当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2016-0174207
漏洞标题:
看我直连高顿www主站数据库(28库/两百万用户数据含密码)
相关厂商:
高顿财经
漏洞作者:
JutaZ
提交时间:
2016-02-01 17:51
修复时间:
2016-03-14 15:10
公开时间:
2016-03-14 15:10
漏洞类型:
重要敏感信息泄露
危害等级:
自评Rank:
20
漏洞状态:
未联系到厂商或者厂商积极忽略
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2016-02-01: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-03-14: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT 安全无小事

详细说明:


#1 github泄露:

https://github.com/zhangxiaocenfoxmail/Python_MySQLd/blob/39edcf37ecd9db38d2b36bff5dcabc3c98b2c256/select.py
#!/bin/env python
# -*- coding: <utf-8> -*-
import MySQLdb
import re
q=re.compile(r'(?<=T).(?![^\d])')
try:  
   conn_src=MySQLdb.connect(host="115.29.228.53",user="root", passwd="2Ls56VwEK2wUuYDV",port=4453,db="gaodun",charset="utf8" )
except MySQLdb.Error as e:  
  print('connect fails!{}'.format(e))  
conn_src.set_character_set('utf8')
cursor = conn_src.cursor()
id_sql="select id from gd_card_code where card_id=108"
cursor.execute(id_sql)
ids=cursor.fetchall()
content_sql="select num from gd_card_code where card_id  = 108"
cursor.execute(content_sql)
contents=cursor.fetchall()
for  connect in contents:
	 c=connect[0]
	 numd=q.sub('2',c)
	 update_sql="update gd_card_code set num ='%s',prefix='T254' where card_id = 108" % (numd)
	 cursor.execute(update_sql)
	 cursor.execute('commit')
	 print(update_sql)
conn_src.close()


用户名:root
密码:2Ls56VwEK2wUuYDV
IP地址:115.29.228.53 端口:4453
#2 IP反查

IP反查.png


#3 连接成功

连接成功.png


#4 28个库

24个库.png


#5 192万用户

高顿192万.png


#6 root权限不再深入

漏洞证明:

#1 github泄露:

https://github.com/zhangxiaocenfoxmail/Python_MySQLd/blob/39edcf37ecd9db38d2b36bff5dcabc3c98b2c256/select.py
#!/bin/env python
# -*- coding: <utf-8> -*-
import MySQLdb
import re
q=re.compile(r'(?<=T).(?![^\d])')
try:  
   conn_src=MySQLdb.connect(host="115.29.228.53",user="root", passwd="2Ls56VwEK2wUuYDV",port=4453,db="gaodun",charset="utf8" )
except MySQLdb.Error as e:  
  print('connect fails!{}'.format(e))  
conn_src.set_character_set('utf8')
cursor = conn_src.cursor()
id_sql="select id from gd_card_code where card_id=108"
cursor.execute(id_sql)
ids=cursor.fetchall()
content_sql="select num from gd_card_code where card_id  = 108"
cursor.execute(content_sql)
contents=cursor.fetchall()
for  connect in contents:
	 c=connect[0]
	 numd=q.sub('2',c)
	 update_sql="update gd_card_code set num ='%s',prefix='T254' where card_id = 108" % (numd)
	 cursor.execute(update_sql)
	 cursor.execute('commit')
	 print(update_sql)
conn_src.close()


用户名:root
密码:2Ls56VwEK2wUuYDV
IP地址:115.29.228.53 端口:4453
#2 IP反查

IP反查.png


#3 连接成功

连接成功.png


#4 28个库

24个库.png


#5 192万用户

高顿192万.png


select count(*) from `gd_members`
1999559

1.png


#6 root权限不再深入

修复方案:

#1 内部自查
#2 穷孩子买不起网课,求送~

版权声明:转载请注明来源 JutaZ@乌云

>

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)