
Vulnerability summary

Defect ID: wooyun-2015-0124553

Title: SQL injection on an important subsite of China National Geographic (dili360) exposes over a million user records and administrator information

Vendor: China National Geographic (dili360.com)

Author: 路人甲

Submitted: 2015-07-13 13:57

Fixed: 2015-08-31 15:20

Published: 2015-08-31 15:20

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: handed to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-07-13: Details reported to the vendor, awaiting vendor response
2015-07-17: Vendor confirmed; details disclosed to the vendor only
2015-07-27: Details disclosed to core white hats and relevant domain experts
2015-08-06: Details disclosed to regular white hats
2015-08-16: Details disclosed to intern white hats
2015-08-31: Details disclosed to the public

Brief description:

Since I have decided to stay on WooYun, I am submitting vulnerabilities exclusively to WooYun. I checked for duplicates on both WooYun and Butian and found none. The vendor is already registered on Butian and has fixed vulnerabilities there, so I hope you will actively contact them. With this data volume [1164193], submitting it to Butian might have meant an RMB reward, but white hats have their principles.

Detailed description:

Injection point: download.dili360.com/?act=download&vid=2
sqlmap screenshot:

[screenshot: 1.png]


Database information; sensitive table names such as admin, user and member are visible:
Database: cngcms
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| cms_member_mag | 1164193 |
| cms_order | 313875 |
| cms_channel_active | 254406 |
| cms_ios_devicetoken | 234958 |
| cms_order_action | 121197 |
| cms_posts_favorit | 107882 |
| cms_posts_pic_keyworditem | 104806 |
| cms_android_msg_log | 97186 |
| cms_posts_pic | 92873 |
| cms_tp_index | 58357 |
| cms_writer_item | 57812 |
| cms_activate_stat | 39052 |
| cms_tag_post | 38970 |
| cms_contribute_pic | 36161 |
| cms_api_request | 32756 |
| cms_keywords_item | 27944 |
| cms_channel_mag | 18716 |
| cms_keywords | 17710 |
| cms_iap_hacklog | 16298 |
| cms_tag | 13979 |
| cms_posts_pic_keyword | 13511 |
| cms_iap_log | 11657 |
| cms_posts_content | 11357 |
| cms_posts_info | 11357 |
| cms_editor_item | 10215 |
| cms_posts_format | 9817 |
| cms_contribute | 9537 |
| cms_coordinate_posts | 9143 |
| cms_writer | 7419 |
| cms_coordinate | 6958 |
| cms_gallery_pic | 5590 |
| cms_author | 4116 |
| cms_user_profile | 3340 |
| cms_comment | 2117 |
| cms_posts_like | 1962 |
| cms_site_feedback | 1551 |
| cms_member_syncmag | 1509 |
| cms_map | 1475 |
| cms_feedback | 1400 |
| cms_event_qrcode_log | 1091 |
| cms_comment_sub | 907 |
| cms_coordinate_tmp | 868 |
| cms_top | 842 |
| cms_event_qrcode | 836 |
| cms_event_qrcode_mag | 825 |
| cms_author_cate | 778 |
| cms_mag_focus | 774 |
| cms_homepage_posts | 772 |
| cms_pic_tag_union | 583 |
| cms_posts_pic_download | 559 |
| cms_padpic_tag_union | 534 |
| cms_tag_post_author | 481 |
| cms_mag_info | 477 |
| cms_gallery | 465 |
| cms_pic_tag | 464 |
| cms_padpic | 461 |
| cms_padpic_tag | 447 |
| cms_qrcode | 440 |
| cms_focus_pic | 427 |
| cms_friendlink | 418 |
| cms_pic | 411 |
| cms_mag_tmp | 394 |
| cms_focustg_pic | 365 |
| cms_vip_info | 344 |
| cms_map_district | 304 |
| cms_coordinate_pics | 303 |
| cms_posts_pic_group | 302 |
| cms_coordinate_padpics | 258 |
| cms_start | 175 |
| cms_editor | 160 |
| cms_comment_like | 149 |
| cms_admin_menu | 90 |
| cms_topic | 83 |
| cms_cng_pic | 82 |
| cms_tag_count | 82 |
| cms_news_pic | 75 |
| cms_admin | 66 |
| cms_focus | 66 |
| cms_news | 62 |
| cms_focustg | 55 |
| cms_aiap_log | 49 |
| cms_channel | 49 |
| cms_hd_user | 44 |
| cms_news_format | 37 |
| cms_ver | 33 |
| cms_tp_user | 32 |
| cms_tp_tag | 27 |
| cms_event_log | 25 |
| cms_sight_column | 24 |
| cms_tp_download_queue | 21 |
| cms_mag_cate | 17 |
| cms_goods_order | 14 |
| cms_homepage_data | 14 |
| cms_video | 13 |
| cms_contribute_notice | 11 |
| cms_tp_menu | 11 |
| cms_message | 10 |
| cms_cng_history | 8 |
| cms_tp_department | 8 |
| cms_admin_role | 7 |
| cms_channel_model | 7 |
| cms_sight_pic | 7 |
| cms_style | 7 |
| cms_vip_batch | 7 |
| cms_news_cate | 6 |
| cms_join | 5 |
| cms_goods_img | 4 |
| cms_event_focus | 3 |
| cms_tp_role | 3 |
| cms_discount | 2 |
| cms_goods_info | 2 |
| cms_js | 2 |
| cms_tp_company | 2 |
| cms_author_editor | 1 |
| cms_event_list | 1 |
| cms_goods_merchant | 1 |
| cms_mag_ad | 1 |
| cms_sight | 1 |
| cms_wx | 1 |
+---------------------------------------+---------+
Database: cngcms_test
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| cms_activate_log | 9716485 |
| cms_activate_log2 | 4134714 |
| cms_activate_log3 | 3383609 |
| cms_activate_log1 | 2198162 |
| `cms_posts_pic-20141123` | 83545 |
| cms_tag_post2014 | 28958 |
| cms_www_tag_post | 28928 |
| cms_www_tag_post_bak_2014_5_22 | 28926 |
| cms_channel_mag_20141023 | 18473 |
| cms_contribute_pic | 17639 |
| cms_posts_pic | 17343 |
| cms_tag2014 | 15425 |
| cms_www_cate_tag | 15376 |
| `cms_www_cate_tag_bak_2013-12-24` | 14845 |
| `cms_www_cate_tag_bak_2013-12-3` | 14832 |
| cms_member_mag | 12497 |
| `cms_www_cate_tag_bak_2013-11-27` | 11691 |
| cms_posts_info | 11093 |
| cms_posts_info_bak | 9802 |
| cms_posts_content | 9730 |
| cms_author | 5632 |
| cms_author2014 | 5632 |
| cms_order | 5416 |
| cms_www_tag | 4845 |
| cms_contribute | 4135 |
| cms_channel_mag | 3465 |
| cms_channel_active | 2818 |
| cms_posts_favorit | 2275 |
| cms_coordinate_posts | 1935 |
| cms_coordinate | 1604 |
| cms_order_action | 1038 |
| cms_mag_focus | 718 |
| cms_padpic_tag_union | 472 |
| cms_mag_info | 451 |
| `cms_mag_info-20140919` | 448 |
| cms_padpic_tag | 405 |
| cms_padpic | 400 |
| cms_coordinate_tmp | 375 |
| cms_iap_log | 341 |
| cms_focus_pic | 217 |
| cms_focustg_pic | 189 |
| cms_mag_info_bak | 156 |
| cms_homepage_posts | 140 |
| cms_news_pic | 108 |
| cms_api_request | 64 |
| cms_admin_menu | 62 |
| cms_coordinate_pics | 58 |
| cms_coordinate_padpics | 53 |
| cms_topic | 49 |
| cms_channel_20141023 | 48 |
| cms_feedback | 48 |
| cms_posts_format | 40 |
| cms_admin | 37 |
| cms_news | 31 |
| cms_channel | 27 |
| cms_ios_devicetoken | 23 |
| cms_qrcode | 18 |
| cms_top | 16 |
| cms_ver | 14 |
| cms_posts_pic_group | 10 |
| cms_news_cate | 6 |
| cms_style | 6 |
| cms_admin_role | 5 |
| cms_goods_img | 5 |
| cms_mag_cate | 5 |
| cms_start | 5 |
| cms_channel_model | 4 |
| cms_discount | 2 |
| cms_js | 2 |
| cms_news_format | 2 |
| cms_vip_info | 2 |
| cms_goods_info | 1 |
| cms_goods_merchant | 1 |
| cms_vip_batch | 1 |
+---------------------------------------+---------+
Database: scenic
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| sc_photo | 19287 |
| sc_view_point_click | 11707 |
| sc_user_point | 6991 |
| sc_zuimei | 2547 |
| sc_user_point_favour | 1253 |
| sc_view_point | 881 |
| sc_comment | 806 |
| sc_zuimei_bak | 119 |
| sc_refer | 52 |
| sc_view_point_favour | 30 |
| sc_index_select | 12 |
| sc_week_select | 9 |
| sc_zuimei_week | 9 |
| sc_admin_menu | 7 |
| sc_admin_mani | 4 |
| sc_admin | 2 |
| sc_admin_power | 2 |
| sc_admin_role | 2 |
| sc_admin_user | 2 |
| sc_about | 1 |
| sc_zuimei_about | 1 |
+---------------------------------------+---------+
Database: jeepapp
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| jp_user | 878 |
| jp_poi | 794 |
| jp_poi_route | 768 |
| jp_pic | 308 |
| jp_userpoi | 304 |
| jp_route | 50 |
| map_scene | 35 |
| jp_admin_menu | 11 |
| jp_top_pic | 4 |
| jp_admin_role | 2 |
| jp_admin | 1 |
| jp_info | 1 |
| jp_ver | 1 |
+---------------------------------------+---------+
Database: download
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| down_stats | 960592 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 2393 |
| STATISTICS | 529 |
| TABLES | 265 |
| KEY_COLUMN_USAGE | 259 |
| TABLE_CONSTRAINTS | 241 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 126 |
| COLLATIONS | 126 |
| SCHEMA_PRIVILEGES | 65 |
| CHARACTER_SETS | 36 |
| SCHEMATA | 6 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+

Proof of vulnerability:

(Identical to the injection point and table listing given in the detailed description above.)

Fix plan:
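
The report leaves the fix section empty. What follows is an added example, not code from the report, from WooYun or from the site's operators; it assumes nothing about the real application. A hypothetical `video` table in an in-memory SQLite database stands in for whatever backs `act=download&vid=`. The example contrasts the string-concatenation pattern that produces this class of bug with an integer-validated, parameterized query, and adds a small access-log check (over constructed log lines) that flags `vid` values which are not plain integers, which is the kind of request a numeric-id endpoint should never see.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Policy for a numeric id parameter: 1-9 decimal digits, nothing else.
VID_PATTERN = re.compile(r"[0-9]{1,9}")


def make_db():
    """Constructed sample data (hypothetical schema, not the site's real tables)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE video (vid INTEGER PRIMARY KEY, title TEXT, file_path TEXT)"
    )
    conn.executemany(
        "INSERT INTO video VALUES (?, ?, ?)",
        [
            (1, "Glacier survey", "/files/v1.mp4"),
            (2, "Desert dunes", "/files/v2.mp4"),
            (3, "Coastal wetlands", "/files/v3.mp4"),
        ],
    )
    return conn


def vulnerable_download(conn, vid):
    """The anti-pattern behind the report: the raw query-string value is spliced into SQL.
    Anything other than a bare integer changes the meaning of the statement."""
    sql = "SELECT title, file_path FROM video WHERE vid = " + vid
    return conn.execute(sql).fetchall()


class BadRequest(ValueError):
    """Raised for input that fails validation; the web layer would map this to HTTP 400."""


def safe_download(conn, vid):
    """Hardened handler: validate the id as a bounded integer, then bind it as a parameter.
    Either measure alone would stop the injection; together they also give a clean
    rejection path for malformed requests."""
    if not VID_PATTERN.fullmatch(vid):
        raise BadRequest("vid must be a positive integer")
    sql = "SELECT title, file_path FROM video WHERE vid = ?"
    return conn.execute(sql, (int(vid),)).fetchall()


# Constructed access-log lines in a common-log-like format (addresses from RFC 5737 ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Jul/2015:13:57:01 +0800] "GET /?act=download&vid=2 HTTP/1.1" 200',
    '203.0.113.5 - - [13/Jul/2015:13:57:02 +0800] "GET /?act=download&vid=2%20AND%201%3D1 HTTP/1.1" 200',
    '198.51.100.7 - - [13/Jul/2015:13:58:10 +0800] "GET /?act=download&vid=17 HTTP/1.1" 200',
]

REQUEST_RE = re.compile(r'"GET (\S+) HTTP/1\.[01]"')


def flag_nonnumeric_vid(log_lines):
    """Detection: return (client, decoded vid) for every request whose vid is not a plain
    integer. A numeric-id endpoint receiving anything else is worth alerting on."""
    flagged = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query)
        for value in params.get("vid", []):
            if not VID_PATTERN.fullmatch(value):
                flagged.append((line.split()[0], value))
    return flagged


if __name__ == "__main__":
    db = make_db()
    print("safe, vid=2:", safe_download(db, "2"))
    try:
        safe_download(db, "2 OR 1=1")
    except BadRequest as exc:
        print("safe, malformed vid rejected:", exc)
    print("flagged requests:", flag_nonnumeric_vid(SAMPLE_LOG))
```

The validation step is deliberately a whitelist on the value's shape rather than a blacklist of SQL keywords; the parameter binding is what actually removes the injection, and the regex gives the handler a well-defined way to refuse input that should never reach the database at all.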

Copyright notice: please credit 路人甲@WooYun when reposting.


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability rank: 9

Confirmed at: 2015-07-17 15:19

Vendor reply:

CNVD confirmed and reproduced the described issue; it has been forwarded via CNCERT to the Chinese Academy of Sciences, which will coordinate handling with the website's administration department.

Latest status:

None yet