2014-05-03: Details sent to the vendor, awaiting vendor processing
2014-05-04: Vendor has confirmed; details disclosed to the vendor only
2014-05-14: Details disclosed to core white hats and relevant domain experts
2014-05-24: Details disclosed to regular white hats
2014-06-03: Details disclosed to intern white hats
2014-06-17: Details disclosed to the public
#1. A fairly important part of Weimob has a SQL injection.
www.weimob.com/snsmobile?id=1472&v=555c3efd5c1f6c44004dda76628f25f9&pid=95967&wechat_id=fromUsername
Injection parameter: pid
There are a large number of databases and cross-database queries are possible; the impact is the same as in "WooYun: A domestic WeChat marketing platform management system has a vulnerability (hundreds of thousands of merchant account details, financial data, reports and other data at risk)".
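To make the bug class concrete, here is an added example (not code from this report or from Weimob) contrasting the pattern the report implies, a raw `pid` query-string value spliced into SQL, with a hardened lookup that validates `pid` as an integer and binds it as a parameter. The in-memory schema, its rows, the probe string and the function names are all constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the merchant database; the table and
    # column names are assumptions made for this example, not the real schema.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE t_wm_business (pid INTEGER PRIMARY KEY, name TEXT, bank_account TEXT);
        INSERT INTO t_wm_business VALUES (95967, 'shop-a', 'ACCT-CONSTRUCTED-1');
        INSERT INTO t_wm_business VALUES (95968, 'shop-b', 'ACCT-CONSTRUCTED-2');
        INSERT INTO t_wm_business VALUES (95969, 'shop-c', 'ACCT-CONSTRUCTED-3');
    """)
    return conn


def lookup_vulnerable(conn, pid):
    # The pattern the report implies: the query-string value is concatenated
    # straight into the statement, so its text becomes part of the SQL.
    sql = "SELECT name FROM t_wm_business WHERE pid = " + pid
    return [row[0] for row in conn.execute(sql)]


def parse_pid(raw):
    # Whitelist validation: pid is an unsigned integer column, so accept only
    # a short run of decimal digits and reject anything else before SQL runs.
    if not raw.isdigit() or len(raw) > 10:
        raise ValueError("pid must be a decimal integer")
    return int(raw)


def lookup_hardened(conn, pid):
    # Bound parameter: the driver passes the value separately from the
    # statement text, so it can only ever be compared as a number.
    sql = "SELECT name FROM t_wm_business WHERE pid = ?"
    return [row[0] for row in conn.execute(sql, (parse_pid(pid),))]


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "95967"))          # the one matching shop
    print(lookup_vulnerable(db, "95967 OR 1=1"))   # every shop: the injection
    print(lookup_hardened(db, "95967"))            # the one matching shop
    try:
        lookup_hardened(db, "95967 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The tautology probe is the textbook illustration of the class; the point for a defender is that the hardened path never lets the value reach the SQL parser at all.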
#2. The main database, with 420 tables:
#3. There are far too many tables, so to demonstrate the impact I will not go through the data in each one; instead, here is a rough translation of what the tables mean, i.e. roughly what they store:
A simple Baidu translation of the table names shows how much important information is stored (Baidu's translation is not very accurate).
Let's look at one at random ~
Table: funds_bill [21 columns]
+-------------------+----------------------+
| Column            | Type                 |
+-------------------+----------------------+
| admin_user_id     | int(10) unsigned     |
| admin_user_name   | varchar(30)          |
| amount            | decimal(10,2)        |
| bank              | varchar(100)         |
| bank_account      | varchar(100)         |
| created_time      | timestamp            |
| currency          | varchar(10)          |
| id                | int(10) unsigned     |
| memo              | text                 |
| order_id          | int(10) unsigned     |
| order_sn          | varchar(50)          |
| pay_account       | varchar(100)         |
| pay_bank          | varchar(100)         |
| pay_sub_bank      | varchar(100)         |
| payment_type_id   | smallint(5) unsigned |
| payment_type_name | varchar(100)         |
| status            | tinyint(1) unsigned  |
| third_id          | varchar(255)         |
| update_time       | timestamp            |
| user_id           | int(10) unsigned     |
| user_name         | varchar(50)          |
+-------------------+----------------------+
Translate that and it is truly frightening; we had better not dump it.
#4. All sorts of administrator accounts and passwords. Decrypting them costs money, and once decrypted they could be used to log in to the back end and manage merchants, as in: WooYun: A domestic WeChat marketing platform management system has a vulnerability (hundreds of thousands of merchant account details, financial data, reports and other data at risk)
PS: WooYun's review process only routes a vulnerability through the large-vendor process (shown on the front page) when the impact is judged to be very large; if you only prove that a SQL injection exists it is classified as a small vendor, at 1/5 of the rank. So, to prove that the impact is very serious, I spent most of a day going through tables to dig out a little sensitive information as evidence, which is why the sensitive information mentioned above exists. But I did not dump the database, did not perform any malicious operations on it, did not maliciously insert, delete, query, modify or download anything, and everything retrieved through the injection has been deleted and not retained. A white hat does not do anything unethical, so please do not send the police across provinces; please fix the vulnerability with confidence. I would also like to ask for a rank of 20.
Severity: High
Vulnerability Rank: 20
Confirmed at: 2014-05-04 22:05
Thank you for your valuable feedback on our system; the vulnerability has been fixed.
None