当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-059290

漏洞标题:微盟主站SQL注入可至大量信息泄漏

相关厂商:weimob.com

漏洞作者: U神

提交时间:2014-05-03 20:50

修复时间:2014-06-17 20:51

公开时间:2014-06-17 20:51

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-05-03: 细节已通知厂商并且等待厂商处理中
2014-05-04: 厂商已经确认,细节仅向厂商公开
2014-05-14: 细节向核心白帽子及相关领域专家公开
2014-05-24: 细节向普通白帽子公开
2014-06-03: 细节向实习白帽子公开
2014-06-17: 细节向公众公开

简要描述:

详细说明:

#1.微盟一个比较主要的地方存在SQL注入。

www.weimob.com/snsmobile?id=1472&v=555c3efd5c1f6c44004dda76628f25f9&pid=95967&wechat_id=fromUsername


注入参数:

pid


大量数据库,可跨裤查询,危害与" WooYun: 国内某微信营销平台管理系统存在漏洞(几十万商家账户信息、财务、报表等数据不保) "一致


01.jpg


#2.最主要的数据库,420个表:

Database: d_wm_wechat
[420 tables]
+---------------------------------------+
| funds_bill                            |
| funds_bill                            |
| t_wm_activity_sncode                  |
| t_wm_activity_sncode                  |
| t_wm_activity_users                   |
| t_wm_activity_users                   |
| t_wm_admin                            |
| t_wm_admin                            |
| t_wm_agent                            |
| t_wm_agent                            |
| t_wm_albums                           |
| t_wm_albums                           |
| t_wm_albums_pic                       |
| t_wm_albums_pic                       |
| t_wm_announce                         |
| t_wm_announce                         |
| t_wm_app_config                       |
| t_wm_app_config                       |
| t_wm_big_wheel                        |
| t_wm_big_wheel                        |
| t_wm_bindlog                          |
| t_wm_bindlog                          |
| t_wm_business                         |
| t_wm_business                         |
| t_wm_busness_login_log                |
| t_wm_busness_login_log                |
| t_wm_car_brand                        |
| t_wm_car_brand                        |
| t_wm_car_case                         |
| t_wm_car_case                         |
| t_wm_car_case_custom                  |
| t_wm_car_case_custom                  |
| t_wm_car_model                        |
| t_wm_car_model                        |
| t_wm_car_picfull                      |
| t_wm_car_picfull                      |
| t_wm_car_reserve                      |
| t_wm_car_reserve                      |
| t_wm_car_reserve_custom               |
| t_wm_car_reserve_custom               |
| t_wm_car_sell                         |
| t_wm_car_sell                         |
| t_wm_car_series                       |
| t_wm_car_series                       |
| t_wm_car_set                          |
| t_wm_car_set                          |
| t_wm_car_tool                         |
| t_wm_car_tool                         |
| t_wm_card_info                        |
| t_wm_card_info                        |
| t_wm_card_manager                     |
| t_wm_card_manager                     |
| t_wm_cardcare                         |
| t_wm_cardcare                         |
| t_wm_cardsent                         |
| t_wm_cardsent                         |
| t_wm_channel                          |
| t_wm_channel                          |
| t_wm_channel_type                     |
| t_wm_channel_type                     |
| t_wm_consume                          |
| t_wm_consume                          |
| t_wm_coupons                          |
| t_wm_coupons                          |
| t_wm_current_city_region              |
| t_wm_current_city_region              |
| t_wm_custom_keyword                   |
| t_wm_custom_keyword                   |
| t_wm_custom_menu                      |
| t_wm_custom_menu                      |
| t_wm_custom_reply_lbs                 |
| t_wm_custom_reply_lbs                 |
| t_wm_custom_reply_music               |
| t_wm_custom_reply_music               |
| t_wm_custom_reply_news                |
| t_wm_custom_reply_news                |
| t_wm_custom_reply_text                |
| t_wm_custom_reply_text                |
| t_wm_email_log                        |
| t_wm_email_log                        |
| t_wm_email_send_queue                 |
| t_wm_email_send_queue                 |
| t_wm_estate_album                     |
| t_wm_estate_album                     |
| t_wm_estate_category                  |
| t_wm_estate_category                  |
| t_wm_estate_expert                    |
| t_wm_estate_expert                    |
| t_wm_estate_house                     |
| t_wm_estate_house                     |
| t_wm_estate_impress_system            |
| t_wm_estate_impress_system            |
| t_wm_estate_impress_user              |
| t_wm_estate_impress_user              |
| t_wm_estate_picfull                   |
| t_wm_estate_picfull                   |
| t_wm_estate_set                       |
| t_wm_estate_set                       |
| t_wm_exam                             |
| t_wm_exam                             |
| t_wm_exam_question                    |
| t_wm_exam_question                    |
| t_wm_exam_sncode                      |
| t_wm_exam_sncode                      |
| t_wm_exam_test                        |
| t_wm_exam_test                        |
| t_wm_exam_users                       |
| t_wm_exam_users                       |
| t_wm_exam_users_logs                  |
| t_wm_exam_users_logs                  |
| t_wm_festival_activity                |
| t_wm_festival_activity                |
| t_wm_festival_user                    |
| t_wm_festival_user                    |
| t_wm_food_class                       |
| t_wm_food_class                       |
| t_wm_food_combo                       |
| t_wm_food_combo                       |
| t_wm_food_dishes                      |
| t_wm_food_dishes                      |
| t_wm_food_like                        |
| t_wm_food_like                        |
| t_wm_food_order                       |
| t_wm_food_order                       |
| t_wm_food_table                       |
| t_wm_food_table                       |
| t_wm_food_tags                        |
| t_wm_food_tags                        |
| t_wm_grade                            |
| t_wm_grade                            |
| t_wm_hotel                            |
| t_wm_hotel                            |
| t_wm_hotel_order                      |
| t_wm_hotel_order                      |
| t_wm_hotel_room                       |
| t_wm_hotel_room                       |
| t_wm_invite_code                      |
| t_wm_invite_code                      |
| t_wm_ip                               |
| t_wm_ip                               |
| t_wm_log_member_coupons               |
| t_wm_log_member_coupons               |
| t_wm_logskeyword                      |
| t_wm_logskeyword                      |
| t_wm_logsscore                        |
| t_wm_logsscore                        |
| t_wm_lotteryticket                    |
| t_wm_lotteryticket                    |
| t_wm_market                           |
| t_wm_market                           |
| t_wm_market_business_base             |
| t_wm_market_business_base             |
| t_wm_market_business_info             |
| t_wm_market_business_info             |
| t_wm_market_business_privilege        |
| t_wm_market_business_privilege        |
| t_wm_market_business_shop             |
| t_wm_market_business_shop             |
| t_wm_market_business_tiny             |
| t_wm_market_business_tiny             |
| t_wm_market_business_vip              |
| t_wm_market_business_vip              |
| t_wm_market_class                     |
| t_wm_market_class                     |
| t_wm_market_member                    |
| t_wm_market_member                    |
| t_wm_mcard                            |
| t_wm_mcard                            |
| t_wm_mcardreceive                     |
| t_wm_mcardreceive                     |
| t_wm_mconsumption                     |
| t_wm_mconsumption                     |
| t_wm_media_reports                    |
| t_wm_media_reports                    |
| t_wm_member_coupon                    |
| t_wm_member_coupon                    |
| t_wm_member_gift                      |
| t_wm_member_gift                      |
| t_wm_member_marketing_activity        |
| t_wm_member_marketing_activity        |
| t_wm_member_program                   |
| t_wm_member_program                   |
| t_wm_member_recharge                  |
| t_wm_member_recharge                  |
| t_wm_membercard                       |
| t_wm_membercard                       |
| t_wm_message                          |
| t_wm_message                          |
| t_wm_message_black                    |
| t_wm_message_black                    |
| t_wm_message_config                   |
| t_wm_message_config                   |
| t_wm_mprivileges                      |
| t_wm_mprivileges                      |
| t_wm_new_member                       |
| t_wm_new_member                       |
| t_wm_new_member_address               |
| t_wm_new_member_address               |
| t_wm_new_member_announce              |
| t_wm_new_member_announce              |
| t_wm_new_member_announce_view         |
| t_wm_new_member_announce_view         |
| t_wm_new_member_bill                  |
| t_wm_new_member_bill                  |
| t_wm_new_member_card                  |
| t_wm_new_member_card                  |
| t_wm_new_member_card_coupon           |
| t_wm_new_member_card_coupon           |
| t_wm_new_member_card_gift             |
| t_wm_new_member_card_gift             |
| t_wm_new_member_card_recharge         |
| t_wm_new_member_card_recharge         |
| t_wm_new_member_cardsent              |
| t_wm_new_member_cardsent              |
| t_wm_new_member_consume_activities    |
| t_wm_new_member_consume_activities    |
| t_wm_new_member_consume_log           |
| t_wm_new_member_consume_log           |
| t_wm_new_member_coupon                |
| t_wm_new_member_coupon                |
| t_wm_new_member_customer_care         |
| t_wm_new_member_customer_care         |
| t_wm_new_member_define_field          |
| t_wm_new_member_define_field          |
| t_wm_new_member_define_info           |
| t_wm_new_member_define_info           |
| t_wm_new_member_entity                |
| t_wm_new_member_entity                |
| t_wm_new_member_grade                 |
| t_wm_new_member_grade                 |
| t_wm_new_member_integral_exchange     |
| t_wm_new_member_integral_exchange     |
| t_wm_new_member_integral_exchange_log |
| t_wm_new_member_integral_exchange_log |
| t_wm_new_member_messages              |
| t_wm_new_member_messages              |
| t_wm_new_member_number                |
| t_wm_new_member_number                |
| t_wm_new_member_privilege             |
| t_wm_new_member_privilege             |
| t_wm_new_member_recharge_activities   |
| t_wm_new_member_recharge_activities   |
| t_wm_new_member_recommend             |
| t_wm_new_member_recommend             |
| t_wm_new_member_score                 |
| t_wm_new_member_score                 |
| t_wm_new_member_score_log             |
| t_wm_new_member_score_log             |
| t_wm_new_member_system_field          |
| t_wm_new_member_system_field          |
| t_wm_new_receive_coupon               |
| t_wm_new_receive_coupon               |
| t_wm_notice                           |
| t_wm_notice                           |
| t_wm_order_items                      |
| t_wm_order_items                      |
| t_wm_outside_link                     |
| t_wm_outside_link                     |
| t_wm_panorama                         |
| t_wm_panorama                         |
| t_wm_panorama_picture                 |
| t_wm_panorama_picture                 |
| t_wm_payment_cfg                      |
| t_wm_payment_cfg                      |
| t_wm_payment_sequence                 |
| t_wm_payment_sequence                 |
| t_wm_plcaccount                       |
| t_wm_plcaccount                       |
| t_wm_privilege_config                 |
| t_wm_privilege_config                 |
| t_wm_privilege_role                   |
| t_wm_privilege_role                   |
| t_wm_question_cat                     |
| t_wm_question_cat                     |
| t_wm_questions                        |
| t_wm_questions                        |
| t_wm_reg_config                       |
| t_wm_reg_config                       |
| t_wm_reg_customer                     |
| t_wm_reg_customer                     |
| t_wm_region                           |
| t_wm_region                           |
| t_wm_register                         |
| t_wm_register                         |
| t_wm_related_question_cat             |
| t_wm_related_question_cat             |
| t_wm_reserve                          |
| t_wm_reserve                          |
| t_wm_reserve_custom                   |
| t_wm_reserve_custom                   |
| t_wm_score                            |
| t_wm_score                            |
| t_wm_scratch_card                     |
| t_wm_scratch_card                     |
| t_wm_service                          |
| t_wm_service                          |
| t_wm_service_config                   |
| t_wm_service_config                   |
| t_wm_service_custom                   |
| t_wm_service_custom                   |
| t_wm_service_sms                      |
| t_wm_service_sms                      |
| t_wm_smash_egg                        |
| t_wm_smash_egg                        |
| t_wm_smash_egg_sncode                 |
| t_wm_smash_egg_sncode                 |
| t_wm_smashegg_users                   |
| t_wm_smashegg_users                   |
| t_wm_sms_history                      |
| t_wm_sms_history                      |
| t_wm_sms_log                          |
| t_wm_sms_log                          |
| t_wm_spoutlet                         |
| t_wm_spoutlet                         |
| t_wm_spoutlet_domain                  |
| t_wm_spoutlet_domain                  |
| t_wm_store                            |
| t_wm_store                            |
| t_wm_survey                           |
| t_wm_survey                           |
| t_wm_survey_options                   |
| t_wm_survey_options                   |
| t_wm_survey_userinfo                  |
| t_wm_survey_userinfo                  |
| t_wm_survey_useroption                |
| t_wm_survey_useroption                |
| t_wm_tg_eticket                       |
| t_wm_tg_eticket                       |
| t_wm_tg_funds_bill                    |
| t_wm_tg_funds_bill                    |
| t_wm_tg_goods                         |
| t_wm_tg_goods                         |
| t_wm_tg_goods_attribute               |
| t_wm_tg_goods_attribute               |
| t_wm_tg_goods_attribute_detail        |
| t_wm_tg_goods_attribute_detail        |
| t_wm_tg_goods_picture                 |
| t_wm_tg_goods_picture                 |
| t_wm_tg_goods_store_related           |
| t_wm_tg_goods_store_related           |
| t_wm_tg_order                         |
| t_wm_tg_order                         |
| t_wm_tg_order_delivery                |
| t_wm_tg_order_delivery                |
| t_wm_tg_order_delivery_detail         |
| t_wm_tg_order_delivery_detail         |
| t_wm_tg_order_item                    |
| t_wm_tg_order_item                    |
| t_wm_tg_order_refund                  |
| t_wm_tg_order_refund                  |
| t_wm_tg_order_refund_detail           |
| t_wm_tg_order_refund_detail           |
| t_wm_tg_product                       |
| t_wm_tg_product                       |
| t_wm_tg_send_sms                      |
| t_wm_tg_send_sms                      |
| t_wm_tg_user                          |
| t_wm_tg_user                          |
| t_wm_tg_user_address                  |
| t_wm_tg_user_address                  |
| t_wm_user                             |
| t_wm_user                             |
| t_wm_vote                             |
| t_wm_vote                             |
| t_wm_vote_options                     |
| t_wm_vote_options                     |
| t_wm_vote_user                        |
| t_wm_vote_user                        |
| t_wm_wall                             |
| t_wm_wall                             |
| t_wm_wall_bigwheel                    |
| t_wm_wall_bigwheel                    |
| t_wm_wall_content                     |
| t_wm_wall_content                     |
| t_wm_wall_lottery                     |
| t_wm_wall_lottery                     |
| t_wm_wall_photo                       |
| t_wm_wall_photo                       |
| t_wm_wall_race                        |
| t_wm_wall_race                        |
| t_wm_wall_race_log                    |
| t_wm_wall_race_log                    |
| t_wm_wall_user                        |
| t_wm_wall_user                        |
| t_wm_wall_vote                        |
| t_wm_wall_vote                        |
| t_wm_wall_winner                      |
| t_wm_wall_winner                      |
| t_wm_web_desktop_menus                |
| t_wm_web_desktop_menus                |
| t_wm_webclass                         |
| t_wm_webclass                         |
| t_wm_webconfig                        |
| t_wm_webconfig                        |
| t_wm_webmenu                          |
| t_wm_webmenu                          |
| t_wm_webplugmenu                      |
| t_wm_webplugmenu                      |
| t_wm_webslide                         |
| t_wm_webslide                         |
| t_wm_weimobpay_logs                   |
| t_wm_weimobpay_logs                   |
| t_wm_weimobpay_open_minded            |
| t_wm_weimobpay_open_minded            |
| t_wm_weimobpay_open_minded_detail     |
| t_wm_weimobpay_open_minded_detail     |
| t_wm_weimobpay_payment_cfg            |
| t_wm_weimobpay_payment_cfg            |
| t_wm_weimobpay_sequence               |
| t_wm_weimobpay_sequence               |
| t_wm_weimobpay_withdrawal             |
| t_wm_weimobpay_withdrawal             |
| t_wm_weimobpay_withdrawal_detail      |
| t_wm_weimobpay_withdrawal_detail      |
| t_wm_wp_device                        |
| t_wm_wp_device                        |
| t_wm_yldaccount                       |
| t_wm_yldaccount                       |
| v_wm_shop_auth                        |
| v_wm_shop_auth                        |
+---------------------------------------+

漏洞证明:

#3.由于表太多太多,为了证明其危害性,表里的数据就不一一查看了这里给小小翻译一下表的含义,即大概存储的内容:

从对表名称简单百度翻译一下就知道存储了多少重要信息(百度翻译不是很准确)


02.jpg


03.jpg


随便一个看看~

Table: funds_bill
[21 columns]
+-------------------+----------------------+
| Column            | Type                 |
+-------------------+----------------------+
| admin_user_id     | int(10) unsigned     |
| admin_user_name   | varchar(30)          |
| amount            | decimal(10,2)        |
| bank              | varchar(100)         |
| bank_account      | varchar(100)         |
| created_time      | timestamp            |
| currency          | varchar(10)          |
| id                | int(10) unsigned     |
| memo              | text                 |
| order_id          | int(10) unsigned     |
| order_sn          | varchar(50)          |
| pay_account       | varchar(100)         |
| pay_bank          | varchar(100)         |
| pay_sub_bank      | varchar(100)         |
| payment_type_id   | smallint(5) unsigned |
| payment_type_name | varchar(100)         |
| status            | tinyint(1) unsigned  |
| third_id          | varchar(255)         |
| update_time       | timestamp            |
| user_id           | int(10) unsigned     |
| user_name         | varchar(50)          |
+-------------------+----------------------+


再翻译一下,真恐怖,咱们还是不能去dump的。

04.jpg


#4.各种管理员帐号密码,解密要收费啊,解密之后可如后台进行商家管理,操作如: WooYun: 国内某微信营销平台管理系统存在漏洞(几十万商家账户信息、财务、报表等数据不保)

05.jpg


修复方案:

PS:乌云的审核制度认为影响极大的予以将漏洞走大厂商流程(前台显示),如果只证明存在sql注射则会被定为小厂商,1/5的rank,所以为了证明其危害性极大,找了大半天表想翻出一点敏感信息来证明其危害性,所以才有了上文说到的存在敏感信息,但本人未脱裤,未对数据库做任何恶意操作,未进行增删查改下载等恶意性操作,对注射出的信息都已经删除未保留,白帽子不会做违背道德的事情的,切勿跨省,请您放心修补漏洞。另请希望给以20rank。

版权声明:转载请注明来源 U神@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-05-04 22:05

厂商回复:

感谢你对系统提出宝贵意见,漏洞已修复

最新状态:

暂无

漏洞评价:

评论

  1. 2014-05-03 21:22 | Coody 认证白帽子 ( 核心白帽子 | Rank:1565 漏洞数:189 | 不接单、不黑产;如遇接单收徒、绝非本人所...)

    U神,你好。

  2. 2014-05-04 08:08 | 卡卡 ( 普通白帽子 | Rank:447 漏洞数:52 | <script>alert('安全团队长期招人')</scrip...)

    U神,再见!

  3. 2014-05-06 12:15 | U神 ( 核心白帽子 | Rank:1285 漏洞数:142 | 感谢乌云,知恩不忘,其实我一直都在乌云默...)

    @微盟 有木有小礼物呀

  4. 2014-05-06 23:19 | xiaokinghk ( 实习白帽子 | Rank:82 漏洞数:16 | 【DBA】)

    @U神 目测没有

  5. 2014-05-06 23:44 | win32 ( 实习白帽子 | Rank:36 漏洞数:9 | 溜达)

    @U神 经过测试确实毛都木有

  6. 2014-07-22 01:16 | 伤心小女孩 ( 路人 | Rank:10 漏洞数:9 )

    我想要源码- -

  7. 2014-07-30 11:01 | 进化程序猿 ( 实习白帽子 | Rank:38 漏洞数:2 | su -)

    @U神 想看下数据结构~~~