pennydb_usersdemo3.png


koishop_wp_usersdemo2.png

修复方案:

设置过滤策略,提醒管理员及用户及时更换密码(因为百度就直接出来带union的页面了)

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2015-12-18 11:05

厂商回复:

Referred to related parties.

最新状态:

暂无

漏洞评价:

评价